gem-contribute 0.3.0 → 0.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fb726fe2025ba0cc501be01d13b4138ff4b21a9c755ad81c9b0181ef35f41c88
-  data.tar.gz: 33e6e83e38b27f2b4e2079fc79cfa76c2bfb178a2ba37424a05dfc8ad91398c0
+  metadata.gz: 642744289b8e25b5109868d7ef71fbb33e7067d79d8fb9c6580e8a88b566dea6
+  data.tar.gz: d2e5cca3a504bd75de537e9b38ba22a0ff2f2b6915162cb9d37f5d065933cc72
 SHA512:
-  metadata.gz: fa04494e7ac4294f90d14ecb01d3f111d7e890dd5dc9ec1c5b77bc83aa215e8c0cac467f6bd9fa38ffa73c4665aece92520269473cf0f95555f48096a5a2b372
-  data.tar.gz: 4e9bfd2d676ac59d5d8c8c8db0e7928641c8e4f031a85fd435f1e52ec3b1b770aa41a705f456ad488a23019520093787d58e8326bbbf42e51f24a30e185a0cfc
+  metadata.gz: a2600e3b0ee2adf44fcadab52639e446aae0d15f7d4843c111d68d86b3fd726bed20d72ad62063c72230656cdf8c62a52d7fc1507b7e5fb85032678f77ae99a7
+  data.tar.gz: 1f208fe93824d839c8ca78cf842a5cc0fcbebcf3c9b4f89cf8d9fcdd1c403ce19b9b1f0c1e664b1a3b5d681e45f80559e8c333d3ba752111e64726b633491ed9

data/.github/workflows/release.yml

@@ -0,0 +1,71 @@
+name: Release
+
+# Triggers on `v*` tag pushes (e.g. `v0.4.0`). Verifies the tag matches
+# `GemContribute::VERSION` and that CHANGELOG.md has a dated section for
+# it, then runs rubocop + rspec as a final gate and publishes to
+# rubygems.org via Trusted Publishing (OIDC). No `RUBYGEMS_API_KEY`
+# secret — the rubygems.org-side trusted-publisher entry mints a
+# short-lived token from the GitHub Actions OIDC claim. Compatible with
+# `rubygems_mfa_required = true`, which the gemspec already sets.
+#
+# First-run setup (one-time, before the first tag push): see
+# MAINTAINER.md → "Cutting a release". The rubygems.org Trusted
+# Publisher entry must exist before this workflow can succeed.
+#
+# The `release` environment scopes the OIDC claim — only workflow runs
+# in that environment can authenticate to rubygems.org. Configure it at
+# Settings → Environments in the GitHub repo (no secrets, no protection
+# rules required, but adding a "required reviewer" gives a manual
+# approval gate before publishes).
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: write   # create the GitHub release with auto-generated notes
+  id-token: write   # request OIDC token for Trusted Publishing
+
+jobs:
+  release:
+    name: Build, test, and publish
+    runs-on: ubuntu-latest
+    environment: release
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: "3.2"
+          bundler-cache: true
+
+      - name: Verify tag matches gemspec version and CHANGELOG section
+        env:
+          REF_NAME: ${{ github.ref_name }}
+        run: |
+          set -euo pipefail
+          tag_version="${REF_NAME#v}"
+          gem_version=$(ruby -r./lib/gem_contribute/version -e 'print GemContribute::VERSION')
+
+          if [ "$tag_version" != "$gem_version" ]; then
+            echo "::error::Tag $REF_NAME does not match GemContribute::VERSION ($gem_version)."
+            echo "Bump lib/gem_contribute/version.rb or retag, then push."
+            exit 1
+          fi
+
+          if ! grep -Fq "## [$gem_version]" CHANGELOG.md; then
+            echo "::error::CHANGELOG.md is missing a '## [$gem_version]' section."
+            echo "Add a dated section before tagging — see existing entries for the shape."
+            exit 1
+          fi
+
+      - name: rubocop
+        run: bin/rubocop
+
+      - name: rspec
+        run: bin/rspec
+
+      - name: Publish to rubygems.org via Trusted Publishing
+        uses: rubygems/release-gem@v1

data/CHANGELOG.md

@@ -4,6 +4,18 @@ All notable changes to this project will be documented here. The format is based
 
 ## [Unreleased]
 
+## [0.3.1] - 2026-05-04
+
+### Added
+
+- Release workflow (`.github/workflows/release.yml`) — `v*` tag push triggers a publish to rubygems.org via [Trusted Publishing](https://guides.rubygems.org/trusted-publishing/) (OIDC). No `RUBYGEMS_API_KEY` secret involved; rubygems.org issues a short-lived token from the GitHub Actions OIDC claim. The workflow verifies the tag matches `GemContribute::VERSION` and that `CHANGELOG.md` has a dated section for it before running rubocop, rspec, and the publish step. First-time setup (rubygems.org pending-trusted-publisher entry, `release` GitHub Environment) is documented in `MAINTAINER.md` (closes [#44](https://github.com/cdhagmann/gem-contribute/issues/44)).
+
+### Fixed
+
+- `Gemfile.lock` regenerated to match `GemContribute::VERSION` after the 0.3.0 bump (commit `077eadb`) updated `version.rb` without running `bundle install`. CI runs bundler in deployment mode and was failing on the lockfile/gemspec mismatch. The MAINTAINER.md per-release checklist now calls out `bundle install` as an explicit step so the next bump doesn't repeat this.
+
+## [0.3.0] - 2026-05-04
+
 ### Added
 
 - `gem-contribute fork <gem>` — the look-around-first counterpart to `fix`: fork the gem's repo, clone it, leave you on the default branch with no issue-tied work yet. Same `-e` / `-a` flags. Use this when you want to read the code before deciding whether to commit to a specific issue (closes [#12](https://github.com/cdhagmann/gem-contribute/issues/12)).

data/MAINTAINER.md

@@ -86,7 +86,124 @@ older gem versions continue to work.
 
 ## Cutting a release
 
-(Stub — fill in when we cut v0.1.0 to RubyGems. Notes will live here:
-gemspec metadata checks, `bundle exec rake release` flow, signing, etc.)
+Releases publish to rubygems.org via [Trusted Publishing][gh-trusted-pub]
+(OIDC) — there is no `RUBYGEMS_API_KEY` secret and no manual `gem push`.
+A `v*` tag push triggers `.github/workflows/release.yml`, which verifies
+the tag matches `GemContribute::VERSION`, checks that `CHANGELOG.md` has a
+dated section for the version, runs rubocop and rspec, and then publishes.
+
+### One-time setup (before the first automated release)
+
+The rubygems.org Trusted Publisher entry must exist before any tag push
+can succeed. For an unclaimed gem name, use the **pending publisher**
+flow:
+
+1. Sign in at <https://rubygems.org>.
+
+2. Go to <https://rubygems.org/profile/me/oidc/pending_trusted_publishers/new>.
+
+3. Fill in the form:
+
+   | Field             | Value                |
+   |-------------------|----------------------|
+   | Gem name          | `gem-contribute`     |
+   | Repository owner  | `cdhagmann`          |
+   | Repository name   | `gem-contribute`     |
+   | Workflow filename | `release.yml`        |
+   | Environment       | `release`            |
+
+   The "Environment" value matches `environment: release` in the
+   workflow. Leave blank if you removed that line; otherwise both must
+   match exactly.
+
+4. Submit. The publisher entry is now "pending" — it has no gem attached
+   yet. The first successful publish from this workflow claims the name
+   and promotes the entry to a regular trusted publisher.
+
+After the gem is published, you can add additional trusted publishers
+(e.g. for a fork or replacement workflow) from the gem's settings page on
+rubygems.org instead of the pending-publisher flow.
+
+### Configure the GitHub environment (one-time)
+
+The workflow runs in an `environment: release` job. Create the environment
+in the repo so the OIDC claim carries the correct value:
+
+1. GitHub repo → Settings → Environments → **New environment**.
+2. Name it `release`.
+3. (Optional) Add yourself as a **Required reviewer** for a manual
+   approval gate before each publish. Recommended for the first few
+   releases until you trust the workflow.
+4. No secrets to configure. Trusted publishing replaces secrets entirely.
+
+### Per-release checklist
+
+When cutting a new version:
+
+1. **Bump the version.** Edit `lib/gem_contribute/version.rb` to the new
+   `MAJOR.MINOR.PATCH`. Follow [SemVer](https://semver.org/).
+
+2. **Regenerate `Gemfile.lock`.** Run `bundle install`. The lockfile's
+   `gem-contribute (X.Y.Z)` line must match the new version in both the
+   PATH spec at the top and the CHECKSUMS section near the bottom. CI
+   runs bundler in deployment/`--frozen` mode and refuses to install if
+   the lockfile is out of sync with the gemspec.
+
+3. **Update CHANGELOG.md.** Move the contents of `[Unreleased]` into a
+   new dated section: `## [X.Y.Z] - YYYY-MM-DD`. Leave `[Unreleased]`
+   empty for the next cycle. The release workflow refuses to publish if
+   it can't find a `## [X.Y.Z]` section matching the tag.
+
+4. **Commit on `main`.** Bump version.rb, the regenerated Gemfile.lock,
+   and CHANGELOG.md all in the same commit. Conventional message:
+   `Bump gem-contribute to X.Y.Z`.
+
+5. **Tag and push.**
+
+   ```sh
+   git tag -a vX.Y.Z -m "X.Y.Z"
+   git push origin main vX.Y.Z
+   ```
+
+6. **Watch the Actions tab.** The workflow will:
+   - verify the tag/version/CHANGELOG match
+   - run rubocop and rspec
+   - request an OIDC token, exchange it for a short-lived rubygems API
+     key, and publish the gem
+   - create a draft GitHub release with auto-generated notes
+
+   If the environment has a required-reviewer protection rule, the
+   workflow will pause for your manual approval before the publish step.
+
+7. **Sanity check.** After publish, `gem info gem-contribute` should show
+   the new version. The draft GitHub release is yours to edit and publish
+   when ready.
+
+### Troubleshooting
+
+- **"Tag … does not match GemContribute::VERSION"** — version.rb is out of
+  sync with the tag. Either delete the tag and bump version.rb, or
+  re-tag at the right SHA after fixing version.rb.
+- **"CHANGELOG.md is missing a section for …"** — add the dated section,
+  amend the bump commit, force-push, delete the old tag, retag, push.
+  (Force-push is fine on the bump commit before the publish has
+  succeeded.)
+- **OIDC failure / "no trusted publisher matches"** — check the
+  rubygems.org publisher entry: gem name, repo owner, repo name,
+  workflow filename (`release.yml`, not the full path), and environment
+  must all match. The workflow filename is the basename only, no
+  `.github/workflows/` prefix.
+- **`gem push` fails with `multifactor authentication required`** —
+  trusted publishing satisfies MFA. If you see this error, the workflow
+  fell back to a non-OIDC path; verify `permissions.id-token: write` is
+  set on the job.
+
+### Yanking a release
+
+Yanks happen via the rubygems.org web UI or `gem yank gem-contribute -v
+X.Y.Z`. There is no automated yank flow — by design. If you need to yank,
+also delete the corresponding `vX.Y.Z` tag and GitHub release so the
+record on GitHub matches what's available on rubygems.org.
 
 [gh-device-flow]: https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#device-flow
+[gh-trusted-pub]: https://guides.rubygems.org/trusted-publishing/

data/docs/ROADMAP.md

@@ -213,7 +213,7 @@ Everything required to call it 1.0 and not 0.x.
 - [ ] [#42](https://github.com/cdhagmann/gem-contribute/issues/42) — Add MAINTAINER.md (release process, OAuth App, plugin verification)
 - [ ] OAuth App: stay on personal-account App for v1.0 (per Q13); migrate when rate limits bite
 - [ ] [#43](https://github.com/cdhagmann/gem-contribute/issues/43) — CI workflow (`.github/workflows/ci.yml`): rubocop + rspec; gated integration tests; plugin install smoke (basic rubocop + rspec already landed via [PR #21](https://github.com/cdhagmann/gem-contribute/pull/21) / [#7](https://github.com/cdhagmann/gem-contribute/issues/7); gated integration tests and plugin smoke still pending)
-- [ ] [#44](https://github.com/cdhagmann/gem-contribute/issues/44) — Release workflow (`.github/workflows/release.yml`) with **Trusted Publishing (OIDC)**
+- [x] [#44](https://github.com/cdhagmann/gem-contribute/issues/44) — Release workflow (`.github/workflows/release.yml`) with **Trusted Publishing (OIDC)** (will go live with the 0.4 release)
 - [ ] 🌱 [#45](https://github.com/cdhagmann/gem-contribute/issues/45) — Archive workshop docs to `docs/archive/`
 - [ ] [#46](https://github.com/cdhagmann/gem-contribute/issues/46) — README rewrite for v1 audience
 - [ ] Verify `bundle plugin install` and `gem install` from a clean machine (covered by CI smoke test in #43)

data/lib/gem_contribute/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module GemContribute
-  VERSION = "0.3.0"
+  VERSION = "0.3.1"
 end

metadata

@@ -1,13 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: gem-contribute
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.3.1
 platform: ruby
 authors:
 - Chris Hagmann
+autorequire:
 bindir: exe
 cert_chain: []
-date: 1980-01-02 00:00:00.000000000 Z
+date: 2026-05-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -126,6 +127,7 @@ files:
 - ".github/workflows/auto-merge-kicked-tires.yml"
 - ".github/workflows/ci.yml"
 - ".github/workflows/pr-template-check.yml"
+- ".github/workflows/release.yml"
 - CHANGELOG.md
 - CLAUDE.md
 - CODE_OF_CONDUCT.md
@@ -211,6 +213,7 @@ metadata:
   changelog_uri: https://github.com/cdhagmann/gem-contribute/blob/main/CHANGELOG.md
   documentation_uri: https://cdhagmann.com/gem-contribute/
   rubygems_mfa_required: 'true'
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -225,7 +228,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 4.0.10
+rubygems_version: 3.4.19
+signing_key:
 specification_version: 4
 summary: Find and contribute to the open-source Ruby gems your project depends on.
 test_files: []