oidc-test-trusted_publisher 0.8.1 → 0.8.11

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a9878e2157b8ee47664721d8a1b15475a9cb341de0da8c4a3b29590603b635c6
-  data.tar.gz: e7b4f217c4233dece06f4c9f7850ce322b67a07de437758931bf542890536305
+  metadata.gz: d026d0971c1b1145718132536e6bbb4e3ce5e784b88db4063c5234289edadf3e
+  data.tar.gz: 1b129193dcf766ca04818a56be6205373c230e65914e125baefbff418bd8a67d
 SHA512:
-  metadata.gz: 16416690bb041db2d099201c1ed0b406dc310f5909c1e1755850eae218155134a48b622cde9b0b8e4b1eb33a16147325677ed4d26d020d7a33b384324ef0418d
-  data.tar.gz: 4efd351f3b31dbbc2927d8167529ace1be3657e050c041c53f912273603b0f8604784f5147a5d616e7a528904d0027405337b7d701c6b3905465d3dd1143ae75
+  metadata.gz: fce2e41277c017a2b30809f0434e02033bc9afecf98cf5dcea630378c937175bdc9db73b5163a4a36154b7b2ce7748e8473678366dde8e9f35ce8624cdd411d1
+  data.tar.gz: 161f5e0178e01ce0a5d8a2f8ffad23f26483e75ce4b014909f6fcc45a825f8ec4d4f8c37cee0552182ca103b41238ddbb51261a580d98516fdeda97310a9a6ec

data/.rubocop.yml

@@ -1,5 +1,5 @@
 AllCops:
-  TargetRubyVersion: 2.6
+  TargetRubyVersion: 3.1
 
 Style/StringLiterals:
   Enabled: true
@@ -11,3 +11,9 @@ Style/StringLiteralsInInterpolation:
 
 Layout/LineLength:
   Max: 120
+
+Style/Documentation:
+  Enabled: false
+
+Metrics:
+  Enabled: false

data/Gemfile

@@ -10,3 +10,7 @@ gem "rake", "~> 13.0"
 gem "rspec", "~> 3.0"
 
 gem "rubocop", "~> 1.21"
+
+gem "racc"
+
+gem "sigstore", "~> 0.1.1"

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    oidc-test (0.8.1)
+    oidc-test (0.8.11)
 
 GEM
   remote: https://rubygems.org/
@@ -9,9 +9,22 @@ GEM
     ast (2.4.2)
     diff-lcs (1.5.0)
     json (2.6.3)
+    net-http (0.5.0)
+      uri
     parallel (1.22.1)
     parser (3.2.2.0)
       ast (~> 2.4.1)
+    protobug (0.1.0)
+    protobug_googleapis_field_behavior_protos (0.1.0)
+      protobug (= 0.1.0)
+      protobug_well_known_protos (= 0.1.0)
+    protobug_sigstore_protos (0.1.0)
+      protobug (= 0.1.0)
+      protobug_googleapis_field_behavior_protos (= 0.1.0)
+      protobug_well_known_protos (= 0.1.0)
+    protobug_well_known_protos (0.1.0)
+      protobug (= 0.1.0)
+    racc (1.8.1)
     rainbow (3.1.1)
     rake (13.0.6)
     regexp_parser (2.7.0)
@@ -42,16 +55,23 @@ GEM
     rubocop-ast (1.28.0)
       parser (>= 3.2.1.0)
     ruby-progressbar (1.13.0)
+    sigstore (0.1.1)
+      net-http
+      protobug_sigstore_protos (~> 0.1.0)
+      uri
     unicode-display_width (2.4.2)
+    uri (1.0.2)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
   oidc-test!
+  racc
   rake (~> 13.0)
   rspec (~> 3.0)
   rubocop (~> 1.21)
+  sigstore (~> 0.1.1)
 
 BUNDLED WITH
    2.5.10

data/Rakefile

@@ -1,5 +1,66 @@
 # frozen_string_literal: true
 
+require "bundler/gem_helper"
+
+module Bundler
+  class GemHelper
+    prepend(Module.new do
+      def install
+        super
+
+        task "release:attest" => "build" do
+          Bundler.ui.confirm "Attesting? #{attest?}"
+          attest if attest?
+        end
+
+        task "release:rubygem_push" => "release:attest"
+      end
+
+      def build_gem
+        @build_gem_path = super
+      end
+
+      def rubygem_push(path)
+        return super unless attest?
+
+        cmd = [{ "RUBYOPT" => "-r#{File.expand_path("tasks/rubygems_patch.rb", __dir__)} #{ENV["RUBYOPT"]}",
+                 "gem_attestation_path" => "#{path}.sigstore.json" }, *gem_command, "push", path]
+        cmd << "--key" << gem_key if gem_key
+        cmd << "--host" << allowed_push_host if allowed_push_host
+        sh_with_input(cmd)
+        Bundler.ui.confirm "Pushed #{name} #{version} to #{gem_push_host}"
+      end
+    end)
+
+    def attest?
+      return true if %w[y yes true on 1].include?(ENV["gem_attest"])
+      return false if %w[n no nil false off 0].include?(ENV["gem_attest"])
+
+      ENV["ACTIONS_ID_TOKEN_REQUEST_URL"] && ENV["ACTIONS_ID_TOKEN_REQUEST_TOKEN"]
+    end
+
+    def attest
+      Bundler.ui.confirm "Signing #{@build_gem_path}..."
+      sh [Gem.ruby, "-S", "gem", "install", "sigstore"]
+      sh [Gem.ruby, "-rnet/http", "-rsigstore", "-rsigstore/signer", "-e", <<~RUBY, @build_gem_path]
+        file = ARGV.first
+        jwt = Net::HTTP.get_response(
+          URI(ENV.fetch("ACTIONS_ID_TOKEN_REQUEST_URL") + "&audience=sigstore"),
+          { "Authorization" => "bearer \#{ENV.fetch("ACTIONS_ID_TOKEN_REQUEST_TOKEN")}" },
+          &:value
+        ).body.then { JSON.parse(_1).fetch("value") }
+
+        contents = File.binread(file)
+        bundle = Sigstore::Signer.new(jwt:, trusted_root: Sigstore::TrustedRoot.production).sign(contents)
+
+        json = "\#{file}.sigstore.json"
+        File.binwrite(json, bundle.to_json)
+        puts "Signed \#{file}, wrote \#{json}"
+      RUBY
+    end
+  end
+end
+
 require "bundler/gem_tasks"
 
 Bundler::GemHelper.tag_prefix = ENV["TAG_PREFIX"] if ENV["TAG_PREFIX"]

data/lib/oidc/test/version.rb

@@ -2,6 +2,6 @@
 
 module Oidc
   module Test
-    VERSION = "0.8.1"
+    VERSION = "0.8.11"
   end
 end

data/tasks/rubygems_patch.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require "rubygems/commands/push_command"
+
+Gem::Commands::PushCommand.prepend(Module.new do
+  def send_push_request(name, args)
+    return super unless ENV["gem_attestation_path"]
+
+    rubygems_api_request(*args, scope: get_push_scope) do |request|
+      request.set_form([
+                         ["gem", Gem.read_binary(name), { filename: name, content_type: "application/octet-stream" }],
+                         ["attestations", "[#{Gem.read_binary(ENV["gem_attestation_path"])}]",
+                          { content_type: "application/json" }]
+                       ], "multipart/form-data")
+      request.add_field "Authorization", api_key
+    end
+  end
+end)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: oidc-test-trusted_publisher
 version: !ruby/object:Gem::Version
-  version: 0.8.1
+  version: 0.8.11
 platform: ruby
 authors:
 - Samuel Giddins
@@ -29,6 +29,7 @@ files:
 - lib/oidc/test.rb
 - lib/oidc/test/version.rb
 - sig/oidc/test.rbs
+- tasks/rubygems_patch.rb
 homepage: https://github.com/segiddins/oidc-test
 licenses:
 - MIT
@@ -43,14 +44,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.6.0
+      version: 3.1.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.6
+rubygems_version: 3.5.16
 signing_key: 
 specification_version: 4
 summary: Test gem