rake-gem-maintenance 0.1.4 → 0.1.6

data/lib/rake/gem/maintenance/gem_push.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require "open3"
+
+module Rake
+  module GemMaintenance
+    # Pushes a single gem file to one repository, retrying with a renewed API key on auth failure.
+    class GemPush
+      Result = Struct.new(:success, :error)
+
+      def initialize(gem_file, repository, otp_provider)
+        @gem_file = gem_file
+        @repository = repository
+        @otp_provider = otp_provider
+      end
+
+      def attempt
+        out_err, status = Open3.capture2e(env, command)
+        return Result.new(true, nil) if status.success?
+        return retry_with_renewed_key if auth_failure?(out_err)
+
+        Result.new(false, out_err)
+      end
+
+      private
+
+      def command
+        cmd = "gem push #{@gem_file} --host #{@repository[:url]}"
+        otp = @otp_provider.otp_for(@repository[:name], otp_seed_env_var: @repository[:otp_seed_env_var])
+        cmd += " --otp #{otp}" if otp
+        cmd
+      end
+
+      def env
+        env_var = @repository[:api_key_env_var]
+        return {} unless env_var
+
+        key = ENV.fetch(env_var, nil)
+        return {} if key.nil? || key.empty?
+
+        { "GEM_HOST_API_KEY" => key }
+      end
+
+      def auth_failure?(output)
+        output.match?(/unauthorized|api.key|forbidden/i) ||
+          output.include?("401") || output.include?("403")
+      end
+
+      def retry_with_renewed_key
+        new_key = ApiKeyRenewer.new(otp_provider: @otp_provider).renew(@repository)
+        return Result.new(false, "Auth failed and renewal credentials unavailable.") unless new_key
+
+        _out_err, status = Open3.capture2e(env.merge("GEM_HOST_API_KEY" => new_key), command)
+        if status.success?
+          Result.new(true, nil)
+        else
+          Result.new(false, "Push failed after key renewal.")
+        end
+      end
+    end
+  end
+end

data/lib/rake/gem/maintenance/install_tasks.rb

@@ -2,5 +2,13 @@
 
 require_relative "../maintenance"
 
+Rake::GemMaintenance::Repos.rubygems_api_key_env_var = "GEM_HOST_API_KEY"
+Rake::GemMaintenance::Repos.rubygems_otp_seed_env_var = "RUBYGEMS_OTP_SEED"
+
 Rake::GemMaintenance::UpgradeTask.new
 Rake::GemMaintenance::VersionBumpTask.new
+
+Rake::GemMaintenance::CredentialStore.new.apply_to_env(
+  username_env_var: "RUBYGEMS_USERNAME",
+  api_key_env_var: "GEM_HOST_API_KEY"
+)

data/lib/rake/gem/maintenance/otp_provider.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module Rake
+  module GemMaintenance
+    # Resolves a 2FA OTP code for gem push, either from the environment or interactively.
+    # Resolution order for otp_for:
+    #   1. RUBYGEMS_OTP env var set → use raw code (works in CI and locally)
+    #   2. otp_seed_env_var provided and env var set → generate TOTP code (works in CI and locally)
+    #   3. CI environment → nil (gate only interactive prompt)
+    #   4. Interactive prompt
+    class OtpProvider
+      def initialize(ci_environment: CIEnvironment, input: $stdin)
+        @ci_environment = ci_environment
+        @input = input
+      end
+
+      def otp_for(repository_name, otp_seed_env_var: nil)
+        env_otp = ENV.fetch("RUBYGEMS_OTP", nil)
+        return env_otp if env_otp && !env_otp.empty?
+
+        if otp_seed_env_var
+          seed = ENV.fetch(otp_seed_env_var, nil)
+          return generate_totp(seed) if seed && !seed.empty?
+        end
+
+        return nil if @ci_environment.ci?
+
+        prompt_for_otp(repository_name)
+      end
+
+      private
+
+      def generate_totp(seed)
+        require "rotp"
+        ::ROTP::TOTP.new(seed).now
+      end
+
+      def prompt_for_otp(repository_name)
+        print "Enter OTP for #{repository_name} (blank to skip): "
+        value = @input.gets&.chomp
+        value&.empty? ? nil : value
+      end
+    end
+  end
+end

data/lib/rake/gem/maintenance/renew_api_key_task.rb

@@ -0,0 +1,139 @@
+# frozen_string_literal: true
+
+require "rake"
+require "rake/tasklib"
+require_relative "credential_store"
+
+module Rake
+  module GemMaintenance
+    # Generates a new rubygems.org API key via the rubygems.org API and stores
+    # it in a Woodpecker CI org-level secret. Intended for local developer use only.
+    #
+    # Creates: <namespace>:renew_api_key
+    #
+    # Reads WOODPECKER_SERVER and WOODPECKER_TOKEN (or ~/.config/woodpecker/token)
+    # from the environment.
+    class RenewApiKeyTask < ::Rake::TaskLib
+      attr_accessor :namespace_name, :host, :api_key_env_var, :ci_environment,
+                    :woodpecker_server, :woodpecker_org, :woodpecker_secret_name,
+                    :username_env_var, :password_env_var, :credential_store
+
+      def initialize(namespace_name = :upgrade)
+        super()
+        apply_defaults(namespace_name)
+        define_tasks
+      end
+
+      private
+
+      def apply_defaults(namespace_name)
+        @namespace_name = namespace_name
+        @host = "https://rubygems.org"
+        @api_key_env_var = "GEM_HOST_API_KEY"
+        @ci_environment = CIEnvironment
+        @woodpecker_server = ENV.fetch("WOODPECKER_SERVER", nil)
+        @woodpecker_org = ENV.fetch("WOODPECKER_ORG", "cbp-org")
+        @woodpecker_secret_name = "rubygems_api_key"
+        @username_env_var = "RUBYGEMS_USERNAME"
+        @password_env_var = "RUBYGEMS_PASSWORD"
+        @credential_store = CredentialStore.new
+      end
+
+      def define_tasks
+        task_instance = self
+        namespace namespace_name do
+          desc "Generate a new rubygems.org API key and store it in Woodpecker CI"
+          task(:renew_api_key) { task_instance.send(:run_renewal) }
+        end
+      end
+
+      def run_renewal
+        credential_store.apply_to_env(username_env_var: username_env_var, api_key_env_var: api_key_env_var)
+        abort_if_ci
+        username, password = prompt_credentials
+        prompt_otp_seed_if_missing
+        api_key = generate_api_key(username, password)
+        save_and_distribute(username, api_key)
+      end
+
+      def generate_api_key(username, password)
+        otp = OtpProvider.new.otp_for("rubygems")
+        RubyGemsApiKeyCreator.new(host: host).create(username, password, otp: otp)
+      end
+
+      def save_and_distribute(username, api_key)
+        puts "\n[INFO] New API key generated."
+        credential_store.update(username: username, api_key: api_key, api_key_env_var: api_key_env_var)
+        store_in_woodpecker(api_key)
+      end
+
+      def abort_if_ci
+        return unless ci_environment.ci?
+
+        missing = [username_env_var, password_env_var].select { |v| env_credential(v).nil? }
+        return if missing.empty?
+
+        abort "[ERROR] Set #{missing.join(' and ')} CI secrets to run renewal unattended."
+      end
+
+      def prompt_otp_seed_if_missing
+        return if (seed = ENV.fetch("RUBYGEMS_OTP_SEED", nil)) && !seed.empty?
+
+        print "rubygems.org OTP seed (TOTP secret, not a code): "
+        seed = $stdin.gets&.chomp
+        ENV["RUBYGEMS_OTP_SEED"] = seed if seed && !seed.empty?
+      end
+
+      def prompt_credentials
+        username = env_credential(username_env_var) || prompt_username
+        password = env_credential(password_env_var) || read_password("rubygems.org password: ")
+        [username, password]
+      end
+
+      def env_credential(env_var)
+        value = ENV.fetch(env_var, nil)
+        value&.empty? ? nil : value
+      end
+
+      def prompt_username
+        print "rubygems.org username: "
+        value = $stdin.gets&.chomp
+        abort "[ERROR] No username provided." if value.nil? || value.empty?
+        value
+      end
+
+      def read_password(prompt)
+        require "io/console"
+        print prompt
+        password = $stdin.noecho(&:gets)&.chomp
+        puts
+        password
+      rescue LoadError
+        print prompt
+        $stdin.gets&.chomp
+      end
+
+      def store_in_woodpecker(api_key)
+        unless woodpecker_server
+          puts "[INFO] Set WOODPECKER_SERVER to auto-store the key in Woodpecker CI."
+          puts "[INFO] New API key (store as secret '#{woodpecker_secret_name}'): #{api_key}"
+          return
+        end
+
+        token = read_woodpecker_token
+        abort "[ERROR] No Woodpecker token. Set WOODPECKER_TOKEN or run woodpecker-cli setup." unless token
+
+        WoodpeckerSecretStore.new(server: woodpecker_server, org: woodpecker_org, token: token)
+                             .store(woodpecker_secret_name, api_key)
+        puts "[SUCCESS] API key stored in Woodpecker secret '#{woodpecker_secret_name}'."
+      end
+
+      def read_woodpecker_token
+        ENV.fetch("WOODPECKER_TOKEN", nil) ||
+          File.read(File.expand_path("~/.config/woodpecker/token")).strip
+      rescue Errno::ENOENT
+        nil
+      end
+    end
+  end
+end

data/lib/rake/gem/maintenance/repos.rb

@@ -14,35 +14,74 @@ module Rake
     #     t.gem_repositories = Rake::GemMaintenance::Repos.all
     #   end
     #
+    # @example Use local geminabox only
+    #   Rake::GemMaintenance::GeminaboxUpgradeTask.new
+    #
+    # @example Dual publishing: geminabox + rubygems.org
+    #   Rake::GemMaintenance::UpgradeTask.new do |t|
+    #     t.gem_repositories = Rake::GemMaintenance::Repos.geminabox +
+    #                          Rake::GemMaintenance::Repos.rubygems
+    #   end
+    #
     # @example Reconfigure internal URL
     #   Rake::GemMaintenance::Repos.internal_url = "https://my-internal-gem.example.com"
+    #
+    # @example Configure API key and TOTP seed env vars
+    #   Rake::GemMaintenance::Repos.rubygems_api_key_env_var = "GEM_HOST_API_KEY"
+    #   Rake::GemMaintenance::Repos.rubygems_otp_seed_env_var = "RUBYGEMS_OTP_SEED"
+    #   Rake::GemMaintenance::Repos.geminabox_url = "http://localhost:9292"
     module Repos
       @internal_url = "https://gems.cbp-org.internal"
       @rubygems_url = "https://rubygems.org"
+      @geminabox_url = "http://localhost:9292"
+
+      @rubygems_api_key_env_var = nil
+      @internal_api_key_env_var = nil
+      @geminabox_api_key_env_var = nil
+
+      @rubygems_otp_seed_env_var = nil
+      @internal_otp_seed_env_var = nil
+      @geminabox_otp_seed_env_var = nil
 
       class << self
-        attr_accessor :internal_url, :rubygems_url
+        attr_accessor :internal_url, :rubygems_url, :geminabox_url,
+                      :rubygems_api_key_env_var, :internal_api_key_env_var,
+                      :geminabox_api_key_env_var,
+                      :rubygems_otp_seed_env_var, :internal_otp_seed_env_var,
+                      :geminabox_otp_seed_env_var
       end
 
       # Publish only to internal repository
       # @return [Array<Hash>] repository configuration
       def self.internal
-        [{ name: "cbp-org", url: internal_url }]
+        base = { name: "cbp-org", url: internal_url }
+        base[:api_key_env_var] = internal_api_key_env_var if internal_api_key_env_var
+        base[:otp_seed_env_var] = internal_otp_seed_env_var if internal_otp_seed_env_var
+        [base]
       end
 
       # Publish to both rubygems.org and internal repository
       # @return [Array<Hash>] repository configuration
       def self.all
-        [
-          { name: "rubygems", url: rubygems_url },
-          { name: "cbp-org", url: internal_url }
-        ]
+        rubygems + internal
       end
 
       # Publish only to rubygems.org (the default)
       # @return [Array<Hash>] repository configuration
       def self.rubygems
-        [{ name: "rubygems", url: rubygems_url }]
+        base = { name: "rubygems", url: rubygems_url }
+        base[:api_key_env_var] = rubygems_api_key_env_var if rubygems_api_key_env_var
+        base[:otp_seed_env_var] = rubygems_otp_seed_env_var if rubygems_otp_seed_env_var
+        [base]
+      end
+
+      # Publish only to a local geminabox instance
+      # @return [Array<Hash>] repository configuration
+      def self.geminabox
+        base = { name: "geminabox", url: geminabox_url }
+        base[:api_key_env_var] = geminabox_api_key_env_var if geminabox_api_key_env_var
+        base[:otp_seed_env_var] = geminabox_otp_seed_env_var if geminabox_otp_seed_env_var
+        [base]
       end
 
       # Default configuration: rubygems.org only

data/lib/rake/gem/maintenance/ruby_gems_api_key_creator.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+module Rake
+  module GemMaintenance
+    # Creates a new scoped API key on rubygems.org via the v2 API.
+    # Handles OTP header injection and maps HTTP error codes to actionable messages.
+    class RubyGemsApiKeyCreator
+      def initialize(host: "https://rubygems.org")
+        @host = host
+      end
+
+      def create(username, password, otp: nil)
+        require "net/http"
+
+        request = build_request(username, password, otp)
+        response = http_client.request(request)
+        parse_response(response)
+      end
+
+      private
+
+      def build_request(username, password, otp)
+        uri = URI("#{@host}/api/v1/api_key")
+        key_name = "rake-gem-maintenance-ci-#{Time.now.strftime('%Y%m%d')}"
+        req = Net::HTTP::Post.new(uri)
+        req.basic_auth(username, password)
+        req["OTP"] = otp if otp
+        req["Content-Type"] = "application/x-www-form-urlencoded"
+        req.body = "name=#{key_name}&push_rubygem=true"
+        req
+      end
+
+      def http_client
+        uri = URI(@host)
+        http = Net::HTTP.new(uri.hostname, uri.port)
+        http.use_ssl = true
+        http
+      end
+
+      def parse_response(response)
+        case response.code.to_i
+        when 200, 201 then response.body.strip
+        when 401 then abort "[ERROR] Invalid credentials for #{@host}."
+        when 403 then abort "[ERROR] Forbidden. Check your MFA settings on #{@host}."
+        when 449 then abort "[ERROR] OTP required by #{@host}. Set RUBYGEMS_OTP_SEED and retry."
+        else abort "[ERROR] #{@host} returned #{response.code}: #{response.body.strip}"
+        end
+      end
+    end
+  end
+end

data/lib/rake/gem/maintenance/upgrade_task.rb

@@ -3,6 +3,9 @@
 require "net/http"
 require "rake"
 require "rake/tasklib"
+require_relative "ci_environment"
+require_relative "otp_provider"
+require_relative "renew_api_key_task"
 require_relative "gem_publisher"
 require_relative "repos"
 
@@ -20,6 +23,12 @@ module Rake
                     :run_bundle_audit, :auto_pipeline, :gem_repositories,
                     :gem_publisher_class, :gem_name, :gem_version
 
+      attr_writer :renew_api_key_task_class
+
+      def renew_api_key_task_class
+        @renew_api_key_task_class || RenewApiKeyTask
+      end
+
       def initialize(name = :upgrade)
         super()
         apply_default_configuration(name)
@@ -85,6 +94,7 @@ module Rake
         define_gems_task
         define_commit_task
         define_push_task
+        define_renew_api_key_task
       end
 
       def define_info_tasks
@@ -186,6 +196,10 @@ module Rake
         end
       end
 
+      def define_renew_api_key_task
+        renew_api_key_task_class.new(name)
+      end
+
       def pipeline_tasks
         return auto_pipeline if auto_pipeline
 
@@ -294,5 +308,14 @@ module Rake
         @gem_repositories = Repos.all
       end
     end
+
+    # Upgrades gems and publishes to a local geminabox instance only.
+    # Uses Repos.geminabox as default repositories.
+    class GeminaboxUpgradeTask < UpgradeTask
+      def apply_default_configuration(name)
+        super
+        @gem_repositories = Repos.geminabox
+      end
+    end
   end
 end

data/lib/rake/gem/maintenance/version.rb

@@ -2,6 +2,6 @@
 
 module Rake
   module GemMaintenance
-    VERSION = "0.1.4"
+    VERSION = "0.1.6"
   end
 end

data/lib/rake/gem/maintenance/woodpecker_secret_store.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+module Rake
+  module GemMaintenance
+    # Creates or updates an org-level secret in a Woodpecker CI server.
+    # SSL verification is disabled because Woodpecker is typically served
+    # on an internal network with a private CA.
+    class WoodpeckerSecretStore
+      def initialize(server:, org:, token:)
+        @server = server
+        @org = org
+        @token = token
+      end
+
+      def store(secret_name, value, events: %w[push tag manual])
+        org_id = find_org_id
+        abort "[ERROR] Woodpecker org '#{@org}' not found on #{@server}." unless org_id
+
+        if secret_exists?(org_id, secret_name)
+          patch("/api/orgs/#{org_id}/secrets/#{secret_name}",
+                { value: value, events: events, images: [] })
+        else
+          post("/api/orgs/#{org_id}/secrets",
+               { name: secret_name, value: value, events: events, images: [] })
+        end
+      end
+
+      private
+
+      def find_org_id
+        orgs = get("/api/orgs")
+        orgs&.find { |o| o["name"] == @org }&.fetch("id", nil)
+      end
+
+      def secret_exists?(org_id, secret_name)
+        secrets = get("/api/orgs/#{org_id}/secrets")
+        secrets&.any? { |s| s["name"] == secret_name }
+      end
+
+      def get(path)
+        require "json"
+        response = request(Net::HTTP::Get, path)
+        JSON.parse(response.body) if response.is_a?(Net::HTTPSuccess)
+      end
+
+      def post(path, body)
+        request(Net::HTTP::Post, path, body)
+      end
+
+      def patch(path, body)
+        request(Net::HTTP::Patch, path, body)
+      end
+
+      def request(klass, path, body = nil)
+        require "net/http"
+        require "json"
+        require "openssl"
+
+        uri = URI("#{@server}#{path}")
+        http.request(build_req(klass, uri, body))
+      end
+
+      def http
+        uri = URI(@server)
+        h = Net::HTTP.new(uri.hostname, uri.port)
+        h.use_ssl = (uri.scheme == "https")
+        h.verify_mode = OpenSSL::SSL::VERIFY_NONE
+        h
+      end
+
+      def build_req(klass, uri, body)
+        req = klass.new(uri)
+        req["Authorization"] = "Bearer #{@token}"
+        if body
+          req["Content-Type"] = "application/json"
+          req.body = JSON.generate(body)
+        end
+        req
+      end
+
+      def build_http(uri)
+        http = Net::HTTP.new(uri.hostname, uri.port)
+        http.use_ssl = (uri.scheme == "https")
+        http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+        http
+      end
+    end
+  end
+end

data/lib/rake/gem/maintenance.rb

@@ -2,6 +2,14 @@
 
 require_relative "maintenance/version"
 require_relative "maintenance/version_bump_task"
+require_relative "maintenance/ci_environment"
+require_relative "maintenance/credential_store"
+require_relative "maintenance/otp_provider"
+require_relative "maintenance/ruby_gems_api_key_creator"
+require_relative "maintenance/woodpecker_secret_store"
+require_relative "maintenance/api_key_renewer"
+require_relative "maintenance/renew_api_key_task"
+require_relative "maintenance/gem_push"
 require_relative "maintenance/gem_publisher"
 require_relative "maintenance/repos"
 require_relative "maintenance/upgrade_task"

data/scripts/ci_publish_rubygems.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+# ci-publish-rubygems.rb — build and push this gem to rubygems.org
+#
+# Required env:
+#   GEM_HOST_API_KEY    rubygems.org API key   (from Woodpecker secret rubygems_api_key)
+#   RUBYGEMS_OTP_SEED   base32 TOTP seed       (from Woodpecker secret rubygems_otp_seed)
+
+$LOAD_PATH.unshift File.join(__dir__, "..", "lib")
+require "rake/gem/maintenance"
+
+Rake::GemMaintenance::Repos.rubygems_api_key_env_var = "GEM_HOST_API_KEY"
+Rake::GemMaintenance::Repos.rubygems_otp_seed_env_var = "RUBYGEMS_OTP_SEED"
+
+gemspec_file = Dir["*.gemspec"].first
+abort "ERROR: No gemspec found in #{Dir.pwd}" unless gemspec_file
+
+system("gem build #{gemspec_file}") or abort "ERROR: gem build failed"
+
+gem_file = Dir["*.gem"].max_by { |f| File.mtime(f) }
+abort "ERROR: No .gem file found after build" unless gem_file
+
+puts "Publishing #{gem_file} to rubygems.org..."
+publisher = Rake::GemMaintenance::GemPublisher.new(Rake::GemMaintenance::Repos.rubygems)
+publisher.publish(gem_file)
+
+abort "ERROR: Failed to publish #{gem_file} to rubygems.org" if publisher.successful_repos.empty?
+
+puts "Published #{gem_file} successfully to: #{publisher.successful_repos.join(', ')}"