rake-gem-maintenance 0.1.5 → 0.1.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4047b2b201af066a228e897999e10c6a4e09120f339d927850b73c6139d74cfc
-  data.tar.gz: 736acd4fa8374821c1fc2cdc457cebd5b3da05c3dd6663a8a216187be6817069
+  metadata.gz: 6dc9985cb348ee5f79a3170eb6ef534b5fe8bc1aad6361be15178f883ba22767
+  data.tar.gz: e819c2d3f58a936c59fb8caf620f84e92dc68bf59cee8f592bb852c03d02de62
 SHA512:
-  metadata.gz: 0a708f6a6ac58894aae62e941a45294dfc6dbb76f71d3d88af6e8d1e254602f5b9848411bf3cc6686271b71357854f00a8644785776f28da668a3e8cf29df7ad
-  data.tar.gz: ca9cf67f6d8cb9622c218eaf338e7f6e0c9c439c9934f199c1c45de0496e60c747289a11b2b96b35060c40bab167763062c61af2fa5d326b7bdfcff06af46641
+  metadata.gz: 43b4d7dec762bcefd6cd816f4c7a8c05a5e091929937f6e329801a6d4ff211fabdac4631f449d39501807b408f0f1411dc97637519857da49911cafa5bd108f6
+  data.tar.gz: 81d529473f1404940f0cc45d1011af5d1930506f972b2485cbe190f184cd53a820cbfaa683201ec0b8ef85e63f2d50714cf337780087a94704071a5ef82d735c

data/.woodpecker/publish.yml

@@ -0,0 +1,52 @@
+# publish.yml — build and publish rake-gem-maintenance to rubygems.org
+#
+# Triggers:
+#   - push to main (auto-publish on every merge)
+#   - manual (ad-hoc publish on demand)
+#
+# Required Woodpecker secrets (org-level cbp-org):
+#   rubygems_api_key    — rubygems.org API key (set at https://ci.cbp-org.internal)
+#   rubygems_otp_seed   — base32 TOTP seed for rubygems.org 2FA (already registered)
+#   badge_service_token — write token for badge.cbp-org.internal
+
+when:
+  event: [push, manual]
+  branch: main
+
+labels:
+  platform: linux
+
+clone:
+  git:
+    image: woodpeckerci/plugin-git:2.8.0
+    settings:
+      skip_verify: true
+
+steps:
+  - name: publish-gem
+    image: ruby:4.0.2-alpine
+    backend_options:
+      docker:
+        network_mode: host
+    environment:
+      GEM_HOST_API_KEY:
+        from_secret: rubygems_api_key
+      RUBYGEMS_OTP_SEED:
+        from_secret: rubygems_otp_seed
+    commands:
+      - apk add --no-cache build-base
+      - bundle install --jobs 4 --retry 3
+      - ruby scripts/ci_publish_rubygems.rb
+
+  - name: badge
+    image: docker-registry.cbp-org.internal/badge-reporter:latest
+    when:
+      status: [success, failure]
+    backend_options:
+      docker:
+        network_mode: host
+    environment:
+      BADGE_SECRET:
+        from_secret: badge_service_token
+    commands:
+      - badge report publish

data/.woodpecker/renew_api_key.yml

@@ -0,0 +1,47 @@
+when:
+  - event: cron
+    cron: monthly-renew-api-key
+  - event: manual
+
+labels:
+  platform: linux
+
+clone:
+  git:
+    image: woodpeckerci/plugin-git:2.8.0
+    settings:
+      skip_verify: true
+
+steps:
+  - name: renew-api-key
+    image: ruby:4.0.2-alpine
+    backend_options:
+      docker:
+        network_mode: host
+    environment:
+      RUBYGEMS_USERNAME:
+        from_secret: rubygems_username
+      RUBYGEMS_PASSWORD:
+        from_secret: rubygems_password
+      RUBYGEMS_OTP_SEED:
+        from_secret: rubygems_otp_seed
+      WOODPECKER_TOKEN:
+        from_secret: woodpecker_api_token
+      WOODPECKER_SERVER: "https://ci.cbp-org.internal"
+    commands:
+      - apk add --no-cache build-base
+      - bundle install --jobs 4 --retry 3
+      - bundle exec rake upgrade:renew_api_key
+
+  - name: badge
+    image: docker-registry.cbp-org.internal/badge-reporter:latest
+    when:
+      status: [success, failure]
+    backend_options:
+      docker:
+        network_mode: host
+    environment:
+      BADGE_SECRET:
+        from_secret: badge_service_token
+    commands:
+      - badge report renew-api-key

data/.woodpecker/verify.yml

@@ -0,0 +1,38 @@
+when:
+  event: [push, pull_request, manual]
+
+labels:
+  platform: linux
+
+clone:
+  git:
+    image: woodpeckerci/plugin-git:2.8.0
+    settings:
+      skip_verify: true
+
+steps:
+  - name: verify
+    image: ruby:4.0.2-alpine
+    backend_options:
+      docker:
+        network_mode: host
+    environment:
+      CUCUMBER_PUBLISH_QUIET: "true"
+    commands:
+      - apk add --no-cache build-base
+      - mkdir -p /root/.local/share/ruby-advisory-db/gems
+      - bundle install --jobs 4 --retry 3
+      - bundle exec rake verify
+
+  - name: badge
+    image: docker-registry.cbp-org.internal/badge-reporter:latest
+    when:
+      status: [success, failure]
+    backend_options:
+      docker:
+        network_mode: host
+    environment:
+      BADGE_SECRET:
+        from_secret: badge_service_token
+    commands:
+      - badge report verify

data/CLAUDE.md

@@ -54,6 +54,20 @@ Rake::GemMaintenance::UpgradeTask.new do |t|
 end
 ```
 
+## Repository & CI Workflow
+
+**GitHub** (`github.com/cbroult/rake-gem-maintenance`) is the canonical source.
+**Forgejo** (`git.cbp-org.internal/forgejo-admin/rake-gem-maintenance`) is a read-only pull mirror.
+
+- All pull requests go on **GitHub only**. Never open PRs on Forgejo.
+- Forgejo mirrors GitHub automatically every 10 minutes — never push to the `forgejo` remote manually.
+- **Woodpecker CI** (`ci.cbp-org.internal`) watches Forgejo and runs verify/publish/renew pipelines.
+- Local clone only needs the `origin` (GitHub) remote. Remove `forgejo` if present: `git remote remove forgejo`.
+
+## Code Style
+
+- Never add `# rubocop:disable` comments without explicit user permission.
+
 ## Commit Conventions
 
 - Use conventional commit format: `type(scope): subject`

data/Gemfile.lock

@@ -1,18 +1,20 @@
 PATH
   remote: .
   specs:
-    rake-gem-maintenance (0.1.5)
+    rake-gem-maintenance (0.1.6)
       bundler-audit
       gem-release
       rake
+      rotp
 
 GEM
   remote: https://rubygems.org/
   specs:
-    aruba (2.3.3)
+    aruba (2.4.0)
       bundler (>= 1.17)
       contracts (>= 0.16.0, < 0.18.0)
-      cucumber (>= 8.0, < 11.0)
+      cucumber (>= 8.0, < 12.0)
+      irb (~> 1.16)
       rspec-expectations (>= 3.4, < 5.0)
       thor (~> 1.0)
     ast (2.4.3)
@@ -24,18 +26,18 @@ GEM
       thor (~> 1.0)
     coderay (1.1.3)
     contracts (0.17.3)
-    cucumber (10.2.0)
+    cucumber (11.0.0)
       base64 (~> 0.2)
       builder (~> 3.2)
       cucumber-ci-environment (> 9, < 12)
-      cucumber-core (> 15, < 17)
+      cucumber-core (>= 16.2.0, < 17)
       cucumber-cucumber-expressions (> 17, < 20)
-      cucumber-html-formatter (> 21, < 23)
+      cucumber-html-formatter (> 21, < 24)
       diff-lcs (~> 1.5)
       logger (~> 1.6)
       mini_mime (~> 1.1)
       multi_test (~> 1.1)
-      sys-uname (~> 1.3)
+      sys-uname (~> 1.5)
     cucumber-ci-environment (11.0.0)
     cucumber-core (16.2.0)
       cucumber-gherkin (> 36, < 40)
@@ -43,16 +45,15 @@ GEM
       cucumber-tag-expressions (> 6, < 9)
     cucumber-cucumber-expressions (19.0.0)
       bigdecimal
-    cucumber-gherkin (39.0.0)
+    cucumber-gherkin (39.1.0)
       cucumber-messages (>= 31, < 33)
-    cucumber-html-formatter (22.3.0)
+    cucumber-html-formatter (23.1.0)
       cucumber-messages (> 23, < 33)
     cucumber-messages (32.3.1)
     cucumber-tag-expressions (8.1.0)
     date (3.5.1)
     diff-lcs (1.6.2)
     erb (6.0.4)
-    ffi (1.17.4-x64-mingw-ucrt)
     ffi (1.17.4-x86_64-linux-gnu)
     formatador (1.2.3)
       reline
@@ -83,7 +84,12 @@ GEM
       guard (~> 2.0)
       rubocop (< 2.0)
     io-console (0.8.2)
-    json (2.19.4)
+    irb (1.18.0)
+      pp (>= 0.6.0)
+      prism (>= 1.3.0)
+      rdoc (>= 4.0.0)
+      reline (>= 0.4.2)
+    json (2.19.5)
     language_server-protocol (3.17.0.5)
     lint_roller (1.1.0)
     listen (3.10.0)
@@ -105,6 +111,9 @@ GEM
     parser (3.3.11.1)
       ast (~> 2.4.1)
       racc
+    pp (0.6.3)
+      prettyprint
+    prettyprint (0.2.0)
     prism (1.9.0)
     pry (0.16.0)
       coderay (~> 1.1)
@@ -126,6 +135,7 @@ GEM
     regexp_parser (2.12.0)
     reline (0.6.3)
       io-console (~> 0.5)
+    rotp (6.3.0)
     rspec (3.13.2)
       rspec-core (~> 3.13.0)
       rspec-expectations (~> 3.13.0)
@@ -139,7 +149,7 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
     rspec-support (3.13.7)
-    rubocop (1.86.1)
+    rubocop (1.86.2)
       json (~> 2.3)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.1.0)
@@ -165,19 +175,13 @@ GEM
     sys-uname (1.5.1)
       ffi (~> 1.1)
       memoist3 (~> 1.0.0)
-    sys-uname (1.5.1-universal-mingw32)
-      ffi (~> 1.1)
-      memoist3 (~> 1.0.0)
-      win32ole
     thor (1.5.0)
     tsort (0.2.0)
     unicode-display_width (3.2.0)
       unicode-emoji (~> 4.1)
     unicode-emoji (4.2.0)
-    win32ole (1.9.3)
 
 PLATFORMS
-  x64-mingw-ucrt
   x86_64-linux
 
 DEPENDENCIES
@@ -197,7 +201,7 @@ DEPENDENCIES
   rubocop-rspec
 
 CHECKSUMS
-  aruba (2.3.3) sha256=837a2f023368a75a38ad9be227e9738ab9af7df3b3f35afd8fb5fc5f7a93f1d4
+  aruba (2.4.0) sha256=92bb696efb06b1aa1dc3ff8b13ca71cd727e59d27572f9264216b9722b558299
   ast (2.4.3) sha256=954615157c1d6a382bc27d690d973195e79db7f55e9765ac7c481c60bdb4d383
   base64 (0.3.0) sha256=27337aeabad6ffae05c265c450490628ef3ebd4b67be58257393227588f5a97b
   bigdecimal (4.1.2) sha256=53d217666027eab4280346fba98e7d5b66baaae1b9c3c1c0ffe89d48188a3fbd
@@ -205,18 +209,17 @@ CHECKSUMS
   bundler-audit (0.9.3) sha256=81c8766c71e47d0d28a0f98c7eed028539f21a6ea3cd8f685eb6f42333c9b4e9
   coderay (1.1.3) sha256=dc530018a4684512f8f38143cd2a096c9f02a1fc2459edcfe534787a7fc77d4b
   contracts (0.17.3) sha256=e72e626413ea47099becb7b5683beb1c2ea902c69f5bad55c9258fe2b48314d7
-  cucumber (10.2.0) sha256=fdedbd31ecf40858b60f04853f2aa15c44f5c30bbac29c6a227fa1e7005a8158
+  cucumber (11.0.0) sha256=14bb964cc172999e9010fece2fad9f104044b055b3199230091894637a2a784c
   cucumber-ci-environment (11.0.0) sha256=0df79a9e1d0b015b3d9def680f989200d96fef206f4d19ccf86a338c4f71d1e2
   cucumber-core (16.2.0) sha256=592b58a95cf42feef8e5a349f68e363784ba3b6568ffbcf6776e38e136cf970b
   cucumber-cucumber-expressions (19.0.0) sha256=33208ff204732ac9bed42b46993a0a243054f71ece08579d57e53df6a1c9d93a
-  cucumber-gherkin (39.0.0) sha256=46f51d87e910f41c3c5cee3b500028ca2b2e7149a413a8280b9a58cee2593e55
-  cucumber-html-formatter (22.3.0) sha256=f9768ed05588dbd73a5f3824c2cc648bd86b00206e6972d743af8051281d0729
+  cucumber-gherkin (39.1.0) sha256=aed12a0c955d8563d80a012633c1a72075525f4d64d4cc983001df2181b379ed
+  cucumber-html-formatter (23.1.0) sha256=7789b4a792c876394b9604aeb66aa5cf4c61514473b7e712c76d5eaedcdd8cdf
   cucumber-messages (32.3.1) sha256=ddc88e4c1cf7afb96c06005b92a4a6f221a2fa435a8b4ca04677d215fd82771c
   cucumber-tag-expressions (8.1.0) sha256=9bd8c4b6654f8e5bf2a9c99329b6f32136a75e50cd39d4cfb3927d0fa9f52e21
   date (3.5.1) sha256=750d06384d7b9c15d562c76291407d89e368dda4d4fff957eb94962d325a0dc0
   diff-lcs (1.6.2) sha256=9ae0d2cba7d4df3075fe8cd8602a8604993efc0dfa934cff568969efb1909962
   erb (6.0.4) sha256=38e3803694be357fe2bfe312487c74beaf9fb4e5beb3e22498952fe1645b95d9
-  ffi (1.17.4-x64-mingw-ucrt) sha256=f6ff9618cfccc494138bddade27aa06c74c6c7bc367a1ea1103d80c2fcb9ed35
   ffi (1.17.4-x86_64-linux-gnu) sha256=9d3db14c2eae074b382fa9c083fe95aec6e0a1451da249eab096c34002bc752d
   formatador (1.2.3) sha256=19fa898133c2c26cdbb5d09f6998c1e137ad9427a046663e55adfe18b950d894
   gem-release (2.2.4) sha256=2f11124c1580c811507c3b47e875e420cf3ed792a98105b49df11971e6e94db3
@@ -227,7 +230,8 @@ CHECKSUMS
   guard-rspec (4.7.3) sha256=a47ba03cbd1e3c71e6ae8645cea97e203098a248aede507461a43e906e2f75ca
   guard-rubocop (1.5.0) sha256=3041d796dcb5ee31e352de74732250826f5f235b4ff48df9dbf424a6dc736251
   io-console (0.8.2) sha256=d6e3ae7a7cc7574f4b8893b4fca2162e57a825b223a177b7afa236c5ef9814cc
-  json (2.19.4) sha256=670a7d333fb3b18ca5b29cb255eb7bef099e40d88c02c80bd42a3f30fe5239ac
+  irb (1.18.0) sha256=de9454a0703a54704b9811a5ef31a60c86949fbf4013fcf244fabc7c775248e3
+  json (2.19.5) sha256=218a18553e4801d579ca7e0f5bc72bafd776d7397238a1fb4e74db5b0a812c59
   language_server-protocol (3.17.0.5) sha256=fd1e39a51a28bf3eec959379985a72e296e9f9acfce46f6a79d31ca8760803cc
   lint_roller (1.1.0) sha256=2c0c845b632a7d172cb849cc90c1bce937a28c5c8ccccb50dfd46a485003cc87
   listen (3.10.0) sha256=c6e182db62143aeccc2e1960033bebe7445309c7272061979bb098d03760c9d2
@@ -242,24 +246,27 @@ CHECKSUMS
   ostruct (0.6.3) sha256=95a2ed4a4bd1d190784e666b47b2d3f078e4a9efda2fccf18f84ddc6538ed912
   parallel (2.1.0) sha256=b35258865c2e31134c5ecb708beaaf6772adf9d5efae28e93e99260877b09356
   parser (3.3.11.1) sha256=d17ace7aabe3e72c3cc94043714be27cc6f852f104d81aa284c2281aecc65d54
+  pp (0.6.3) sha256=2951d514450b93ccfeb1df7d021cae0da16e0a7f95ee1e2273719669d0ab9df6
+  prettyprint (0.2.0) sha256=2bc9e15581a94742064a3cc8b0fb9d45aae3d03a1baa6ef80922627a0766f193
   prism (1.9.0) sha256=7b530c6a9f92c24300014919c9dcbc055bf4cdf51ec30aed099b06cd6674ef85
   pry (0.16.0) sha256=d76c69065698ed1f85e717bd33d7942c38a50868f6b0673c636192b3d1b6054e
   psych (5.3.1) sha256=eb7a57cef10c9d70173ff74e739d843ac3b2c019a003de48447b2963d81b1974
   racc (1.8.1) sha256=4a7f6929691dbec8b5209a0b373bc2614882b55fc5d2e447a21aaa691303d62f
   rainbow (3.1.1) sha256=039491aa3a89f42efa1d6dec2fc4e62ede96eb6acd95e52f1ad581182b79bc6a
   rake (13.4.2) sha256=cb825b2bd5f1f8e91ca37bddb4b9aaf345551b4731da62949be002fa89283701
-  rake-gem-maintenance (0.1.5)
+  rake-gem-maintenance (0.1.6)
   rb-fsevent (0.11.2) sha256=43900b972e7301d6570f64b850a5aa67833ee7d87b458ee92805d56b7318aefe
   rb-inotify (0.11.1) sha256=a0a700441239b0ff18eb65e3866236cd78613d6b9f78fea1f9ac47a85e47be6e
   rdoc (7.2.0) sha256=8650f76cd4009c3b54955eb5d7e3a075c60a57276766ebf36f9085e8c9f23192
   regexp_parser (2.12.0) sha256=35a916a1d63190ab5c9009457136ae5f3c0c7512d60291d0d1378ba18ce08ebb
   reline (0.6.3) sha256=1198b04973565b36ec0f11542ab3f5cfeeec34823f4e54cebde90968092b1835
+  rotp (6.3.0) sha256=75d40087e65ed0d8022c33055a6306c1c400d1c12261932533b5d6cbcd868854
   rspec (3.13.2) sha256=206284a08ad798e61f86d7ca3e376718d52c0bc944626b2349266f239f820587
   rspec-core (3.13.6) sha256=a8823c6411667b60a8bca135364351dda34cd55e44ff94c4be4633b37d828b2d
   rspec-expectations (3.13.5) sha256=33a4d3a1d95060aea4c94e9f237030a8f9eae5615e9bd85718fe3a09e4b58836
   rspec-mocks (3.13.8) sha256=086ad3d3d17533f4237643de0b5c42f04b66348c28bf6b9c2d3f4a3b01af1d47
   rspec-support (3.13.7) sha256=0640e5570872aafefd79867901deeeeb40b0c9875a36b983d85f54fb7381c47c
-  rubocop (1.86.1) sha256=44415f3f01d01a21e01132248d2fd0867572475b566ca188a0a42133a08d4531
+  rubocop (1.86.2) sha256=bb2e97f635eda42c448f2588f4a6ff78f221b8bdfdf65b1e9b07fbd57521b45d
   rubocop-ast (1.49.1) sha256=4412f3ee70f6fe4546cc489548e0f6fcf76cafcfa80fa03af67098ffed755035
   rubocop-rake (0.7.1) sha256=3797f2b6810c3e9df7376c26d5f44f3475eda59eb1adc38e6f62ecf027cbae4d
   rubocop-rspec (3.9.0) sha256=8fa70a3619408237d789aeecfb9beef40576acc855173e60939d63332fdb55e2
@@ -267,12 +274,10 @@ CHECKSUMS
   shellany (0.0.1) sha256=0e127a9132698766d7e752e82cdac8250b6adbd09e6c0a7fbbb6f61964fedee7
   stringio (3.2.0) sha256=c37cb2e58b4ffbd33fe5cd948c05934af997b36e0b6ca6fdf43afa234cf222e1
   sys-uname (1.5.1) sha256=784d7e6491b0393c25cbbe5ac38324ac7be9fda083a6094832648af669386d7b
-  sys-uname (1.5.1-universal-mingw32) sha256=aceb618e3276da5eae0ce368e9f6fae8c1f3e9ef23a0595cb88db7b6ecd45f62
   thor (1.5.0) sha256=e3a9e55fe857e44859ce104a84675ab6e8cd59c650a49106a05f55f136425e73
   tsort (0.2.0) sha256=9650a793f6859a43b6641671278f79cfead60ac714148aabe4e3f0060480089f
   unicode-display_width (3.2.0) sha256=0cdd96b5681a5949cdbc2c55e7b420facae74c4aaf9a9815eee1087cb1853c42
   unicode-emoji (4.2.0) sha256=519e69150f75652e40bf736106cfbc8f0f73aa3fb6a65afe62fefa7f80b0f80f
-  win32ole (1.9.3) sha256=01f43dc5dc13806e6e58204f538b4a28f3d85968ea89074abc9a3cd118e94d96
 
 BUNDLED WITH
   4.0.4

data/README.md

@@ -46,6 +46,81 @@ Rake::GemMaintenance::VersionBumpTask.new do |t|
 end
 ```
 
+## Automated Publishing to rubygems.org
+
+Set two environment variables and `gem push` runs fully unattended — including TOTP 2FA code
+generation if your rubygems.org account has MFA enabled.
+
+| Env var | Purpose |
+|---|---|
+| `GEM_HOST_API_KEY` | rubygems.org API key (scoped to push) |
+| `RUBYGEMS_OTP_SEED` | Base32 TOTP seed — auto-generates the 2FA code; omit if MFA is disabled |
+
+### Quick setup
+
+`require "rake/gem_maintenance/install_tasks"` pre-configures both env var names automatically —
+no extra Ruby needed. See [features/install_tasks.feature](features/install_tasks.feature) for
+the full workflow.
+
+### Custom env var names
+
+```ruby
+require "rake/gem/maintenance"
+
+Rake::GemMaintenance::Repos.rubygems_api_key_env_var  = "MY_RUBYGEMS_KEY"
+Rake::GemMaintenance::Repos.rubygems_otp_seed_env_var = "MY_OTP_SEED"
+
+Rake::GemMaintenance::UpgradeTask.new
+```
+
+See [features/upgrade_task/repos_configuration.feature](features/upgrade_task/repos_configuration.feature)
+for all configuration options including geminabox and dual publishing.
+
+### Local credential store
+
+After the first successful `upgrade:renew_api_key` run, the API key and OTP seed are saved to:
+
+```
+~/.config/rake-gem-maintenance/credentials.yml   # Linux / Mac  (respects $XDG_CONFIG_HOME)
+%APPDATA%\rake-gem-maintenance\credentials.yml   # Windows
+```
+
+The file is created with `0600` permissions (owner-read-only on Unix). It stores `username`,
+`gem_host_api_key`, and `rubygems_otp_seed` — **never the password**. Any project using
+`require "rake/gem_maintenance/install_tasks"` automatically loads the key and OTP seed from
+this file at startup, so `gem push` works without any manual env-var setup.
+
+See [features/upgrade_task/credential_store.feature](features/upgrade_task/credential_store.feature)
+for the full behaviour specification.
+
+### API key renewal
+
+API keys can be rotated in two ways:
+
+**Automatic** — when `gem push` returns a 401/403, the publisher transparently obtains a new
+key using `RUBYGEMS_USERNAME` + `RUBYGEMS_PASSWORD` (+ TOTP from `RUBYGEMS_OTP_SEED` if MFA is
+enabled), then retries the push once. No intervention needed.
+
+**On-demand** — run the task explicitly to rotate ahead of expiry:
+
+```bash
+rake upgrade:renew_api_key
+```
+
+Locally this prompts for credentials interactively. In CI, supply all three env vars for
+unattended operation:
+
+| Env var | Purpose |
+|---|---|
+| `RUBYGEMS_USERNAME` | rubygems.org account username or email |
+| `RUBYGEMS_PASSWORD` | rubygems.org account password |
+| `RUBYGEMS_OTP_SEED` | Same TOTP seed as above — reused here to authenticate the key-creation request |
+
+The new key is written back to the `GEM_HOST_API_KEY` CI secret automatically (requires
+`WOODPECKER_TOKEN` and `WOODPECKER_SERVER` when running under Woodpecker CI).
+
+See [features/upgrade_task/renew_api_key.feature](features/upgrade_task/renew_api_key.feature).
+
 ## License
 
 The gem is available as open source under the terms of the [MIT License](LICENSE.txt).

data/lib/rake/gem/maintenance/api_key_renewer.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module Rake
+  module GemMaintenance
+    # Renews a rubygems.org API key using credentials from env vars and
+    # persists the new key to Woodpecker CI when server details are available.
+    class ApiKeyRenewer
+      def initialize(otp_provider:,
+                     username_env_var: "RUBYGEMS_USERNAME",
+                     password_env_var: "RUBYGEMS_PASSWORD")
+        @otp_provider = otp_provider
+        @username_env_var = username_env_var
+        @password_env_var = password_env_var
+      end
+
+      def renew(repository)
+        username = env_credential(@username_env_var)
+        password = env_credential(@password_env_var)
+        return nil if username.nil? || password.nil?
+
+        otp = @otp_provider.otp_for(repository[:name], otp_seed_env_var: repository[:otp_seed_env_var])
+        new_key = RubyGemsApiKeyCreator.new(host: repository.fetch(:url, "https://rubygems.org"))
+                                       .create(username, password, otp: otp)
+        persist_to_woodpecker(new_key)
+        new_key
+      rescue StandardError
+        nil
+      end
+
+      private
+
+      def env_credential(var)
+        value = ENV.fetch(var, nil)
+        value&.empty? ? nil : value
+      end
+
+      def persist_to_woodpecker(new_key)
+        server = ENV.fetch("WOODPECKER_SERVER", nil)
+        token = ENV.fetch("WOODPECKER_TOKEN", nil)
+        return unless server && token
+
+        org = ENV.fetch("WOODPECKER_ORG", "cbp-org")
+        WoodpeckerSecretStore.new(server: server, org: org, token: token)
+                             .store("rubygems_api_key", new_key)
+      end
+    end
+  end
+end

data/lib/rake/gem/maintenance/ci_environment.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module Rake
+  module GemMaintenance
+    # Detects whether the current process is running inside a CI environment.
+    module CIEnvironment
+      def self.ci?
+        ENV["CI"].to_s != ""
+      end
+    end
+  end
+end

data/lib/rake/gem/maintenance/credential_store.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+require "yaml"
+require "fileutils"
+require "rubygems"
+
+module Rake
+  module GemMaintenance
+    # Persists rubygems.org credentials (username, API key, OTP seed) to a local config file.
+    class CredentialStore
+      def self.default_path
+        base = if Gem.win_platform?
+                 ENV.fetch("APPDATA", File.expand_path("~"))
+               else
+                 ENV.fetch("XDG_CONFIG_HOME", File.join(Dir.home, ".config"))
+               end
+        File.join(base, "rake-gem-maintenance", "credentials.yml")
+      end
+
+      def initialize(path: self.class.default_path)
+        @path = path
+      end
+
+      attr_reader :path
+
+      def read
+        return {} unless File.exist?(@path)
+
+        YAML.safe_load_file(@path, symbolize_names: true) || {}
+      rescue StandardError
+        {}
+      end
+
+      def write(credentials)
+        FileUtils.mkdir_p(File.dirname(@path))
+        File.write(@path, credentials.transform_keys(&:to_s).to_yaml)
+        File.chmod(0o600, @path) unless Gem.win_platform?
+      end
+
+      def apply_to_env(username_env_var:, api_key_env_var:)
+        creds = read
+        set_env_if_absent(username_env_var, creds[:username])
+        set_env_if_absent("RUBYGEMS_OTP_SEED", creds[:rubygems_otp_seed])
+        set_env_if_absent(api_key_env_var, creds[:gem_host_api_key])
+      end
+
+      def update(username:, api_key:, api_key_env_var:)
+        otp_seed = ENV.fetch("RUBYGEMS_OTP_SEED", nil)
+        updated = read.merge(username: username, gem_host_api_key: api_key)
+        updated[:rubygems_otp_seed] = otp_seed if otp_seed && !otp_seed.empty?
+        write(updated)
+        ENV[api_key_env_var] = api_key
+      end
+
+      private
+
+      def set_env_if_absent(env_var, value)
+        return unless value && !value.empty?
+        return if (existing = ENV.fetch(env_var, nil)) && !existing.empty?
+
+        ENV[env_var] = value
+      end
+    end
+  end
+end

data/lib/rake/gem/maintenance/gem_publisher.rb

@@ -9,8 +9,12 @@ module Rake
     class GemPublisher
       attr_reader :repositories, :warnings, :failed_repositories, :successful_repos
 
-      def initialize(repositories = default_repositories)
+      def initialize(repositories = default_repositories,
+                     otp_provider: OtpProvider.new,
+                     ci_environment: CIEnvironment)
         @repositories = repositories
+        @otp_provider = otp_provider
+        @ci_environment = ci_environment
         @warnings = []
         @failed_pushes = []
         @failed_repositories = []
@@ -76,16 +80,23 @@ module Rake
       end
 
       def push(gem_file, repository:)
-        cmd = "gem push #{gem_file} --host #{repository[:url]}"
-        result = system(cmd)
-        if result
-          @published_files << gem_file
-          @successful_repos << repository[:name]
-        end
+        result = GemPush.new(gem_file, repository, @otp_provider).attempt
+        return record_success(gem_file, repository) if result.success
+
+        record_push_failure(repository, result.error)
       rescue StandardError => e
         @failed_pushes << { repository: repository[:name], error: e.message }
       end
 
+      def record_success(gem_file, repository)
+        @published_files << gem_file
+        @successful_repos << repository[:name]
+      end
+
+      def record_push_failure(repository, message)
+        @failed_pushes << { repository: repository[:name], error: message.strip }
+      end
+
       def version_exists_on_all_repos?(gem_name, version)
         repositories.all? do |repo|
           versions_on_repository(gem_name, repo).include?(version.to_s)

data/lib/rake/gem/maintenance/gem_push.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require "open3"
+
+module Rake
+  module GemMaintenance
+    # Pushes a single gem file to one repository, retrying with a renewed API key on auth failure.
+    class GemPush
+      Result = Struct.new(:success, :error)
+
+      def initialize(gem_file, repository, otp_provider)
+        @gem_file = gem_file
+        @repository = repository
+        @otp_provider = otp_provider
+      end
+
+      def attempt
+        out_err, status = Open3.capture2e(env, command)
+        return Result.new(true, nil) if status.success?
+        return retry_with_renewed_key if auth_failure?(out_err)
+
+        Result.new(false, out_err)
+      end
+
+      private
+
+      def command
+        cmd = "gem push #{@gem_file} --host #{@repository[:url]}"
+        otp = @otp_provider.otp_for(@repository[:name], otp_seed_env_var: @repository[:otp_seed_env_var])
+        cmd += " --otp #{otp}" if otp
+        cmd
+      end
+
+      def env
+        env_var = @repository[:api_key_env_var]
+        return {} unless env_var
+
+        key = ENV.fetch(env_var, nil)
+        return {} if key.nil? || key.empty?
+
+        { "GEM_HOST_API_KEY" => key }
+      end
+
+      def auth_failure?(output)
+        output.match?(/unauthorized|api.key|forbidden/i) ||
+          output.include?("401") || output.include?("403")
+      end
+
+      def retry_with_renewed_key
+        new_key = ApiKeyRenewer.new(otp_provider: @otp_provider).renew(@repository)
+        return Result.new(false, "Auth failed and renewal credentials unavailable.") unless new_key
+
+        _out_err, status = Open3.capture2e(env.merge("GEM_HOST_API_KEY" => new_key), command)
+        if status.success?
+          Result.new(true, nil)
+        else
+          Result.new(false, "Push failed after key renewal.")
+        end
+      end
+    end
+  end
+end

data/lib/rake/gem/maintenance/install_tasks.rb

@@ -2,5 +2,13 @@
 
 require_relative "../maintenance"
 
+Rake::GemMaintenance::Repos.rubygems_api_key_env_var = "GEM_HOST_API_KEY"
+Rake::GemMaintenance::Repos.rubygems_otp_seed_env_var = "RUBYGEMS_OTP_SEED"
+
 Rake::GemMaintenance::UpgradeTask.new
 Rake::GemMaintenance::VersionBumpTask.new
+
+Rake::GemMaintenance::CredentialStore.new.apply_to_env(
+  username_env_var: "RUBYGEMS_USERNAME",
+  api_key_env_var: "GEM_HOST_API_KEY"
+)

data/lib/rake/gem/maintenance/otp_provider.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module Rake
+  module GemMaintenance
+    # Resolves a 2FA OTP code for gem push, either from the environment or interactively.
+    # Resolution order for otp_for:
+    #   1. RUBYGEMS_OTP env var set → use raw code (works in CI and locally)
+    #   2. otp_seed_env_var provided and env var set → generate TOTP code (works in CI and locally)
+    #   3. CI environment → nil (gate only interactive prompt)
+    #   4. Interactive prompt
+    class OtpProvider
+      def initialize(ci_environment: CIEnvironment, input: $stdin)
+        @ci_environment = ci_environment
+        @input = input
+      end
+
+      def otp_for(repository_name, otp_seed_env_var: nil)
+        env_otp = ENV.fetch("RUBYGEMS_OTP", nil)
+        return env_otp if env_otp && !env_otp.empty?
+
+        if otp_seed_env_var
+          seed = ENV.fetch(otp_seed_env_var, nil)
+          return generate_totp(seed) if seed && !seed.empty?
+        end
+
+        return nil if @ci_environment.ci?
+
+        prompt_for_otp(repository_name)
+      end
+
+      private
+
+      def generate_totp(seed)
+        require "rotp"
+        ::ROTP::TOTP.new(seed).now
+      end
+
+      def prompt_for_otp(repository_name)
+        print "Enter OTP for #{repository_name} (blank to skip): "
+        value = @input.gets&.chomp
+        value&.empty? ? nil : value
+      end
+    end
+  end
+end

data/lib/rake/gem/maintenance/renew_api_key_task.rb

@@ -0,0 +1,139 @@
+# frozen_string_literal: true
+
+require "rake"
+require "rake/tasklib"
+require_relative "credential_store"
+
+module Rake
+  module GemMaintenance
+    # Generates a new rubygems.org API key via the rubygems.org API and stores
+    # it in a Woodpecker CI org-level secret. Intended for local developer use only.
+    #
+    # Creates: <namespace>:renew_api_key
+    #
+    # Reads WOODPECKER_SERVER and WOODPECKER_TOKEN (or ~/.config/woodpecker/token)
+    # from the environment.
+    class RenewApiKeyTask < ::Rake::TaskLib
+      attr_accessor :namespace_name, :host, :api_key_env_var, :ci_environment,
+                    :woodpecker_server, :woodpecker_org, :woodpecker_secret_name,
+                    :username_env_var, :password_env_var, :credential_store
+
+      def initialize(namespace_name = :upgrade)
+        super()
+        apply_defaults(namespace_name)
+        define_tasks
+      end
+
+      private
+
+      def apply_defaults(namespace_name)
+        @namespace_name = namespace_name
+        @host = "https://rubygems.org"
+        @api_key_env_var = "GEM_HOST_API_KEY"
+        @ci_environment = CIEnvironment
+        @woodpecker_server = ENV.fetch("WOODPECKER_SERVER", nil)
+        @woodpecker_org = ENV.fetch("WOODPECKER_ORG", "cbp-org")
+        @woodpecker_secret_name = "rubygems_api_key"
+        @username_env_var = "RUBYGEMS_USERNAME"
+        @password_env_var = "RUBYGEMS_PASSWORD"
+        @credential_store = CredentialStore.new
+      end
+
+      def define_tasks
+        task_instance = self
+        namespace namespace_name do
+          desc "Generate a new rubygems.org API key and store it in Woodpecker CI"
+          task(:renew_api_key) { task_instance.send(:run_renewal) }
+        end
+      end
+
+      def run_renewal
+        credential_store.apply_to_env(username_env_var: username_env_var, api_key_env_var: api_key_env_var)
+        abort_if_ci
+        username, password = prompt_credentials
+        prompt_otp_seed_if_missing
+        api_key = generate_api_key(username, password)
+        save_and_distribute(username, api_key)
+      end
+
+      def generate_api_key(username, password)
+        otp = OtpProvider.new.otp_for("rubygems")
+        RubyGemsApiKeyCreator.new(host: host).create(username, password, otp: otp)
+      end
+
+      def save_and_distribute(username, api_key)
+        puts "\n[INFO] New API key generated."
+        credential_store.update(username: username, api_key: api_key, api_key_env_var: api_key_env_var)
+        store_in_woodpecker(api_key)
+      end
+
+      def abort_if_ci
+        return unless ci_environment.ci?
+
+        missing = [username_env_var, password_env_var].select { |v| env_credential(v).nil? }
+        return if missing.empty?
+
+        abort "[ERROR] Set #{missing.join(' and ')} CI secrets to run renewal unattended."
+      end
+
+      def prompt_otp_seed_if_missing
+        return if (seed = ENV.fetch("RUBYGEMS_OTP_SEED", nil)) && !seed.empty?
+
+        print "rubygems.org OTP seed (TOTP secret, not a code): "
+        seed = $stdin.gets&.chomp
+        ENV["RUBYGEMS_OTP_SEED"] = seed if seed && !seed.empty?
+      end
+
+      def prompt_credentials
+        username = env_credential(username_env_var) || prompt_username
+        password = env_credential(password_env_var) || read_password("rubygems.org password: ")
+        [username, password]
+      end
+
+      def env_credential(env_var)
+        value = ENV.fetch(env_var, nil)
+        value&.empty? ? nil : value
+      end
+
+      def prompt_username
+        print "rubygems.org username: "
+        value = $stdin.gets&.chomp
+        abort "[ERROR] No username provided." if value.nil? || value.empty?
+        value
+      end
+
+      def read_password(prompt)
+        require "io/console"
+        print prompt
+        password = $stdin.noecho(&:gets)&.chomp
+        puts
+        password
+      rescue LoadError
+        print prompt
+        $stdin.gets&.chomp
+      end
+
+      def store_in_woodpecker(api_key)
+        unless woodpecker_server
+          puts "[INFO] Set WOODPECKER_SERVER to auto-store the key in Woodpecker CI."
+          puts "[INFO] New API key (store as secret '#{woodpecker_secret_name}'): #{api_key}"
+          return
+        end
+
+        token = read_woodpecker_token
+        abort "[ERROR] No Woodpecker token. Set WOODPECKER_TOKEN or run woodpecker-cli setup." unless token
+
+        WoodpeckerSecretStore.new(server: woodpecker_server, org: woodpecker_org, token: token)
+                             .store(woodpecker_secret_name, api_key)
+        puts "[SUCCESS] API key stored in Woodpecker secret '#{woodpecker_secret_name}'."
+      end
+
+      def read_woodpecker_token
+        ENV.fetch("WOODPECKER_TOKEN", nil) ||
+          File.read(File.expand_path("~/.config/woodpecker/token")).strip
+      rescue Errno::ENOENT
+        nil
+      end
+    end
+  end
+end

data/lib/rake/gem/maintenance/repos.rb

@@ -14,35 +14,74 @@ module Rake
     #     t.gem_repositories = Rake::GemMaintenance::Repos.all
     #   end
     #
+    # @example Use local geminabox only
+    #   Rake::GemMaintenance::GeminaboxUpgradeTask.new
+    #
+    # @example Dual publishing: geminabox + rubygems.org
+    #   Rake::GemMaintenance::UpgradeTask.new do |t|
+    #     t.gem_repositories = Rake::GemMaintenance::Repos.geminabox +
+    #                          Rake::GemMaintenance::Repos.rubygems
+    #   end
+    #
     # @example Reconfigure internal URL
     #   Rake::GemMaintenance::Repos.internal_url = "https://my-internal-gem.example.com"
+    #
+    # @example Configure API key and TOTP seed env vars
+    #   Rake::GemMaintenance::Repos.rubygems_api_key_env_var = "GEM_HOST_API_KEY"
+    #   Rake::GemMaintenance::Repos.rubygems_otp_seed_env_var = "RUBYGEMS_OTP_SEED"
+    #   Rake::GemMaintenance::Repos.geminabox_url = "http://localhost:9292"
     module Repos
       @internal_url = "https://gems.cbp-org.internal"
       @rubygems_url = "https://rubygems.org"
+      @geminabox_url = "http://localhost:9292"
+
+      @rubygems_api_key_env_var = nil
+      @internal_api_key_env_var = nil
+      @geminabox_api_key_env_var = nil
+
+      @rubygems_otp_seed_env_var = nil
+      @internal_otp_seed_env_var = nil
+      @geminabox_otp_seed_env_var = nil
 
       class << self
-        attr_accessor :internal_url, :rubygems_url
+        attr_accessor :internal_url, :rubygems_url, :geminabox_url,
+                      :rubygems_api_key_env_var, :internal_api_key_env_var,
+                      :geminabox_api_key_env_var,
+                      :rubygems_otp_seed_env_var, :internal_otp_seed_env_var,
+                      :geminabox_otp_seed_env_var
       end
 
       # Publish only to internal repository
       # @return [Array<Hash>] repository configuration
       def self.internal
-        [{ name: "cbp-org", url: internal_url }]
+        base = { name: "cbp-org", url: internal_url }
+        base[:api_key_env_var] = internal_api_key_env_var if internal_api_key_env_var
+        base[:otp_seed_env_var] = internal_otp_seed_env_var if internal_otp_seed_env_var
+        [base]
       end
 
       # Publish to both rubygems.org and internal repository
       # @return [Array<Hash>] repository configuration
       def self.all
-        [
-          { name: "rubygems", url: rubygems_url },
-          { name: "cbp-org", url: internal_url }
-        ]
+        rubygems + internal
       end
 
       # Publish only to rubygems.org (the default)
       # @return [Array<Hash>] repository configuration
       def self.rubygems
-        [{ name: "rubygems", url: rubygems_url }]
+        base = { name: "rubygems", url: rubygems_url }
+        base[:api_key_env_var] = rubygems_api_key_env_var if rubygems_api_key_env_var
+        base[:otp_seed_env_var] = rubygems_otp_seed_env_var if rubygems_otp_seed_env_var
+        [base]
+      end
+
+      # Publish only to a local geminabox instance
+      # @return [Array<Hash>] repository configuration
+      def self.geminabox
+        base = { name: "geminabox", url: geminabox_url }
+        base[:api_key_env_var] = geminabox_api_key_env_var if geminabox_api_key_env_var
+        base[:otp_seed_env_var] = geminabox_otp_seed_env_var if geminabox_otp_seed_env_var
+        [base]
       end
 
       # Default configuration: rubygems.org only

data/lib/rake/gem/maintenance/ruby_gems_api_key_creator.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+module Rake
+  module GemMaintenance
+    # Creates a new scoped API key on rubygems.org via the v2 API.
+    # Handles OTP header injection and maps HTTP error codes to actionable messages.
+    class RubyGemsApiKeyCreator
+      def initialize(host: "https://rubygems.org")
+        @host = host
+      end
+
+      def create(username, password, otp: nil)
+        require "net/http"
+
+        request = build_request(username, password, otp)
+        response = http_client.request(request)
+        parse_response(response)
+      end
+
+      private
+
+      def build_request(username, password, otp)
+        uri = URI("#{@host}/api/v1/api_key")
+        key_name = "rake-gem-maintenance-ci-#{Time.now.strftime('%Y%m%d')}"
+        req = Net::HTTP::Post.new(uri)
+        req.basic_auth(username, password)
+        req["OTP"] = otp if otp
+        req["Content-Type"] = "application/x-www-form-urlencoded"
+        req.body = "name=#{key_name}&push_rubygem=true"
+        req
+      end
+
+      def http_client
+        uri = URI(@host)
+        http = Net::HTTP.new(uri.hostname, uri.port)
+        http.use_ssl = true
+        http
+      end
+
+      def parse_response(response)
+        case response.code.to_i
+        when 200, 201 then response.body.strip
+        when 401 then abort "[ERROR] Invalid credentials for #{@host}."
+        when 403 then abort "[ERROR] Forbidden. Check your MFA settings on #{@host}."
+        when 449 then abort "[ERROR] OTP required by #{@host}. Set RUBYGEMS_OTP_SEED and retry."
+        else abort "[ERROR] #{@host} returned #{response.code}: #{response.body.strip}"
+        end
+      end
+    end
+  end
+end

data/lib/rake/gem/maintenance/upgrade_task.rb

@@ -3,6 +3,9 @@
 require "net/http"
 require "rake"
 require "rake/tasklib"
+require_relative "ci_environment"
+require_relative "otp_provider"
+require_relative "renew_api_key_task"
 require_relative "gem_publisher"
 require_relative "repos"
 
@@ -20,6 +23,12 @@ module Rake
                     :run_bundle_audit, :auto_pipeline, :gem_repositories,
                     :gem_publisher_class, :gem_name, :gem_version
 
+      attr_writer :renew_api_key_task_class
+
+      def renew_api_key_task_class
+        @renew_api_key_task_class || RenewApiKeyTask
+      end
+
       def initialize(name = :upgrade)
         super()
         apply_default_configuration(name)
@@ -85,6 +94,7 @@ module Rake
         define_gems_task
         define_commit_task
         define_push_task
+        define_renew_api_key_task
       end
 
       def define_info_tasks
@@ -186,6 +196,10 @@ module Rake
         end
       end
 
+      def define_renew_api_key_task
+        renew_api_key_task_class.new(name)
+      end
+
       def pipeline_tasks
         return auto_pipeline if auto_pipeline
 
@@ -294,5 +308,14 @@ module Rake
         @gem_repositories = Repos.all
       end
     end
+
+    # Upgrades gems and publishes to a local geminabox instance only.
+    # Uses Repos.geminabox as default repositories.
+    class GeminaboxUpgradeTask < UpgradeTask
+      def apply_default_configuration(name)
+        super
+        @gem_repositories = Repos.geminabox
+      end
+    end
   end
 end

data/lib/rake/gem/maintenance/version.rb

@@ -2,6 +2,6 @@
 
 module Rake
   module GemMaintenance
-    VERSION = "0.1.5"
+    VERSION = "0.1.6"
   end
 end

data/lib/rake/gem/maintenance/woodpecker_secret_store.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+module Rake
+  module GemMaintenance
+    # Creates or updates an org-level secret in a Woodpecker CI server.
+    # SSL verification is disabled because Woodpecker is typically served
+    # on an internal network with a private CA.
+    class WoodpeckerSecretStore
+      def initialize(server:, org:, token:)
+        @server = server
+        @org = org
+        @token = token
+      end
+
+      def store(secret_name, value, events: %w[push tag manual])
+        org_id = find_org_id
+        abort "[ERROR] Woodpecker org '#{@org}' not found on #{@server}." unless org_id
+
+        if secret_exists?(org_id, secret_name)
+          patch("/api/orgs/#{org_id}/secrets/#{secret_name}",
+                { value: value, events: events, images: [] })
+        else
+          post("/api/orgs/#{org_id}/secrets",
+               { name: secret_name, value: value, events: events, images: [] })
+        end
+      end
+
+      private
+
+      def find_org_id
+        orgs = get("/api/orgs")
+        orgs&.find { |o| o["name"] == @org }&.fetch("id", nil)
+      end
+
+      def secret_exists?(org_id, secret_name)
+        secrets = get("/api/orgs/#{org_id}/secrets")
+        secrets&.any? { |s| s["name"] == secret_name }
+      end
+
+      def get(path)
+        require "json"
+        response = request(Net::HTTP::Get, path)
+        JSON.parse(response.body) if response.is_a?(Net::HTTPSuccess)
+      end
+
+      def post(path, body)
+        request(Net::HTTP::Post, path, body)
+      end
+
+      def patch(path, body)
+        request(Net::HTTP::Patch, path, body)
+      end
+
+      def request(klass, path, body = nil)
+        require "net/http"
+        require "json"
+        require "openssl"
+
+        uri = URI("#{@server}#{path}")
+        http.request(build_req(klass, uri, body))
+      end
+
+      def http
+        uri = URI(@server)
+        h = Net::HTTP.new(uri.hostname, uri.port)
+        h.use_ssl = (uri.scheme == "https")
+        h.verify_mode = OpenSSL::SSL::VERIFY_NONE
+        h
+      end
+
+      def build_req(klass, uri, body)
+        req = klass.new(uri)
+        req["Authorization"] = "Bearer #{@token}"
+        if body
+          req["Content-Type"] = "application/json"
+          req.body = JSON.generate(body)
+        end
+        req
+      end
+
+      def build_http(uri)
+        http = Net::HTTP.new(uri.hostname, uri.port)
+        http.use_ssl = (uri.scheme == "https")
+        http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+        http
+      end
+    end
+  end
+end

data/lib/rake/gem/maintenance.rb

@@ -2,6 +2,14 @@
 
 require_relative "maintenance/version"
 require_relative "maintenance/version_bump_task"
+require_relative "maintenance/ci_environment"
+require_relative "maintenance/credential_store"
+require_relative "maintenance/otp_provider"
+require_relative "maintenance/ruby_gems_api_key_creator"
+require_relative "maintenance/woodpecker_secret_store"
+require_relative "maintenance/api_key_renewer"
+require_relative "maintenance/renew_api_key_task"
+require_relative "maintenance/gem_push"
 require_relative "maintenance/gem_publisher"
 require_relative "maintenance/repos"
 require_relative "maintenance/upgrade_task"

data/scripts/ci_publish_rubygems.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+# ci-publish-rubygems.rb — build and push this gem to rubygems.org
+#
+# Required env:
+#   GEM_HOST_API_KEY    rubygems.org API key   (from Woodpecker secret rubygems_api_key)
+#   RUBYGEMS_OTP_SEED   base32 TOTP seed       (from Woodpecker secret rubygems_otp_seed)
+
+$LOAD_PATH.unshift File.join(__dir__, "..", "lib")
+require "rake/gem/maintenance"
+
+Rake::GemMaintenance::Repos.rubygems_api_key_env_var = "GEM_HOST_API_KEY"
+Rake::GemMaintenance::Repos.rubygems_otp_seed_env_var = "RUBYGEMS_OTP_SEED"
+
+gemspec_file = Dir["*.gemspec"].first
+abort "ERROR: No gemspec found in #{Dir.pwd}" unless gemspec_file
+
+system("gem build #{gemspec_file}") or abort "ERROR: gem build failed"
+
+gem_file = Dir["*.gem"].max_by { |f| File.mtime(f) }
+abort "ERROR: No .gem file found after build" unless gem_file
+
+puts "Publishing #{gem_file} to rubygems.org..."
+publisher = Rake::GemMaintenance::GemPublisher.new(Rake::GemMaintenance::Repos.rubygems)
+publisher.publish(gem_file)
+
+abort "ERROR: Failed to publish #{gem_file} to rubygems.org" if publisher.successful_repos.empty?
+
+puts "Published #{gem_file} successfully to: #{publisher.successful_repos.join(', ')}"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rake-gem-maintenance
 version: !ruby/object:Gem::Version
-  version: 0.1.5
+  version: 0.1.6
 platform: ruby
 authors:
 - Christophe Broult
@@ -51,6 +51,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rotp
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Provides reusable Rake::TaskLib subclasses for upgrading gem dependencies
   and bumping versions.
 email:
@@ -61,6 +75,9 @@ extra_rdoc_files: []
 files:
 - ".rspec"
 - ".rubocop.yml"
+- ".woodpecker/publish.yml"
+- ".woodpecker/renew_api_key.yml"
+- ".woodpecker/verify.yml"
 - CLAUDE.md
 - Gemfile
 - Gemfile.lock
@@ -71,13 +88,21 @@ files:
 - TODO.md
 - cucumber.yml
 - lib/rake/gem/maintenance.rb
+- lib/rake/gem/maintenance/api_key_renewer.rb
+- lib/rake/gem/maintenance/ci_environment.rb
+- lib/rake/gem/maintenance/credential_store.rb
 - lib/rake/gem/maintenance/gem_publisher.rb
+- lib/rake/gem/maintenance/gem_push.rb
 - lib/rake/gem/maintenance/install_tasks.rb
+- lib/rake/gem/maintenance/otp_provider.rb
+- lib/rake/gem/maintenance/renew_api_key_task.rb
 - lib/rake/gem/maintenance/repos.rb
+- lib/rake/gem/maintenance/ruby_gems_api_key_creator.rb
 - lib/rake/gem/maintenance/upgrade_task.rb
 - lib/rake/gem/maintenance/version.rb
 - lib/rake/gem/maintenance/version_bump_task.rb
-- rake-gem-maintenance.gemspec
+- lib/rake/gem/maintenance/woodpecker_secret_store.rb
+- scripts/ci_publish_rubygems.rb
 homepage: https://github.com/cbroult/rake-gem-maintenance
 licenses:
 - MIT

data/rake-gem-maintenance.gemspec

@@ -1,32 +0,0 @@
-# frozen_string_literal: true
-
-require_relative "lib/rake/gem/maintenance/version"
-
-Gem::Specification.new do |spec|
-  spec.name = "rake-gem-maintenance"
-  spec.version = Rake::GemMaintenance::VERSION
-  spec.authors = ["Christophe Broult"]
-  spec.email = ["cbroult@yahoo.com"]
-
-  spec.summary = "Rake tasks for gem maintenance: dependency upgrades and version bumps."
-  spec.description = "Provides reusable Rake::TaskLib subclasses for upgrading gem dependencies and bumping versions."
-  spec.homepage = "https://github.com/cbroult/rake-gem-maintenance"
-  spec.license = "MIT"
-  spec.required_ruby_version = ">= 3.3.7"
-
-  spec.metadata["allowed_push_host"] = "https://rubygems.org"
-  spec.metadata["homepage_uri"] = spec.homepage
-  spec.metadata["changelog_uri"] = File.join(spec.homepage, "Changelog")
-  spec.metadata["rubygems_mfa_required"] = "true"
-
-  spec.files = Dir.chdir(File.expand_path(__dir__)) do
-    `git ls-files -z`.split("\x0").reject do |f|
-      (f == __FILE__) || f.match(%r{\A(?:(?:test|spec|features)/|\.(?:git|travis|circleci)|appveyor)})
-    end
-  end
-  spec.require_paths = ["lib"]
-
-  spec.add_dependency "bundler-audit"
-  spec.add_dependency "gem-release"
-  spec.add_dependency "rake"
-end