rake-gem-maintenance 0.1.6 → 0.1.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6dc9985cb348ee5f79a3170eb6ef534b5fe8bc1aad6361be15178f883ba22767
-  data.tar.gz: e819c2d3f58a936c59fb8caf620f84e92dc68bf59cee8f592bb852c03d02de62
+  metadata.gz: 5b787e033da5eee96ab47d3b7aef6db19b4ba37cd00c5a6399df65382b7931cb
+  data.tar.gz: b621f3b580ade530a9da0848f65fa734f0bd5555cfb47ebed826ec91a9535727
 SHA512:
-  metadata.gz: 43b4d7dec762bcefd6cd816f4c7a8c05a5e091929937f6e329801a6d4ff211fabdac4631f449d39501807b408f0f1411dc97637519857da49911cafa5bd108f6
-  data.tar.gz: 81d529473f1404940f0cc45d1011af5d1930506f972b2485cbe190f184cd53a820cbfaa683201ec0b8ef85e63f2d50714cf337780087a94704071a5ef82d735c
+  metadata.gz: ccdac7428f63ab9a174667221f0071099784643d2a0087190fac484265cf8e54424c9f6b999778b5d00a5e1443f7f3eea307be8aa90599989d72d51aedac2487
+  data.tar.gz: 64c1c90ac23717da73b24edcb6b6753fd6f2fc5c6b1b0b1f090c43d5502c5f21ab549fee8bc3847ab705f335fc787d49732b9b5ccf2c9b198672576746fdde90

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    rake-gem-maintenance (0.1.6)
+    rake-gem-maintenance (0.1.7)
       bundler-audit
       gem-release
       rake
@@ -254,7 +254,7 @@ CHECKSUMS
   racc (1.8.1) sha256=4a7f6929691dbec8b5209a0b373bc2614882b55fc5d2e447a21aaa691303d62f
   rainbow (3.1.1) sha256=039491aa3a89f42efa1d6dec2fc4e62ede96eb6acd95e52f1ad581182b79bc6a
   rake (13.4.2) sha256=cb825b2bd5f1f8e91ca37bddb4b9aaf345551b4731da62949be002fa89283701
-  rake-gem-maintenance (0.1.6)
+  rake-gem-maintenance (0.1.7)
   rb-fsevent (0.11.2) sha256=43900b972e7301d6570f64b850a5aa67833ee7d87b458ee92805d56b7318aefe
   rb-inotify (0.11.1) sha256=a0a700441239b0ff18eb65e3866236cd78613d6b9f78fea1f9ac47a85e47be6e
   rdoc (7.2.0) sha256=8650f76cd4009c3b54955eb5d7e3a075c60a57276766ebf36f9085e8c9f23192

data/README.md

@@ -48,78 +48,72 @@ end
 
 ## Automated Publishing to rubygems.org
 
-Set two environment variables and `gem push` runs fully unattended — including TOTP 2FA code
-generation if your rubygems.org account has MFA enabled.
+### Step 1 — First-time setup (one-off, interactive)
 
-| Env var | Purpose |
-|---|---|
-| `GEM_HOST_API_KEY` | rubygems.org API key (scoped to push) |
-| `RUBYGEMS_OTP_SEED` | Base32 TOTP seed — auto-generates the 2FA code; omit if MFA is disabled |
-
-### Quick setup
-
-`require "rake/gem_maintenance/install_tasks"` pre-configures both env var names automatically —
-no extra Ruby needed. See [features/install_tasks.feature](features/install_tasks.feature) for
-the full workflow.
-
-### Custom env var names
-
-```ruby
-require "rake/gem/maintenance"
-
-Rake::GemMaintenance::Repos.rubygems_api_key_env_var  = "MY_RUBYGEMS_KEY"
-Rake::GemMaintenance::Repos.rubygems_otp_seed_env_var = "MY_OTP_SEED"
+Run the renewal task once on your local machine:
 
-Rake::GemMaintenance::UpgradeTask.new
+```bash
+rake upgrade:renew_api_key
 ```
 
-See [features/upgrade_task/repos_configuration.feature](features/upgrade_task/repos_configuration.feature)
-for all configuration options including geminabox and dual publishing.
+It will prompt for three things:
 
-### Local credential store
+| Prompt | What to enter |
+|---|---|
+| username | Your rubygems.org username or email |
+| password | Your rubygems.org password (never stored) |
+| OTP seed | The **base32 secret** from your authenticator app setup — the long code shown when you first enabled MFA, *not* the rotating 6-digit code. Omit (press Enter) if MFA is disabled. |
 
-After the first successful `upgrade:renew_api_key` run, the API key and OTP seed are saved to:
+After answering, the task generates a scoped API key and saves it locally alongside your
+username and OTP seed:
 
 ```
 ~/.config/rake-gem-maintenance/credentials.yml   # Linux / Mac  (respects $XDG_CONFIG_HOME)
 %APPDATA%\rake-gem-maintenance\credentials.yml   # Windows
 ```
 
-The file is created with `0600` permissions (owner-read-only on Unix). It stores `username`,
-`gem_host_api_key`, and `rubygems_otp_seed` — **never the password**. Any project using
-`require "rake/gem_maintenance/install_tasks"` automatically loads the key and OTP seed from
-this file at startup, so `gem push` works without any manual env-var setup.
+The file is `0600` (owner-read-only on Unix). The **password is never written to disk**.
+
+### Step 2 — All future local runs are automatic
+
+Any project using `require "rake/gem_maintenance/install_tasks"` automatically reads the
+credential file at startup and sets `GEM_HOST_API_KEY` and `RUBYGEMS_OTP_SEED` in the process
+environment. Running `rake upgrade` needs no manual credential setup from this point on.
 
 See [features/upgrade_task/credential_store.feature](features/upgrade_task/credential_store.feature)
 for the full behaviour specification.
 
-### API key renewal
+### Step 3 — CI setup (Woodpecker / GitHub Actions)
 
-API keys can be rotated in two ways:
+Set the following as CI secrets:
 
-**Automatic** — when `gem push` returns a 401/403, the publisher transparently obtains a new
-key using `RUBYGEMS_USERNAME` + `RUBYGEMS_PASSWORD` (+ TOTP from `RUBYGEMS_OTP_SEED` if MFA is
-enabled), then retries the push once. No intervention needed.
+| Secret / env var | Purpose |
+|---|---|
+| `RUBYGEMS_USERNAME` | rubygems.org username |
+| `RUBYGEMS_PASSWORD` | rubygems.org password |
+| `RUBYGEMS_OTP_SEED` | Same base32 seed as above |
+| `GEM_HOST_API_KEY` | The API key generated in Step 1 (for the initial push) |
 
-**On-demand** — run the task explicitly to rotate ahead of expiry:
+On subsequent runs the key is renewed automatically: when `gem push` returns 401/403, the
+publisher transparently calls `upgrade:renew_api_key` and retries. The refreshed key is written
+back to the `rubygems_api_key` CI secret (requires `WOODPECKER_TOKEN` + `WOODPECKER_SERVER`
+when running under Woodpecker CI).
 
-```bash
-rake upgrade:renew_api_key
-```
+See [features/upgrade_task/renew_api_key.feature](features/upgrade_task/renew_api_key.feature).
 
-Locally this prompts for credentials interactively. In CI, supply all three env vars for
-unattended operation:
+### Custom env var names
 
-| Env var | Purpose |
-|---|---|
-| `RUBYGEMS_USERNAME` | rubygems.org account username or email |
-| `RUBYGEMS_PASSWORD` | rubygems.org account password |
-| `RUBYGEMS_OTP_SEED` | Same TOTP seed as above — reused here to authenticate the key-creation request |
+```ruby
+require "rake/gem/maintenance"
 
-The new key is written back to the `GEM_HOST_API_KEY` CI secret automatically (requires
-`WOODPECKER_TOKEN` and `WOODPECKER_SERVER` when running under Woodpecker CI).
+Rake::GemMaintenance::Repos.rubygems_api_key_env_var  = "MY_RUBYGEMS_KEY"
+Rake::GemMaintenance::Repos.rubygems_otp_seed_env_var = "MY_OTP_SEED"
 
-See [features/upgrade_task/renew_api_key.feature](features/upgrade_task/renew_api_key.feature).
+Rake::GemMaintenance::UpgradeTask.new
+```
+
+See [features/upgrade_task/repos_configuration.feature](features/upgrade_task/repos_configuration.feature)
+for all configuration options including geminabox and dual publishing.
 
 ## License
 

data/lib/rake/gem/maintenance/renew_api_key_task.rb

@@ -57,7 +57,7 @@ module Rake
       end
 
       def generate_api_key(username, password)
-        otp = OtpProvider.new.otp_for("rubygems")
+        otp = OtpProvider.new.otp_for("rubygems", otp_seed_env_var: "RUBYGEMS_OTP_SEED")
         RubyGemsApiKeyCreator.new(host: host).create(username, password, otp: otp)
       end
 

data/lib/rake/gem/maintenance/version.rb

@@ -2,6 +2,6 @@
 
 module Rake
   module GemMaintenance
-    VERSION = "0.1.6"
+    VERSION = "0.1.7"
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rake-gem-maintenance
 version: !ruby/object:Gem::Version
-  version: 0.1.6
+  version: 0.1.7
 platform: ruby
 authors:
 - Christophe Broult
@@ -125,7 +125,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 4.0.11
+rubygems_version: 4.0.10
 specification_version: 4
 summary: 'Rake tasks for gem maintenance: dependency upgrades and version bumps.'
 test_files: []