Skip to content

Add CI workflow to release gems via Trusted Publishing#3015

Open
soutaro wants to merge 2 commits into
masterfrom
claude/release-method-782rxt
Open

Add CI workflow to release gems via Trusted Publishing#3015
soutaro wants to merge 2 commits into
masterfrom
claude/release-method-782rxt

Conversation

@soutaro

@soutaro soutaro commented Jun 23, 2026

Copy link
Copy Markdown
Member

Why

The rbs gem currently ships two platform variants — the default ruby gem (C extension) and the java/JRuby gem (bundling the WebAssembly parser + Chicory jars). rake release only handles the former, so the java gem must be built and pushed by hand. That manual step (plus version typos and releasing from a local environment) is exactly where release mistakes happen.

This adds a CI release workflow so publishing is reproducible and hard to get wrong.

What

New .github/workflows/release-gems.yml, triggered manually via workflow_dispatch:

  • Branch = version selection. Run it against master; the version is read from lib/rbs/version.rb (single source of truth — no free-form version input to mistype).
  • expected_version input — you type the version you intend to ship; CI fails if it doesn't match lib/rbs/version.rb. Guards against running on the wrong commit.
  • dry_run input (default true) — builds and verifies both gems but does not push. Lets you rehearse safely; flip to false for the real release.
  • Builds both platform gems before pushing either, so a release is all-or-nothing instead of leaving one platform behind.
  • Refuses to run if the vX.Y.Z tag already exists.
  • Trusted Publishing (OIDC) via rubygems/configure-rubygems-credentials — no long-lived RubyGems API token stored as a secret.
  • On a real run, pushes both gems and then the vX.Y.Z git tag.

The name is release-gems.yml (plural) to leave room for a separate crates.io release workflow later.

Scope: master only

Maintenance releases (e.g. 4.0.x cut from aaa-4.0.x) intentionally stay manual via rake release. They're infrequent, and keeping this workflow on master only avoids having to backport the workflow file to each maintenance branch (a workflow_dispatch run uses the workflow definition from the selected branch).

⚠️ One-time prerequisite before the first real run

Configure a Trusted Publisher for the rbs gem on RubyGems.org:

  • RubyGem: rbs
  • Owner: ruby
  • Repository: rbs
  • Workflow filename: release-gems.yml

Until that's set up, use dry_run: true (which never touches RubyGems).

Notes / possible follow-ups

  • The GitHub draft-release note generation (rake release:note, built from CHANGELOG.md) is not included here yet; it can be wired in as a follow-up if desired.
  • WASI SDK version is pinned to match wasm.yml / jruby.yml (33.0).

🤖 Generated with Claude Code

Generated by Claude Code

soutaro and others added 2 commits June 23, 2026 14:17
@soutaro @claude
Add CI workflow to publish gems via Trusted Publishing
a1f5d75 
Introduce `.github/workflows/release-gems.yml`, a manually-triggered
(workflow_dispatch) release workflow for the `rbs` gem on `master`.

It builds both platform gems (the default `ruby` C-extension gem and the
`java`/JRuby gem assembled from the WebAssembly parser + Chicory jars)
before pushing either, verifies that `lib/rbs/version.rb` matches the
operator-supplied `expected_version`, refuses to run if the tag already
exists, and supports a `dry_run` mode that builds and verifies without
publishing. Gems are pushed using RubyGems Trusted Publishing (OIDC) so
no long-lived API token is stored. On a real run it also pushes the
`vX.Y.Z` git tag.

Maintenance releases (e.g. 4.0.x from `aaa-4.0.x`) intentionally stay
manual via `rake release`.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01FerVMqvEagsGmDSRv7Ecz3
@soutaro @claude
Create a draft GitHub Release during the gem release
e0a2865 
After pushing the gems and the tag, create a draft GitHub Release whose
notes are the top section of CHANGELOG.md plus a link to the wiki release
note, matching the existing `rake release:note` behavior. Prerelease
versions are marked with --prerelease, and the release is left as a draft
for a human to review and publish. Gated on dry_run like the other
publishing steps.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01FerVMqvEagsGmDSRv7Ecz3
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@soutaro