
CD: switch gem-push to RubyGems Trusted Publishing (OIDC) #40

Merged

yashdsaraf merged 1 commit into master from LOC-6563-rubygems-trusted-publishing on Jun 5, 2026
Conversation

@yashdsaraf
Collaborator

@yashdsaraf yashdsaraf commented Jun 5, 2026

Summary

The previous Ruby gem publish run failed at the gem push step because MFA was enabled on the RubyGems account — the RUBYGEMS_AUTH_TOKEN API-key flow can't supply an OTP from a non-interactive runner:

Pushing gem to https://rubygems.org...
You have enabled multi-factor authentication. Please enter OTP code.
You have enabled multifactor authentication but no OTP code provided. Please fill it and retry.
##[error]Process completed with exit code 1.

Trusted publishing on rubygems.org is already configured for this gem (pointed at gem-push.yml, no GitHub Environment binding). This PR flips the workflow's authentication from API-key to OIDC so the publish completes without needing an OTP.

Change

Single file: .github/workflows/gem-push.yml.

  • Add id-token: write to job permissions (required for OIDC token generation)
  • Remove unused packages: write (was for GitHub Packages, never wired up)
  • Replace the manual credentials-file dance + GEM_HOST_API_KEY env var with rubygems/configure-rubygems-credentials@v2.0.0 (the same action rubygems/release-gem@v1 calls internally — verified by reading its action.yml)
  • Existing gem build && gem push then reads credentials from where the action sets them up

Net diff: 4 insertions, 8 deletions.

Why not rubygems/release-gem@v1

The high-level action runs bundle exec rake release which auto-tags + auto-commits and is designed for tag-event triggers. Our workflow is workflow_dispatch with manual version management — using configure-rubygems-credentials directly keeps the trigger + manual flow intact.

Test plan

  • Merge
  • Trigger gem-push.yml via Actions UI or gh workflow run gem-push.yml --ref master --repo browserstack/browserstack-local-ruby
  • Confirm Configure RubyGems Credentials step succeeds (proves OIDC handshake → trusted publisher binding matched workflow filename + repo)
  • Confirm gem push shows Pushing gem to https://rubygems.org... followed by success, no MFA prompt
  • gem info -r browserstack-local confirms 1.5.0 is live

Cleanup (separate follow-up commit after one green dispatch)

  • Delete RUBYGEMS_AUTH_TOKEN from repo Secrets — now obsolete

Reference

🤖 Generated with Claude Code

`gem push` fails since MFA was enabled on the RubyGems account —
the API-key flow can't supply an OTP from a non-interactive
runner. Trusted publishing is the supported replacement and is
already configured on rubygems.org for this gem (pointed at this
workflow file, no GitHub Environment binding).

Changes:
- Add `id-token: write` to job permissions (required for the
  GitHub OIDC token exchange).
- Remove unused `packages: write` permission (was for GitHub
  Packages, never wired up).
- Replace the manual credentials-file dance + `GEM_HOST_API_KEY`
  env var with `rubygems/configure-rubygems-credentials@v2.0.0`
  (same action `rubygems/release-gem@v1` calls internally —
  verified by reading its action.yml). Existing `gem build` +
  `gem push` then read credentials the action sets up.

No new secrets. `RUBYGEMS_AUTH_TOKEN` becomes obsolete and should
be deleted from repo Settings → Secrets after the first green
dispatch.

Tracks LOC-6563.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@yashdsaraf yashdsaraf requested a review from a team as a code owner June 5, 2026 14:04
@yashdsaraf yashdsaraf merged commit e04e287 into master Jun 5, 2026
5 checks passed
@yashdsaraf yashdsaraf deleted the LOC-6563-rubygems-trusted-publishing branch June 5, 2026 14:08
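Added example, not code from this PR or from the browserstack-local-ruby project: a small Ruby lint that encodes the workflow-side properties the PR relies on for trusted publishing. It checks that the publishing job grants `id-token: write`, no longer carries `packages: write`, calls `rubygems/configure-rubygems-credentials` at a pinned ref, and no longer references `RUBYGEMS_AUTH_TOKEN` or `GEM_HOST_API_KEY` anywhere in the file. The two embedded workflows are constructed to mirror the before/after the description gives; they are not the repository's actual gem-push.yml, and the `name:` and job id are assumptions. The other half of the trust relationship (the trusted-publisher entry on rubygems.org, bound to repo and workflow filename, optionally to a GitHub Environment) lives server-side and is not visible in the file, so this check cannot stand in for it; with no Environment binding, anyone who can dispatch the workflow on the repo can publish.

```ruby
# Added example: readiness lint for a gem-publishing GitHub Actions workflow
# moving from an API key to RubyGems Trusted Publishing (OIDC).
# Not from the PR or browserstack-local-ruby; the sample workflows below are
# constructed to mirror the before/after described in the PR.
require 'yaml'

CREDS_ACTION = 'rubygems/configure-rubygems-credentials'.freeze
# Names from the API-key flow; any surviving reference means the migration is incomplete.
LEGACY_TOKEN_REFS = %w[RUBYGEMS_AUTH_TOKEN GEM_HOST_API_KEY].freeze

# Lint workflow YAML text for Trusted Publishing readiness.
# Returns an array of findings; an empty array means the workflow passes.
def check_trusted_publishing(workflow_yaml)
  wf = YAML.safe_load(workflow_yaml)
  findings = []

  # Psych follows YAML 1.1, so an unquoted `on:` key parses as the boolean true.
  findings << 'no trigger (`on:`) defined' unless wf.key?('on') || wf.key?(true)

  LEGACY_TOKEN_REFS.each do |name|
    findings << "still references #{name}; the API-key path was not fully removed" if workflow_yaml.include?(name)
  end

  jobs = wf.fetch('jobs', {})
  findings << 'no jobs defined' if jobs.empty?

  jobs.each do |job_name, job|
    # Job-level permissions override workflow-level ones.
    perms = job.fetch('permissions', wf.fetch('permissions', {}))
    unless perms.is_a?(Hash)
      findings << "#{job_name}: blanket permissions (#{perms.inspect}); use an explicit map"
      perms = {}
    end
    findings << "#{job_name}: missing `id-token: write` (needed to mint the OIDC token)" unless perms['id-token'] == 'write'
    findings << "#{job_name}: `packages: write` is not needed to push to rubygems.org" if perms['packages'] == 'write'

    creds = job.fetch('steps', []).find { |s| s['uses'].to_s.start_with?(CREDS_ACTION) }
    if creds.nil?
      findings << "#{job_name}: no #{CREDS_ACTION} step"
    elsif !creds['uses'].include?('@')
      findings << "#{job_name}: #{CREDS_ACTION} is not pinned to a tag or commit SHA"
    end
  end

  findings
end

# Constructed "before": a long-lived API key copied into ~/.gem/credentials by hand.
BEFORE_API_KEY_WORKFLOW = <<~'YAML'
  name: Ruby Gem
  on: workflow_dispatch
  jobs:
    build:
      runs-on: ubuntu-latest
      permissions:
        contents: read
        packages: write
      steps:
        - uses: actions/checkout@v4
        - uses: ruby/setup-ruby@v1
        - name: Publish to RubyGems
          run: |
            mkdir -p "$HOME/.gem"
            printf -- "---\n:rubygems_api_key: %s\n" "$GEM_HOST_API_KEY" > "$HOME/.gem/credentials"
            chmod 0600 "$HOME/.gem/credentials"
            gem build *.gemspec
            gem push *.gem
          env:
            GEM_HOST_API_KEY: ${{ secrets.RUBYGEMS_AUTH_TOKEN }}
YAML

# Constructed "after": OIDC token exchange via the credentials action, no stored secret.
AFTER_OIDC_WORKFLOW = <<~'YAML'
  name: Ruby Gem
  on: workflow_dispatch
  jobs:
    build:
      runs-on: ubuntu-latest
      permissions:
        contents: read
        id-token: write
      steps:
        - uses: actions/checkout@v4
        - uses: ruby/setup-ruby@v1
        - uses: rubygems/configure-rubygems-credentials@v2.0.0
        - run: gem build *.gemspec && gem push *.gem
YAML

if $PROGRAM_NAME == __FILE__
  [['before', BEFORE_API_KEY_WORKFLOW], ['after', AFTER_OIDC_WORKFLOW]].each do |label, yaml|
    findings = check_trusted_publishing(yaml)
    puts "#{label}: #{findings.empty? ? 'OK' : "#{findings.size} finding(s)"}"
    findings.each { |f| puts "  - #{f}" }
  end
end
```

Run it against a real `.github/workflows/gem-push.yml` by reading the file into `check_trusted_publishing`; the "before" sample should surface five findings and the "after" sample none. The raw-text scan for the legacy names is deliberate: a leftover `${{ secrets.RUBYGEMS_AUTH_TOKEN }}` in an `env:` block parses as an ordinary string and would otherwise slip past a purely structural check.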