Skip to content

Add shared release workflow from reissue#13

Open
cseeman wants to merge 1 commit into
mainfrom
add-shared-release-workflow
Open

Add shared release workflow from reissue#13
cseeman wants to merge 1 commit into
mainfrom
add-shared-release-workflow

Conversation

@cseeman

@cseeman cseeman commented Jan 30, 2026

Copy link
Copy Markdown

Summary

  • Adds shared release workflow from reissue for trusted publishing to RubyGems.org

Business Justification

Standardizes gem release process across SOFware repos using the shared reissue workflow, enabling automated trusted publishing to RubyGems.org via workflow_dispatch.

Technical Details

Adds .github/workflows/release.yml that calls SOFware/reissue/.github/workflows/shared-ruby-gem-release.yml@main

Comment thread .github/workflows/release.yml Fixed
@cseeman cseeman force-pushed the add-shared-release-workflow branch 2 times, most recently from 99a6411 to 05bb229 Compare January 30, 2026 22:43
@cseeman

cseeman commented Jan 30, 2026

Copy link
Copy Markdown
Author

Added on RubyGems Trusted Publishers
GitHub Repository: SOFware/contours
Workflow Filename: shared-ruby-gem-release.yml
Workflow Repository: SOFware/reissue

@cseeman cseeman marked this pull request as ready for review January 30, 2026 23:03
@cseeman cseeman requested a review from a team as a code owner January 30, 2026 23:03
saturnflyer
saturnflyer previously approved these changes Jan 31, 2026
Switch to using the shared gem release flow from reissue
for trusted publishing to RubyGems.org.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Comment on lines +8 to +12
uses: SOFware/reissue/.github/workflows/shared-ruby-gem-release.yml@main
with:
git_user_email: 'gems@sofwarellc.com'
git_user_name: 'SOFware'
ruby_version: '3.4'

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 5 months ago

In general, you should explicitly set permissions for the workflow or for individual jobs so that the GITHUB_TOKEN only has the minimal rights required. For a release workflow that primarily needs to read repository contents, a safe baseline is contents: read. If the reusable workflow already declares more specific permissions, this setting will only further restrict them; if it requires additional write permissions (for example, to push tags), you would need to add those explicitly instead of using the broad default.

The best low‑impact fix here is to add a root‑level permissions block (applies to all jobs) that restricts GITHUB_TOKEN to read access. This addresses CodeQL’s complaint without changing any of the existing jobs.release semantics, and it keeps the caller workflow simple when delegating to the reusable workflow. Concretely, in .github/workflows/release.yml, add:

permissions:
  contents: read

between the on: section and the jobs: section. No imports or additional methods are needed since this is purely a YAML configuration change.

Suggested changeset 1
.github/workflows/release.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,6 +3,9 @@
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   release:
     uses: SOFware/reissue/.github/workflows/shared-ruby-gem-release.yml@main
EOF
@@ -3,6 +3,9 @@
on:
workflow_dispatch:

permissions:
contents: read

jobs:
release:
uses: SOFware/reissue/.github/workflows/shared-ruby-gem-release.yml@main
Copilot is powered by AI and may make mistakes. Always verify output.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants