Add shared release workflow from reissue#13
Conversation
99a6411 to
05bb229
Compare
|
Added on RubyGems Trusted Publishers |
Switch to using the shared gem release flow from reissue for trusted publishing to RubyGems.org. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
05bb229 to
728be44
Compare
| uses: SOFware/reissue/.github/workflows/shared-ruby-gem-release.yml@main | ||
| with: | ||
| git_user_email: 'gems@sofwarellc.com' | ||
| git_user_name: 'SOFware' | ||
| ruby_version: '3.4' |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 5 months ago
In general, you should explicitly set permissions for the workflow or for individual jobs so that the GITHUB_TOKEN only has the minimal rights required. For a release workflow that primarily needs to read repository contents, a safe baseline is contents: read. If the reusable workflow already declares more specific permissions, this setting will only further restrict them; if it requires additional write permissions (for example, to push tags), you would need to add those explicitly instead of using the broad default.
The best low‑impact fix here is to add a root‑level permissions block (applies to all jobs) that restricts GITHUB_TOKEN to read access. This addresses CodeQL’s complaint without changing any of the existing jobs.release semantics, and it keeps the caller workflow simple when delegating to the reusable workflow. Concretely, in .github/workflows/release.yml, add:
permissions:
contents: readbetween the on: section and the jobs: section. No imports or additional methods are needed since this is purely a YAML configuration change.
| @@ -3,6 +3,9 @@ | ||
| on: | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| release: | ||
| uses: SOFware/reissue/.github/workflows/shared-ruby-gem-release.yml@main |
Summary
Business Justification
Standardizes gem release process across SOFware repos using the shared reissue workflow, enabling automated trusted publishing to RubyGems.org via workflow_dispatch.
Technical Details
Adds
.github/workflows/release.ymlthat callsSOFware/reissue/.github/workflows/shared-ruby-gem-release.yml@main