The idea behind trusted publishing is that you can release via GitHub Actions (or other providers) and provide some sort of traceability. The primary aim is to increase protection against supply chain attacks.
Trusted Publishing - RubyGems Guides describes it for RubyGems, but if you look at their example, it uses a fairly large flow that you need to maintain:
This uses the rubygems/release-gem action, which mandates that you use rake, which in turn sets requirements on the environment, like installing all gems. This is something I wanted to avoid because I didn’t like it when I first played with it a year ago (see Support releasing without rake · Issue #3 · rubygems/release-gem · GitHub as well). While testing this I had hoped to come up with an easy reusable workflow like we use today with release-gem.yaml, but in my experimentation I found that you can’t use reusable workflows because it messes up the tokens, which is fair because that’s what it implements.
Luckily they have designed their actions to be more modular and there’s rubygems/configure-rubygems-credentials, which only sets up credentials. And that works, but there’s still a decent amount of config you’re copying over between repositories. With dozens of gems it’s a pain to keep them in sync.
My proposal is to convert all existing usage of our reusable action and retire it. Then we can start mandating MFA for our gems, which was a big reason for the investigation in the first place.
While I don’t want to mandate using this action now, I’d certainly encourage everyone to adopt it. Today we sometimes see that people forget to push a tag, but if pushing a tag is the mandatory step to release it’s rather hard to forget.
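For readers who want to see what the tag-triggered, rake-free flow described above looks like in practice, here is an added example workflow. It is not taken from the original post, nor from the rubygems or voxpupuli projects; it uses the rubygems/configure-rubygems-credentials action mentioned above to exchange the job's GitHub OIDC token for a short-lived RubyGems API key, then builds and pushes with plain `gem` commands. The file name, the Ruby version, the `v*` tag pattern and the `@v1.0.0` action ref are assumptions made for the example; the single-gemspec glob is also an assumption.

```yaml
# .github/workflows/release.yml  (assumed file name: the workflow file name is
# part of what rubygems.org checks when it accepts a trusted-publishing token,
# so it must match the workflow registered on the gem's trusted publisher page)
name: Release gem

on:
  push:
    tags:
      - 'v*'   # pushing a tag is the mandatory release step, so it can't be forgotten

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # lets the job request a GitHub OIDC token; nothing else is needed
    steps:
      - uses: actions/checkout@v4

      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: '3.3'   # constructed value; any supported Ruby works

      # Exchanges the OIDC token for a temporary RubyGems credential.
      # No long-lived API key is stored as a repository secret, which is the
      # supply-chain benefit of trusted publishing. Action ref is assumed.
      - uses: rubygems/configure-rubygems-credentials@v1.0.0

      # Build and push with the gem command directly: no Rakefile, no
      # bundle install. The glob assumes exactly one .gemspec in the repo.
      - name: Build gem
        run: gem build *.gemspec

      - name: Push gem
        run: gem push *.gem
```

Before the first run, the gem's owner registers the repository owner, repository name and this workflow file name (and optionally a GitHub environment) as a trusted publisher on rubygems.org; a token from any other repository or workflow file is rejected, which is the traceability property the thread is after. Because the credential exchange depends on the OIDC token's claims about the calling workflow, this job has to live in each gem's own repository rather than behind a reusable workflow, which is the constraint the post describes.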
Makes me wonder if we should look into the list of owners, too.
I enabled MFA for my account after reading your post and looked at the 2 gems I am owner of. I see Greg still being an owner for foreman_monitoring and smart_proxy_monitoring, who could perhaps be removed.
So I also looked at others and I see people who no longer work on the project on the one side, and on the other side some gems being owned by “theforeman”. Thinking about plugins breaking Foreman like currently dhcp_browser, would it make sense to get this owner in place everywhere, allowing for a release by the release owner / packaging team?
I have also contemplated removing people and it’s probably a good thing though I’d prefer to have that as a separate discussion.
What IMHO is mandatory is that any gem that lives in our GitHub namespace is at least owned by theforeman on Rubygems. For others I’d say it’s recommended. There is a shared repository where a few people have access to the credentials so we can manage it.
I have decided to transfer the repository to GitHub - voxpupuli/ruby-release: Release Ruby gems with minimal tooling so a larger organization can maintain it. I debated whether it should be voxpupuli or theforeman, but decided to go for the former so there’s a larger organization behind it.