ci: harden gem release + add RubyGems key verification#36
Closed
setoelkahfi wants to merge 4 commits into
Closed
Conversation
The push step swallowed every gem push failure as "may already exist" and exited 0, so a 401 from a missing RUBYGEMS_API_KEY looked like a successful, no-op release (v0.4.0–v0.4.3 reported green but published nothing). Now: - credentials step fails fast if RUBYGEMS_API_KEY is empty/unset - push step only skips a genuine "Repushing not allowed" response and fails the job on any other error (401, validation, 5xx) - new force_push_existing dispatch input runs the push against an already-published version to verify credentials without creating a new release (RubyGems rejects the re-push) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Validates the RUBYGEMS_API_KEY secret authenticates with RubyGems without building or publishing a gem. The release workflow builds native gems before pushing, so it is a slow and tag-coupled way to discover a bad/missing key. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
The gem release workflow reported green while publishing nothing:
gem pushfailures (including a 401 from a missingRUBYGEMS_API_KEYsecret) were swallowed by|| echo "...may already exist..."and the job exited 0. That's whysmbcloud-authis still at 0.3.35 on RubyGems despite v0.4.0–v0.4.3 "succeeding".Changes
release-sdk-gem.ymlRUBYGEMS_API_KEYis empty/unset.force_push_existingdispatch input to attempt a push against an already-published version for credential testing (RubyGems rejects the re-push, so no new release is created).verify-rubygems-key.yml(new) — fast, no-build/no-publish check that the secret authenticates with RubyGems.Note
The 0.3.x tags can't be rebuilt on the current pipeline (the
smbcloud-auth-sdkcrate was split out at 0.4, sosmbcloud-auth-sdk 0.3.x404s on crates.io and the crate-wait step times out). Useverify-rubygems-key.ymlto validate the key, then cut 0.4.3.🤖 Generated with Claude Code