From 53e0f1c5575cf03c286b3b2eeaa0c85c40ee5cb3 Mon Sep 17 00:00:00 2001 From: keypair34 <216233964+keypair34@users.noreply.github.com> Date: Wed, 17 Jun 2026 15:48:51 +0200 Subject: [PATCH 1/3] Disable apple check for now --- .github/workflows/verify-sdk-apple.yml | 44 ++++++++++++++------------ 1 file changed, 24 insertions(+), 20 deletions(-) diff --git a/.github/workflows/verify-sdk-apple.yml b/.github/workflows/verify-sdk-apple.yml index 19223ad..f5fabc4 100644 --- a/.github/workflows/verify-sdk-apple.yml +++ b/.github/workflows/verify-sdk-apple.yml @@ -8,27 +8,31 @@ name: Apple Bridge SDK Verification # UniFFI Swift bindings, assembles a local XCFramework, and uploads the # generated artifacts for inspection. +# Temporarily disabled (2026-06-17): the automatic push/pull_request triggers +# are commented out so this no longer runs as a PR/push check. It stays +# available on demand via "Run workflow" (workflow_dispatch). To re-enable, +# uncomment the push and pull_request blocks below. on: - push: - paths: - - ".github/workflows/verify-sdk-apple.yml" - - "Cargo.toml" - - "Cargo.lock" - - "rust-toolchain.toml" - - "crates/smbcloud-auth-sdk-apple/**" - - "crates/smbcloud-auth-sdk/**" - - "crates/smbcloud-model/**" - - "crates/smbcloud-network/**" - pull_request: - paths: - - ".github/workflows/verify-sdk-apple.yml" - - "Cargo.toml" - - "Cargo.lock" - - "rust-toolchain.toml" - - "crates/smbcloud-auth-sdk-apple/**" - - "crates/smbcloud-auth-sdk/**" - - "crates/smbcloud-model/**" - - "crates/smbcloud-network/**" + # push: + # paths: + # - ".github/workflows/verify-sdk-apple.yml" + # - "Cargo.toml" + # - "Cargo.lock" + # - "rust-toolchain.toml" + # - "crates/smbcloud-auth-sdk-apple/**" + # - "crates/smbcloud-auth-sdk/**" + # - "crates/smbcloud-model/**" + # - "crates/smbcloud-network/**" + # pull_request: + # paths: + # - ".github/workflows/verify-sdk-apple.yml" + # - "Cargo.toml" + # - "Cargo.lock" + # - "rust-toolchain.toml" + # - "crates/smbcloud-auth-sdk-apple/**" + # - "crates/smbcloud-auth-sdk/**" + # - "crates/smbcloud-model/**" + # - "crates/smbcloud-network/**" workflow_dispatch: permissions: From 7582f45278a5fe2463079887c762262c30950847 Mon Sep 17 00:00:00 2001 From: keypair34 <216233964+keypair34@users.noreply.github.com> Date: Wed, 17 Jun 2026 16:09:08 +0200 Subject: [PATCH 2/3] ci(gem-release): fail loudly on push errors; add credential-test toggle MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The push step swallowed every gem push failure as "may already exist" and exited 0, so a 401 from a missing RUBYGEMS_API_KEY looked like a successful, no-op release (v0.4.0–v0.4.3 reported green but published nothing). Now: - credentials step fails fast if RUBYGEMS_API_KEY is empty/unset - push step only skips a genuine "Repushing not allowed" response and fails the job on any other error (401, validation, 5xx) - new force_push_existing dispatch input runs the push against an already-published version to verify credentials without creating a new release (RubyGems rejects the re-push) Co-Authored-By: Claude Opus 4.8 --- .github/workflows/release-sdk-gem.yml | 53 +++++++++++++++++++++++---- 1 file changed, 45 insertions(+), 8 deletions(-) diff --git a/.github/workflows/release-sdk-gem.yml b/.github/workflows/release-sdk-gem.yml index 8151ecd..613c6d5 100644 --- a/.github/workflows/release-sdk-gem.yml +++ b/.github/workflows/release-sdk-gem.yml @@ -13,6 +13,11 @@ on: tag: description: "Release tag (e.g. v0.3.35)" required: true + force_push_existing: + description: "Attempt the push even if this version is already on RubyGems. Credential test only — RubyGems rejects re-push, so no new release is created." + type: boolean + default: false + required: false permissions: contents: read @@ -206,7 +211,10 @@ jobs: id: rubygems-check shell: bash run: | - if curl -fsS \ + if [[ "${{ github.event.inputs.force_push_existing }}" == "true" ]]; then + echo "force_push_existing is set — running the push even if the version exists (credential test)." + echo "exists=false" >> "$GITHUB_OUTPUT" + elif curl -fsS \ "https://rubygems.org/api/v2/rubygems/smbcloud-auth/versions/${RELEASE_VERSION}.json" \ >/dev/null 2>&1; then echo "smbcloud-auth ${RELEASE_VERSION} already exists on RubyGems, skipping publish" @@ -232,20 +240,49 @@ jobs: - name: Configure RubyGems credentials if: steps.rubygems-check.outputs.exists != 'true' shell: bash + env: + RUBYGEMS_API_KEY: ${{ secrets.RUBYGEMS_API_KEY }} run: | + # Fail fast and loudly if the secret is missing or empty. Without this + # guard, gem push gets blank credentials, returns 401, and the push + # step used to disguise that as "already exists" — silently shipping + # nothing while the run stayed green. + if [ -z "${RUBYGEMS_API_KEY}" ]; then + echo "::error::RUBYGEMS_API_KEY secret is empty or unset. Add a RubyGems API key with push scope as the RUBYGEMS_API_KEY repository secret." + exit 1 + fi mkdir -p "${HOME}/.gem" - echo ":rubygems_api_key: ${{ secrets.RUBYGEMS_API_KEY }}" > "${HOME}/.gem/credentials" + printf ':rubygems_api_key: %s\n' "${RUBYGEMS_API_KEY}" > "${HOME}/.gem/credentials" chmod 0600 "${HOME}/.gem/credentials" - # Push each .gem file individually. Platform-specific gems that are already - # published (e.g. from a re-run) emit a warning and continue rather than - # failing the whole job. + # Push each .gem file individually. A version that is genuinely already + # published (e.g. a partial re-run) is skipped; any other failure — + # bad credentials, validation errors, server errors — fails the job. - name: Push gems to RubyGems if: steps.rubygems-check.outputs.exists != 'true' shell: bash run: | + set -uo pipefail + push_failed=0 for gem_file in gems/*.gem; do - echo "Pushing $(basename "${gem_file}")…" - gem push "${gem_file}" \ - || echo "::warning::$(basename "${gem_file}") may already exist for this version — skipping." + name="$(basename "${gem_file}")" + echo "Pushing ${name}…" + if push_output="$(gem push "${gem_file}" 2>&1)"; then + echo "${push_output}" + echo "Pushed ${name}." + continue + fi + echo "${push_output}" + # The only acceptable failure is the version already existing on + # RubyGems; repushing is rejected with this specific message. + if echo "${push_output}" | grep -qiE "Repushing of gem versions is not allowed|has already been pushed"; then + echo "::notice::${name} is already published for this version — skipping." + continue + fi + echo "::error::Failed to push ${name}." + push_failed=1 done + if [ "${push_failed}" -ne 0 ]; then + echo "::error::One or more gems failed to push (see logs above). The release did not fully publish." + exit 1 + fi From 72c46e3506136d79705f337d51281d33f7fd5d78 Mon Sep 17 00:00:00 2001 From: keypair34 <216233964+keypair34@users.noreply.github.com> Date: Wed, 17 Jun 2026 16:16:45 +0200 Subject: [PATCH 3/3] ci: add fast RubyGems key verification workflow Validates the RUBYGEMS_API_KEY secret authenticates with RubyGems without building or publishing a gem. The release workflow builds native gems before pushing, so it is a slow and tag-coupled way to discover a bad/missing key. Co-Authored-By: Claude Opus 4.8 --- .github/workflows/verify-rubygems-key.yml | 40 +++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 .github/workflows/verify-rubygems-key.yml diff --git a/.github/workflows/verify-rubygems-key.yml b/.github/workflows/verify-rubygems-key.yml new file mode 100644 index 0000000..15f120d --- /dev/null +++ b/.github/workflows/verify-rubygems-key.yml @@ -0,0 +1,40 @@ +name: Verify RubyGems Key + +# Fast, no-publish check that the RUBYGEMS_API_KEY secret is present and +# authenticates with RubyGems.org. Use this to validate the secret before +# cutting a gem release (the release workflow builds native gems first, so it +# is a slow way to discover a bad key). + +on: + workflow_dispatch: + +permissions: + contents: read + +jobs: + verify: + name: Verify RUBYGEMS_API_KEY + runs-on: ubuntu-latest + steps: + - name: Check the key authenticates with RubyGems + env: + RUBYGEMS_API_KEY: ${{ secrets.RUBYGEMS_API_KEY }} + shell: bash + run: | + if [ -z "${RUBYGEMS_API_KEY}" ]; then + echo "::error::RUBYGEMS_API_KEY secret is empty or unset." + exit 1 + fi + + code="$(curl -s -o /tmp/me.json -w '%{http_code}' \ + -H "Authorization: ${RUBYGEMS_API_KEY}" \ + https://rubygems.org/api/v1/profile/me.json)" + echo "RubyGems profile API returned HTTP ${code}" + + if [ "${code}" != "200" ]; then + echo "::error::Key did NOT authenticate (HTTP ${code}). Check the RUBYGEMS_API_KEY secret value and that it has push scope." + exit 1 + fi + + handle="$(python3 -c 'import json; print(json.load(open("/tmp/me.json")).get("handle",""))' 2>/dev/null || true)" + echo "✅ Key authenticates as: ${handle:-}"