@gjtorikian
Contributor

Summary

  • Replace rubygems/release-gem with manual build and push
  • Use rubygems/configure-rubygems-credentials for OIDC authentication
  • Run rake build instead of rake release to avoid git operations

Problem

The rubygems/release-gem action runs bundle exec rake release, which includes release:source_control_push that tries to push git tags. The publish job only has contents: read permission, causing the workflow to fail with:

remote: Permission to workos/workos-ruby.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/workos/workos-ruby/': The requested URL returned error: 403

The previous fix attempted to use a gem-push-command input, but that input doesn't exist in the rubygems/release-gem action.

Solution

Use rubygems/configure-rubygems-credentials to set up OIDC auth, then manually:

  1. bundle exec rake build - builds the gem without git operations
  2. gem push - pushes to RubyGems

Test plan

  • Verify CI passes
  • Trigger a release to confirm the workflow completes successfully

🤖 Generated with Claude Code

Replace rubygems/release-gem with manual build and push to avoid
the rake release task attempting git operations (which fails due
to insufficient permissions in the publish job).

- Use rubygems/configure-rubygems-credentials for OIDC auth
- Run rake build to create the gem without git operations
- Push directly with gem push

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@gjtorikian gjtorikian requested a review from a team as a code owner February 3, 2026 16:58
@gjtorikian gjtorikian requested review from mthadley and removed request for a team February 3, 2026 16:58
@gjtorikian gjtorikian closed this Feb 3, 2026
@gjtorikian gjtorikian deleted the fix-release-oidc-publish branch February 3, 2026 16:58
@gjtorikian gjtorikian restored the fix-release-oidc-publish branch February 3, 2026 16:59
@greptile-apps

greptile-apps bot commented Feb 3, 2026

Greptile Overview

Greptile Summary

Replaced the rubygems/release-gem action with manual gem build and push using OIDC authentication to resolve permission errors.

  • Added version output to create-release job to pass version to publish job
  • Configured RubyGems OIDC credentials using rubygems/configure-rubygems-credentials@main
  • Replaced rubygems/release-gem action with manual rake build and gem push commands
  • Avoided git operations by using rake build instead of rake release, preventing the 403 permission error

Confidence Score: 5/5

  • This PR is safe to merge - it fixes a critical workflow issue with a well-designed solution
  • The changes are minimal, focused, and directly address the permission issue. The solution uses OIDC authentication (more secure than tokens) and correctly passes the version between jobs. The workflow logic is sound.
  • No files require special attention

Important Files Changed

Filename | Overview
.github/workflows/release.yml | Replaced rubygems/release-gem action with manual OIDC-authenticated build and push to avoid git permission issues

Sequence Diagram

sequenceDiagram
    participant PR as Pull Request (merged)
    participant GH as GitHub Actions
    participant CreateRelease as create-release job
    participant Publish as publish job
    participant RubyGems as RubyGems.org
    
    PR->>GH: Trigger on PR merge with version-bump label
    GH->>CreateRelease: Start job
    CreateRelease->>CreateRelease: Generate GitHub App token
    CreateRelease->>CreateRelease: Checkout code
    CreateRelease->>CreateRelease: Extract version from version.rb
    CreateRelease->>CreateRelease: Create GitHub release with tag
    CreateRelease->>Publish: Pass version via outputs
    
    GH->>Publish: Start job (needs create-release)
    Publish->>RubyGems: Configure OIDC credentials
    RubyGems->>Publish: Return authentication token
    Publish->>Publish: Checkout code
    Publish->>Publish: Setup Ruby 3.2 with bundler cache
    Publish->>Publish: Run RSpec tests
    Publish->>Publish: Run rake build (creates gem in pkg/)
    Publish->>RubyGems: Push gem using OIDC auth
    RubyGems->>Publish: Confirm publish success

@greptile-apps greptile-apps bot left a comment

1 file reviewed, no comments


@gjtorikian gjtorikian deleted the fix-release-oidc-publish branch February 3, 2026 17:01
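
A sketch of the publish job this thread describes, added here as an example and not taken from the repository's release.yml. The runner, the checkout and setup-ruby version tags, and the step order are assumptions, and it presumes the gem has this workflow registered as a trusted publisher on RubyGems.org.

```yaml
# Added example: publish job only; not the repository's actual workflow file.
jobs:
  publish:
    needs: create-release        # job named in the PR; its definition is not shown here
    runs-on: ubuntu-latest       # assumed runner
    permissions:
      contents: read             # read-only: this job cannot push tags or branches
      id-token: write            # required so the job can request a GitHub OIDC token
    steps:
      - uses: actions/checkout@v4
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: '3.2'
          bundler-cache: true
      - name: Run tests
        run: bundle exec rspec
      # rake build only writes pkg/*.gem; unlike rake release it never
      # runs release:source_control_push, so contents: read is enough.
      - name: Build gem
        run: bundle exec rake build
      # Assumed ordering: credentials are configured after tests and build,
      # so those steps run without a RubyGems API key in the environment.
      # The PR references @main; pinning to a reviewed commit SHA is stricter
      # for a job that holds id-token: write.
      - uses: rubygems/configure-rubygems-credentials@main
      - name: Push gem
        run: gem push pkg/*.gem
```

Keeping `contents: read` on this job is what separates tag creation (done in create-release) from package publication, so a compromise of the publish steps cannot rewrite repository refs.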