Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Trusted Publishing with reusable workflow #4294

Open
segiddins opened this issue Dec 15, 2023 · 4 comments
Open

Trusted Publishing with reusable workflow #4294

segiddins opened this issue Dec 15, 2023 · 4 comments
Assignees
@segiddins

Comments

@segiddins
Copy link
Member 

          Hi. Let me ask about Trusted Publishing here since I can't find where to ask.

(Please tell me a different place if my question is inappropriate 🙏🏼 )

First, my try in the suggested way by the RubyGems document was successful! 🎉
(For details, see my repo's Actions log)

However, my try through a reusable workflow failed, unfortunately. I'm not sure about the failure cause, but rubygems/configure-rubygems-credentials failed with the following error:

No trusted publisher configured for this workflow found on https://rubygems.org/ for audience rubygems.org

See also the failure Actions log.

Here's a part of my Actions workflow settings:

# .github/workflows/release.yml in the gem repository
jobs:
  release:
    uses: ybiquitous/.github/.github/workflows/ruby-release-reusable.yml@new-ruby-release
# The sharable workflow in a different repository
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      id-token: write
    timeout-minutes: 10
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up Ruby ${{ inputs.ruby-version }}
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: ${{ inputs.ruby-version }}
          bundler-cache: true
      - name: Publish gem to RubyGems.org
        uses: rubygems/release-gem@v1

For the sharable workflow code, see https://github.com/ybiquitous/.github/pull/31/files.

In short, is Trusted Publishing unsupported in a sharable workflow?

Last, this feature is fantastic! Thanks a lot. 👏🏼

Originally posted by @ybiquitous in #4285 (comment)
@segiddins
Copy link
Member Author

https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/using-openid-connect-with-reusable-workflows#how-the-token-works-with-reusable-workflows dropping this here for my future reference.

@woodruffw
Copy link

Another possibly useful cross-reference: pypi/warehouse#11096

@segiddins
Copy link
Member Author

@ybiquitous there's some work we'd have to do here to support re-usable workflows outside of the calling repository.

Likely this will involve an extra (optional) input field for the reusable workflow, and the existing field will continue to refer to the calling (top-level) workflow (and be the job_workflow_ref as well if the reusable workflow is not specified).

@ybiquitous ybiquitous mentioned this issue Dec 20, 2023
Open
@ybiquitous
Copy link
Contributor

Likely this will involve an extra (optional) input field for the reusable workflow, and the existing field will continue to refer to the calling (top-level) workflow

I'm okay if reusable workflows are supported. 👌🏼

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@segiddins segiddins

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ybiquitous @segiddins @woodruffw and others