.github/workflows/release.yml

name: Release

on:
  release:
    types:
      - published

permissions:
  contents: read

jobs:
  build:
    name: Build and sign artifacts
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
      built-gems: ${{ steps.list-gems.outputs.gems }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false

      - uses: ruby/setup-ruby@f2f42b7848feff522ffa488a5236ba0a73bccbdd # v1.219.0
        with:
          # NOTE: We intentionally don't use a cache in the release step,
          # to reduce the risk of cache poisoning.
          ruby-version: "3.3"
          bundler-cache: false

      - name: deps
        run: bundle install --jobs 4 --retry 3

      - name: Set source date epoch
        run: |
          # Set SOURCE_DATE_EPOCH to the commit date of the last commit.
          export SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)
          echo "SOURCE_DATE_EPOCH=$SOURCE_DATE_EPOCH" >> $GITHUB_ENV

      - name: build
        run: bin/rake build

      - name: List built gems
        id: list-gems
        run: |
          echo "gems=$(find pkg -type f -name '*.gem' -print0 | xargs -0 jq --compact-output --null-input --args '[$ARGS.positional[]]')" >> $GITHUB_OUTPUT

      - name: Check release and tag name match built version
        run: |
          for gem in ${BUILT_GEMS}; do
            gemspec_version=$(gem spec ${gem} version | ruby -ryaml -e 'puts YAML.safe_load(ARGF.read, permitted_classes: [Gem::Version])')
            if [ "${RELEASE_TAG_NAME}" != "v${gemspec_version}" ]; then
              echo "Release tag name '${RELEASE_TAG_NAME}' does not match gemspec version 'v${gemspec_version}'"
              exit 1
            fi
          done
        env:
          RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
          BUILT_GEMS: ${{ join(fromJson(steps.list-gems.outputs.gems), ' ') }}

      - name: sign
        run: |
          ./bin/smoketest ${BUILT_GEMS}
        env:
          BUILT_GEMS: ${{ join(fromJson(steps.list-gems.outputs.gems), ' ') }}

      - name: Generate hashes for provenance
        shell: bash
        id: hash
        working-directory: pkg
        run: |
          # sha256sum generates sha256 hash for all artifacts.
          # base64 -w0 encodes to base64 and outputs on a single line.
          # sha256sum artifact1 artifact2 ... | base64 -w0
          echo "hashes=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT

      - name: Save hashes
        run: echo "$HASHES" | base64 -d > pkg/sha256sum.txt
        env:
          HASHES: ${{ steps.hash.outputs.hashes }}

      - name: Upload built packages
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: built-packages
          path: ./pkg/
          if-no-files-found: warn

      - name: Upload smoketest-artifacts
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: smoketest-artifacts
          path: smoketest-artifacts/
          if-no-files-found: warn

  generate-provenance:
    needs: [build]
    name: Generate build provenance
    permissions:
      actions: read # To read the workflow path.
      id-token: write # To sign the provenance.
      contents: write # To add assets to a release.
    # Currently this action needs to be referred by tag. More details at:
    # https://github.com/slsa-framework/slsa-github-generator#verification-of-provenance
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      provenance-name: provenance-sigstore-${{ github.event.release.tag_name }}.intoto.jsonl
      base64-subjects: "${{ needs.build.outputs.hashes }}"
      upload-assets: true

  release-rubygems:
    needs: [build, generate-provenance]
    runs-on: ubuntu-latest
    permissions:
      # Used to authenticate to RubyGems.org via OIDC.
      id-token: write
    strategy:
      matrix:
        built-gem: ${{ fromJson(needs.build.outputs.built-gems) }}
    concurrency:
      group: release-rubygems
    name: Publish ${{ matrix.built-gem }} to RubyGems
    steps:
      - name: Download artifacts directories # goes to current working directory
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8

      - name: Set up Ruby
        uses: ruby/setup-ruby@f2f42b7848feff522ffa488a5236ba0a73bccbdd # v1.219.0
        with:
          ruby-version: "3.3"
          bundler-cache: false

      - name: Clone rubygems HEAD
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          repository: rubygems/rubygems
          persist-credentials: false
          fetch-depth: 0
          ref: a5412d9a0e358893e20ac69a4c6c0c2bac59d888
          path: rubygems

      - name: Install rubygems HEAD
        run: ruby setup.rb
        working-directory: rubygems

      - name: Configure RubyGems credentials
        uses: rubygems/configure-rubygems-credentials@f456a002d58f0de60b44383d10ae82316b18a166 # main
        with:
          trusted-publisher: true

      - name: publish
        run: |
          gem push "built-packages/$(basename $BUILT_GEM)" --attestation "smoketest-artifacts/$(basename $BUILT_GEM).sigstore.json"
        env:
          BUILT_GEM: ${{ matrix.built-gem }}

  release-github:
    needs: [build, generate-provenance]
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload release assets.
      contents: write
    steps:
      - name: Download artifacts directories # goes to current working directory
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8

      - name: Upload artifacts to github
        # Confusingly, this action also supports updating releases, not
        # just creating them. This is what we want here, since we've manually
        # created the release that triggered the action.
        uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
        with:
          # smoketest-artifacts/ contains the signatures and certificates.
          files: |
            built-packages/*
            smoketest-artifacts/*