From 2c26c1b20a13cffa3d8a8e32dd91a42f3fb1fd95 Mon Sep 17 00:00:00 2001 From: Yash Saraf Date: Fri, 5 Jun 2026 19:33:57 +0530 Subject: [PATCH] CD: switch gem-push to RubyGems Trusted Publishing (OIDC) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit `gem push` fails since MFA was enabled on the RubyGems account — the API-key flow can't supply an OTP from a non-interactive runner. Trusted publishing is the supported replacement and is already configured on rubygems.org for this gem (pointed at this workflow file, no GitHub Environment binding). Changes: - Add `id-token: write` to job permissions (required for the GitHub OIDC token exchange). - Remove unused `packages: write` permission (was for GitHub Packages, never wired up). - Replace the manual credentials-file dance + `GEM_HOST_API_KEY` env var with `rubygems/configure-rubygems-credentials@v2.0.0` (same action `rubygems/release-gem@v1` calls internally — verified by reading its action.yml). Existing `gem build` + `gem push` then read credentials the action sets up. No new secrets. `RUBYGEMS_AUTH_TOKEN` becomes obsolete and should be deleted from repo Settings → Secrets after the first green dispatch. Tracks LOC-6563. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/gem-push.yml | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/.github/workflows/gem-push.yml b/.github/workflows/gem-push.yml index 255de86..ec9028e 100644 --- a/.github/workflows/gem-push.yml +++ b/.github/workflows/gem-push.yml @@ -8,7 +8,7 @@ jobs: runs-on: ubuntu-latest permissions: contents: read - packages: write + id-token: write steps: - uses: actions/checkout@v3 
@@ -17,13 +17,9 @@ jobs: with: ruby-version: 2.6.10 - - name: Publish to RubyGems + - uses: rubygems/configure-rubygems-credentials@v2.0.0 + - name: Build and push gem run: | - mkdir -p $HOME/.gem - touch $HOME/.gem/credentials - chmod 0600 $HOME/.gem/credentials - printf -- "---\n:rubygems_api_key: ${GEM_HOST_API_KEY}\n" > $HOME/.gem/credentials gem build *.gemspec gem push *.gem - env: - GEM_HOST_API_KEY: "${{secrets.RUBYGEMS_AUTH_TOKEN}}" + shell: bash
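Review bot: in the first hunk, granting `id-token: write` without an `environment:` on the job means any run of this workflow file in the repository can obtain an OIDC token that rubygems.org will accept for this gem, since the commit message states the trusted publisher has no GitHub Environment binding. Suggest adding a protected environment on the job (e.g. `environment: rubygems`, with required reviewers or a branch restriction) and binding the trusted publisher on rubygems.org to that environment name, so a `workflow_dispatch` from an arbitrary branch cannot publish. Dropping `packages: write` and keeping `contents: read` is the right least-privilege shape. While touching this file, the context line `- uses: actions/checkout@v3` is on the deprecated Node 16 action runtime; bump it to v4 or pin to a full commit SHA.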
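Review bot: in the second hunk, `rubygems/configure-rubygems-credentials@v2.0.0` is a mutable tag reference, and this is now the step that receives a publish-capable credential for the gem; pin it to the full commit SHA behind that tag (keeping the version in a trailing comment) so a moved or retagged release cannot change the code handling the token. The step also lost its label when `- name: Publish to RubyGems` was removed, so give the `uses:` step a `name:` for readable run logs. `shell: bash` is already the default for `run:` on `ubuntu-latest`, so it is harmless but redundant.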