fee11a7 to 6b691b3
Added on RubyGems Trusted Publishers
Switch to using the shared gem release flow from reissue for trusted publishing to RubyGems.org. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
6b691b3 to 3e5f880
| uses: SOFware/reissue/.github/workflows/shared-ruby-gem-release.yml@main | ||
| with: | ||
| git_user_email: 'gems@sofwarellc.com' | ||
| git_user_name: 'SOFware' | ||
| ruby_version: '3.4' |
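Review bot: the shared workflow is referenced at the mutable ref `@main` (uses: SOFware/reissue/.github/workflows/shared-ruby-gem-release.yml@main), so anyone who can push to that branch of SOFware/reissue changes what this release job runs, including how the trusted-publishing token is used; pin to a full commit SHA (or at minimum a release tag) and bump it deliberately. The job also declares no `permissions:` block, so the GITHUB_TOKEN inherits the repository defaults; state the minimum the shared flow needs at the job level.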
Check warning
Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, about 2 months ago)
In general, the fix is to explicitly specify a permissions block for the workflow or for the release job so the GITHUB_TOKEN is not implicitly granted broad repository defaults. Since this workflow only delegates to a reusable workflow via uses:, the safest, non‑breaking approach is to define minimal permissions at the job level, letting the reusable workflow request any additional fine-grained permissions it truly needs (if it does so). As a conservative baseline consistent with GitHub’s recommendations, we can grant read-only access to repository contents (and nothing else) in this caller workflow.
Concretely, in .github/workflows/release.yml, within the jobs: section, add a permissions: block under the release job (i.e., at the same indentation level as uses:) with contents: read. This ensures that the release job’s GITHUB_TOKEN is limited unless the called workflow itself defines additional permissions. No imports or external methods are needed; this is a pure YAML configuration change. The only lines to change are around the release job definition, inserting the new permissions block without modifying the existing uses or with configuration.
| @@ -5,6 +5,8 @@ | ||
|
|
||
| jobs: | ||
| release: | ||
| permissions: | ||
| contents: read | ||
| uses: SOFware/reissue/.github/workflows/shared-ruby-gem-release.yml@main | ||
| with: | ||
| git_user_email: 'gems@sofwarellc.com' |
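Review bot: `contents: read` on its own is likely to break this release rather than harden it. A called reusable workflow can only narrow the GITHUB_TOKEN permissions the caller job grants, never widen them, so the shared flow cannot "request additional permissions it needs" on its own: trusted publishing to RubyGems.org requires `id-token: write` to mint the OIDC token, and the git_user_email/git_user_name inputs suggest the flow commits or tags, which needs `contents: write`. Declare those explicitly on the release job (still an explicit, minimal block that resolves the CodeQL finding) instead of read-only, and check them against the permissions declared in shared-ruby-gem-release.yml.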
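For reference, the caller workflow with an explicit job-level permissions block and a pinned shared-workflow ref, written here as an added example rather than the PR's own file or the reissue project's code. It assumes the shared flow needs `id-token: write` (RubyGems.org trusted publishing mints an OIDC token) and `contents: write` (the git_user_* inputs suggest it commits or tags); the commit SHA and the `v1.0.0` comment are placeholders, not real refs in SOFware/reissue.

```yaml
# .github/workflows/release.yml (added example, not the PR's file)
# Assumptions: the shared flow needs id-token: write and contents: write;
# the SHA below is a placeholder, not a real SOFware/reissue commit.

on:
  workflow_dispatch:

jobs:
  release:
    # Explicit job-level permissions. A called reusable workflow can only
    # narrow these, never widen them, so everything it needs is granted here
    # and nothing else is inherited from the repository defaults.
    permissions:
      contents: write   # version bump / tag push (assumed need of the shared flow)
      id-token: write   # OIDC token for RubyGems.org trusted publishing
    # Pinned to a full commit SHA instead of the mutable @main; the trailing
    # comment records the human-readable ref for reviewers and pin-update tooling.
    uses: SOFware/reissue/.github/workflows/shared-ruby-gem-release.yml@0123456789abcdef0123456789abcdef01234567 # v1.0.0 (placeholder)
    with:
      git_user_email: 'gems@sofwarellc.com'
      git_user_name: 'SOFware'
      ruby_version: '3.4'
```

Before adopting the block, confirm the permissions against those declared in shared-ruby-gem-release.yml itself: if the called workflow asks for `id-token: write` and the caller grants only `contents: read`, the job fails at the OIDC step rather than at YAML validation.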
Summary
Business Justification
Standardizes gem release process across SOFware repos using the shared reissue workflow, enabling automated trusted publishing to RubyGems.org via workflow_dispatch.
Technical Details
Adds .github/workflows/release.yml that calls SOFware/reissue/.github/workflows/shared-ruby-gem-release.yml@main