Commit 644ef7b
authored
chore(ruby): [NO-TICKET] Fix signing of libdatadog Ruby releases (#1470)
chore(ruby): [NO-TICKET] Fix signing of libdatadog Ruby releases
**What does this PR do?**
This PR updates the Ruby "release-gem" library we use for publishing
Ruby releases via GitHub actions (see #1070) for details, so as to solve
this issue (from
https://github.com/DataDog/libdatadog/actions/runs/21279887010/job/61247081910):
```
/home/runner/work/_actions/rubygems/release-gem/a25424ba2ba8b387abc8ef40807c2c85b96cbe32/rubygems-attestation-patch.rb:46:in 'attest!': Failed to sign gem: (Gem::Exception)
Unsupported key type PKIX_ED25519 (Sigstore::Error::UnsupportedKeyType)
from /home/runner/work/_actions/rubygems/release-gem/a25424ba2ba8b387abc8ef40807c2c85b96cbe32/rubygems-attestation-patch.rb:21:in 'send_push_request_with_attestation'
from /home/runner/work/_actions/rubygems/release-gem/a25424ba2ba8b387abc8ef40807c2c85b96cbe32/rubygems-attestation-patch.rb:13:in 'send_push_request'
from /opt/hostedtoolcache/Ruby/3.4.3/x64/lib/ruby/3.4.0/rubygems/commands/push_command.rb:87:in 'Gem::Commands::PushCommand#send_gem'
from /opt/hostedtoolcache/Ruby/3.4.3/x64/lib/ruby/3.4.0/rubygems/commands/push_command.rb:72:in 'Gem::Commands::PushCommand#execute'
from /opt/hostedtoolcache/Ruby/3.4.3/x64/lib/ruby/3.4.0/rubygems/command.rb:326:in 'Gem::Command#invoke_with_build_args'
from /opt/hostedtoolcache/Ruby/3.4.3/x64/lib/ruby/3.4.0/rubygems/command_manager.rb:253:in 'Gem::CommandManager#invoke_command'
from /opt/hostedtoolcache/Ruby/3.4.3/x64/lib/ruby/3.4.0/rubygems/command_manager.rb:194:in 'Gem::CommandManager#process_args'
from /opt/hostedtoolcache/Ruby/3.4.3/x64/lib/ruby/3.4.0/rubygems/command_manager.rb:152:in 'Gem::CommandManager#run'
from /opt/hostedtoolcache/Ruby/3.4.3/x64/lib/ruby/3.4.0/rubygems/gem_runner.rb:57:in 'Gem::GemRunner#run'
from /opt/hostedtoolcache/Ruby/3.4.3/x64/bin/gem:12:in '<main>'
```
The upstream issue for this is
rubygems/release-gem#24 and the
fixed release changelog
https://github.com/rubygems/release-gem/releases/tag/v1.1.2 .
**Motivation:**
[Trusted publishing](https://guides.rubygems.org/trusted-publishing/)
allows our libdatadog Ruby releases to get signed and that shows up
on rubygems.org as a "Provenance" section at the bottom of the gem
info page that customers can use to validate that a release really did
come from us:
<https://rubygems.org/gems/libdatadog/versions/22.0.1.1.0-x86_64-linux>.
**Additional Notes:**
I've also gone ahead and updated the allow-list in
https://github.com/DataDog/libdatadog/settings/actions with the new
hash.
This had actually been failing for a while, but since it doesn't
prevent releases we had not looked into it yet.
**How to test the change?**
We'll only be able to know for sure if this is fixed once we do the
next libdatadog Ruby release, but worst case we can revert to the
older v1.1.1 so this is very low-risk.
Merge branch 'main' into ivoanjo/fix-ruby-attestations
Co-authored-by: ivo.anjo <ivo.anjo@datadoghq.com>1 parent f131aaa commit 644ef7b
1 file changed
Lines changed: 1 addition & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
24 | 24 | | |
25 | 25 | | |
26 | 26 | | |
27 | | - | |
| 27 | + | |
0 commit comments