Commit 644ef7b

chore(ruby): [NO-TICKET] Fix signing of libdatadog Ruby releases (#1470)
**What does this PR do?**

This PR updates the Ruby "release-gem" library we use for publishing Ruby releases via GitHub actions (see #1070 for details), so as to solve this issue (from https://github.com/DataDog/libdatadog/actions/runs/21279887010/job/61247081910):

```
/home/runner/work/_actions/rubygems/release-gem/a25424ba2ba8b387abc8ef40807c2c85b96cbe32/rubygems-attestation-patch.rb:46:in 'attest!': Failed to sign gem: (Gem::Exception)
Unsupported key type PKIX_ED25519 (Sigstore::Error::UnsupportedKeyType)
  from /home/runner/work/_actions/rubygems/release-gem/a25424ba2ba8b387abc8ef40807c2c85b96cbe32/rubygems-attestation-patch.rb:21:in 'send_push_request_with_attestation'
  from /home/runner/work/_actions/rubygems/release-gem/a25424ba2ba8b387abc8ef40807c2c85b96cbe32/rubygems-attestation-patch.rb:13:in 'send_push_request'
  from /opt/hostedtoolcache/Ruby/3.4.3/x64/lib/ruby/3.4.0/rubygems/commands/push_command.rb:87:in 'Gem::Commands::PushCommand#send_gem'
  from /opt/hostedtoolcache/Ruby/3.4.3/x64/lib/ruby/3.4.0/rubygems/commands/push_command.rb:72:in 'Gem::Commands::PushCommand#execute'
  from /opt/hostedtoolcache/Ruby/3.4.3/x64/lib/ruby/3.4.0/rubygems/command.rb:326:in 'Gem::Command#invoke_with_build_args'
  from /opt/hostedtoolcache/Ruby/3.4.3/x64/lib/ruby/3.4.0/rubygems/command_manager.rb:253:in 'Gem::CommandManager#invoke_command'
  from /opt/hostedtoolcache/Ruby/3.4.3/x64/lib/ruby/3.4.0/rubygems/command_manager.rb:194:in 'Gem::CommandManager#process_args'
  from /opt/hostedtoolcache/Ruby/3.4.3/x64/lib/ruby/3.4.0/rubygems/command_manager.rb:152:in 'Gem::CommandManager#run'
  from /opt/hostedtoolcache/Ruby/3.4.3/x64/lib/ruby/3.4.0/rubygems/gem_runner.rb:57:in 'Gem::GemRunner#run'
  from /opt/hostedtoolcache/Ruby/3.4.3/x64/bin/gem:12:in '<main>'
```

The upstream issue for this is rubygems/release-gem#24 and the fixed release changelog https://github.com/rubygems/release-gem/releases/tag/v1.1.2 .

**Motivation:**

[Trusted publishing](https://guides.rubygems.org/trusted-publishing/) allows our libdatadog Ruby releases to get signed and that shows up on rubygems.org as a "Provenance" section at the bottom of the gem info page that customers can use to validate that a release really did come from us: <https://rubygems.org/gems/libdatadog/versions/22.0.1.1.0-x86_64-linux>.

**Additional Notes:**

I've also gone ahead and updated the allow-list in https://github.com/DataDog/libdatadog/settings/actions with the new hash.

This had actually been failing for a while, but since it doesn't prevent releases we had not looked into it yet.

**How to test the change?**

We'll only be able to know for sure if this is fixed once we do the next libdatadog Ruby release, but worst case we can revert to the older v1.1.1 so this is very low-risk.

Merge branch 'main' into ivoanjo/fix-ruby-attestations

Co-authored-by: ivo.anjo <ivo.anjo@datadoghq.com>
1 parent f131aaa commit 644ef7b

1 file changed

Lines changed: 1 addition & 1 deletion

.github/workflows/publish-ruby.yml

@@ -24,4 +24,4 @@ jobs:
2424
bundler-cache: true
2525
- name: Install dependencies
2626
run: bundle install
27-
- uses: rubygems/release-gem@a25424ba2ba8b387abc8ef40807c2c85b96cbe32 # v1.1.1
27+
- uses: rubygems/release-gem@1c162a739e8b4cb21a676e97b087e8268d8fc40b # v1.1.2
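
Review bot: On the changed `uses:` line, the trailing `# v1.1.2` comment is the only thing tying the full commit SHA to the release it claims to be, and nothing in the workflow checks that mapping. Before merging, confirm that 1c162a739e8b4cb21a676e97b087e8268d8fc40b is the commit the v1.1.2 tag of rubygems/release-gem points to, since the commit message says the same hash was added to the Actions allow-list. Keeping the full-SHA pin rather than a tag reference is the right choice for the step that publishes and signs the gem. The commit message also notes that the signing failure did not block releases and went unexamined for a while, so it would be worth having a missing attestation fail the job or raise an alert, so that an unsigned release is noticed at publish time. Separately, in the unchanged context, `bundle install` runs right after `bundler-cache: true`, which looks redundant and could be dropped in a follow-up.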
