Use gem-push-command to skip git push in release workflow

[workos-sdk-automation]

Summary

• Uses gem-push-command input for rubygems/release-gem@v1 to skip git operations

Problem

The release workflow failed because rake release tries to push tags to GitHub, but the publish job only has contents: read permission:

remote: Permission to workos/workos-ruby.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/workos/workos-ruby/': The requested URL returned error: 403

See: https://github.com/workos/workos-ruby/actions/runs/21636125105/job/62362010013

The create-release job already handles creating the GitHub release and tags, so the publish job only needs to push the gem to RubyGems.

Solution

Use bundle exec rake build release:rubygem_push which only builds the gem and pushes to RubyGems without attempting git operations.

Test plan

• Verify CI passes
• Trigger a release to confirm the workflow completes successfully

🤖 Generated with Claude Code

[greptile-apps]

Greptile Overview

Greptile Summary

This PR fixes the release workflow by configuring the rubygems/release-gem@v1 action to skip git operations that were failing due to insufficient permissions. The publish job only has contents: read permission (required for RubyGems OIDC), while git push operations require contents: write. Since the create-release job already handles GitHub release creation and tagging with appropriate permissions, the publish job only needs to build and push the gem to RubyGems.

Changes:

• Added gem-push-command: bundle exec rake build release:rubygem_push to the rubygems/release-gem@v1 action
• This uses bundler's gem tasks to build and push only to RubyGems without attempting git operations

Verification needed:

• Confirm that release:rubygem_push is a valid rake task provided by bundler/gem_tasks (the Rakefile includes this)
• Test the workflow in a real release to ensure the custom command works as expected

Confidence Score: 4/5

• This PR is safe to merge with minimal risk - it addresses a clear permissions issue with a targeted fix
• The change correctly addresses the documented permissions error by separating git operations from gem publishing. However, slight uncertainty remains about whether release:rubygem_push is the correct task name for bundler gem tasks, as this should be verified in a test release
• No files require special attention - the workflow change is straightforward

Important Files Changed

Filename	Overview
.github/workflows/release.yml	Added gem-push-command parameter to skip git operations and only push to RubyGems, addressing permissions issue

Sequence Diagram

sequenceDiagram
    participant PR as Pull Request (merged)
    participant CRJ as create-release Job
    participant GH as GitHub API
    participant PJ as publish Job
    participant RGA as rubygems/release-gem Action
    participant RG as RubyGems.org

    PR->>CRJ: Trigger (version-bump label)
    activate CRJ
    Note over CRJ: permissions: contents: write
    CRJ->>GH: Create GitHub Release & Tag
    GH-->>CRJ: Release created
    deactivate CRJ
    
    CRJ->>PJ: Job dependency satisfied
    activate PJ
    Note over PJ: permissions: contents: read
    PJ->>PJ: Checkout code
    PJ->>PJ: Run tests
    PJ->>RGA: Execute gem-push-command
    activate RGA
    RGA->>RGA: bundle exec rake build
    RGA->>RGA: bundle exec rake release:rubygem_push
    Note over RGA: Skips git operations
    RGA->>RG: Push gem to RubyGems
    RG-->>RGA: Gem published
    deactivate RGA
    deactivate PJ

Loading

[greptile-apps]

_{1 file reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}