Fix release workflow to use OIDC credentials directly

[gjtorikian]

Summary

• Replace rubygems/release-gem with manual build and push
• Use rubygems/configure-rubygems-credentials for OIDC authentication
• Run rake build instead of rake release to avoid git operations

Problem

The rubygems/release-gem action runs bundle exec rake release, which includes release:source_control_push that tries to push git tags. The publish job only has contents: read permission, causing the workflow to fail with:

remote: Permission to workos/workos-ruby.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/workos/workos-ruby/': The requested URL returned error: 403

The previous fix attempted to use a gem-push-command input, but that input doesn't exist in the rubygems/release-gem action.

Solution

Use rubygems/configure-rubygems-credentials to set up OIDC auth, then manually:

1. bundle exec rake build - builds the gem without git operations
2. gem push - pushes to RubyGems

Test plan

• Verify CI passes
• Trigger a release to confirm the workflow completes successfully

🤖 Generated with Claude Code

[greptile-apps]

Greptile Overview

Greptile Summary

Replaced the rubygems/release-gem action with manual gem build and push using OIDC authentication to resolve permission errors.

• Added version output to create-release job to pass version to publish job
• Configured RubyGems OIDC credentials using rubygems/configure-rubygems-credentials@main
• Replaced rubygems/release-gem action with manual rake build and gem push commands
• Avoided git operations by using rake build instead of rake release, preventing the 403 permission error

Confidence Score: 5/5

• This PR is safe to merge - it fixes a critical workflow issue with a well-designed solution
• The changes are minimal, focused, and directly address the permission issue. The solution uses OIDC authentication (more secure than tokens) and correctly passes the version between jobs. The workflow logic is sound.
• No files require special attention

Important Files Changed

Filename	Overview
.github/workflows/release.yml	Replaced rubygems/release-gem action with manual OIDC-authenticated build and push to avoid git permission issues

Sequence Diagram

sequenceDiagram
    participant PR as Pull Request (merged)
    participant GH as GitHub Actions
    participant CreateRelease as create-release job
    participant Publish as publish job
    participant RubyGems as RubyGems.org
    
    PR->>GH: Trigger on PR merge with version-bump label
    GH->>CreateRelease: Start job
    CreateRelease->>CreateRelease: Generate GitHub App token
    CreateRelease->>CreateRelease: Checkout code
    CreateRelease->>CreateRelease: Extract version from version.rb
    CreateRelease->>CreateRelease: Create GitHub release with tag
    CreateRelease->>Publish: Pass version via outputs
    
    GH->>Publish: Start job (needs create-release)
    Publish->>RubyGems: Configure OIDC credentials
    RubyGems->>Publish: Return authentication token
    Publish->>Publish: Checkout code
    Publish->>Publish: Setup Ruby 3.2 with bundler cache
    Publish->>Publish: Run RSpec tests
    Publish->>Publish: Run rake build (creates gem in pkg/)
    Publish->>RubyGems: Push gem using OIDC auth
    RubyGems->>Publish: Confirm publish success

Loading

[greptile-apps]

_{1 file reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}