Conversation
@dosas Hey, could you give me a little more context on how we would use this and the advantages? I've been fine with just doing it locally so far and I'm also not sure how a workflow would work with 2FA, so would appreciate your help understanding the options. Thanks!

I shamelessly copied the workflow from https://github.com/theforeman/actions/blob/v0/.github/workflows/release-gem.yml. Sadly I have no GitHub project where I have admin rights, so I never configured these settings. @sbernhard I think you configured these settings once, maybe you can add some context here? I suppose when using a token there is usually no need for 2FA. The biggest advantage I see, as opposed to doing it manually locally, is automation (pushing a tag should then automatically trigger a release) and a single source of truth for gems, the CI.

I think since I have 2FA turned on this wouldn't work. Looking at their docs, it looks like in addition to the API token you need to set an OTP header: https://guides.rubygems.org/rubygems-org-api/. I don't think there is an easy way to do that here, unless I'm missing something. So maybe it's best for me to stick with the more manual process, where I can respond to the 2FA prompt inline. Do let me know if I'm missing something, as I don't want to disable 2FA.

@geemus I will see if I can change this PR to trusted publishing. Would this be an acceptable solution for you? In the meantime, could you publish a new version of https://github.com/fog/fog-ovirt?

@dosas I need to read up and think about trusted publishing a bit more to decide. I'm certainly happy to publish directly in the meantime, I'll try to do that presently.

I pushed a PR with version bump/etc, looks like fog-ovirt is set up to require reviews, so I'll wait for that and then try to get it all released soon.

@geemus Here is a nice RFC about trusted publishing using the voxpopuli template.

@dosas thanks again for the link, it took a while for me to find time to dig through it, but I read over it last weekend. It sounds great broadly, but I don't feel totally confident that I know what permissions I should set on the repository to keep the workflow safe. I think right now more people would have permission to execute that than there are people who have gem publishing permissions, for instance. I tried a little to see suggestions/best practices, but didn't have too much luck. Do you have any advice or sources for that I could check out?

If this gets merged, someone with admin rights needs to set the API key for RubyGems in the GitHub settings.
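A trusted-publishing variant of the release workflow discussed in this thread, added here as an illustration (it is not code from this PR or from theforeman/actions) of how the permissions question above can be narrowed: the job gets an OIDC token instead of a stored API key, so no secret and no OTP header are involved, and a protected environment decides who may approve a publish. It assumes a GitHub environment named `release` configured with required reviewers, release tags of the form `v*`, and the rubygems/release-gem action.

```yaml
# Added example: trusted publishing (OIDC) instead of a long-lived RubyGems
# API key, so nothing secret lives in repository settings and CI never has
# to answer a 2FA/OTP prompt.
name: Release gem

on:
  push:
    tags:
      - "v*"          # assumption: releases are tagged like v1.2.3

# Default for every job in this workflow: read-only.
permissions:
  contents: read

jobs:
  release:
    runs-on: ubuntu-latest
    # Assumption: a GitHub environment named "release" exists and has
    # required reviewers. Pushing a tag then only queues the job; one of
    # the listed reviewers must approve it before any step runs, which is
    # what limits "who can publish" to the reviewer list rather than to
    # everyone who can push a tag.
    environment: release
    permissions:
      contents: write   # release-gem needs this to create the GitHub release
      id-token: write   # lets the job mint the OIDC token rubygems.org verifies
    steps:
      - uses: actions/checkout@v4
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: ruby
          bundler-cache: true
      # Builds and pushes the gem using the OIDC token. rubygems.org must be
      # configured (gem -> Trusted publishers) to trust this repository, this
      # workflow file name and the "release" environment; a token from any
      # other repo, workflow or environment is rejected.
      - uses: rubygems/release-gem@v1
```

A tag protection rule or ruleset restricting who may create `v*` tags further shrinks the set of people able to even queue the job.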