This is an automated email from the ASF dual-hosted git repository.

xuanwo pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/opendal.git


The following commit(s) were added to refs/heads/main by this push:
     new e9c3ca8da ci: Add patch file to Ruby release workflow (#6592)
e9c3ca8da is described below

commit e9c3ca8da09ab28e8f72b061f44b3384c6ef962d
Author: Erick Guan <[email protected]>
AuthorDate: Tue Sep 30 15:55:33 2025 +0200

    ci: Add patch file to Ruby release workflow (#6592)
    
    Add patch file
---
 .github/workflows/release_ruby.yml | 57 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)

diff --git a/.github/workflows/release_ruby.yml 
b/.github/workflows/release_ruby.yml
index 16926ea28..aab851d09 100644
--- a/.github/workflows/release_ruby.yml
+++ b/.github/workflows/release_ruby.yml
@@ -191,6 +191,63 @@ jobs:
           EOF
           git config --local credential.helper 'cache --timeout=300'
 
+      # Patch file copied from
+      # 
https://github.com/rubygems/release-gem/blob/a25424ba2ba8b387abc8ef40807c2c85b96cbe32/rubygems-attestation-patch.rb
+      - name: Amend patch file
+        run: |
+          cat <<EOF >> rubygems-attestation-patch.rb
+          # frozen_string_literal: true
+
+          return if RUBY_ENGINE == "jruby"
+          return unless defined?(Gem)
+
+          require "rubygems/commands/push_command"
+
+          Gem::Commands::PushCommand.prepend(Module.new do
+            def send_push_request(name, args)
+              return super if options[:attestations]&.any? || @host != 
"https://rubygems.org";
+
+              begin
+                send_push_request_with_attestation(name, args)
+              rescue StandardError => e
+                alert_warning "Failed to push with attestation, retrying 
without attestation.\n#{e.full_message}"
+                super
+              end
+            end
+
+            def send_push_request_with_attestation(name, args)
+              attestation = attest!(name)
+              if options[:attestations]
+                options[:attestations] << attestation
+                send_push_request(name, args)
+              else
+                rubygems_api_request(*args, scope: get_push_scope) do |request|
+                  request.set_form([
+                                    ["gem", Gem.read_binary(name), { filename: 
name, content_type: "application/octet-stream" }],
+                                    ["attestations", 
"[#{Gem.read_binary(attestation)}]", { content_type: "application/json" }]
+                                  ], "multipart/form-data")
+                  request.add_field "Authorization", api_key
+                end
+              end
+            end
+
+            def attest!(name)
+              require "open3"
+              bundle = "#{name}.sigstore.json"
+              env = defined?(Bundler.unbundled_env) ? Bundler.unbundled_env : 
ENV.to_h
+              out, st = Open3.capture2e(
+                env,
+                Gem.ruby, "-S", "gem", "exec",
+                "sigstore-cli:0.2.1", "sign", name, "--bundle", bundle,
+                unsetenv_others: true
+              )
+              raise Gem::Exception, "Failed to sign gem:\n\n#{out}" unless 
st.success?
+
+              bundle
+            end
+          end)
+          EOF
+
       - name: Configure trusted publishing credentials
         uses: rubygems/[email protected]
 
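Review bot: The heredoc opened by `cat <<EOF >> rubygems-attestation-patch.rb` uses an unquoted delimiter and appends, so the shell still applies `$` and backtick expansion to the Ruby body, and an existing file of that name would be extended rather than replaced. Nothing in the current body triggers expansion, but a later sync from the upstream file could; unless appending is intended, `cat <<'EOF' > rubygems-attestation-patch.rb` writes the text verbatim and deterministically. Separately, the `rescue StandardError` branch in `send_push_request` falls back to `super`, so a signing failure produces only a warning and the gem is still published without an attestation. A comment on the step stating that this fail-open behaviour is accepted, or a later check that the `.sigstore.json` bundle was produced, would make that explicit. The step that loads this file into the `gem push` process is not visible in this hunk.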
