Fix release workflow to use OIDC credentials directly

[workos-sdk-automation]

Summary

• Replace rubygems/release-gem with manual build and push
• Use rubygems/configure-rubygems-credentials for OIDC authentication
• Run rake build instead of rake release to avoid git operations

Problem

The rubygems/release-gem action runs bundle exec rake release, which includes release:source_control_push that tries to push git tags. The publish job only has contents: read permission, causing the workflow to fail with:

remote: Permission to workos/workos-ruby.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/workos/workos-ruby/': The requested URL returned error: 403

The previous fix attempted to use a gem-push-command input, but that input doesn't exist in the rubygems/release-gem action.

Solution

Use rubygems/configure-rubygems-credentials to set up OIDC auth, then manually:

1. bundle exec rake build - builds the gem without git operations
2. gem push - pushes to RubyGems

Test plan

• Verify CI passes
• Trigger a release to confirm the workflow completes successfully

🤖 Generated with Claude Code

[greptile-apps]

Greptile Overview

Greptile Summary

This PR fixes the release workflow by replacing the rubygems/release-gem action with a manual gem build and publish process using OIDC authentication. The previous approach failed because rake release attempted git operations that required write permissions not available in the publish job.

Key Changes

• Added version output to create-release job to pass version information to the publish job
• Integrated rubygems/configure-rubygems-credentials action for OIDC-based authentication
• Replaced automated rubygems/release-gem with manual bundle exec rake build and gem push commands

Analysis

The solution properly separates concerns: git operations run in the create-release job with contents: write permission, while gem publishing runs in the publish job with id-token: write permission. The manual gem push approach avoids the git permission issues that caused previous workflow failures.

Confidence Score: 4/5

• This PR is safe to merge with minimal risk
• The changes properly fix the permission issue by separating git operations from gem publishing. The OIDC authentication approach is secure and the manual build/push commands are straightforward. One minor style concern is using @main instead of a pinned version for the credentials action.
• No files require special attention beyond the suggested version pinning improvement

Important Files Changed

Filename	Overview
.github/workflows/release.yml	Replaced rubygems/release-gem action with manual build and OIDC-based gem push, avoiding git permission issues

Sequence Diagram

sequenceDiagram
    participant PR as Pull Request
    participant CRJ as create-release Job
    participant GH as GitHub API
    participant PJ as publish Job
    participant OIDC as RubyGems OIDC
    participant RG as RubyGems

    PR->>CRJ: PR merged with version-bump label
    CRJ->>CRJ: Generate GitHub App token
    CRJ->>CRJ: Checkout repository
    CRJ->>CRJ: Extract version from version.rb
    CRJ->>GH: Create GitHub release with tag
    CRJ->>PJ: Pass version output
    
    PJ->>OIDC: Configure credentials (role-to-assume)
    OIDC-->>PJ: OIDC authentication complete
    PJ->>PJ: Checkout repository
    PJ->>PJ: Setup Ruby 3.2
    PJ->>PJ: Run bundle exec rspec
    PJ->>PJ: Run bundle exec rake build
    PJ->>RG: gem push pkg/workos-{version}.gem
    RG-->>PJ: Gem published successfully

Loading

[greptile-apps]

_{1 file reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

Consider pinning rubygems/configure-rubygems-credentials to a specific version tag instead of @main to prevent unexpected changes

Suggested change

	- name: Configure RubyGems credentials
	uses: rubygems/configure-rubygems-credentials@main
	with:
	role-to-assume: rg_oidc_akr_fn8dx45asckvmsnd2kka
	- name: Configure RubyGems credentials
	uses: rubygems/configure-rubygems-credentials@v1
	with:
	role-to-assume: rg_oidc_akr_fn8dx45asckvmsnd2kka

Prompt To Fix With AI

This is a comment left during a code review.
Path: .github/workflows/release.yml
Line: 56:59

Comment:
Consider pinning `rubygems/configure-rubygems-credentials` to a specific version tag instead of `@main` to prevent unexpected changes

```suggestion
      - name: Configure RubyGems credentials
        uses: rubygems/configure-rubygems-credentials@v1
        with:
          role-to-assume: rg_oidc_akr_fn8dx45asckvmsnd2kka
```

How can I resolve this? If you propose a fix, please make it concise.