Merge pull request #24 from github/release-updates

Release Updates

.github/workflows/acceptance.yml

@@ -17,7 +17,7 @@ jobs:
       has_change: ${{ steps.diff.outputs.has_change}}
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - id: fetch-base
         if: github.event_name == 'pull_request'
@@ -61,8 +61,9 @@ jobs:
       contents: read
 
     steps:
-      - uses: ruby/setup-ruby@v1
+      - uses: ruby/setup-ruby@250fcd6a742febb1123a77a841497ccaa8b9e939 # pin@v1.152.0
         with:
+          bundler-cache: true
           ruby-version: ${{ matrix.ruby }}
 
       # If source files were not changed, we don't need the acceptance test suite
@@ -71,9 +72,9 @@ jobs:
         run: |
           echo "✅ Bypassing acceptance tests - they are not required for this change"
 
-      - name: Check out code
+      - name: checkout
         if: ${{ needs.changes.outputs.has_change == 'true' }}
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       # Use Docker layer caching for 'docker build' and 'docker-compose build' commands.
       # https://github.com/satackey/action-docker-layer-caching/releases/tag/v0.0.11

.github/workflows/build.yml

@@ -0,0 +1,41 @@
+name: build
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: build
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: checkout
+        uses: actions/checkout@v3
+
+      - uses: ruby/setup-ruby@250fcd6a742febb1123a77a841497ccaa8b9e939 # pin@v1.152.0
+        with:
+          bundler-cache: true
+
+      - name: bootstrap
+        run: script/bootstrap
+
+      - name: build
+        run: |
+          GEM_NAME=$(ls | grep gemspec | cut -d. -f1)
+          echo "Attempting to build gem $GEM_NAME..."
+          gem build $GEM_NAME
+          if [ $? -eq 0 ]; then
+            echo "Gem built successfully!"
+          else
+            echo "Gem build failed!"
+            exit 1
+          fi

.github/workflows/codeql-analysis.yml

@@ -1,4 +1,4 @@
-name: "CodeQL"
+name: CodeQL
 
 on:
   push:
@@ -24,8 +24,8 @@ jobs:
         language: [ 'ruby' ]
 
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v2
+    - name: checkout
+      uses: actions/checkout@v3
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/lint.yml

@@ -17,11 +17,12 @@ jobs:
       contents: read
 
     steps:
-      - name: Check out code
-        uses: actions/checkout@v2
+      - name: checkout
+        uses: actions/checkout@v3
 
-      - uses: ruby/setup-ruby@v1
+      - uses: ruby/setup-ruby@250fcd6a742febb1123a77a841497ccaa8b9e939 # pin@v1.152.0
         with:
           ruby-version: ${{ matrix.ruby }}
           bundler-cache: true
+
       - run: bundle exec rubocop -c .rubocop.yml lib/ spec/

.github/workflows/release.yml

@@ -0,0 +1,61 @@
+name: release
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - lib/version.rb
+
+permissions:
+  contents: write
+  packages: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: checkout
+        uses: actions/checkout@v3
+
+      - uses: ruby/setup-ruby@250fcd6a742febb1123a77a841497ccaa8b9e939 # pin@v1.152.0
+        with:
+          bundler-cache: true
+
+      - name: bootstrap
+        run: script/bootstrap
+
+      - name: lint
+        run: bundle exec rubocop -c .rubocop.yml lib/ spec/
+
+      - name: test
+        run: script/test
+
+      - name: set GEM_NAME from gemspec
+        run: echo "GEM_NAME=$(ls | grep gemspec | cut -d. -f1)" >> $GITHUB_ENV
+
+        # builds the gem and saves the version to GITHUB_ENV
+      - name: build
+        run: echo "GEM_VERSION=$(gem build ${{ env.GEM_NAME }}.gemspec 2>&1 | grep Version | cut -d':' -f 2 | tr -d " \t\n\r")" >> $GITHUB_ENV
+
+      - name: publish to GitHub packages
+        run: |
+          export OWNER=$( echo ${{ github.repository }} | cut -d "/" -f 1 )
+          GEM_HOST_API_KEY=${{ secrets.GITHUB_TOKEN }} gem push --KEY github --host https://rubygems.pkg.github.com/${OWNER} ${{ env.GEM_NAME }}-${{ env.GEM_VERSION }}.gem
+
+      - name: release
+        uses: ncipollo/release-action@a2e71bdd4e7dab70ca26a852f29600c98b33153e # pin@v1.12.0
+        with:
+          artifacts: "${{ env.GEM_NAME }}-${{ env.GEM_VERSION }}.gem"
+          tag: "v${{ env.GEM_VERSION }}"
+          generateReleaseNotes: true
+      
+      - name: Publish to RubyGems
+        run: |
+          mkdir -p ~/.gem
+          echo -e "---\n:rubygems_api_key: ${{ secrets.RUBYGEMS_API_KEY }}" > ~/.gem/credentials
+          chmod 0600 ~/.gem/credentials
+          gem push ${{ env.GEM_NAME }}-${{ env.GEM_VERSION }}.gem
+          rm ~/.gem/credentials

.github/workflows/test.yml

@@ -17,11 +17,12 @@ jobs:
       contents: read
 
     steps:
-      - name: Check out code
-        uses: actions/checkout@v2
+      - name: checkout
+        uses: actions/checkout@v3
 
-      - uses: ruby/setup-ruby@v1
+      - uses: ruby/setup-ruby@250fcd6a742febb1123a77a841497ccaa8b9e939 # pin@v1.152.0
         with:
           ruby-version: ${{ matrix.ruby }}
           bundler-cache: true
+
       - run: script/test -d

.rubocop.yml

@@ -3,10 +3,12 @@ inherit_gem:
     - config/default.yml
 
 AllCops:
+  SuggestExtensions: false
   DisplayCopNames: true
   TargetRubyVersion: 3.1.2
   Exclude:
     - 'bin/*'
+    - 'vendor/**/*'
     - 'spec/acceptance/fixtures/**/*'
     - 'spec/unit/fixtures/**/*'
     - 'vendor/gems/**/*'

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    entitlements-app (0.2.1)
+    entitlements-app (0.3.0)
       concurrent-ruby (= 1.1.9)
       faraday (~> 2.0)
       net-ldap (~> 0.17)
@@ -11,50 +11,52 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (7.0.3.1)
+    activesupport (7.0.7.2)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
       tzinfo (~> 2.0)
-    addressable (2.8.1)
+    addressable (2.8.5)
       public_suffix (>= 2.0.2, < 6.0)
     ast (2.4.2)
     concurrent-ruby (1.1.9)
     crack (0.4.5)
       rexml
-    debug (1.6.2)
-      irb (>= 1.3.6)
+    debug (1.8.0)
+      irb (>= 1.5.0)
       reline (>= 0.3.1)
     diff-lcs (1.5.0)
     docile (1.4.0)
-    faraday (2.7.4)
+    faraday (2.7.10)
       faraday-net_http (>= 2.0, < 3.1)
       ruby2_keywords (>= 0.0.4)
     faraday-net_http (3.0.2)
     hashdiff (1.0.1)
-    i18n (1.12.0)
+    i18n (1.14.1)
       concurrent-ruby (~> 1.0)
-    io-console (0.5.11)
-    irb (1.4.1)
-      reline (>= 0.3.0)
-    json (2.6.2)
-    minitest (5.16.3)
-    net-ldap (0.17.1)
+    io-console (0.6.0)
+    irb (1.7.4)
+      reline (>= 0.3.6)
+    json (2.6.3)
+    minitest (5.19.0)
+    net-ldap (0.18.0)
     octokit (4.25.1)
       faraday (>= 1, < 3)
       sawyer (~> 0.9)
     optimist (3.0.0)
-    parallel (1.22.1)
-    parser (3.1.2.1)
+    parallel (1.23.0)
+    parser (3.2.2.3)
       ast (~> 2.4.1)
-    public_suffix (5.0.0)
-    rack (2.2.4)
+      racc
+    public_suffix (5.0.3)
+    racc (1.7.1)
+    rack (3.0.8)
     rainbow (3.1.1)
     rake (13.0.6)
-    regexp_parser (2.5.0)
-    reline (0.3.1)
+    regexp_parser (2.8.1)
+    reline (0.3.8)
       io-console (~> 0.5)
-    rexml (3.2.5)
+    rexml (3.2.6)
     rspec (3.8.0)
       rspec-core (~> 3.8.0)
       rspec-expectations (~> 3.8.0)
@@ -77,8 +79,8 @@ GEM
       rubocop-ast (>= 1.17.0, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 3.0)
-    rubocop-ast (1.21.0)
-      parser (>= 3.1.1.0)
+    rubocop-ast (1.29.0)
+      parser (>= 3.2.1.0)
     rubocop-github (0.17.0)
       rubocop
       rubocop-performance
@@ -90,7 +92,7 @@ GEM
       activesupport (>= 4.2.0)
       rack (>= 1.1)
       rubocop (>= 1.7.0, < 2.0)
-    ruby-progressbar (1.11.0)
+    ruby-progressbar (1.13.0)
     ruby2_keywords (0.0.5)
     rugged (0.27.5)
     sawyer (0.9.2)
@@ -103,9 +105,9 @@ GEM
     simplecov-erb (1.0.1)
       simplecov (< 1.0)
     simplecov-html (0.10.2)
-    tzinfo (2.0.5)
+    tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    unicode-display_width (2.2.0)
+    unicode-display_width (2.4.2)
     vcr (4.0.0)
     webmock (3.4.2)
       addressable (>= 2.3.6)

README.md

@@ -1,6 +1,6 @@
 # entitlements-app
 
-[![acceptance](https://github.com/github/entitlements-app/actions/workflows/acceptance.yml/badge.svg)](https://github.com/github/entitlements-app/actions/workflows/acceptance.yml) [![test](https://github.com/github/entitlements-app/actions/workflows/test.yml/badge.svg)](https://github.com/github/entitlements-app/actions/workflows/test.yml) [![lint](https://github.com/github/entitlements-app/actions/workflows/lint.yml/badge.svg)](https://github.com/github/entitlements-app/actions/workflows/lint.yml) [![coverage](https://img.shields.io/badge/coverage-100%25-success)](https://img.shields.io/badge/coverage-100%25-success) [![style](https://img.shields.io/badge/code%20style-rubocop--github-blue)](https://github.com/github/rubocop-github)
+[![acceptance](https://github.com/github/entitlements-app/actions/workflows/acceptance.yml/badge.svg)](https://github.com/github/entitlements-app/actions/workflows/acceptance.yml) [![test](https://github.com/github/entitlements-app/actions/workflows/test.yml/badge.svg)](https://github.com/github/entitlements-app/actions/workflows/test.yml) [![lint](https://github.com/github/entitlements-app/actions/workflows/lint.yml/badge.svg)](https://github.com/github/entitlements-app/actions/workflows/lint.yml) [![build](https://github.com/github/entitlements-app/actions/workflows/build.yml/badge.svg)](https://github.com/github/entitlements-app/actions/workflows/build.yml) [![release](https://github.com/github/entitlements-app/actions/workflows/release.yml/badge.svg)](https://github.com/github/entitlements-app/actions/workflows/release.yml) [![codeql](https://github.com/github/entitlements-app/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/github/entitlements-app/actions/workflows/codeql-analysis.yml) [![coverage](https://img.shields.io/badge/coverage-100%25-success)](https://img.shields.io/badge/coverage-100%25-success) [![style](https://img.shields.io/badge/code%20style-rubocop--github-blue)](https://github.com/github/rubocop-github)
 
 `entitlements-app` is a Ruby gem which provides git-managed LDAP group configuration and access provisioning to your declared resources. It powers Entitlements, GitHub's internal Identity and Access Management (IAM) system. Entitlements is a pluggable system designed to alleviate IAM pain points.
 
@@ -8,11 +8,11 @@
 
 See [getting started](docs/getting-started.md) for quick start, and [entitlements-config](https://github.com/github/entitlements-config) for example configuration.
 
-# Inputs
+## Inputs
 
 Entitlements currently supports a single input option of configuration files in the form of `.txt`, `.rb` and `.yaml`.
 
-## Git-managed config
+### Git-managed config
 
 Entitlements receives input from configuration files. By using git to back the config files, every file has a complete and visible audit trail.
 
@@ -48,15 +48,15 @@ For examples on filters, see [filters](docs/filters.md)
 
 There is an example configuration repo [here](https://github.com/github/entitlements-config)
 
-# Outputs
+## Outputs
 
-## LDAP
+### LDAP
 
 Out of the box, Entitlements will output your sets to LDAP.
 
 See the [OpenLDAP documentation](https://www.openldap.org/doc/) for more on LDAP.
 
-# Plugins
+## Plugins
 
 Entitlements is a pluggable system. Plugins can be built for additional inputs and outputs.
 
@@ -69,3 +69,13 @@ Please see [CONTRIBUTING](CONTRIBUTING.md) for details.
 ## Security
 
 We take security very seriously. Please see [SECURITY](SECURITY.md) for details on how to proceed if you find a security issue.
+
+## Release 🚀
+
+To release a new version of this Gem, do the following:
+
+1. Update the version number in the [`lib/version.rb`](lib/version.rb) file
+2. Run `bundle install` to update the `Gemfile.lock` file with the new version
+3. Commit your changes, push them to GitHub, and open a PR
+
+Once your PR is approved and the changes are merged, a new release will be created automatically by the [`release.yml`](.github/workflows/release.yml) workflow. The latest version of the Gem will be published to the GitHub Package Registry and RubyGems.

VERSION

@@ -1 +0,0 @@
-0.2.1

entitlements-app.gemspec

@@ -1,14 +1,16 @@
 # frozen_string_literal: true
 
+require_relative "lib/version"
+
 Gem::Specification.new do |s|
-  s.name = ENV['GEM_NAME'] ? ENV['GEM_NAME'] : 'entitlements-app'
-  s.version = File.read("VERSION").chomp
+  s.name = ENV["GEM_NAME"] ? ENV["GEM_NAME"] : "entitlements-app"
+  s.version = Entitlements::Version::VERSION
   s.summary = "git-managed LDAP group configurations"
   s.description = "The Ruby Gem that Powers Entitlements - GitHub's Identity and Access Management System"
   s.authors = ["GitHub, Inc. Security Ops"]
   s.email = "opensource+entitlements-app@github.com"
   s.license = "MIT"
-  s.files = Dir.glob("lib/**/*") + %w[bin/deploy-entitlements VERSION]
+  s.files = Dir.glob("lib/**/*") + %w[bin/deploy-entitlements]
   s.homepage = "https://github.com/github/entitlements-app"
   s.executables = %w[deploy-entitlements]
 

lib/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Entitlements
+  module Version
+    VERSION = "0.3.0"
+  end
+end

script/release

@@ -1,42 +0,0 @@
-#!/bin/bash
-# Tag and push a release.
-
-set -e
-set -x
-
-# Make sure we're in the project root.
-
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && cd .. && pwd )"
-cd ${DIR}
-
-# Build a new gem archive.
-rm -rf entitlements-*.gem
-
-GEM_NAME='entitlements' gem build -q entitlements-app.gemspec
-gem build -q entitlements-app.gemspec
-
-# Make sure we're on the main branch.
-
-(git branch --no-color | grep -q '* main') || {
-  echo "Only release from the main branch."
-  exit 1
-}
-
-# Figure out what version we're releasing.
-
-tag=v`ls entitlements-app-*.gem | sed 's/^entitlements-app-\(.*\)\.gem$/\1/'`
-
-# Make sure we haven't released this version before.
-
-git fetch -t origin
-
-(git tag -l | grep -q "$tag") && {
-  echo "Whoops, there's already a '${tag}' tag."
-  exit 1
-}
-
-# Tag it and bag it.
-
-gem push entitlements-app-*.gem && rm -f entitlements-app-*.gem
-gem push entitlements-*.gem && rm -f entitlements-*.gem
-git tag "$tag" &&  git push origin main &&  git push origin "$tag"

spec/acceptance/Dockerfile.entitlements-app

@@ -22,7 +22,8 @@ RUN gem install bundler
 # Bootstrap files and caching for speed
 COPY "vendor/cache/" "/data/entitlements-app/vendor/cache/"
 COPY "script/" "/data/entitlements-app/script/"
-COPY [".rubocop.yml", ".ruby-version", "entitlements-app.gemspec", "Gemfile", "Gemfile.lock", "VERSION", "/data/entitlements-app/"]
+COPY [".rubocop.yml", ".ruby-version", "entitlements-app.gemspec", "Gemfile", "Gemfile.lock", "/data/entitlements-app/"]
+COPY "lib/version.rb" "/data/entitlements/lib/version.rb"
 
 # Source Files
 COPY "bin/" "/data/entitlements-app/bin/"

spec/acceptance/Dockerfile.entitlements-app-ruby2

@@ -17,7 +17,8 @@ RUN gem install bundler
 # Bootstrap files and caching for speed
 COPY "vendor/cache/" "/data/entitlements-app/vendor/cache/"
 COPY "script/" "/data/entitlements-app/script/"
-COPY [".rubocop.yml", ".ruby-version", "entitlements-app.gemspec", "Gemfile", "Gemfile.lock", "VERSION", "/data/entitlements-app/"]
+COPY [".rubocop.yml", ".ruby-version", "entitlements-app.gemspec", "Gemfile", "Gemfile.lock", "/data/entitlements-app/"]
+COPY "lib/version.rb" "/data/entitlements/lib/version.rb"
 
 # Source Files
 COPY "bin/" "/data/entitlements-app/bin/"