From 31e0eaba52f59876ce383c646a035069a0b119c0 Mon Sep 17 00:00:00 2001
From: Duncan Smith <duncan.smith@freeagent.com>
Date: Wed, 10 Jul 2024 10:45:47 +0100
Subject: [PATCH] Update release mechanism to use RubyGem Trusted OIDC flow

---
 .github/workflows/freeagent-gem.yml | 60 +++++++++--------------------
 1 file changed, 19 insertions(+), 41 deletions(-)

diff --git a/.github/workflows/freeagent-gem.yml b/.github/workflows/freeagent-gem.yml
index f33d26c..45a7cfe 100644
--- a/.github/workflows/freeagent-gem.yml
+++ b/.github/workflows/freeagent-gem.yml
@@ -1,58 +1,36 @@
-# Build, test and push gems to the FreeAgent registry.
-# https://github.com/orgs/fac/packages?ecosystem=rubygems
-# https://www.notion.so/freeagent/Internal-gems-5c8098501fcc48e4921be31aa9b4d495
 name: FreeAgent Gem
+
 on:
   push:
     branches: [master]
   pull_request:
 
 jobs:
-  # Install the bundle and run the gems test suite.
   tests:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v2
-    - uses: ruby/setup-ruby@v1 # .ruby-version
-      with:
-        bundler-cache: true # bundle install
+      - uses: actions/checkout@v4
+      - uses: ruby/setup-ruby@v1
+        with:
+          bundler-cache: true
 
-    - name: Test
-      run: bundle exec rake
+      - name: Test
+        run: bundle exec rake
 
-  # Builds that pass testing above, will trigger a build and push of the new
-  # gem version to the registry. If the version.rb has not been bumped since
-  # the last release, the push will no-op.
   release:
-    needs:   tests
+    needs: tests
+    if: github.ref == 'refs/heads/master'
     runs-on: ubuntu-latest
 
+    permissions:
+      id-token: write
+      contents: write
+
     steps:
-    - uses: fac/ruby-gem-setup-credentials-action@v2
-      with:
-        user: ""
-        key: rubygems
-        token: ${{ secrets.FAC_RUBYGEMS_KEY }}
-
-    # Build the gem package
-    - uses: actions/checkout@v2
-    - uses: ruby/setup-ruby@v1
-      with:
-        bundler-cache: true
-    - run: bundle exec rake build
-
-    # Release production gem version from default branch
-    - name: Release
-      if:   github.ref == 'refs/heads/master'
-      uses: fac/ruby-gem-push-action@v2
-      with:
-        key: rubygems
-
-    # PR branch builds will release pre-release gems
-    - name: Pre-Release
-      if:   github.ref != 'refs/heads/master'
-      uses: fac/ruby-gem-push-action@v2
-      with:
-        key: rubygems
-        pre-release: true
+      - uses: actions/checkout@v4
+      - uses: ruby/setup-ruby@v1
+        with:
+          bundler-cache: true
+
+      - uses: rubygems/release-gem@v1