Skip to content

docs: Improve the security of the example actions config in the README.#414

Merged
hsbt merged 2 commits into
rubygems:mainfrom
connorshea:main
Jun 15, 2026
Merged

docs: Improve the security of the example actions config in the README.#414
hsbt merged 2 commits into
rubygems:mainfrom
connorshea:main

Conversation

@connorshea

Copy link
Copy Markdown
Contributor

This PR updates the configuration example in the README with various security improvements:

  • Recommend using SHA hashes for action versions
  • Update the example workflow to use newer versions of the given actions.
  • Disable the bundler-cache in the example release workflow, to avoid any chance of cache poisoning attacks like those that have impacted various npm projects.
  • Bump Ruby to latest 4.x.
  • Ensure that the on: push trigger only triggers on tags, to avoid accidentally pushing a gem on every push to any branch in the repository.

This resolves various zizmor warnings that would otherwise occur when using this example config, and will hopefully make new gem release workflows more secure by default.

@hsbt hsbt enabled auto-merge June 15, 2026 04:20
@hsbt hsbt force-pushed the main branch 2 times, most recently from 17476c0 to 37c473c Compare June 15, 2026 06:20
- Recommend using SHA hashes for action versions
- Update the example workflow to use latest versions of the actions.
- Disable the bundler-cache in the example release workflow to avoid any chance of cache poisoning attacks.
- Bump Ruby to latest 4.x
- Ensure that the `on: push` trigger only triggers on tags, to avoid accidentally pushing a gem on every push to any branch in the repository.

This resolves various zizmor warnings that otherwise occur when using this example config, and so will hopefully make new gem release workflows more secure by default.
Still don't cache them as that opens us up to cache poisoning, but do install them.
hsbt added a commit to connorshea/configure-rubygems-credentials that referenced this pull request Jun 15, 2026
check-dist.yml ignores '**.md', so a docs-only PR never triggers it and
the required `check-dist` status stays pending forever (e.g. rubygems#414). This
companion runs on the complementary '**.md' path filter with a job named
`check-dist`, reporting that required context as success.

When a PR touches both .md and non-.md files, the real check-dist and this
companion both produce a `check-dist` run. That is fine: GitHub fails the
required context if any run fails, so the real check-dist stays authoritative.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@hsbt hsbt merged commit c34e0ca into rubygems:main Jun 15, 2026
11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants