Exchange a Buildkite OIDC token with Rubygems as a trusted provider, via an OIDC API Key Role, to securely push Rubygems from your Buildkite pipelines.
If the exchange is successful, a short-lived Rubygems API token will be exported to the `GEM_HOST_API_KEY` environment variable. The `gem` CLI tool will detect and use that variable automatically.
Basic usage, which requires the `gem` command to be available in the agent environment:

```yaml
steps:
  - label: ":rubygems: Build and push to Rubygems"
    plugins:
      - rubygems-oidc#v0.1.0:
          role: rg_oidc_akr_...
    # Globs are left unquoted so the shell expands them to the real file names.
    command: |
      gem build *.gemspec
      gem push *.gem
```
If the `gem` command is not available on the agents, this plugin can be combined with the `docker` plugin:

```yaml
steps:
  - label: ":rubygems: Build and push to Rubygems"
    plugins:
      - rubygems-oidc#v0.1.0:
          role: "rg_oidc_akr_..."
      - docker#v5.12.0:
          image: "ruby:slim"
          command: ["/bin/bash", "-c", "gem build *.gemspec && gem push *.gem"]
          # Pass the short-lived key exported by rubygems-oidc into the container.
          environment:
            - GEM_HOST_API_KEY
```
The OIDC API Key Role token provided by rubygems.org.
Example: `rg_oidc_akr_1a02be62783ebc2783ff`

The hostname to use when requesting a temporary API token from rubygems. Defaults to `https://rubygems.org` and only needs to be changed in testing situations.
Example: `https://example.com`

The audience to use when requesting an OIDC token from Buildkite. Defaults to `https://rubygems.org` and typically won't need to be customised.
Example: `example.com`

The number of seconds the requested Buildkite OIDC token will be valid for. Defaults to 60 seconds.
Example: 60
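
The exchange described above, written out as an added example using the defaults listed in the options (this is not the plugin's own hook code). The `assume_role` endpoint path and the `rubygems_api_key` response field are assumptions about the RubyGems API that this page does not state, and `BK_AGENT`, `CURL`, `json_field` and `exchange_oidc_for_api_key` are hypothetical names.

```bash
# Added illustration, not the plugin's own hook code.
# Assumptions: the assume_role endpoint path and the "rubygems_api_key" response
# field; BK_AGENT and CURL are hypothetical overrides so the commands can be stubbed.
BK_AGENT="${BK_AGENT:-buildkite-agent}"
CURL="${CURL:-curl}"

# Extract one string field from a flat JSON object (avoids a jq dependency).
json_field() {
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Usage: exchange_oidc_for_api_key ROLE [SERVER] [AUDIENCE] [LIFETIME_SECONDS]
# Prints the short-lived API key on stdout; returns non-zero on any failure.
exchange_oidc_for_api_key() {
  local role server audience lifetime jwt response key
  role="$1"
  server="${2:-https://rubygems.org}"
  audience="${3:-https://rubygems.org}"
  lifetime="${4:-60}"

  # The role is placed in the URL path, so accept only prefix + alphanumerics.
  case "${role#rg_oidc_akr_}" in
    "$role" | "" | *[!A-Za-z0-9]*) echo "unexpected role format" >&2; return 1 ;;
  esac
  # The request body carries a bearer credential; never send it in cleartext.
  case "$server" in
    https://*) ;;
    *) echo "server must be an https:// URL" >&2; return 1 ;;
  esac

  # Short lifetime and a fixed audience limit what a leaked token is good for.
  jwt="$("$BK_AGENT" oidc request-token --audience "$audience" --lifetime "$lifetime")" || return 1

  # Feed the body on stdin so the JWT never appears in the process list.
  response="$(printf '{"jwt":"%s"}' "$jwt" |
    "$CURL" --silent --show-error --fail --request POST \
      --header 'Content-Type: application/json' --data @- \
      "${server}/api/v1/oidc/api_key_roles/${role}/assume_role")" || return 1

  key="$(printf '%s' "$response" | json_field rubygems_api_key)"
  [ -n "$key" ] || { echo "no rubygems_api_key in response" >&2; return 1; }
  printf '%s\n' "$key"
}

# In a hook: GEM_HOST_API_KEY="$(exchange_oidc_for_api_key "$ROLE")" && export GEM_HOST_API_KEY
```

Capturing the key through command substitution keeps it out of the build log as long as the calling hook does not run with `set -x`.
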
Inspired by https://github.com/rubygems/configure-rubygems-credentials