Add automated release pipeline with prerelease support
Release Pipeline Implementation - COMPLETE ✅
All requirements have been successfully implemented and tested.
Implementation Summary
Files Created:
- `.github/workflows/release.yml` - Automated release workflow
- `.github/RELEASE.md` - Comprehensive release documentation
Files Modified:
- `CONTRIBUTING.md` - Added automated release process documentation
- `.gitignore` - Excluded generated checksums directory
Release Workflow Architecture
The workflow is split into 5 modular jobs for better separation of concerns:
- `validate` job:
  - Extracts version from tag
  - Verifies version matches code
  - Determines if prerelease
  - Outputs: `version` and `prerelease` for downstream jobs
- `test` job:
  - Runs full test suite (RSpec + Cucumber)
  - Depends on: `validate`
- `build` job:
  - Builds gem package
  - Generates SHA-512 checksums
  - Uploads artifacts for downstream jobs
  - Depends on: `test`
- `release-github` job:
  - Downloads build artifacts
  - Creates GitHub Release with artifacts
  - Runs in parallel with `release-rubygems`
  - Requires: `contents: write` permission (only job with elevated permissions)
  - Depends on: `validate`, `build`
- `release-rubygems` job:
  - Downloads build artifacts
  - Publishes to RubyGems.org
  - Runs in parallel with `release-github`
  - Repository-scoped (only runs on official repo)
  - Depends on: `validate`, `build`
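As an added example (not the `release.yml` from this PR), the POSIX shell script below implements the three checks the `validate` job performs: it strips `refs/tags/` and the leading `v` from the tag ref, compares the result with the `VERSION` constant in the gem's version file, and marks any version with content after `MAJOR.MINOR.PATCH` as a prerelease. The version file's location and its `VERSION = "..."` layout are assumptions about the gem, the sample version file is constructed here, and the two outputs are printed instead of being appended to `$GITHUB_OUTPUT` as the real job would do.

```shell
#!/bin/sh
# Added example of a "validate" job's logic; not the PR's own release.yml.

# Strip "refs/tags/" and a leading "v" from a tag ref: refs/tags/v1.2.0 -> 1.2.0
version_from_ref() {
  tag=${1#refs/tags/}
  printf '%s\n' "${tag#v}"
}

# Print "true" if anything follows MAJOR.MINOR.PATCH (1.3.0-alpha.1, 1.2.3.rc1),
# "false" for a plain MAJOR.MINOR.PATCH, and fail (exit 1) when the string does
# not even start with MAJOR.MINOR.PATCH, so a mistyped tag cannot become a release.
prerelease_flag() {
  core=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
  [ -n "$core" ] || return 1
  if [ "$core" = "$1" ]; then echo false; else echo true; fi
}

# Read the string assigned to VERSION in a Ruby version file.
# The file path and the VERSION = "..." layout are assumptions about the gem.
version_in_file() {
  sed -n 's/^[[:space:]]*VERSION[[:space:]]*=[[:space:]]*["'"'"']\([^"'"'"']*\)["'"'"'].*/\1/p' "$1" | head -n 1
}

# Write a constructed sample version file (sample data, not the gem's real file).
write_sample_version_file() {
  cat > "$1" <<'EOF'
module CycloneDX
  VERSION = "1.2.3.rc1"
end
EOF
}

# The validate job: the tag version must equal the code version and the
# prerelease flag must be derivable; on success print the two outputs that
# the downstream jobs consume.
validate() {
  ref=$1
  version_file=$2
  version=$(version_from_ref "$ref")
  code_version=$(version_in_file "$version_file")
  if [ "$version" != "$code_version" ]; then
    printf 'version mismatch: tag says %s, code says %s\n' "$version" "$code_version" >&2
    return 1
  fi
  prerelease=$(prerelease_flag "$version") || {
    printf 'malformed version: %s\n' "$version" >&2
    return 1
  }
  # The real job would append these two lines to "$GITHUB_OUTPUT".
  printf 'version=%s\nprerelease=%s\n' "$version" "$prerelease"
}

# Stand-alone demonstration against the constructed sample file.
if [ "${1:-}" = "--demo" ]; then
  sample=$(mktemp)
  write_sample_version_file "$sample"
  validate refs/tags/v1.2.3.rc1 "$sample"
  validate refs/tags/v1.2.4 "$sample" || echo "rejected as expected"
  rm -f "$sample"
fi
```

Run it as `sh validate.sh --demo`: the first call prints `version=1.2.3.rc1` and `prerelease=true`, the second is rejected because the tag does not match the code. Failing the job on a malformed version, rather than treating it as "not a prerelease", is what keeps a mistyped tag from producing a final release.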
Key Features
- Trigger: Activated by pushing version tags (e.g., `v1.2.0`, `v1.3.0-alpha.1`)
- Modular design: Each job has a single, clear responsibility
- Parallel execution: GitHub and RubyGems releases run simultaneously for faster completion
- Artifact reuse: Build artifacts are created once and shared between jobs
- Security hardened: Workflow-level permissions locked down, no bundler cache
- Version display: Custom run-name shows version/tag in workflow runs
Requirements Verification ✅
- ✅ Supports prereleases: Any version tag with content after MAJOR.MINOR.PATCH is automatically detected and marked as prerelease
  - Examples: `v1.3.0-alpha.1`, `v1.2.3.rc1`, `v2.0.0-beta.2`
- ✅ Tags releases in git: Workflow is triggered by version tags which serve as git release tags
- ✅ GitHub releases with artifacts: Each release includes:
  - Gem package (`.gem` file)
  - SHA-512 checksum file (`.sha512` file)
  - Auto-generated release notes
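The `.sha512` file published beside the `.gem` is only useful if consumers can check it mechanically. As an added example (not code from this PR), the script below writes the checksum file in the `<digest>  <filename>` layout that `sha512sum -c` and `shasum -c` accept, then verifies a downloaded artifact against it and detects a tampered or truncated copy. The artifact is a constructed sample file whose content is `abc`; the real `build` job would run the same step over the `.gem` produced by `gem build`.

```shell
#!/bin/sh
# Added example of the build job's checksum step and the consumer-side check;
# not the PR's own release.yml.

# Use GNU coreutils sha512sum when present, otherwise shasum (macOS, perl).
sha512_tool() {
  if command -v sha512sum >/dev/null 2>&1; then
    echo sha512sum
  else
    echo "shasum -a 512"
  fi
}

# Write <artifact>.sha512 beside the artifact as "<digest>  <basename>".
# Hashing the basename from inside its directory keeps the file portable:
# the checksum line does not embed the build machine's directory layout.
write_checksum() {
  dir=$(dirname "$1")
  base=$(basename "$1")
  (cd "$dir" && $(sha512_tool) "$base" > "$base.sha512")
}

# Return 0 when <artifact> matches <artifact>.sha512, nonzero otherwise.
verify_checksum() {
  dir=$(dirname "$1")
  base=$(basename "$1")
  (cd "$dir" && $(sha512_tool) -c "$base.sha512" >/dev/null 2>&1)
}

# The 128-hex-character digest recorded in an artifact's checksum file.
digest_of() {
  cut -d' ' -f1 "$1.sha512"
}

# Constructed stand-in for a built gem: a file whose content is the string "abc".
write_sample_artifact() {
  printf 'abc' > "$1"
}

# Stand-alone demonstration in a scratch directory.
if [ "${1:-}" = "--demo" ]; then
  work=$(mktemp -d)
  gem="$work/sample-1.2.3.rc1.gem"
  write_sample_artifact "$gem"
  write_checksum "$gem"
  cat "$gem.sha512"
  verify_checksum "$gem" && echo "checksum OK"
  printf 'x' >> "$gem"    # simulate a corrupted or tampered download
  verify_checksum "$gem" || echo "checksum MISMATCH after tampering"
  rm -rf "$work"
fi
```

Run it as `sh checksum.sh --demo`. A checksum shipped in the same release as the artifact lets a consumer detect corruption or tampering in transit; it does not by itself prove who produced the release, since anyone able to replace the `.gem` in the release can replace the `.sha512` too, which is why the publishing job itself is kept repository-scoped and least-privileged.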
Testing & Validation ✅
- ✅ YAML syntax validated
- ✅ Gem build tested successfully
- ✅ Checksum generation tested successfully
- ✅ Full test suite passes (RSpec + Cucumber)
- ✅ Version verification logic tested
- ✅ Prerelease detection logic validated
- ✅ RuboCop linting passes
- ✅ CodeQL security scan passes (0 alerts)
Documentation ✅
- ✅ Automated release process in CONTRIBUTING.md
- ✅ Comprehensive release guide in .github/RELEASE.md
- ✅ Required secrets documented (RUBYGEMS_API_KEY)
- ✅ Troubleshooting guide included
Security Considerations ✅
- Version verification prevents accidental mismatched releases
- Secret validation before publishing
- Repository-scoped publishing (forks cannot publish)
- Tests must pass before release
- Least privilege permissions (workflow-level lockdown, only release-github has contents:write with clear explanation)
- No bundler cache to prevent supply chain attacks
- Explicit dependency installation
- Build artifacts shared securely between jobs
- No security vulnerabilities detected by CodeQL
Fixes CycloneDX/cyclonedx-ruby-gem#46
Original prompt
This section details the original issue you should resolve
<issue_title>chore: create a release pipeline</issue_title>
<issue_description>goal: have a working, state-of-the-art pipeline for building and releasing this package to rubygems.
Requirements:
- supports prereleases
- tags releases in git
optional:
- have releases on github with the build results as release artifacts.</issue_description>
Comments on the Issue (you are @copilot in this section)
- Fixes CycloneDX/cyclonedx-ruby-gem#46