Trusted Publishing with reusable workflow

[segiddins]

          Hi. Let me ask about Trusted Publishing here since I can't find where to ask.

(Please tell me a different place if my question is inappropriate 🙏🏼 )

First, my try in the suggested way by the RubyGems document was successful! 🎉
(For details, see my repo's Actions log)

---

However, my try through a reusable workflow failed, unfortunately. I'm not sure about the failure cause, but rubygems/configure-rubygems-credentials failed with the following error:

No trusted publisher configured for this workflow found on https://rubygems.org/ for audience rubygems.org

See also the failure Actions log.

Here's a part of my Actions workflow settings:

# .github/workflows/release.yml in the gem repository
jobs:
  release:
    uses: ybiquitous/.github/.github/workflows/ruby-release-reusable.yml@new-ruby-release

# The sharable workflow in a different repository
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      id-token: write
    timeout-minutes: 10
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up Ruby ${{ inputs.ruby-version }}
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: ${{ inputs.ruby-version }}
          bundler-cache: true
      - name: Publish gem to RubyGems.org
        uses: rubygems/release-gem@v1

For the sharable workflow code, see https://github.com/ybiquitous/.github/pull/31/files.

In short, is Trusted Publishing unsupported in a sharable workflow?

---

Last, this feature is fantastic! Thanks a lot. 👏🏼

Originally posted by @ybiquitous in #4285 (comment)

[segiddins]

https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/using-openid-connect-with-reusable-workflows#how-the-token-works-with-reusable-workflows dropping this here for my future reference.

[woodruffw]

Another possibly useful cross-reference: pypi/warehouse#11096

[segiddins]

@ybiquitous there's some work we'd have to do here to support re-usable workflows outside of the calling repository.

Likely this will involve an extra (optional) input field for the reusable workflow, and the existing field will continue to refer to the calling (top-level) workflow (and be the job_workflow_ref as well if the reusable workflow is not specified).

[ybiquitous]

Likely this will involve an extra (optional) input field for the reusable workflow, and the existing field will continue to refer to the calling (top-level) workflow

I'm okay if reusable workflows are supported. 👌🏼