From add2143b590356cf70b41b50354cd6a5e16aaeb2 Mon Sep 17 00:00:00 2001
From: "Garen J. Torikian" <gjtorikian@users.noreply.github.com>
Date: Tue, 3 Feb 2026 11:57:42 -0500
Subject: [PATCH] Fix release workflow to use OIDC credentials directly

Replace rubygems/release-gem with manual build and push to avoid
the rake release task attempting git operations (which fails due
to insufficient permissions in the publish job).

- Use rubygems/configure-rubygems-credentials for OIDC auth
- Run rake build to create the gem without git operations
- Push directly with gem push

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 .github/workflows/release.yml | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 26e4e34c..fa922ca4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -16,6 +16,8 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+    outputs:
+      version: ${{ steps.get-version.outputs.version }}
     steps:
       - name: Generate token
         id: generate-token
@@ -51,6 +53,11 @@ jobs:
       id-token: write
       contents: read
     steps:
+      - name: Configure RubyGems credentials
+        uses: rubygems/configure-rubygems-credentials@main
+        with:
+          role-to-assume: rg_oidc_akr_fn8dx45asckvmsnd2kka
+
       - name: Checkout
         uses: actions/checkout@v6
 
@@ -64,6 +71,6 @@ jobs:
         run: bundle exec rspec
 
       - name: Publish to RubyGems
-        uses: rubygems/release-gem@v1
-        with:
-          gem-push-command: bundle exec rake build release:rubygem_push
+        run: |
+          bundle exec rake build
+          gem push pkg/workos-${{ needs.create-release.outputs.version }}.gem --host https://rubygems.org