From 4a8a1451aa3d0d431a9865357c764c3bbaf8100a Mon Sep 17 00:00:00 2001
From: "M.P. Korstanje" <rien.korstanje@gmail.com>
Date: Mon, 11 May 2026 23:38:40 +0200
Subject: [PATCH] Use trusted publishing for Ruby

The `configure-rubygems-credentials` actions logs in on RubyGems using
OIDC. The `cucumber/action-publish-rubygem` action then publishes using
those credentials.

Additionally:

1. Use `ruby/setup-ruby` with Ruby 4.0.3 to make releases
2. Rename file to `.yaml` for consistency (file name matters for OIDC!)
3. Rename action to Release RubyGems for accuracy
---
 .github/workflows/release-ruby.yaml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release-ruby.yaml b/.github/workflows/release-ruby.yaml
index 0f4e9d7..0a8f894 100644
--- a/.github/workflows/release-ruby.yaml
+++ b/.github/workflows/release-ruby.yaml
@@ -12,11 +12,15 @@ jobs:
     name: Publish Ruby Gem
     runs-on: ubuntu-latest
     environment: Release
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - name: Publish ruby gem
-        uses: cucumber/action-publish-rubygem@d8918cbdee789cfc78f346a96a59596b87795be1 # v1.0.0
+      - uses: ruby/setup-ruby@c4e5b1316158f92e3d49443a9d58b31d25ac0f8f # v1.306.0
         with:
-          rubygems_api_key: ${{ secrets.RUBYGEMS_API_KEY }}
+          ruby-version: 4.0.3
+      - uses: rubygems/configure-rubygems-credentials@762a4b77c3300434bb57c7ce80b20e36231927aa # v2.0.0
+      - uses: cucumber/action-publish-rubygem@4e79bb9aed597c835e8438f57c04d0996ab80d72 # v2.0.0