Skip to content

(maint) Authenticate to puppetcore in gem release workflows#181

Merged
david22swan merged 2 commits into
mainfrom
maint-puppetcore-auth-gem-release
Jun 25, 2026
Merged

(maint) Authenticate to puppetcore in gem release workflows#181
david22swan merged 2 commits into
mainfrom
maint-puppetcore-auth-gem-release

Conversation

@LukasAud

Copy link
Copy Markdown
Contributor

Problem

gem_release_prep.yml and gem_release.yml run bundle install (via ruby/setup-ruby@v1 with bundler-cache: true) but, unlike gem_ci.yml, never set the puppetcore credential.

As consuming gems adopt the Ruby 4 / Puppet 9 migration — which adds the authenticated rubygems-puppetcore.puppet.com source to their Gemfile — release prep and release start failing at the setup ruby step:

Authentication is required for rubygems-puppetcore.puppet.com.
Please supply credentials for this source. ...
##[error]The process '.../bundle' failed with exit code 17

First hit by puppet_litmus: its CAT-2588 PR (puppetcore source) merged to main on 2026-06-16, after the last release; the next Release Prep run then failed. gem_ci.yml is unaffected because it already exports the token. This will affect every puppetlabs gem repo as it picks up the puppetcore Gemfile change.

Fix

Add the same workflow-level env: that gem_ci.yml already uses to both release workflows, so the bundler install authenticates from the inherited PUPPET_FORGE_TOKEN secret:

env:
  PUPPET_FORGE_TOKEN: ${{ secrets.PUPPET_FORGE_TOKEN || secrets.PUPPET_FORGE_TOKEN_PUBLIC }}
  BUNDLE_RUBYGEMS___PUPPETCORE__PUPPET__COM: "forge-key:${{ secrets.PUPPET_FORGE_TOKEN || secrets.PUPPET_FORGE_TOKEN_PUBLIC }}"

Callers already pass secrets: inherit, so no downstream change is required. Repos whose Gemfile doesn't use the puppetcore source are unaffected (the var is simply unused).

Notes

  • Mirrors the existing pattern and forge-auth convention documented in gem_ci.yml / CLAUDE.md.
  • No input/interface changes, so no downstream caller updates needed.

gem_release_prep.yml and gem_release.yml run `bundle install` (via
setup-ruby with bundler-cache) but never set the puppetcore credential,
unlike gem_ci.yml. Once a consuming gem's Gemfile adds the authenticated
`rubygems-puppetcore.puppet.com` source (Ruby 4 / Puppet 9 migration),
`bundle lock` fails with "Authentication is required for
rubygems-puppetcore.puppet.com" / exit code 17 during release prep and
release.

Add the same workflow-level env that gem_ci.yml uses so the bundler
install authenticates from the inherited PUPPET_FORGE_TOKEN secret.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@LukasAud LukasAud requested review from a team as code owners June 25, 2026 14:42
@LukasAud LukasAud added the bug Something isn't working label Jun 25, 2026
gem_release_prep.yml and gem_release.yml run `bundle install` (via
setup-ruby with bundler-cache) but never set the puppetcore credential,
unlike gem_ci.yml. Once a consuming gem's Gemfile adds the authenticated
`rubygems-puppetcore.puppet.com` source (Ruby 4 / Puppet 9 migration),
`bundle lock` fails with "Authentication is required for
rubygems-puppetcore.puppet.com" / exit code 17 during release prep and
release.

Add the same workflow-level env that gem_ci.yml uses so the bundler
install authenticates from the inherited PUPPET_FORGE_TOKEN secret.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@david22swan david22swan merged commit b76b498 into main Jun 25, 2026
3 checks passed
@david22swan david22swan deleted the maint-puppetcore-auth-gem-release branch June 25, 2026 14:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants