From 904f16c0bdcb96795ab129360ba837175767592e Mon Sep 17 00:00:00 2001 From: Lukas Audzevicius Date: Thu, 25 Jun 2026 15:42:35 +0100 Subject: [PATCH 1/2] (maint) Authenticate to puppetcore in gem release workflows gem_release_prep.yml and gem_release.yml run `bundle install` (via setup-ruby with bundler-cache) but never set the puppetcore credential, unlike gem_ci.yml. Once a consuming gem's Gemfile adds the authenticated `rubygems-puppetcore.puppet.com` source (Ruby 4 / Puppet 9 migration), `bundle lock` fails with "Authentication is required for rubygems-puppetcore.puppet.com" / exit code 17 during release prep and release. Add the same workflow-level env that gem_ci.yml uses so the bundler install authenticates from the inherited PUPPET_FORGE_TOKEN secret. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/gem_release.yml | 7 +++++++ .github/workflows/gem_release_prep.yml | 7 +++++++ 2 files changed, 14 insertions(+) diff --git a/.github/workflows/gem_release.yml b/.github/workflows/gem_release.yml index 32042447..5737c499 100644 --- a/.github/workflows/gem_release.yml +++ b/.github/workflows/gem_release.yml @@ -12,6 +12,13 @@ on: default: "main" type: "string" +# ENABLE PUPPETCORE. The calling workflow must set `secrets: inherit` and a valid +# PUPPET_FORGE_TOKEN secret so `bundle install` can authenticate to the +# rubygems-puppetcore.puppet.com source when the Gemfile uses it. +env: + PUPPET_FORGE_TOKEN: ${{ secrets.PUPPET_FORGE_TOKEN || secrets.PUPPET_FORGE_TOKEN_PUBLIC }} + BUNDLE_RUBYGEMS___PUPPETCORE__PUPPET__COM: "forge-key:${{ secrets.PUPPET_FORGE_TOKEN || secrets.PUPPET_FORGE_TOKEN_PUBLIC }}" + jobs: release: name: "Release" diff --git a/.github/workflows/gem_release_prep.yml b/.github/workflows/gem_release_prep.yml index 4cdfbc15..29ac70db 100644 --- a/.github/workflows/gem_release_prep.yml +++ b/.github/workflows/gem_release_prep.yml @@ -17,6 +17,13 @@ on: required: true type: "string" +# ENABLE PUPPETCORE. The calling workflow must set `secrets: inherit` and a valid +# PUPPET_FORGE_TOKEN secret so `bundle install` can authenticate to the +# rubygems-puppetcore.puppet.com source when the Gemfile uses it. +env: + PUPPET_FORGE_TOKEN: ${{ secrets.PUPPET_FORGE_TOKEN || secrets.PUPPET_FORGE_TOKEN_PUBLIC }} + BUNDLE_RUBYGEMS___PUPPETCORE__PUPPET__COM: "forge-key:${{ secrets.PUPPET_FORGE_TOKEN || secrets.PUPPET_FORGE_TOKEN_PUBLIC }}" + jobs: release_prep: name: "Release Prep" From 8282ad04ab3859a2345a3bddab5b53914b7e0bc2 Mon Sep 17 00:00:00 2001 From: Lukas Audzevicius Date: Thu, 25 Jun 2026 15:45:13 +0100 Subject: [PATCH 2/2] (maint) Authenticate to puppetcore in gem release workflows gem_release_prep.yml and gem_release.yml run `bundle install` (via setup-ruby with bundler-cache) but never set the puppetcore credential, unlike gem_ci.yml. Once a consuming gem's Gemfile adds the authenticated `rubygems-puppetcore.puppet.com` source (Ruby 4 / Puppet 9 migration), `bundle lock` fails with "Authentication is required for rubygems-puppetcore.puppet.com" / exit code 17 during release prep and release. Add the same workflow-level env that gem_ci.yml uses so the bundler install authenticates from the inherited PUPPET_FORGE_TOKEN secret. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/gem_release.yml | 3 --- .github/workflows/gem_release_prep.yml | 3 --- 2 files changed, 6 deletions(-) diff --git a/.github/workflows/gem_release.yml b/.github/workflows/gem_release.yml index 5737c499..1a3a9173 100644 --- a/.github/workflows/gem_release.yml +++ b/.github/workflows/gem_release.yml @@ -12,9 +12,6 @@ on: default: "main" type: "string" -# ENABLE PUPPETCORE. The calling workflow must set `secrets: inherit` and a valid -# PUPPET_FORGE_TOKEN secret so `bundle install` can authenticate to the -# rubygems-puppetcore.puppet.com source when the Gemfile uses it. env: PUPPET_FORGE_TOKEN: ${{ secrets.PUPPET_FORGE_TOKEN || secrets.PUPPET_FORGE_TOKEN_PUBLIC }} BUNDLE_RUBYGEMS___PUPPETCORE__PUPPET__COM: "forge-key:${{ secrets.PUPPET_FORGE_TOKEN || secrets.PUPPET_FORGE_TOKEN_PUBLIC }}" diff --git a/.github/workflows/gem_release_prep.yml b/.github/workflows/gem_release_prep.yml index 29ac70db..1976e258 100644 --- a/.github/workflows/gem_release_prep.yml +++ b/.github/workflows/gem_release_prep.yml @@ -17,9 +17,6 @@ on: required: true type: "string" -# ENABLE PUPPETCORE. The calling workflow must set `secrets: inherit` and a valid -# PUPPET_FORGE_TOKEN secret so `bundle install` can authenticate to the -# rubygems-puppetcore.puppet.com source when the Gemfile uses it. env: PUPPET_FORGE_TOKEN: ${{ secrets.PUPPET_FORGE_TOKEN || secrets.PUPPET_FORGE_TOKEN_PUBLIC }} BUNDLE_RUBYGEMS___PUPPETCORE__PUPPET__COM: "forge-key:${{ secrets.PUPPET_FORGE_TOKEN || secrets.PUPPET_FORGE_TOKEN_PUBLIC }}"