Updates to DBX Ruby release process

ruby/build/action.yml

@@ -0,0 +1,83 @@
+name: Build Gem
+description: Build a gem for a DBX Ruby project
+inputs:
+  app_id:
+    description: The APP_ID defined for this project
+    required: true
+  app_private_key:
+    description: The APP_PRIVATE_KEY defined for this project
+    required: true
+  artifact:
+    description: The name to give the generated artifact (e.g. "ruby" or "jruby")
+    required: false
+    default: ruby
+  bundler_cache_version:
+    description: The cache-version to use for the bundler cache
+    required: false
+    default: '0'
+  gem_name:
+    description: The name (sans extension) of the gemspec file (e.g. "mongo")
+    required: true
+  ref:
+    description: The reference to checkout (branch, tag, sha, etc)
+    required: true
+  ruby_version:
+    description: The version of Ruby to use (see setup-ruby/action.yml)
+    default: '3.2'
+    required: false
+  rubygems_version:
+    description: The version of Rubygems to use (see setup-ruby/action.yml)
+    required: false
+    default: latest
+
+runs:
+  using: composite
+  steps:
+    - name: Check out the repository
+      # 58501b85eae697e451b5d1d7dba53f69f65d1909 => the 'v2' tag as of 2025-07-28
+      uses: mongodb-labs/drivers-github-tools/secure-checkout@58501b85eae697e451b5d1d7dba53f69f65d1909
+      with:
+        app_id: ${{ inputs.app_id }}
+        private_key: ${{ inputs.app_private_key }}
+        ref: ${{ inputs.ref }}
+        submodules: true
+
+    - name: Setup Ruby
+      # bb6434c747fa7022e12fa1cae2a0951fcffcff26 => the 'v1' branch as of 2025-07-28
+      uses: ruby/setup-ruby@a9bfc2ecf3dd40734a9418f89a7e9d484c32b990
+      with:
+        ruby-version: ${{ inputs.ruby_version }}
+        rubygems: ${{ inputs.rubygems_version }}
+        bundler-cache: true
+        cache-version: ${{ inputs.bundler_cache_version }}
+
+    - name: Get the release version
+      id: release_version
+      shell: bash
+      run: echo "version=$(bundle exec rake version)" >> "$GITHUB_OUTPUT"
+
+    - name: Get the gem file name
+      shell: bash
+      id: gem_name
+      env:
+        GEM_NAME: ${{ inputs.gem_name }}
+        ACTION_PATH: ${{ github.action_path }}
+        RELEASE_VERSION: ${{ steps.release_version.outputs.version }}
+      run: echo "name=$(ruby ${ACTION_PATH}/gem_name.rb ${GEM_NAME} ${RELEASE_VERSION})" >> "$GITHUB_OUTPUT"
+
+    - name: Build the gem
+      shell: bash
+      env:
+        GEM_NAME: ${{ inputs.gem_name }}
+        GEM_FILE_NAME: ${{ steps.gem_name.outputs.name }}
+      run: |
+        bundle exec rake build GEMSPEC="${GEM_NAME}.gemspec" GEM_FILE_NAME="${GEM_FILE_NAME}"
+
+    - name: Save the generated gem file for later
+      # ea165f8d65b6e75b540449e92b4886f43607fa02 => the 'v4' tag as of 2025-07-28
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+      with:
+        name: ${{ inputs.artifact }}
+        path: ${{ steps.gem_name.outputs.name }}
+        retention-days: 1
+        overwrite: true

ruby/build/gem_name.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+# This script generates the name of a gem file based on the provided
+# gem name and version. It takes into account whether it is running
+# under JRuby to append "-java" to the gem name if necessary.
+#
+# Usage:
+# ruby gem_name.rb <gem_name> <gem_version>
+
+if ARGV.length != 2
+  puts "Usage: ruby gem_name.rb <gem_name> <gem_version>"
+  exit 1
+end
+
+gem_name = ARGV.first
+gem_version = ARGV.last
+
+base_name = "#{gem_name}-#{gem_version}"
+base_name = "#{base_name}-java" if defined?(JRUBY_VERSION)
+
+puts "#{base_name}.gem"

ruby/cleanup/action.yml

@@ -15,7 +15,8 @@ runs:
   using: composite
   steps:
     - name: 'Check out the repository'
-      uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
+      # 58501b85eae697e451b5d1d7dba53f69f65d1909 => the 'v2' tag as of 2025-07-28
+      uses: mongodb-labs/drivers-github-tools/secure-checkout@58501b85eae697e451b5d1d7dba53f69f65d1909
       with:
         app_id: ${{ inputs.app_id }}
         private_key: ${{ inputs.app_private_key }}

ruby/pr-check/action.yml

@@ -0,0 +1,113 @@
+# PRs are only eligible for release if they are merged and have
+# the `release-candidate` label.
+#
+# The only events allowed to trigger this action are:
+# - push (in which case the commit sha is used to find the corresponding
+#   PR)
+# - workflow_dispatch (in which case the PR is found from the inputs
+#   on the event)
+
+name: PR Check
+description: Check that a PR is eligible for release
+
+outputs:
+  message:
+    description: The body of the pull request that is being released.
+    value: ${{ steps.check_pr.outputs.message }}
+  ref:
+    description: The ref of the pull request that is being released.
+    value: ${{ steps.check_pr.outputs.ref }}
+
+runs:
+  using: composite
+  steps:
+    - name: "Check PR Eligibility"
+      id: check_pr
+      # 60a0d83039c74a4aee543508d2ffcb1c3799cdea => 'v7' tag as of 2025-07-28
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
+      with:
+        script: |
+          let pr;
+
+          // was this triggered by a push event?
+          if (context.eventName == 'push') {
+            // if so, we need to find the PR that corresponds to the commit
+            // that was pushed.
+            //
+            // because only maintainers can push to protected branches,
+            // we can assume the user has the correct permissions to do
+            // this.
+            const { data: listing } = await github.rest.repos.listPullRequestsAssociatedWithCommit({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              commit_sha: context.payload.after,
+            });
+
+            if (listing.length == 0) {
+              throw new Error(`Workflow aborted: No pull request found for the pushed commit (${context.payload.after}).`);
+            }
+
+            const response = await github.rest.pulls.get({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: listing[0].number,
+            });
+
+            pr = response.data;
+
+          // if it wasn't triggered by a push event, was it triggered by
+          // a workflow_dispatch event?
+          } else if (context.eventName == 'workflow_dispatch') {
+            // it is technically possible for users with only write access
+            // to trigger workflows; we need to make sure that the user
+            // who triggered this has either admin or maintain access to the
+            // repository.
+            const username = context.triggering_actor || context.actor;
+
+            const { data: perms } = await github.rest.repos.getCollaboratorPermissionLevel({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              username,
+            });
+
+            if (perms.role_name !== 'admin' && perms.role_name !== 'maintain') {
+              throw new Error(`User ${username} must have 'admin' or 'maintain' role to initiate the release process. (${perms.role_name})`);
+            }
+
+            // if so, we grab the PR with the number that was passed in with
+            // the inputs.
+            const number = context.payload.inputs.pr;
+            if (!number) {
+              throw new Error('Workflow aborted: No pull request number provided. (need `pr` input)');
+            }
+
+            const response = await github.rest.pulls.get({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: number,
+            });
+
+            pr = response.data;
+
+          // workflow was triggered by an unrecognized/unsupported event
+          } else {
+            throw new Error(`Workflow aborted: Unsupported event type: ${context.eventName}.`);
+          }
+
+          if (!pr) {
+            throw new Error('No pull request found for the triggered event.');
+          }
+
+          if (!pr.merged) {
+            throw new Error('Pull request is not merged.');
+          }
+
+          if (!pr.labels.some(label => label.name == 'release-candidate')) {
+            throw new Error('Pull request is not a release candidate.');
+          }
+
+          console.log('body: >>', pr.body, '<<');
+          console.log('ref: >>', pr.merge_commit_sha, '<<');
+
+          core.setOutput('message', pr.body);
+          core.setOutput('ref', pr.merge_commit_sha);