From d097b116b78cadc36ec75d5e898c81ca3a72b28a Mon Sep 17 00:00:00 2001
From: Jeff Widman
Date: Tue, 23 May 2023 19:03:15 -0700
Subject: [PATCH] Minor cleanup on the publish RubyGems action (#7337)

Clarify that we're safe to run on every release. Also clarify the expected scope of the API key so that if someone rotates it, they remember to limit the scope of it.
---
 .github/workflows/gems-release-to-rubygems.yml | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/gems-release-to-rubygems.yml b/.github/workflows/gems-release-to-rubygems.yml
index 9e82ae28ae..e3a00bd255 100644
--- a/.github/workflows/gems-release-to-rubygems.yml
+++ b/.github/workflows/gems-release-to-rubygems.yml
@@ -1,20 +1,25 @@
 name: Gems - Release to RubyGems
 on:
 release:
+ # It's fine to trigger on every release because if we tag a release w/o
+ # bumping the Gem version, RubyGems will reject it with an error that the
+ # version is already live.
 types: [published]
-permissions:
- contents: read
+
 jobs:
 release-gems:
 name: Release gems to rubygems.org
 runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+
 steps:
- - name: Checkout code
- uses: actions/checkout@v3
+ - uses: actions/checkout@v3
 - uses: ruby/setup-ruby@v1
 - run: |
 [ -d ~/.gem ] || mkdir ~/.gem
 echo "---" > ~/.gem/credentials
- echo ":rubygems_api_key: ${{ secrets.RUBYGEMS_API_KEY }}" > ~/.gem/credentials
+ echo ":rubygems_api_key: ${{ secrets.RUBYGEMS_API_KEY_WITH_SCOPE_LIMITED_TO_PUSH }}" > ~/.gem/credentials
 chmod 0600 ~/.gem/credentials
 gem install rake && rake gems:release
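Review bot: The renamed secret on the `echo ":rubygems_api_key: ..."` line is still expanded by `${{ }}` directly into the script text, so the key becomes part of the shell source rather than a variable; mapping it through the step's `env:` (the name here is a constructed example) and writing `echo ":rubygems_api_key: ${RUBYGEMS_API_KEY}" >> ~/.gem/credentials` keeps it out of the generated script and stops the shell from interpreting any characters in it. That same line uses `>`, which truncates the file and discards the `---` written by the line before it, so `>>` looks like what was intended. The `chmod 0600` runs only after the key is already on disk; a `umask 077` at the top of the `run:` script would create the file with restrictive permissions from the start. Separately, this job holds a push-capable key and runs `actions/checkout@v3` and `ruby/setup-ruby@v1` by mutable tag, so pinning both to a full commit SHA is worth considering. The new secret name documents the expected scope but does not enforce it, so the scope still has to be checked on the RubyGems side whenever the key is rotated.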