[WIP] Update GitHub Actions release workflow to fix token error

[Copilot]

• Inspect failing Release workflow run and job logs to confirm root cause
• Review .github/workflows/release.yml for permissions and publish step configuration
• Update release workflow to use contents: read, keep id-token: write, and avoid job-level permission overrides
• Upgrade publish action to rubygems/release-gem@v2 and keep only api-key auth input
• Run relevant checks to verify repository tests/build still pass after workflow change
• Run final validation and share summary

Original prompt

Update the GitHub Actions release workflow to resolve the 'Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable' error on publish. Specifically:

• Ensure the permissions block at the workflow level includes both 'contents: read' and 'id-token: write', and that no job-level permissions block overrides this.
• In the publish step, update the action 'rubygems/release-gem' to use the latest stable version (@v2), instead of @v1.
• Remove any OIDC- or audience-related settings from the publish step, leaving only the API key (api-key) to authenticate with RubyGems.
• Cleanup any comments or redundant configuration related to OIDC unless strictly required by RubyGems Federation (which by default is not enabled).

This will fix the workflow so the publish step can complete successfully using the secret RUBYGEMS_AUTH_TOKEN.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: Please find a solution for this failing job. Use the logs, job definition, and any referenced files where the failure occurred. Keep your response focused on the solution and include code suggestions when appropriate.

Assistant: The job failed with the error: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable. This happens because the publish job tries to use OIDC-based authentication, but the current workflow permissions setting is too restrictive.

Solution:
In your .github/workflows/release.yml, update the permissions key to include id-token as follows:

yaml
permissions:
contents: read
id-token: write

Place this at the top level of your workflow, not just for individual jobs. This will allow GitHub Actions to issue the necessary OIDC token for publishing.

After making this change, your release workflow should be able to acquire the required environment variable and proceed with publishing.

User: I already have this setting

Assistant: Thank you for clarifying. Let's review the situation and recommend a more targeted solution.

Analysis

• Error:
  Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable
• Current permissions:

  permissions:
    contents: read
    id-token: write

What Causes This Error?

This error typically means the job or step is trying to use OIDC for authentication (often for publishing or some form of deployment), but GitHub Actions can't provide the OIDC token. Even with permissions set, there are a few scenarios where this can still fail:

1. permissions must be set at the proper level.
   • Setting on the workflow level makes it available everywhere.
   • If you also declare a job-specific permissions section, it can override and restrict the effective permissions.
2. The action you are using may expect OIDC, but its configuration doesn’t actually require it, or a secret is missing.
3. Token usage outside GitHub-hosted runners is not supported.

Specifics for Your Workflow

• You are using rubygems/release-gem@v1.
• You provide an API key using ${{ secrets.RUBYGEMS_AUTH_TOKEN }}, so OIDC is not strictly required unless you configured rubygems to use OIDC over API keys.
• The error happens before or during publishing, indicating a misconfiguration or a bug with the action version.

What To Do

1. Check for Job-Level Permission Overrides

Ensure none of your jobs ("verify", "publish") have their own permissions: block that conflicts with the top-level one.

2. Try Pinning rubygems/release-gem to a Newer Version

It’s possible your version of rubygems/release-gem is trying to use OIDC (which is opt-in and not default for most RubyGems flows), or the action has a bug.
Try pinning to the latest version:

- name: Publish gem to RubyGems
  uses: rubygems/release-gem@v2
  with:
    api-key: ${{ secrets.RUBYGEMS_AUTH_TOKEN }}

3. Remove the audience Parameter if Not Needed

Your log contains:
audience: rubygems.org
Unless you are configured for OIDC federation on RubyGems (which is not the default), omit this. RubyGems.org typically requires the API key, not OIDC.

4. Double-Check That You Are Using a GitHub-Hosted Runner

OIDC tokens are not available on self-hosted runners unless specifically enabled.

5. Fallback: Use an API key Only

If you don’t plan to use OIDC for RubyGems yet, you can force the action to use only your API key by setting only:

with:
  api-key: ${{ secrets.RUBYGEMS_AUTH_TOKEN }}

and omitting any OIDC/audience options.

---

Example: Minimal Working Publish Step

- name: Publish gem to RubyGems
  uses: rubygems/release-gem@v2
  with:
    api-key: ${{ secrets.RUBYGEMS_AUTH_TOKEN }}

Make sure you do not set OIDC parameters unless explicitly required.

---

Summary:
Even with correct permissions, if the action or step requests an OIDC audience or expects OIDC, but RubyGems and your action setup are not actually using it, you will hit this error. Pinning the action, remov...

This pull request was created from Copilot chat.