From 489c5398dd6d53bfbf7016103ccad4f88f8120c5 Mon Sep 17 00:00:00 2001
From: Stephen Young
Date: Fri, 8 May 2026 17:15:39 -0400
Subject: [PATCH 1/4] Add RubyGems publish workflow with OIDC trusted publishing

---
 .github/workflows/publish.yml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 .github/workflows/publish.yml

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..f396d03
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,30 @@
+name: Publish to RubyGems
+
+on:
+ release:
+ types: [published]
+
+permissions:
+ contents: read
+ id-token: write
+
+jobs:
+ publish:
+ name: Build and publish
+ runs-on: ubuntu-latest
+ environment: rubygems
+
+ steps:
+ - uses: actions/checkout@v6
+
+ - name: Set up Ruby
+ uses: ruby/setup-ruby@v1
+ with:
+ ruby-version: "3.4"
+ bundler-cache: true
+
+ - name: Build gem
+ run: gem build customerio.gemspec
+
+ - name: Publish to RubyGems
+ uses: rubygems/release-gem@v1

From 3fd8281adc920fe578a7b8275421740172903f95 Mon Sep 17 00:00:00 2001
From: Stephen Young
Date: Fri, 8 May 2026 22:16:18 -0400
Subject: [PATCH 2/4] Remove redundant gem build step

---
 .github/workflows/publish.yml | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index f396d03..c338226 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -23,8 +23,5 @@ jobs:
 ruby-version: "3.4"
 bundler-cache: true
 
- - name: Build gem
- run: gem build customerio.gemspec
-
 - name: Publish to RubyGems
 uses: rubygems/release-gem@v1

From 2fcc32a1c286f3e5fe77e8b68f96ea23b594265f Mon Sep 17 00:00:00 2001
From: Stephen Young
Date: Fri, 8 May 2026 22:19:32 -0400
Subject: [PATCH 3/4] Use standard release-gem pattern with tag trigger

---
 .github/workflows/publish.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
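Review bot: In [PATCH 1/4], the three `uses:` lines reference actions by mutable tag (`actions/checkout@v6`, `ruby/setup-ruby@v1`, `rubygems/release-gem@v1`) in a job that holds `id-token: write`, so the code that runs where the RubyGems OIDC token is minted can change without any change to this repository. Pin each action to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: rubygems/release-gem@<full-commit-sha> # v1`, with Dependabot or Renovate bumping the pins. `bundler-cache: true` also restores gems from the Actions cache into the release job; for a publishing workflow consider `bundler-cache: false` so the published build does not depend on cache contents written by earlier runs. A short comment above `environment: rubygems` stating that the name has to match the trusted-publisher entry on rubygems.org would help the next maintainer.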
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index c338226..01f2f0e 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -1,11 +1,12 @@ name: Publish to RubyGems on: - release: - types: [published] + push: + tags: + - "v*" permissions: - contents: read + contents: write id-token: write jobs: @@ -16,6 +17,8 @@ jobs: steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Ruby uses: ruby/setup-ruby@v1 From 71d690840ee71c0783a1a576ad560dd41b923aea Mon Sep 17 00:00:00 2001 From: Stephen Young Date: Fri, 8 May 2026 22:23:15 -0400 Subject: [PATCH 4/4] Add version-tag match check before publishing --- .github/workflows/publish.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 01f2f0e..534c604 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -26,5 +26,14 @@ jobs: ruby-version: "3.4" bundler-cache: true + - name: Verify tag matches gem version + run: | + tag="${GITHUB_REF#refs/tags/v}" + version=$(ruby -r ./lib/customerio/version -e "puts Customerio::VERSION") + if [ "$tag" != "$version" ]; then + echo "::error::Tag v$tag does not match Customerio::VERSION ($version)" + exit 1 + fi + - name: Publish to RubyGems uses: rubygems/release-gem@v1
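Review bot: In [PATCH 3/4], first hunk, `contents: write` is raised in the workflow-level `permissions:` block, so any job added to this file later inherits a writable repository token next to `id-token: write`. Keep the top level at `contents: read` and put both grants under `jobs.publish.permissions`, with a comment naming the step that needs the write scope. Whether write access is needed at all is worth confirming, since the tag already exists when this trigger fires and the second hunk sets `persist-credentials: false`; if nothing is pushed back, `contents: read` would do. The `jobs.publish` block itself starts outside this hunk.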
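Review bot: In [PATCH 4/4], the new `Verify tag matches gem version` step binds the tag name to `Customerio::VERSION` but not to a reviewed commit: a `v*` tag passes whenever the tagged tree carries a matching version file, whichever branch that commit sits on. Consider also requiring the tagged commit to be reachable from the default branch, e.g. `git merge-base --is-ancestor "$GITHUB_SHA" "origin/<default-branch>"` after fetching that branch, or enforce the same with a tag ruleset and deployment-tag rules on the `rubygems` environment. Reading `GITHUB_REF` from the environment rather than interpolating `${{ github.ref }}` into the script is the safe form and deserves a one-line comment such as `# read the ref from env, never via ${{ }} interpolation`. The checkout step that would need the extra fetch lies outside this hunk.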