From c7007deaa060395911ba039604655d6d08fae556 Mon Sep 17 00:00:00 2001
From: Ashish Kulkarni
Date: Sat, 11 Jan 2025 19:06:28 +0530
Subject: [PATCH] setup Dependabot and Trusted Publishing workflow see https://guides.rubygems.org/trusted-publishing/
---
.github/dependabot.yml | 6 ++++++
.github/workflows/push_gem.yml | 32 ++++++++++++++++++++++++++++++++
2 files changed, 38 insertions(+)
create mode 100644 .github/dependabot.yml
create mode 100644 .github/workflows/push_gem.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..b18fd29
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+ - package-ecosystem: 'github-actions'
+ directory: '/'
+ schedule:
+ interval: 'weekly'
diff --git a/.github/workflows/push_gem.yml b/.github/workflows/push_gem.yml
new file mode 100644
index 0000000..bfddc1b
--- /dev/null
+++ b/.github/workflows/push_gem.yml
@@ -0,0 +1,32 @@
+name: Publish gem to rubygems.org
+
+on:
+ push:
+ tags:
+ - 'v*'
+
+permissions:
+ contents: read
+
+jobs:
+ push:
+ if: github.repository == 'prontolabs/pronto'
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: write
+ id-token: write
+
+ steps:
+ - uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@cbb722410c2e876e24abbe8de2cc27693e501dcb # v4.2.2
+
+ - uses: ruby/setup-ruby@4a9ddd6f338a97768b8006bf671dfbad383215f4 # v1.207.0
+ with:
+ bundler-cache: true
+ ruby-version: '3.4'
+
+ - uses: rubygems/release-gem@a25424ba2ba8b387abc8ef40807c2c85b96cbe32 # v1.1.1
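Review bot: In `.github/dependabot.yml` the `updates` list watches only `github-actions`, so the pinned action SHAs get bumped but the gem's own Ruby dependencies are not covered by this file. The release workflow in the same patch installs them through Bundler, so they presumably come from a Gemfile or gemspec at the repository root. If that omission is not deliberate, add a second entry with `package-ecosystem: 'bundler'`, using the same `directory: '/'` and weekly schedule. A short comment above the existing entry, such as `# keeps the SHA-pinned actions in push_gem.yml current`, would also record why the file exists.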
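Review bot: In `.github/workflows/push_gem.yml`, `egress-policy: audit` on the harden-runner step only records outbound connections, and this job holds `id-token: write` and `contents: write`. A compromised dependency or action could therefore still send the OIDC-derived RubyGems credential or the repository token to an arbitrary host. Once a few runs have produced a baseline, switch to `egress-policy: block` with an `allowed-endpoints:` list taken from those audit results. Separately, `bundler-cache: true` restores a cache into the publishing job, and a cache written by another workflow on the default branch may be restored here; consider `bundler-cache: false` plus an explicit `bundle install` step on the release path. The job also has no `environment:` key, so a `v*` tag pushed by anyone with write access publishes at once; binding the trusted publisher to a protected environment would add an approval gate.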