rubygems · cseeman · Jan 7, 2026 · jenshenny · Jan 9, 2026 · cseeman
diff --git a/app/models/oidc/trusted_publisher/github_action.rb b/app/models/oidc/trusted_publisher/github_action.rb
@@ -11,23 +11,39 @@ class OIDC::TrustedPublisher::GitHubAction < ApplicationRecord
   validates :repository_owner, :repository_name, :workflow_filename, :repository_owner_id,
     presence: true, length: { maximum: Gemcutter::MAX_FIELD_LENGTH }
   validates :environment, allow_nil: true, length: { maximum: Gemcutter::MAX_FIELD_LENGTH }
+  validates :workflow_repository_owner, :workflow_repository_name,
+    allow_nil: true, length: { maximum: Gemcutter::MAX_FIELD_LENGTH }
 
   validate :unique_publisher
   validate :workflow_filename_format
+  validate :workflow_repository_fields_consistency
+  validate :workflow_repository_differs_from_repository
 
   def self.for_claims(claims)
     repository = claims.fetch(:repository)
     repository_owner, repository_name = repository.split("/", 2)
-    workflow_prefix = "#{repository}/.github/workflows/"
-    workflow_ref = claims.fetch(:job_workflow_ref).delete_prefix(workflow_prefix)
-    workflow_filename = workflow_ref.sub(/@[^@]+\z/, "")
+    job_workflow_ref = claims.fetch(:job_workflow_ref)
+
+    match = job_workflow_ref.match(%r{\A([^/]+)/([^/]+)/\.github/workflows/([^@]+)@})
+    raise ActiveRecord::RecordNotFound, "Invalid job_workflow_ref format" unless match
+
+    workflow_repo_owner, workflow_repo_name, workflow_filename = match.captures
 
     required = {
       repository_owner:, repository_name:, workflow_filename:,
       repository_owner_id: claims.fetch(:repository_owner_id)
     }
 
     base = where(required)
+
+    same_repo = workflow_repo_owner == repository_owner && workflow_repo_name == repository_name
+    base = if same_repo
+             base.where(workflow_repository_owner: workflow_repo_owner, workflow_repository_name: workflow_repo_name)
+               .or(base.where(workflow_repository_owner: nil, workflow_repository_name: nil))
+           else
+             base.where(workflow_repository_owner: workflow_repo_owner, workflow_repository_name: workflow_repo_name)
+           end
+
     if (env = claims[:environment])
       base.where(environment: env).or(base.where(environment: nil)).order(environment: :asc) # NULLS LAST by default for asc
     else
@@ -36,13 +52,17 @@ def self.for_claims(claims)
   end
 
   def self.permitted_attributes
-    %i[repository_owner repository_name workflow_filename environment]
+    %i[repository_owner repository_name workflow_filename environment
+       workflow_repository_owner workflow_repository_name]
   end
 
   def self.build_trusted_publisher(params)
-    params = params.reverse_merge(repository_owner_id: nil, repository_name: nil, workflow_filename: nil, environment: nil)
+    params = params.reverse_merge(repository_owner_id: nil, repository_name: nil, workflow_filename: nil, environment: nil,
+                                  workflow_repository_owner: nil, workflow_repository_name: nil)
     params.delete(:repository_owner_id)
     params[:environment] = nil if params[:environment].blank?
+    params[:workflow_repository_owner] = nil if params[:workflow_repository_owner].blank?
+    params[:workflow_repository_name] = nil if params[:workflow_repository_name].blank?
     find_or_initialize_by(params)
   end
 
@@ -55,7 +75,9 @@ def payload
       repository_name:,
       repository_owner_id:,
       workflow_filename:,
-      environment:
+      environment:,
+      workflow_repository_owner:,
+      workflow_repository_name:
     }
   end
 
@@ -98,7 +120,7 @@ def job_workflow_ref_condition(ref)
     OIDC::AccessPolicy::Statement::Condition.new(
       operator: "string_equals",
       claim: "job_workflow_ref",
-      value: "#{repository}/#{workflow_slug}@#{ref}"
+      value: "#{workflow_repository}/#{workflow_slug}@#{ref}"
     )
   end
 
@@ -127,7 +149,7 @@ def initialize(trusted_publisher)
     def verify(cert)
       ref = cert.openssl.find_extension("1.3.6.1.4.1.57264.1.14")&.value_der&.then { OpenSSL::ASN1.decode(it).value }
       Sigstore::Policy::Identity.new(
-        identity: "https://github.com/#{@trusted_publisher.repository}/#{@trusted_publisher.workflow_slug}@#{ref}",
+        identity: "https://github.com/#{@trusted_publisher.workflow_repository}/#{@trusted_publisher.workflow_slug}@#{ref}",
         issuer: OIDC::Provider::GITHUB_ACTIONS_ISSUER
       ).verify(cert)
     end
@@ -145,6 +167,14 @@ def name
 
   def repository = "#{repository_owner}/#{repository_name}"
 
+  def workflow_repository
+    if workflow_repository_owner.present? && workflow_repository_name.present?
+      "#{workflow_repository_owner}/#{workflow_repository_name}"
+    else
+      repository
+    end
+  end
+
   def workflow_slug = ".github/workflows/#{workflow_filename}"
 
   def owns_gem?(rubygem) = rubygem_trusted_publishers.exists?(rubygem: rubygem)
@@ -169,7 +199,9 @@ def unique_publisher
       repository_name: repository_name,
       repository_owner_id: repository_owner_id,
       workflow_filename: workflow_filename,
-      environment: environment
+      environment: environment,
+      workflow_repository_owner: workflow_repository_owner,
+      workflow_repository_name: workflow_repository_name
     )
 
     errors.add(:base, "publisher already exists")
@@ -181,4 +213,20 @@ def workflow_filename_format
     errors.add(:workflow_filename, "must end with .yml or .yaml") unless /\.ya?ml\z/.match?(workflow_filename)
     errors.add(:workflow_filename, "must be a filename only, without directories") if workflow_filename.include?("/")
   end
+
+  def workflow_repository_fields_consistency
+    owner_present = workflow_repository_owner.present?
+    name_present = workflow_repository_name.present?
+
+    return if owner_present == name_present
+
+    errors.add(:base, "workflow_repository_owner and workflow_repository_name must both be set or both be blank")
+  end
+
+  def workflow_repository_differs_from_repository
+    return if workflow_repository_owner.blank? && workflow_repository_name.blank?
+    return unless workflow_repository_owner == repository_owner && workflow_repository_name == repository_name
+
+    errors.add(:base, "workflow_repository must be different from the repository, leave blank for same-repository workflows")
+  end
 end
diff --git a/app/views/components/oidc/trusted_publisher/github_action/form_component.rb b/app/views/components/oidc/trusted_publisher/github_action/form_component.rb
@@ -9,6 +9,8 @@ def view_template
       field trusted_publisher_form, :text_field, :repository_name, autocomplete: :off
       field trusted_publisher_form, :text_field, :workflow_filename, autocomplete: :off
       field trusted_publisher_form, :text_field, :environment, autocomplete: :off, optional: true
+      field trusted_publisher_form, :text_field, :workflow_repository_owner, autocomplete: :off, optional: true
+      field trusted_publisher_form, :text_field, :workflow_repository_name, autocomplete: :off, optional: true
     end
   end
 

diff --git a/app/views/components/oidc/trusted_publisher/github_action/table_component.rb b/app/views/components/oidc/trusted_publisher/github_action/table_component.rb
@@ -9,6 +9,11 @@ def view_template
       dt(class: "description__heading ") { "Workflow Filename" }
       dd { code { github_action.workflow_filename } }
 
+      if github_action.workflow_repository_owner.present?
+        dt(class: "description__heading") { "Workflow Repository" }
+        dd { code { github_action.workflow_repository } }
+      end
+
       if github_action.environment?
         dt(class: "description__heading") { "Environment" }
         dd { code { github_action.environment } }

diff --git a/config/locales/de.yml b/config/locales/de.yml
@@ -94,6 +94,8 @@ de:
         api_key_permissions: API-Schlüsselberechtigungen
       oidc/trusted_publisher/github_action:
         repository_owner_id: GitHub Repository-Besitzer-ID
+        workflow_repository_owner:
+        workflow_repository_name:
       oidc/pending_trusted_publisher:
         rubygem_name: RubyGem-Name
     errors:
@@ -1042,6 +1044,8 @@ de:
         repository_name_help_html:
         workflow_filename_help_html:
         environment_help_html:
+        workflow_repository_owner_help_html:
+        workflow_repository_name_help_html:
       pending:
         rubygem_name_help_html:
   duration:

diff --git a/config/locales/en.yml b/config/locales/en.yml
@@ -91,6 +91,8 @@ en:
         api_key_permissions: API Key Permissions
       oidc/trusted_publisher/github_action:
         repository_owner_id: GitHub Repository Owner ID
+        workflow_repository_owner: Workflow Repository Owner
+        workflow_repository_name: Workflow Repository Name
       oidc/pending_trusted_publisher:
         rubygem_name: RubyGem name
     errors:
@@ -971,6 +973,12 @@ en:
           The name of the <a href="https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment">GitHub Actions environment</a> that the above workflow uses for publishing.<br>
           This should be configured under the repository's settings.<br>
           While not required, a dedicated publishing environment is strongly encouraged, especially if your repository has maintainers with commit access who shouldn't have RubyGems.org gem push access.
+        workflow_repository_owner_help_html: |
+          <strong>For <a href="https://docs.github.com/en/actions/sharing-automations/reusing-workflows">reusable workflows</a> only:</strong> The GitHub organization or username that owns the repository containing the reusable workflow file.<br>
+          Leave blank if the workflow is defined in the same repository as above (the common case).
+        workflow_repository_name_help_html: |
+          <strong>For <a href="https://docs.github.com/en/actions/sharing-automations/reusing-workflows">reusable workflows</a> only:</strong> The name of the repository containing the reusable workflow file.<br>
+          Leave blank if the workflow is defined in the same repository as above (the common case).
       pending:
         rubygem_name_help_html: "The gem (on RubyGems.org) that will be created when this publisher is used"
   duration:

diff --git a/config/locales/es.yml b/config/locales/es.yml
@@ -92,6 +92,8 @@ es:
         api_key_permissions:
       oidc/trusted_publisher/github_action:
         repository_owner_id:
+        workflow_repository_owner:
+        workflow_repository_name:
       oidc/pending_trusted_publisher:
         rubygem_name:
     errors:
@@ -1088,6 +1090,8 @@ es:
         repository_name_help_html:
         workflow_filename_help_html:
         environment_help_html:
+        workflow_repository_owner_help_html:
+        workflow_repository_name_help_html:
       pending:
         rubygem_name_help_html:
   duration:

diff --git a/config/locales/fr.yml b/config/locales/fr.yml
@@ -91,6 +91,8 @@ fr:
         api_key_permissions:
       oidc/trusted_publisher/github_action:
         repository_owner_id:
+        workflow_repository_owner:
+        workflow_repository_name:
       oidc/pending_trusted_publisher:
         rubygem_name:
     errors:
@@ -999,6 +1001,8 @@ fr:
         repository_name_help_html:
         workflow_filename_help_html:
         environment_help_html:
+        workflow_repository_owner_help_html:
+        workflow_repository_name_help_html:
       pending:
         rubygem_name_help_html:
   duration:

diff --git a/config/locales/ja.yml b/config/locales/ja.yml
@@ -87,6 +87,8 @@ ja:
         api_key_permissions: APIキーのパーミッション
       oidc/trusted_publisher/github_action:
         repository_owner_id: GitHubリポジトリの所有者ID
+        workflow_repository_owner:
+        workflow_repository_name:
       oidc/pending_trusted_publisher:
         rubygem_name: RubyGem名
     errors:
@@ -990,6 +992,8 @@ ja:
           これはリポジトリの設定で構成されていると良いでしょう。<br>
           必須ではありませんが、個別の公開環境は強く推奨されます。
           特にリポジトリに、コミットアクセスを持つがRubyGems.orgへのgemのプッシュアクセスを持つべきではないメンテナがいるときが該当します。
+        workflow_repository_owner_help_html:
+        workflow_repository_name_help_html:
       pending:
         rubygem_name_help_html: "（RubyGems.orgの）gemはこの発行元が使われたときに作られます"
   duration:

diff --git a/config/locales/nl.yml b/config/locales/nl.yml
@@ -86,6 +86,8 @@ nl:
         api_key_permissions:
       oidc/trusted_publisher/github_action:
         repository_owner_id:
+        workflow_repository_owner:
+        workflow_repository_name:
       oidc/pending_trusted_publisher:
         rubygem_name:
     errors:
@@ -956,6 +958,8 @@ nl:
         repository_name_help_html:
         workflow_filename_help_html:
         environment_help_html:
+        workflow_repository_owner_help_html:
+        workflow_repository_name_help_html:
       pending:
         rubygem_name_help_html:
   duration:

diff --git a/config/locales/pt-BR.yml b/config/locales/pt-BR.yml
@@ -91,6 +91,8 @@ pt-BR:
         api_key_permissions:
       oidc/trusted_publisher/github_action:
         repository_owner_id:
+        workflow_repository_owner:
+        workflow_repository_name:
       oidc/pending_trusted_publisher:
         rubygem_name:
     errors:
@@ -978,6 +980,8 @@ pt-BR:
         repository_name_help_html:
         workflow_filename_help_html:
         environment_help_html:
+        workflow_repository_owner_help_html:
+        workflow_repository_name_help_html:
       pending:
         rubygem_name_help_html:
   duration:

diff --git a/config/locales/zh-CN.yml b/config/locales/zh-CN.yml
@@ -87,6 +87,8 @@ zh-CN:
         api_key_permissions:
       oidc/trusted_publisher/github_action:
         repository_owner_id:
+        workflow_repository_owner:
+        workflow_repository_name:
       oidc/pending_trusted_publisher:
         rubygem_name:
     errors:
@@ -970,6 +972,8 @@ zh-CN:
         repository_name_help_html:
         workflow_filename_help_html:
         environment_help_html:
+        workflow_repository_owner_help_html:
+        workflow_repository_name_help_html:
       pending:
         rubygem_name_help_html:
   duration:

diff --git a/config/locales/zh-TW.yml b/config/locales/zh-TW.yml
@@ -86,6 +86,8 @@ zh-TW:
         api_key_permissions: API 金鑰權限
       oidc/trusted_publisher/github_action:
         repository_owner_id:
+        workflow_repository_owner:
+        workflow_repository_name:
       oidc/pending_trusted_publisher:
         rubygem_name:
     errors:
@@ -958,6 +960,8 @@ zh-TW:
         repository_name_help_html:
         workflow_filename_help_html:
         environment_help_html:
+        workflow_repository_owner_help_html:
+        workflow_repository_name_help_html:
       pending:
         rubygem_name_help_html:
   duration:

diff --git a/...igrate/20260107200000_add_workflow_repository_to_oidc_trusted_publisher_github_actions.rb b/...igrate/20260107200000_add_workflow_repository_to_oidc_trusted_publisher_github_actions.rb
@@ -0,0 +1,8 @@
+class AddWorkflowRepositoryToOIDCTrustedPublisherGitHubActions < ActiveRecord::Migration[8.0]
+  def change
+    change_table :oidc_trusted_publisher_github_actions, bulk: true do |t|
+      t.string :workflow_repository_owner
+      t.string :workflow_repository_name
+    end
+  end
+end
diff --git a/db/migrate/20260107200001_add_workflow_repository_to_unique_index.rb b/db/migrate/20260107200001_add_workflow_repository_to_unique_index.rb
@@ -0,0 +1,33 @@
+class AddWorkflowRepositoryToUniqueIndex < ActiveRecord::Migration[8.0]
+  disable_ddl_transaction!
+
+  OLD_COLUMNS = %i[repository_owner repository_name repository_owner_id workflow_filename environment].freeze
+  NEW_COLUMNS = %i[repository_owner repository_name repository_owner_id workflow_filename environment
+                   workflow_repository_owner workflow_repository_name].freeze
+
+  def up
+    remove_index :oidc_trusted_publisher_github_actions,
+      OLD_COLUMNS,
+      name: "index_oidc_trusted_publisher_github_actions_claims",
+      algorithm: :concurrently
+
+    add_index :oidc_trusted_publisher_github_actions,
+      NEW_COLUMNS,
+      name: "index_oidc_trusted_publisher_github_actions_claims",
+      unique: true,
+      algorithm: :concurrently
+  end
+
+  def down
+    remove_index :oidc_trusted_publisher_github_actions,
+      NEW_COLUMNS,
+      name: "index_oidc_trusted_publisher_github_actions_claims",
+      algorithm: :concurrently
+
+    add_index :oidc_trusted_publisher_github_actions,
+      OLD_COLUMNS,
+      name: "index_oidc_trusted_publisher_github_actions_claims",
+      unique: true,
+      algorithm: :concurrently
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[8.0].define(version: 2025_11_06_032329) do
+ActiveRecord::Schema[8.0].define(version: 2026_01_07_200001) do
   # These are extensions that must be enabled in order to support this database
   enable_extension "hstore"
   enable_extension "pg_catalog.plpgsql"
@@ -492,7 +492,9 @@
     t.string "environment"
     t.datetime "created_at", null: false
     t.datetime "updated_at", null: false
-    t.index ["repository_owner", "repository_name", "repository_owner_id", "workflow_filename", "environment"], name: "index_oidc_trusted_publisher_github_actions_claims", unique: true
+    t.string "workflow_repository_owner"
+    t.string "workflow_repository_name"
+    t.index ["repository_owner", "repository_name", "repository_owner_id", "workflow_filename", "environment", "workflow_repository_owner", "workflow_repository_name"], name: "index_oidc_trusted_publisher_github_actions_claims", unique: true
   end
 
   create_table "organization_invites", force: :cascade do |t|