From 913a70a4f5aca26b01c8454cda41f3a849865922 Mon Sep 17 00:00:00 2001
From: Samuel Giddins
Date: Fri, 19 Jan 2024 16:45:58 -0800
Subject: [PATCH 1/2] Document the trusted publisher exchange token API

---
 Gemfile.lock | 2 +-
 rubygems-org-api.md | 18 ++++++++++++++++++
 trusted-publishing/releasing-gems.md | 2 +-
 3 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index 30e5357..4110141 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -93,7 +93,7 @@ GEM
 google-protobuf (~> 3.23)
 sass-embedded (1.69.5-x86_64-linux-gnu)
 google-protobuf (~> 3.23)
- stringio (3.0.1)
+ stringio (3.1.0)
 terminal-table (3.0.2)
 unicode-display_width (>= 1.1.1, < 3)
 tomlrb (2.0.1)
diff --git a/rubygems-org-api.md b/rubygems-org-api.md
index 6974781..ce75997 100644
--- a/rubygems-org-api.md
+++ b/rubygems-org-api.md
@@ -545,6 +545,24 @@ Retrieve your API key using HTTP basic auth.
 "rubygems_api_key": "701243f217cdf23b1370c7b66b65ca97"
 }
 
+### POST - `/api/v1/oidc/trusted_publisher/exchange_token`
+
+Exchange an OIDC ID token for a RubyGems API key. This endpoint is intended to be used by the
+[`release-gem`](github.com/rubygems/release-gem) GitHub Action for [trusted publishing](/trusted-publishing/releasing-gems).
+
+The request body must be a JSON object with a single key, `jwt`, whose value is the ID token (as a string).
+
+ $ curl -X POST -H "Content-Type: application/json" -H "Accept: application/json" \
+ -d '{"jwt": $ID_TOKEN}' \
+ https://rubygems.org/api/v1/oidc/trusted_publisher/exchange_token"
+
+ {
+ "rubygems_api_key": "rubygems_701243f217cdf23b1370c7b66b65ca97",
+ "name": "GitHub Actions rubygems/configure-rubygems-credentials @ .github/workflows/token.yml",
+ "scopes": ["push_rubygem"],
+ "expires_at": "2021-01-01T00:00:00Z"
+ }
+
 ### GET - `/api/v1/dependencies?gems=[COMMA DELIMITED GEM NAMES]`
 
 Returns a marshalled array of hashes for all versions of given gems. Each hash 
diff --git a/trusted-publishing/releasing-gems.md b/trusted-publishing/releasing-gems.md
index f1f29e3..01d449e 100644
--- a/trusted-publishing/releasing-gems.md
+++ b/trusted-publishing/releasing-gems.md
@@ -30,4 +30,4 @@ jobs:
 - uses: rubygems/release-gem@v1
 ```
 
-Note the `id-token: write`` permission: you **must** provide this permission at either the job level (strongly recommended) or workflow level (discouraged). Without it, the publishing action won't have sufficient permissions to identify itself to RubyGems.org.
+Note the `id-token: write` permission: you **must** provide this permission at either the job level (strongly recommended) or workflow level (discouraged). Without it, the publishing action won't have sufficient permissions to identify itself to RubyGems.org.

From 30aa3cc842899bd9894dd3d40122c321fbd12a77 Mon Sep 17 00:00:00 2001
From: Samuel Giddins
Date: Fri, 19 Jan 2024 17:00:11 -0800
Subject: [PATCH 2/2] Run CI with rubygems 3.5

---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0bebb4a..e91eda2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,7 +15,7 @@ jobs:
 with:
 repository: rubygems/rubygems
 path: rubygems
- ref: 3.4
+ ref: 3.5
 - name: Set up Ruby
 uses: ruby/setup-ruby@v1