mongodb
diff --git a/‎.github/release.yml
+4 b/‎.github/release.yml
+4
diff --git a/‎.github/workflows/release.yml
+130 b/‎.github/workflows/release.yml
+130
diff --git a/‎README.md
+37-1 b/‎README.md
+37-1
diff --git a/‎Rakefile
+45-21 b/‎Rakefile
+45-21
diff --git a/‎gem-public_cert.pem
-26 b/‎gem-public_cert.pem
-26
diff --git a/‎mongo.gemspec
+8-11 b/‎mongo.gemspec
+8-11
diff --git a/‎profile/driver_bench/rake/tasks.rake
+3-3 b/‎profile/driver_bench/rake/tasks.rake
+3-3
@@ -0,0 +1,4 @@
+# For configuring how release notes are auto-generated.
+# Requires the use of labels to categorize pull requests.
+#
+# See: https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes
@@ -0,0 +1,130 @@
+name: "Driver Release"
+run-name: "Ruby Driver Release ${{ github.ref_name }}"
+
+on: workflow_dispatch
+
+env:
+  RELEASE_MESSAGE_TEMPLATE: |
+    Version {0} of the [MongoDB Ruby Driver](https://rubygems.org/gems/mongo) is now available.
+
+    **Release Highlights**
+
+    TODO: one or more paragraphs describing important changes in this release
+
+    **Documentation**
+
+    Documentation is available at [MongoDB.com](https://www.mongodb.com/docs/ruby-driver/current/).
+
+    **Installation**
+
+    You may install this version via RubyGems, with:
+
+    gem install --version {0} mongo
+
+jobs:
+  release:
+    name: "Driver Release"
+    environment: release
+    runs-on: 'ubuntu-latest'
+
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: write
+
+      # required by the mongodb-labs/drivers-github-tools/setup@v2 step
+      # also required by `rubygems/release-gem`
+      id-token: write
+
+    steps:
+      - name: "Create temporary app token"
+        uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
+      - name: "Store GitHub token in environment"
+        run: echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV"
+        shell: bash
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          token: ${{ env.GH_TOKEN }}
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.2'
+          bundler-cache: true
+
+      - name: Setup GitHub tooling for DBX Drivers
+        uses: mongodb-labs/drivers-github-tools/setup@v2
+        with:
+          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
+          aws_region_name: ${{ vars.AWS_REGION_NAME }}
+          aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
+
+      - name: Get the driver version
+        shell: bash
+        run: |
+          echo "DRIVER_VERSION=$(ruby -Ilib -rmongo/version -e 'puts Mongo::VERSION')" >> "$GITHUB_ENV"
+
+      - name: Set output gem file name
+        shell: bash
+        run: |
+          echo "GEM_FILE_NAME=mongo-${{ env.DRIVER_VERSION }}.gem" >> "$GITHUB_ENV"
+
+      - name: Build the gem
+        shell: bash
+        run: |
+          gem build --output=${{ env.GEM_FILE_NAME }} mongo.gemspec
+
+      - name: Sign the gem
+        uses: mongodb-labs/drivers-github-tools/gpg-sign@v2
+        with:
+          filenames: '${{ env.GEM_FILE_NAME }}'
+
+      - name: Create and sign the tag
+        uses: mongodb-labs/drivers-github-tools/git-sign@v2
+        with:
+          command: "git tag -u ${{ env.GPG_KEY_ID }} -m 'Release tag for v${{ env.DRIVER_VERSION }}' v${{ env.DRIVER_VERSION }}"
+
+      - name: Push the tag to the repository
+        shell: bash
+        run: |
+          git push origin v${{ env.DRIVER_VERSION }}
+
+      - name: Create a new release
+        shell: bash
+        run: gh release create v${{ env.DRIVER_VERSION }} --title ${{ env.DRIVER_VERSION }} --generate-notes --draft
+
+      - name: Capture the changelog
+        shell: bash
+        run: gh release view v${{ env.DRIVER_VERSION }} --json body --template '{{ .body }}' >> changelog
+
+      - name: Prepare release message
+        shell: bash
+        run: |
+          echo "${{ format(env.RELEASE_MESSAGE_TEMPLATE, env.DRIVER_VERSION) }}" > release-message
+          cat changelog >> release-message
+
+      - name: Update release information
+        shell: bash
+        run: |
+          echo "RELEASE_URL=$(gh release edit v${{ env.DRIVER_VERSION }} --notes-file release-message)" >> "$GITHUB_ENV"
+
+      - name: Upload release artifacts
+        run: gh release upload v${{ env.DRIVER_VERSION }} ${{ env.GEM_FILE_NAME }} ${{ env.RELEASE_ASSETS }}/${{ env.GEM_FILE_NAME }}.sig
+
+      - name: Publish the gem
+        uses: rubygems/release-gem@v1
+        with:
+          await-release: false
@@ -5,7 +5,43 @@ MongoDB Ruby Driver
 
 The officially supported Ruby driver for [MongoDB](https://www.mongodb.org/).
 
-The Ruby driver supports Ruby 2.5-3.0 and JRuby 9.2.
+The Ruby driver supports Ruby 2.7-3.3 and JRuby 9.3-9.4.
+
+## Installation
+
+Install via RubyGems, either via the command-line for ad-hoc uses:
+
+  $ gem install mongo
+
+Or via a Gemfile for more general use:
+
+  gem 'mongo'
+
+### Release Integrity
+
+Each release of the MongoDB Ruby driver after version 2.20.0 has been automatically built and signed using the team's GPG key.
+
+To verify the driver's gem file:
+
+1. [Download the GPG key](https://pgp.mongodb.com/ruby-driver.asc).
+2. Import the key into your GPG keyring with `gpg --import ruby-driver.asc`.
+3. Download the gem file (if you don't already have it). You can download it from RubyGems with `gem fetch mongo`, or you can download it from the [releases page](https://github.com/mongodb/mongo-ruby-driver/releases) on GitHub.
+4. Download the corresponding detached signature file from the [same release](https://github.com/mongodb/mongo-ruby-driver/releases). Look at the bottom of the release that corresponds to the gem file, under the 'Assets' list, for a `.sig` file with the same version number as the gem you wish to install.
+5. Verify the gem with `gpg --verify mongo-X.Y.Z.gem.sig mongo-X.Y.Z.gem` (replacing `X.Y.Z` with the actual version number).
+
+You are looking for text like "Good signature from "MongoDB Ruby Driver Release Signing Key <[email protected]>" in the output. If you see that, the signature was found to correspond to the given gem file.
+
+(Note that other output, like "This key is not certified with a trusted signature!", is related to *web of trust* and depends on how strongly you, personally, trust the `ruby-driver.asc` key that you downloaded from us. To learn more, see https://www.gnupg.org/gph/en/manual/x334.html)
+
+### Why not use RubyGems' gem-signing functionality?
+
+RubyGems' own gem signing is problematic, most significantly because there is no established chain of trust related to the keys used to sign gems. RubyGems' own documentation admits that "this method of signing gems is not widely used" (see https://guides.rubygems.org/security/). Discussions about this in the RubyGems community have been off-and-on for more than a decade, and while a solution will eventually arrive, we have settled on using GPG instead for the following reasons:
+
+1. Many of the other driver teams at MongoDB are using GPG to sign their product releases. Consistency with the other teams means that we can reuse existing tooling for our own product releases.
+2. GPG is widely available and has existing tools and procedures for dealing with web of trust (though they are admittedly quite arcane and intimidating to the uninitiated, unfortunately).
+
+Ultimately, most users do not bother to verify gems, and will not be impacted by our choice of GPG over RubyGems' native method.
+
 
 ## Documentation
 
 
@@ -2,17 +2,12 @@
 # rubocop:todo all
 
 require 'bundler'
-require 'bundler/gem_tasks'
 require 'rspec/core/rake_task'
-# TODO move the mongo require into the individual tasks that actually need it
-require 'mongo'
 
 ROOT = File.expand_path(File.join(File.dirname(__FILE__)))
 
 $: << File.join(ROOT, 'spec/shared/lib')
 
-require 'mrss/spec_organizer'
-
 CLASSIFIERS = [
   [%r,^mongo/server,, :unit_server],
   [%r,^mongo,, :unit],
@@ -33,18 +28,55 @@ RUN_PRIORITY = %i(
   spec spec_sdam_integration
 )
 
-tasks = Rake.application.instance_variable_get('@tasks')
-tasks['release:do'] = tasks.delete('release')
-
 RSpec::Core::RakeTask.new(:spec) do |t|
   #t.rspec_opts = "--profile 5" if ENV['CI']
 end
 
 task :default => ['spec:prepare', :spec]
 
+# stands in for the Bundler-provided `build` task, which builds the
+# gem for this project. Our release process builds the gems in a
+# particular way, in a GitHub action. This task is just to help remind
+# developers of that fact.
+task :build do
+  abort <<~WARNING
+    `rake build` does nothing in this project. The gem must be built via
+    the `Driver Release` action on GitHub, which is triggered manually when
+    a new release is ready.
+  WARNING
+end
+
+# overrides the default Bundler-provided `release` task, which also
+# builds the gem. Our release process assumes the gem has already
+# been built (and signed via GPG), so we just need `rake release` to
+# push the gem to rubygems.
+task :release do
+  require 'mongo/version'
+
+  if ENV['GITHUB_ACTION'].nil?
+    abort <<~WARNING
+      `rake release` must be invoked from the `Driver Release` GitHub action,
+      and must not be invoked locally. This ensures the gem is properly signed
+      and distributed by the appropriate user.
+
+      Note that it is the `rubygems/release-gem@v1` step in the `Driver Release`
+      action that invokes this task. Do not rename or remove this task, or the
+      release-gem step will fail. Reimplement this task with caution.
+
+      mongo-#{Mongo::VERSION}.gem was NOT pushed to RubyGems.
+    WARNING
+  end
+
+  system 'gem', 'push', "mongo-#{Mongo::VERSION}.gem"
+end
+
+task :mongo do
+  require 'mongo'
+end
+
 namespace :spec do
   desc 'Creates necessary user accounts in the cluster'
-  task :prepare do
+  task prepare: :mongo do
     $: << File.join(File.dirname(__FILE__), 'spec')
 
     require 'support/utils'
@@ -53,7 +85,7 @@ namespace :spec do
   end
 
   desc 'Waits for sessions to be available in the deployment'
-  task :wait_for_sessions do
+  task wait_for_sessions: :mongo do
     $: << File.join(File.dirname(__FILE__), 'spec')
 
     require 'support/utils'
@@ -77,7 +109,7 @@ namespace :spec do
   end
 
   desc 'Prints configuration used by the test suite'
-  task :config do
+  task config: :mongo do
     $: << File.join(File.dirname(__FILE__), 'spec')
 
     # Since this task is usually used for troubleshooting of test suite
@@ -90,6 +122,8 @@ namespace :spec do
   end
 
   def spec_organizer
+    require 'mrss/spec_organizer'
+
     Mrss::SpecOrganizer.new(
       root: ROOT,
       classifiers: CLASSIFIERS,
@@ -109,16 +143,6 @@ namespace :spec do
   end
 end
 
-namespace :release do
-  task :check_private_key do
-    unless File.exist?('gem-private_key.pem')
-      raise "No private key present, cannot release"
-    end
-  end
-end
-
-task :release => ['release:check_private_key', 'release:do']
-
 desc 'Build and validate the evergreen config'
 task eg: %w[ eg:build eg:validate ]
 
 
@@ -9,28 +9,25 @@ Gem::Specification.new do |s|
   s.name              = 'mongo'
   s.version           = Mongo::VERSION
   s.platform          = Gem::Platform::RUBY
-  s.authors           = ["The MongoDB Ruby Team"]
-  s.email             = "[email protected]"
+  s.authors           = [ 'The MongoDB Ruby Team' ]
+  s.email             = '[email protected]'
   s.homepage          = 'https://mongodb.com/docs/ruby-driver/'
   s.summary           = 'Ruby driver for MongoDB'
-  s.description       = 'A Ruby driver for MongoDB'
   s.license           = 'Apache-2.0'
+  s.description       = <<~DESC
+    A pure-Ruby driver for connecting to, querying, and manipulating MongoDB
+    databases. Officially developed and supported by MongoDB, with love for
+    the Ruby community.
+  DESC
 
   s.metadata = {
     'bug_tracker_uri' => 'https://jira.mongodb.org/projects/RUBY',
     'changelog_uri' => 'https://github.com/mongodb/mongo-ruby-driver/releases',
-    'documentation_uri' => 'https://mongodb.com/docs/ruby-driver/',
     'homepage_uri' => 'https://mongodb.com/docs/ruby-driver/',
+    'documentation_uri' => 'https://mongodb.com/docs/ruby-driver/current/tutorials/quick-start/',
     'source_code_uri' => 'https://github.com/mongodb/mongo-ruby-driver',
   }
 
-  if File.exist?('gem-private_key.pem')
-    s.signing_key     = 'gem-private_key.pem'
-    s.cert_chain      = ['gem-public_cert.pem']
-  else
-    warn "[#{s.name}] Warning: No private key present, creating unsigned gem."
-  end
-
   s.files             = Dir.glob('{bin,lib,spec}/**/*')
   s.files             += %w[mongo.gemspec LICENSE README.md CONTRIBUTING.md Rakefile]
   s.test_files        = Dir.glob('spec/**/*')
 
@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require_relative '../suite'
-
 task driver_bench: %i[ driver_bench:data driver_bench:run ]
 
 SPECS_REPO_URI = '[email protected]:mongodb/specifications.git'
@@ -32,7 +30,9 @@ namespace :driver_bench do
   end
 
   desc 'Runs the DriverBench benchmark suite'
-  task :run do
+  task run: 'driver_bench:initialize' do
+    require_relative '../suite'
+
     Mongo::DriverBench::Suite.run!
   end
 end