Ruby Releases Ruby

The process of delivering Ruby involves more than just shipping code; it is a defense against supply chain attacks. To build a robust fortress around our ecosystem, we had to eliminate the most significant security vulnerability: the human element.

Gone are the days of manual checklists and opaque procedures. Today, they have been replaced by secure, automated pipelines where code verifies code. In essence, Ruby is releasing Ruby.

In this session, I will take you behind the scenes of this evolution from the perspective of a Ruby Core Release Manager. We will dive deep into how release-gem and Sigstore build attestations create a tamper-proof chain of custody. The highlight of this session is the "self-hosting" challenge: releasing Ruby and RubyGems—the root of our dependency tree—autonomously. I will demonstrate our recursive engineering approach, utilizing sigstore-ruby to cryptographically verify the release of RubyGems itself. Join us to see how we ensure that the tools you rely.

  • Hiroshi SHIBATA

    OSS programmer, Ruby committer, maintainer of many OSS projects such as ruby, rubygems, bundler, rake, rbenv, ruby-build, and psych, and administrator of ruby-lang.org. He maintains the infrastructure that supports the development of the Ruby programming language. He works in technology public relations for ANDPAD Inc. and is a full-time OSS developer for the Ruby programming language.