Use `rubygems/release-gem` to publish Dependabot

[JamieMagee]

Code improvement description

Now that #9787 has been completed in #11984, we should look into using the rubygems/release-gem action to publish the Dependabot RubyGems.

For one, it would allow us to get rid of our custom Rakefile. For another, we get the added security benefit of Sigstore attestations¹.

The main challenges with migrating to rubygems/release-gem are outlined here: https://github.com/dependabot/dependabot-core/pull/11984/files#r2030204218

Footnotes

1. https://github.com/rubygems/release-gem/pull/11 ↩

[jeffwidman]

FWIW, when I was researching how to implement Trusted Publishing, I'd noticed 84codes/rubocop-eightyfourcodes#16 which made it look like handling Sigstore attestations directly is very simple.

Now that I got Trusted Publishing working, let's try it!

• Add sigstore attestations for our published gems #12025

To be clear: I'm not saying I'm opposed to this idea, rather that the difficulty of adding / maintaining Sigstore attestations doesn't seem like a compelling argument for this. Especially since ☝ is the same underlying command that rubygems/release-gem uses to add attestations:

• Attest by default when using trusted publishing rubygems/release-gem#11

[JamieMagee]

That works for me. I am mainly concerned about improving the supply chain security of Dependabot. If using sigstore directly is the easiest way to do it, then go for it!

[jeffwidman]

Also, for anyone who tackles this in the future, here's some historical context: #11984 (comment)