| Age | Commit message | Author |
|
Dependabot left the version comment as v6.0.2 on the four lines that
carry a trailing `# zizmor: ignore[artipacked]`, since its comment
rewriter only handles a version comment as the last token on the line.
zizmor flagged the resulting hash/comment mismatch. Update every
checkout pin in .github to the v6.0.3 commit and comment at once.
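
The mismatch described in this commit can be caught offline by checking that one pinned SHA never carries two different version comments. The sketch below is an added example, not part of the commit and not zizmor's implementation; the SHA and workflow lines are constructed placeholders, and `PIN` and `mismatched_pins` are hypothetical names.

```ruby
# Constructed placeholder SHA and workflow lines (not the repository's pins).
SHA = "0123456789abcdef0123456789abcdef01234567"
SAMPLE = <<~YAML
  - uses: actions/checkout@#{SHA} # v6.0.3
  - uses: actions/checkout@#{SHA} # v6.0.2 # zizmor: ignore[artipacked]
  - uses: ruby/setup-ruby@#{SHA.reverse} # v1.310.0
YAML

# Match "uses: owner/repo@<40 hex> # vX.Y.Z" and take the FIRST comment
# token as the version, so a trailing "# zizmor: ignore[...]" does not hide it.
PIN = %r{uses:\s*(?<action>[\w./-]+)@(?<sha>\h{40})\s*#\s*(?<ver>v[\d.]+)}

# Group line numbers by (action, sha) and version comment. A pin whose SHA
# appears with more than one version comment has a stale comment somewhere.
# This cannot tell which comment is correct; that needs the upstream tags.
def mismatched_pins(text)
  seen = Hash.new { |h, k| h[k] = Hash.new { |g, v| g[v] = [] } }
  text.each_line.with_index(1) do |line, n|
    m = PIN.match(line) or next
    seen[[m[:action], m[:sha]]][m[:ver]] << n
  end
  seen.select { |_, vers| vers.size > 1 }
      .map { |(action, sha), vers| { action: action, sha: sha, lines_by_comment: vers } }
end

if __FILE__ == $PROGRAM_NAME
  mismatched_pins(SAMPLE).each do |hit|
    puts "#{hit[:action]}@#{hit[:sha][0, 7]}: #{hit[:lines_by_comment]}"
  end
end
```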
|
|
Dir.each_child yields entry names, so stat/digest/children ran against
the working directory instead of HOME. Join dir and name first.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
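
The failure mode this commit describes, shown as an added example that is not the repository's code: `snapshot_buggy` and `snapshot` are hypothetical helpers, and the directories and files are constructed in a temporary location.

```ruby
require "digest"
require "fileutils"
require "tmpdir"

# Buggy shape: Dir.each_child yields bare names (".profile"), so lstat
# resolves them against Dir.pwd and describes the wrong file (or raises
# Errno::ENOENT when no file of that name exists there).
def snapshot_buggy(dir)
  Dir.each_child(dir).sort.to_h { |name| [name, File.lstat(name).size] }
end

# Fixed shape: join dir and name before any stat, digest or recursion.
def snapshot(dir, base = dir, out = {})
  Dir.each_child(dir).sort.each do |name|
    path = File.join(dir, name)
    rel  = path.delete_prefix("#{base}/")
    st   = File.lstat(path)
    if st.directory?
      out["#{rel}/"] = :dir
      snapshot(path, base, out)
    else
      out[rel] = st.file? ? Digest::SHA256.file(path).hexdigest : st.ftype
    end
  end
  out
end

# Constructed demo: a throwaway HOME gains a leftover directory, and the
# working directory holds a different file with the same name.
def demo
  Dir.mktmpdir do |home|
    Dir.mktmpdir do |cwd|
      File.write(File.join(home, ".profile"), "export A=1\n") # 11 bytes
      File.write(File.join(cwd, ".profile"), "x")             # 1 byte
      before = snapshot(home)
      wrong  = Dir.chdir(cwd) { snapshot_buggy(home) }        # sizes from cwd
      FileUtils.mkdir_p(File.join(home, ".gnupg", "crls.d"))
      after = snapshot(home)
      { added: after.keys - before.keys, buggy_sizes: wrong }
    end
  end
end
```

The buggy helper reports a size of 1 for `.profile`, which is the file in the working directory, so a HOME diff built on it would silently compare the wrong tree.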
|
|
Replace secrets: inherit with explicit Slack webhook secrets, which are
the only secrets the ubuntu/macos/windows builds use. tarball-non-development
uses no secrets, so drop inherit there entirely.
|
|
These reusable workflows only check out, download artifacts, build, and
test, so contents: read is sufficient.
|
|
|
|
Bumps the github-actions group with 5 updates in the / directory:
| Package | From | To |
| --- | --- | --- |
| [ruby/setup-ruby](https://github.com/ruby/setup-ruby) | `1.307.0` | `1.310.0` |
| [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) | `0.5.3` | `0.5.6` |
| [github/codeql-action](https://github.com/github/codeql-action) | `4.35.4` | `4.35.5` |
| [ruby/action-slack](https://github.com/ruby/action-slack) | `3.2.2` | `4.0.0` |
| [taiki-e/install-action](https://github.com/taiki-e/install-action) | `2.78.0` | `2.79.4` |
Updates `ruby/setup-ruby` from 1.307.0 to 1.310.0
- [Release notes](https://github.com/ruby/setup-ruby/releases)
- [Changelog](https://github.com/ruby/setup-ruby/blob/master/release.rb)
- [Commits](https://github.com/ruby/setup-ruby/compare/6aaa311d81eba98ae12eaffbcb63296ace0efcde...afeafc3d1ab54a631816aba4c914a0081c12ff2f)
Updates `zizmorcore/zizmor-action` from 0.5.3 to 0.5.6
- [Release notes](https://github.com/zizmorcore/zizmor-action/releases)
- [Commits](https://github.com/zizmorcore/zizmor-action/compare/b1d7e1fb5de872772f31590499237e7cce841e8e...5f14fd08f7cf1cb1609c1e344975f152c7ee938d)
Updates `github/codeql-action` from 4.35.4 to 4.35.5
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/68bde559dea0fdcac2102bfdf6230c5f70eb485e...9e0d7b8d25671d64c341c19c0152d693099fb5ba)
Updates `ruby/action-slack` from 3.2.2 to 4.0.0
- [Release notes](https://github.com/ruby/action-slack/releases)
- [Commits](https://github.com/ruby/action-slack/compare/54175162371f1f7c8eb94d7c8644ee2479fcd375...d260b61aa817726d5bedd22dd6cc305787fa4cdd)
Updates `taiki-e/install-action` from 2.78.0 to 2.79.4
- [Release notes](https://github.com/taiki-e/install-action/releases)
- [Changelog](https://github.com/taiki-e/install-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/taiki-e/install-action/compare/e1c4cd42111751368541a7cb5db3522bd1f846a4...e0eafa9a0d485c37f97c0f7beb930a58a2facbac)
---
updated-dependencies:
- dependency-name: ruby/setup-ruby
  dependency-version: 1.310.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: zizmorcore/zizmor-action
  dependency-version: 0.5.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: github/codeql-action
  dependency-version: 4.35.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: ruby/action-slack
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: taiki-e/install-action
  dependency-version: 2.79.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...
Signed-off-by: dependabot[bot] <support@github.com>
|
|
|
|
Bump ruby/setup-ruby to v1.307.0 (matching the 17 other workflows that
already pin this SHA) and use Ruby 3.2 as the host interpreter on both
Ubuntu and Windows.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
|
macOS already pulled gmp via brew so bignum tests linked against it,
while ubuntu/non-development/windows skipped it and quietly used the
pure-C fallback. Add libgmp-dev on apt and gmp on vcpkg so all platforms
build bignum.c against gmp consistently.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
|
ext/readline and ext/curses are no longer shipped from ruby/ruby, so
libreadline / libncurses are unused at build and run time. Remove them
from apt / brew / vcpkg lists, drop the matching --with-readline-dir
configure flag on macOS, and simplify the Windows DLL symlink loop that
was carved out to skip readline.dll.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
|
Before the workflows were unified into the tarball-test reusable, the
github.workflow value itself encoded the branch (snapshot-master /
snapshot-ruby_3_4 etc.) and made schedule notifications self-describing.
The unified workflow collapsed that to "tarball-test", so put
inputs.archname back into the link label to restore the prior signal.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
|
The sparse checkout used to expose .github/actions/slack on failure
inherits the default persist-credentials: true, which leaves the
GITHUB_TOKEN in the workspace git config. Match the convention used by
mingw.yml / wasm.yml / parse_y.yml and silence the zizmor credential
persistence warning.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
|
Direct ruby/action-slack calls fired on every failure() including fork
PRs, where secrets.SIMPLER_ALERTS_URL is empty and the action crashed
with 'Cannot read properties of null'. Switch the SIMPLER_ALERTS_URL
step to ./.github/actions/slack so the existing push-only and
ruby/* repository guards apply, matching the 21 other workflows that
already go through this composite.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
|
Without the workaround the snapshot-tarball run leaves
~/.gnupg/{crls.d,private-keys-v1.d,public-keys.d} behind after
test_sync_default_gems, which trips Diff stats of HOME. GPG 2.x's
agent processes ignore GNUPGHOME for these directories on first
launch, so always sweep the leftovers regardless of which branch the
reusable was called from.
|
|
SIMPLER_ALERTS_URL always fires on failure so developer-facing CI
(PR, push, merge_group, manual dispatch) surfaces breakage in the
ruby-core channel. notify-release-channel additionally routes to
SNAPSHOT_SLACK_WEBHOOK_URL for the daily snapshot dispatcher and
future draft-release callers, with the same payload schema as before
except commit now comes from github.sha.
|
|
ruby_3_3 was the only caller that disabled the extra mkdir step.
Always create $HOME/.local/share and $HOME/.ssh in the main Fixed
world writable dirs step. mkdir -p $HOME/.local/share also covers
$HOME/.local, so the bare mkdir for it goes away.
|
|
Confirms the snapshot tarball ships a working RubyGems and Bundler in
addition to the ruby binary.
|
|
Hardcode the post-install smoke test to /usr/local/bin/ruby, matching
the configure default prefix used on master/4_0/3_4. ruby_3_3's `ruby`
override falls away when it aligns with the same install layout.
|
|
The three apt-mode variants existed to selectively uninstall git (and
sometimes ruby) per test_task. ruby-and-git on ruby_3_3 also pinned an
apt-installed host ruby. With ruby/setup-ruby covering the host ruby
unconditionally and git always shipping on the runner image, the
matrix collapses to the single 'none' install step.
|
|
Always install Ruby 3.2 via ruby/setup-ruby for test-bundled-gems.
ruby_3_3 will follow once it stops relying on the apt-installed ruby
for its host.
|
|
The step force-removed $HOME/.gnupg between Tests and Diff stats of
HOME, but the original cause for the directory persisting was never
identified. Remove it and observe whether the HOME diff still passes.
|
|
power_assert was allowed to fail on master/4_0 by passing it through
this input. The allow-list belongs in tool/test-bundled-gems.rb now
that the tool ships in the same repo as the workflow.
|
|
No caller passes patch-url: tarball-test.yml never set it, and
ruby/actions draft-release.yml stopped forwarding it once it started
calling these workflows by ref. Remove the input and the Apply patch
step from the ubuntu, macos, and windows reusables.
|
|
zizmor flags `cd "${{ inputs.archname }}/"` inside `run:` blocks as
code injection via template expansion: GitHub Actions substitutes the
input value into the shell script verbatim, so a caller passing shell
metacharacters could execute arbitrary code.
Hoist `ARCHNAME: ${{ inputs.archname }}` to the job-level `env:` block
and reference it as `$ARCHNAME` in shell, matching the pattern already
used by tarball-windows.yml (see 942f45b2af).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
|
The per-OS tarball-test workflows currently hard-code `cd snapshot-*/`
to enter the extracted tarball directory, which prevents callers from
producing tarballs under any other prefix (for example `ruby-3.4.0-rc1`
emitted by `tool/make-snapshot` when given a version argument).
Replace the glob with `cd "${{ inputs.archname }}/"`. Existing snapshot
callers still pass `snapshot-<branch>` so behavior is unchanged for
this repository, but ruby/actions can now reuse the same workflows
from `draft-release.yml` with `ruby-<version>` archnames.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
|
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
|
Add a daily 18:30 UTC schedule trigger to match the existing ruby/actions
snapshot cron, and limit the Slack failure notifications in the reusable
workflows to schedule runs. PRs and merge_group runs are still gated by
the workflow's CI status, but won't spam the Snapshot/SimplerAlerts
channels or fail on missing webhook secrets in forks.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
|
zizmor flags inline `${{ inputs.X }}` expansions inside run scripts as
template-injection errors. Reusable workflow inputs come from the
in-repo caller and are trusted, but routing them through env avoids the
class of mistake entirely and silences the audit without per-line
ignores.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
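
The pattern from this commit and from the later `archname` commit (inline `${{ inputs.X }}` in a `run:` script versus the same value hoisted to `env:`), with a small check that tells the two apart. This is an added example, not the repository's workflows and not zizmor's implementation: the two workflow fragments are constructed, `inline_expansions` is a hypothetical helper, and it reports every expression in a `run:` script without judging which contexts are attacker-controlled.

```ruby
require "yaml"

# Constructed workflow fragments (not the repository's files).
INLINE = <<~YAML
  jobs:
    test:
      steps:
        - run: |
            cd "${{ inputs.archname }}/"
            make check
YAML

HOISTED = <<~YAML
  jobs:
    test:
      env:
        ARCHNAME: ${{ inputs.archname }}
      steps:
        - run: |
            cd "$ARCHNAME/"
            make check
YAML

EXPR = /\$\{\{\s*(.+?)\s*\}\}/

# Return [job, step_index, expression] for every ${{ }} expanded inside a
# run: script, where the value is pasted into the script text before the
# shell parses it. Expressions under env: or with: are not reported: they
# reach the shell as variable contents, not as script source.
def inline_expansions(workflow_yaml)
  doc = YAML.safe_load(workflow_yaml) || {}
  (doc["jobs"] || {}).flat_map do |job, body|
    Array(body["steps"]).each_with_index.flat_map do |step, i|
      step["run"].to_s.scan(EXPR).map { |(expr)| [job, i, expr] }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  p inline: inline_expansions(INLINE), hoisted: inline_expansions(HOISTED)
end
```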
|
|
Port the daily snapshot tarball pipeline from ruby/actions into
ruby/ruby so the tarball build and per-OS tests run on every push and
pull request. The make-snapshot composite action gains a srcdir input so
the same logic can either clone ruby/ruby (daily upload from ruby/actions)
or operate on the working tree (this workflow).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|