Fix ci/rubyonrails bugs, using bundle exec #2302
base: main
Conversation
cc: @indirect, @bishal-pdMSFT, @JamesMGreene
fwiw, these changes look reasonable to me.
You can create the expected binstubs by running As for the Good luck!
The pinning requirement is listed under "Previous guidelines for new starter workflows": starter-workflows/CONTRIBUTING.md, lines 14 to 22 in 2435e57.
It doesn't appear to be the actual policy for this repository organizations/users whose repositories aren't pinned
I don't know what "Previous" means. It might mean "no longer in effect".
Ah, I see the requirement. Thanks for the heads-up, @indirect. It's not in
This policy was adopted in 2021. At that time, there was discussion suggesting it shouldn't be a permanent restriction for some actions:
I can see arguments either way, but that's out of scope for this PR. So unless y'all object, I'll go ahead and push a commit that switches back from I think the rest of this PR is still worth doing. I don't much care whether it uses
As required in pull_request_template.md
Can build ruby 3.1.6 and 3.3.2
I don't have a strong preference for whether the ruby commands get run with I am proposing that one of them should be merged, depending on personal preference for how those ruby commands get run. The other PR should be closed. I don't care which 😄

I have no influence over this repository. I have a project I want added to it, but I haven't even tried to submit it. I'm looking over existing PRs before I try to submit mine. (I have made some PRs to bump generic dependencies, to test the waters, and it hasn't been particularly fast.)

@jamiemccarthy I have gotten one PR merged here in the past. It took 3 months. Good luck!
This PR fixes three separate issues I identified with the rubyonrails workflow in #2159:

1. `bin/bundler-audit: No such file or directory`. So this starter workflow has been broken for some time. This PR fixes that problem.
2. `bundle-audit` is the preferred spelling of that command, as documented in its readme.
3. (edit 2024-04-26: removed this change, see PR discussion for why) The setup-ruby readme notes: "Important: Prefer ruby/setup-ruby@v1" and this PR switches to pin to that tag instead of a commit. The readme explains "If you pin to a commit or release, only the Ruby versions available at the time of the commit will be available." The existing file, by pinning to a commit, has not only been missing ruby 3.3.0, but has required manual updates to fix CVEs, as in eeb9248. It's more secure to let the upstream maintainers pick up these fixes and trust them to keep `v1` up to date.

I'm happy to discuss these changes, and to reformat them in whatever way will be easiest. In particular, I've pushed the changes above as separate commits but I'm happy to squash them and resubmit.

I've been using a modified form of this workflow in a couple of jobs/workflows in a personal project since September. For what it's worth, it uses the `bundle exec` change, and it's been working fine.

Thank you!
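As an added illustration of the two job steps the description refers to (constructed here; this is not the repository's actual rubyonrails.yml nor the author's diff), the broken form is shown in comments beside the corrected one. The setup-ruby commit SHA is a placeholder, and the Ruby version is assumed.

```yaml
# Constructed example, not the starter-workflows file itself.
#
# Before: the workflow invoked a binstub that a fresh checkout does not
# contain, so every run failed with
#   "bin/bundler-audit: No such file or directory":
#
#   - name: Security audit dependencies
#     run: bin/bundler-audit --update
#
# After: run the gem's executable through bundler, using the spelling the
# bundler-audit readme documents (bundle-audit, not bundler-audit).
steps:
  - uses: actions/checkout@v4
  - name: Set up Ruby
    # CONTRIBUTING.md asks for third-party actions to be pinned to a commit
    # rather than a moving tag such as v1, so the PR's tag switch was dropped
    # (2024-04-26). Pinning means the SHA must be bumped by hand to pick up
    # upstream fixes; the version comment records which release it is.
    # <setup-ruby-commit-sha> is a placeholder, not a real SHA.
    uses: ruby/setup-ruby@<setup-ruby-commit-sha> # v1.x.y
    with:
      ruby-version: '3.3'   # assumed; the page mentions 3.1.6 and 3.3.2
      bundler-cache: true   # runs bundle install so bundle exec can find the gem
  - name: Security audit dependencies
    run: bundle exec bundle-audit check --update
```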