Support Rails 8 / activesupport 8; stop committing Gemfile.lock#64
Conversation
Relax the gemspec so the gem resolves in apps on Rails 8 (e.g. retirable/app, which runs activesupport 8.1): - activesupport: `~> 7` -> `>= 7.0, < 9` - dev dotenv: `~> 2` -> `~> 3` Stop tracking Gemfile.lock. A library gem's dependency contract is the gemspec; the consuming app resolves against its own lockfile. Committing the lock meant CI only ever tested one frozen resolution, which is how the stale activesupport `~> 7` pin went unnoticed. CI now resolves fresh each run. CI: - add Ruby 4.0 to the matrix; set fail-fast: false - pin actions/checkout (v6.0.3) and ruby/setup-ruby (v1.312.0) to commit SHAs instead of moving tags Also bump version to 1.1.0 and rename the deprecated rubocop `IgnoredPatterns` config key to `AllowedPatterns`. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
📝 WalkthroughSummary by CodeRabbit
WalkthroughThe PR releases gem version 1.1.0 with updated dependency constraints: activesupport now allows versions 7.0 through 8.x, and dotenv is upgraded to ~> 3. The CI workflow is updated to test against Ruby 3.4 and 4.0 with pinned action SHAs for reproducibility. Configuration changes include adding Gemfile.lock to .gitignore (with a note that the consuming app handles dependency resolution) and updating RuboCop's line length rule to allow comment-start patterns via AllowedPatterns. 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (1)
.github/workflows/ci.yml (1)
31-31: ⚡ Quick winConsider adding
persist-credentials: falseto the checkout action.Static analysis flagged that the checkout action does not set
persist-credentials: false, which could persist GITHUB_TOKEN in.git/config. While this workflow doesn't upload artifacts (which would be the primary risk), setting this flag is a defense-in-depth security best practice.🔒 Proposed security hardening
- - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/ci.yml at line 31, Update the checkout step that uses "uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" to include the option persist-credentials: false; locate the job step referencing actions/checkout and add the persist-credentials: false input so the GITHUB_TOKEN is not written into .git/config as a defense-in-depth security hardening.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci.yml:
- Line 28: The CI matrix removed Ruby 3.3 but the gemspec's
required_ruby_version (variable required_ruby_version) declares ">= 3.3", so
restore Ruby 3.3 in the GitHub Actions matrix by updating the ruby-version
matrix entry (ruby-version: ["3.3", "3.4", "4.0"]) so the minimum supported
runtime is tested; ensure the ruby-version list in .github/workflows/ci.yml
includes "3.3" and adjust ordering if you prefer ascending versions.
- Around line 31-33: The actions/checkout pin is inconsistent: update the uses
entry that currently reads
"actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" to the correct SHA
for tag v6.0.3 (9f698171ed81b15d1823a05fc7211befd50c8ae0) or alternatively
change the trailing comment to match the pinned SHA; modify the line referencing
actions/checkout so the tag comment and the pinned SHA are consistent (leave
ruby/setup-ruby as-is).
---
Nitpick comments:
In @.github/workflows/ci.yml:
- Line 31: Update the checkout step that uses "uses:
actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" to include the option
persist-credentials: false; locate the job step referencing actions/checkout and
add the persist-credentials: false input so the GITHUB_TOKEN is not written into
.git/config as a defense-in-depth security hardening.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 6b1b865d-0381-4ef8-9f76-83249f547989
⛔ Files ignored due to path filters (1)
Gemfile.lockis excluded by!**/*.lock
📒 Files selected for processing (6)
.github/workflows/ci.yml.gitignore.rubocop.ymllib/unit-ruby/version.rbspec/version_spec.rbunit-ruby.gemspec
What & why
unit-rubycouldn't resolve in apps on Rails 8 — the gemspec pinnedactivesupport '~> 7', which excludes activesupport 8. retirable/app runs activesupport 8.1, so it was blocked. This relaxes the constraint, refreshes dependencies, and removes the committed lockfile (the root cause of the stale pin going unnoticed).Changes
Gemspec — relax for Rails 8
activesupport:~> 7→>= 7.0, < 9(now resolves with both Rails 7 and 8)dotenv:~> 2→~> 3faraday/faraday-retry(~> 2) and Ruby>= 3.3were already compatibleStop committing
Gemfile.lockactivesupport ~> 7pin survived. CI now resolves fresh on every run, so an incompatible future release surfaces immediately.git rm --cached+ added to.gitignore.CI (
.github/workflows/ci.yml)["3.3", "3.4", "4.0"]),fail-fast: falseactions/checkout@v2→@df4cb1c(v6.0.3) — also clears the deprecated Node 16 runner warningsruby/setup-ruby@v1→@12fd324(v1.312.0)Housekeeping
1.0.1→1.1.0.rubocop.yml: rename deprecatedIgnoredPatterns→AllowedPatternsSecurity
Clears the open Dependabot alerts: #19, #20, #21, #22, #23. The relaxed gemspec ranges admit patched versions (activesupport ≥ 7.2.3.1, faraday ≥ 2.14.2), and removing the committed lockfile leaves nothing pinning the vulnerable versions Dependabot was flagging.
Testing
84 unit specs pass. The 12 feature specs require live
UNIT_*API credentials (provided in CI via secrets) and fail identically with and without these changes — not affected by this PR.🤖 Generated with Claude Code