Skip to content

Support Rails 8 / activesupport 8; stop committing Gemfile.lock#64

Merged
ianyamey merged 1 commit into
mainfrom
ian/update-gemfile-rails-8
Jun 8, 2026
Merged

Support Rails 8 / activesupport 8; stop committing Gemfile.lock#64
ianyamey merged 1 commit into
mainfrom
ian/update-gemfile-rails-8

Conversation

@ianyamey

@ianyamey ianyamey commented Jun 8, 2026

Copy link
Copy Markdown
Contributor

What & why

unit-ruby couldn't resolve in apps on Rails 8 — the gemspec pinned activesupport '~> 7', which excludes activesupport 8. retirable/app runs activesupport 8.1, so it was blocked. This relaxes the constraint, refreshes dependencies, and removes the committed lockfile (the root cause of the stale pin going unnoticed).

Changes

Gemspec — relax for Rails 8

  • activesupport: ~> 7>= 7.0, < 9 (now resolves with both Rails 7 and 8)
  • dev dotenv: ~> 2~> 3
  • faraday/faraday-retry (~> 2) and Ruby >= 3.3 were already compatible

Stop committing Gemfile.lock

  • A library gem's dependency contract is the gemspec; consumers resolve against their own lockfile. Committing the lock meant CI only ever exercised one frozen resolution — which is exactly how the stale activesupport ~> 7 pin survived. CI now resolves fresh on every run, so an incompatible future release surfaces immediately. git rm --cached + added to .gitignore.

CI (.github/workflows/ci.yml)

  • Add Ruby 4.0 to the matrix (now ["3.3", "3.4", "4.0"]), fail-fast: false
  • Pin actions to commit SHAs instead of moving tags (immutable, supply-chain safe; comments keep them Dependabot-readable):
    • actions/checkout @v2@df4cb1c (v6.0.3) — also clears the deprecated Node 16 runner warnings
    • ruby/setup-ruby @v1@12fd324 (v1.312.0)

Housekeeping

  • Bump version 1.0.11.1.0
  • .rubocop.yml: rename deprecated IgnoredPatternsAllowedPatterns

Security

Clears the open Dependabot alerts: #19, #20, #21, #22, #23. The relaxed gemspec ranges admit patched versions (activesupport ≥ 7.2.3.1, faraday ≥ 2.14.2), and removing the committed lockfile leaves nothing pinning the vulnerable versions Dependabot was flagging.

Testing

84 unit specs pass. The 12 feature specs require live UNIT_* API credentials (provided in CI via secrets) and fail identically with and without these changes — not affected by this PR.

🤖 Generated with Claude Code

Relax the gemspec so the gem resolves in apps on Rails 8 (e.g.
retirable/app, which runs activesupport 8.1):

- activesupport: `~> 7` -> `>= 7.0, < 9`
- dev dotenv: `~> 2` -> `~> 3`

Stop tracking Gemfile.lock. A library gem's dependency contract is the
gemspec; the consuming app resolves against its own lockfile. Committing
the lock meant CI only ever tested one frozen resolution, which is how
the stale activesupport `~> 7` pin went unnoticed. CI now resolves fresh
each run.

CI:
- add Ruby 4.0 to the matrix; set fail-fast: false
- pin actions/checkout (v6.0.3) and ruby/setup-ruby (v1.312.0) to commit
  SHAs instead of moving tags

Also bump version to 1.1.0 and rename the deprecated rubocop
`IgnoredPatterns` config key to `AllowedPatterns`.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 8, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Version bumped to 1.1.0
    • Updated ActiveSupport dependency to support a broader version range (7.0 to less than 9)
    • Updated Dotenv dependency to version 3
    • Enhanced CI configuration for testing against Ruby 3.4 and 4.0

Walkthrough

The PR releases gem version 1.1.0 with updated dependency constraints: activesupport now allows versions 7.0 through 8.x, and dotenv is upgraded to ~> 3. The CI workflow is updated to test against Ruby 3.4 and 4.0 with pinned action SHAs for reproducibility. Configuration changes include adding Gemfile.lock to .gitignore (with a note that the consuming app handles dependency resolution) and updating RuboCop's line length rule to allow comment-start patterns via AllowedPatterns.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main objectives: Rails 8/activesupport 8 support and removal of the committed Gemfile.lock—both central to the changeset.
Description check ✅ Passed The description comprehensively explains the rationale, changes, security implications, and testing—all directly related to the changeset.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ian/update-gemfile-rails-8

Comment @coderabbitai help to get the list of available commands and usage tips.

@ianyamey ianyamey requested a review from trevornelson June 8, 2026 21:42

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
.github/workflows/ci.yml (1)

31-31: ⚡ Quick win

Consider adding persist-credentials: false to the checkout action.

Static analysis flagged that the checkout action does not set persist-credentials: false, which could persist GITHUB_TOKEN in .git/config. While this workflow doesn't upload artifacts (which would be the primary risk), setting this flag is a defense-in-depth security best practice.

🔒 Proposed security hardening
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 31, Update the checkout step that uses
"uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" to include the
option persist-credentials: false; locate the job step referencing
actions/checkout and add the persist-credentials: false input so the
GITHUB_TOKEN is not written into .git/config as a defense-in-depth security
hardening.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Line 28: The CI matrix removed Ruby 3.3 but the gemspec's
required_ruby_version (variable required_ruby_version) declares ">= 3.3", so
restore Ruby 3.3 in the GitHub Actions matrix by updating the ruby-version
matrix entry (ruby-version: ["3.3", "3.4", "4.0"]) so the minimum supported
runtime is tested; ensure the ruby-version list in .github/workflows/ci.yml
includes "3.3" and adjust ordering if you prefer ascending versions.
- Around line 31-33: The actions/checkout pin is inconsistent: update the uses
entry that currently reads
"actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" to the correct SHA
for tag v6.0.3 (9f698171ed81b15d1823a05fc7211befd50c8ae0) or alternatively
change the trailing comment to match the pinned SHA; modify the line referencing
actions/checkout so the tag comment and the pinned SHA are consistent (leave
ruby/setup-ruby as-is).

---

Nitpick comments:
In @.github/workflows/ci.yml:
- Line 31: Update the checkout step that uses "uses:
actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" to include the option
persist-credentials: false; locate the job step referencing actions/checkout and
add the persist-credentials: false input so the GITHUB_TOKEN is not written into
.git/config as a defense-in-depth security hardening.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6b1b865d-0381-4ef8-9f76-83249f547989

📥 Commits

Reviewing files that changed from the base of the PR and between 59502cd and 308c4e2.

⛔ Files ignored due to path filters (1)
  • Gemfile.lock is excluded by !**/*.lock
📒 Files selected for processing (6)
  • .github/workflows/ci.yml
  • .gitignore
  • .rubocop.yml
  • lib/unit-ruby/version.rb
  • spec/version_spec.rb
  • unit-ruby.gemspec

Comment thread .github/workflows/ci.yml
Comment thread .github/workflows/ci.yml
@ianyamey ianyamey enabled auto-merge (squash) June 8, 2026 21:48
@ianyamey ianyamey merged commit 1ac91c2 into main Jun 8, 2026
3 checks passed
@ianyamey ianyamey deleted the ian/update-gemfile-rails-8 branch June 8, 2026 21:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants