starter-workflows icon indicating copy to clipboard operation
starter-workflows copied to clipboard

Published 20 hours ago verified publisher icon actions

Fix ci/rubyonrails bugs, using bundle exec

Open jamiemccarthy opened this issue 1 year ago • 8 comments

This PR fixes three separate issues I identified with the rubyonrails workflow in #2159:

  1. Most seriously, the three linting commands must be run with bundle exec as a prefix, or they simply do not work. As written, the first lint command fails with bin/bundler-audit: No such file or directory. So this starter workflow has been broken for some time. This PR fixes that problem.
  2. bundle-audit is the preferred spelling of that command, as documented in its readme
  3. ~~The setup-ruby readme notes: "Important: Prefer ruby/setup-ruby@v1" and this PR switches to pin to that tag instead of a commit. The readme explains "If you pin to a commit or release, only the Ruby versions available at the time of the commit will be available." The existing file, by pinning to a commit, has not only been missing ruby 3.3.0, but has required manual updates to fix CVEs, as in eeb9248ea6d958f2adcb504c334b98464be041ea. It's more secure to let the upstream maintainers pick up these fixes and trust them to keep v1 up to date.~~ edit 2024-04-26: removed this change, see PR discussion for why

I'm happy to discuss these changes, and to reformat them in whatever way will be easiest. In particular, I've pushed the changes above as separate commits but I'm happy to squash them and resubmit.

I've been using a modified form of this workflow in a couple of jobs/workflows in a personal project since September. For what it's worth, it uses the bundle exec change, and it's been working fine.

Thank you!

jamiemccarthy avatar Feb 12 '24 13:02 jamiemccarthy

You can create the expected binstubs by running bundle binstubs bundle-audit brakeman rubocop and then checking in the generated files. I personally use binstubs rather than bundle exec, because I like the discoverability of seeing what's inside bin/ in my application.

As for the ruby-setup version, I originally used v1 in my PR and was told that it is against policy for starter actions to be unpinned, and it was required to pin them to a precise hash for the PR to be accepted.

Good luck!

indirect avatar Apr 25 '24 23:04 indirect

The pinning requirement is listed under Previous guidelines for new starter workflows: https://github.com/actions/starter-workflows/blob/2435e576016b3fdd46574a49126d65bfd0d4872f/CONTRIBUTING.md?plain=1#L14-L22

It doesn't appear to be the actual policy for this repository

organizations/users whose repositories aren't pinned
  • aliyun
  • aws-actions
  • azure
  • docker
  • github
  • google-github-actions
  • hashicorp
  • kentaro-m
  • microsoft
  • peter-evans
  • pozil
  • redhat-actions
  • slsa-framework
  • synopsys-sig
  • TencentCloud

I don't know what "Previous" means. It might mean "no longer in effect".

jsoref avatar Apr 26 '24 01:04 jsoref

Ah, I see the requirement. Thanks for the heads-up, @indirect.

It's not in CONTRIBUTING.md, it's in the pull request template:

https://github.com/actions/starter-workflows/blob/2435e576016b3fdd46574a49126d65bfd0d4872f/.github/pull_request_template.md?plain=1#L53

This workflow must only use actions that are produced by the language or ecosystem that the workflow supports. These actions must be published to the GitHub Marketplace. We require that these actions be referenced using the full 40 character hash of the action's commit instead of a tag.

This policy was adopted in 2021. At that time, there was discussion suggesting it shouldn't be a permanent restriction for some actions:

https://github.com/actions/starter-workflows/pull/806#pullrequestreview-589899124

You can use a qualified partners workflow too. And they don't need pinning to a 40 char SHA

Not sure how users will know which actions are from qualified partners... I'll merge this PR as-is for now, we can alway return to this and relax our conditions further in a future iteration.

I can see arguments either way, but that's out of scope for this PR.

So unless y'all object, I'll go ahead and push a commit that switches back from @v1 to the latest hash.

I think the rest of this PR is still worth doing. I don't much care whether it uses bundle binstubs to write out new files or execs them with bundle exec. As long as the result is that it works :)

jamiemccarthy avatar Apr 26 '24 11:04 jamiemccarthy

I don't have a strong preference for whether the ruby commands get run with bundle exec or as binstubs. This PR runs them with bundle exec. I've just pushed #2427 which runs them with binstubs.

I am proposing that one of them should be merged, depending on personal preference for how those ruby commands get run. The other PR should be closed. I don't care which 😄

jamiemccarthy avatar Jun 08 '24 16:06 jamiemccarthy

@indirect @jsoref Just re-upping this request. This PR's been updated, and #2427 has also been submitted as an alternative that uses binstubs.

jamiemccarthy avatar Jun 09 '24 21:06 jamiemccarthy

I have no influence over this repository. I have a project I want added to it, but I haven't even tried to submit it. I'm looking over existing PRs before I try to submit mine.

(I have made some PRs to bump generic dependencies, to test the waters, and it hasn't been particularly fast.)

jsoref avatar Jun 09 '24 21:06 jsoref

@jamiemccarthy I have gotten one PR merged here in the past. It took 3 months. Good luck!

indirect avatar Jun 10 '24 16:06 indirect

Okay, thanks, sorry for the misunderstanding. I don't know if there's anyone to @-ping, so I'll just wait I guess!

jamiemccarthy avatar Jun 11 '24 11:06 jamiemccarthy

Closing this in favor of https://github.com/actions/starter-workflows/pull/2427

thyeggman avatar Aug 01 '24 00:08 thyeggman