diff --git a/.github/workflows/cache-clean.yml b/.github/workflows/cache-clean.yml index e1f357bd..68907d12 100644 --- a/.github/workflows/cache-clean.yml +++ b/.github/workflows/cache-clean.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Delete caches - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7 with: script: | let totalDeleted = 0; @@ -71,13 +71,27 @@ jobs: totalDeleted++; totalBytes += cache.size_in_bytes; - await github.rest.actions.deleteActionsCacheById({ - owner: context.repo.owner, - repo: context.repo.repo, - cache_id: cache.id - }); - - console.log(`Deleted cache ${cache.id} (${sizeInMb(cache.size_in_bytes)} MB) for ref ${cache.ref}`); + try { + await github.rest.actions.deleteActionsCacheByKey({ + owner: context.repo.owner, + repo: context.repo.repo, + key: cache.key, + ref: cache.ref + }); + console.log(`Deleted cache ${cache.key} (${sizeInMb(cache.size_in_bytes)} MB) for ref ${cache.ref}`); + } catch (error) { + console.warn(`Error deleting cache by key: ${error.message}. Attempting alternative method...`); + try { + await github.rest.actions.deleteActionsCacheByKey({ + owner: context.repo.owner, + repo: context.repo.repo, + key: cache.key + }); + console.log(`Deleted cache ${cache.key} (${sizeInMb(cache.size_in_bytes)} MB) without ref parameter`); + } catch (secondError) { + console.error(`Failed to delete cache ${cache.key}: ${secondError.message}`); + } + } } } diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 71fd73ca..14caadf7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,5 +1,7 @@ --- name: "CI" +permissions: + contents: read on: push: 
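Review bot: The retry inside the outer `catch` of the `Delete caches` script calls `deleteActionsCacheByKey` without `ref`, and a key-only delete removes every cache with that key on every ref, so one failed call can remove caches that the selection logic above never picked (the loop and its filter start outside this hunk). The previous `deleteActionsCacheById` call with `cache_id: cache.id` targeted exactly one entry; if the by-key form is needed, drop the ref-less retry rather than widening the scope on error. Both `catch` blocks also swallow the failure while `totalDeleted++` and `totalBytes += cache.size_in_bytes` have already run in the context lines, so the summary overcounts and the job stays green. Move those two updates after the successful `await` and record failures, for example `failed++;` in the final `catch` and `if (failed) core.setFailed(failed + ' cache deletions failed');` once the loop ends.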
@@ -72,15 +74,15 @@ jobs: rust_toolchain: stable runs-on: ${{ matrix.sys.os }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - uses: oxidize-rb/actions/upload-core-dumps@v1 + - uses: oxidize-rb/actions/upload-core-dumps@d4731ac609739be0920f0faf5569b58b8eb1a262 # v1 - name: Setup debug info shell: bash run: script/ci/set-debug-env.sh - - uses: oxidize-rb/actions/setup-ruby-and-rust@v1 + - uses: oxidize-rb/actions/setup-ruby-and-rust@d4731ac609739be0920f0faf5569b58b8eb1a262 # v1 if: matrix.ruby_version != 'skip' with: cache-version: v2 @@ -150,7 +152,7 @@ jobs: if: env.ACTIONS_STEP_DEBUG == 'true' run: bundle exec rake bindings:generate - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 if: always() with: name: rb-sys-ci-debug-artifacts-${{ matrix.sys.os }}-${{ matrix.ruby_version }} @@ -171,11 +173,11 @@ jobs: rust_toolchain: stable runs-on: ${{ matrix.sys.os }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - uses: oxidize-rb/actions/upload-core-dumps@v1 + - uses: oxidize-rb/actions/upload-core-dumps@d4731ac609739be0920f0faf5569b58b8eb1a262 # v1 - - uses: oxidize-rb/actions/setup-ruby-and-rust@v1 + - uses: oxidize-rb/actions/setup-ruby-and-rust@d4731ac609739be0920f0faf5569b58b8eb1a262 # v1 with: ruby-version: none rustup-toolchain: ${{ matrix.sys.rust_toolchain }} @@ -187,7 +189,7 @@ jobs: echo "GEM_HOME=~/.gem/ruby/${{ matrix.ruby_version }}" >> $GITHUB_ENV - name: ⚡ Cache - uses: actions/cache@v4 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4 with: path: | /opt/rubies/${{ matrix.ruby_version }} diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index f551e072..d82728bf 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml 
@@ -38,7 +38,7 @@ jobs: matrix: toolchain: ${{ fromJSON(needs.fetch_ci_data.outputs.toolchains-data) }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Set rb-sys version variable id: vars @@ -55,28 +55,28 @@ jobs: echo "aliases=$aliases" >> $GITHUB_ENV # Test the container - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: repository: "oxidize-rb/oxi-test" path: "tmp/oxi-test" - - uses: ruby/setup-ruby@v1 + - uses: ruby/setup-ruby@e34163cd15f4bb403dcd72d98e295997e6a55798 # v1 with: ruby-version: "3.1" - name: Login to Docker Hub if: github.event_name != 'pull_request' - uses: docker/login-action@v3 + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3 with: username: ${{ secrets.DOCKER_HUB_USERNAME }} password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3 - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3 - name: Prepare Docker images list id: prepare_images @@ -91,7 +91,7 @@ jobs: - name: Docker meta id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5 with: images: | ${{ env.images }} @@ -108,7 +108,7 @@ jobs: org.oxidize-rb.ruby.platform=${{ env.ruby_platform }} - name: Docker build - uses: docker/build-push-action@v6 + uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6 with: builder: ${{ steps.buildx.outputs.name }} context: ./docker 
@@ -182,7 +182,7 @@ jobs: --highestUserWastedPercent "$highest_user_wasted_percent" - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@99baf0d8b4e787c3cfd7b602664c8ce60a43cd38 # master with: image-ref: "${{ secrets.DOCKER_HUB_USERNAME }}/${{ env.ruby_platform }}:sha-${{ github.sha }}" format: "sarif" @@ -193,13 +193,13 @@ jobs: exit-code: "0" # Changed from "1" to "0" to prevent failing on EOL OS warnings - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3 with: sarif_file: "trivy-results-${{ env.ruby_platform }}.sarif" category: "docker-${{ env.ruby_platform }}" - name: Docker push - uses: docker/build-push-action@v6 + uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6 with: builder: ${{ steps.buildx.outputs.name }} context: ./docker @@ -212,7 +212,7 @@ jobs: cache-to: ${{ secrets.DOCKER_HUB_USERNAME }}/${{ env.ruby_platform }}:cache-${{ steps.vars.outputs.rb-sys-version }} - name: Docker Hub Description - uses: peter-evans/dockerhub-description@v4 + uses: peter-evans/dockerhub-description@432a30c9e07499fd01da9f8a49f0faf9e0ca5b77 # v4 with: username: ${{ secrets.DOCKER_HUB_USERNAME }} password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} @@ -220,7 +220,7 @@ jobs: readme-filepath: ./readme.md - name: Slack Noti on Failure - uses: 8398a7/action-slack@v3 + uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3 with: status: ${{ job.status }} fields: repo,message,commit,author,action,eventName,ref,workflow,job,took,pullRequest diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index f407a4e3..213baf57 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -1,6 +1,9 @@ --- name: "Docs" +permissions: + contents: read + on: push: branches: 
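Review bot: In the `Run Trivy vulnerability scanner` step of docker.yml the pin is annotated `# master`, which is a branch name rather than a release, so a reader cannot tell which version of the scanner action runs or check the SHA against a tag. Pin to the commit of a tagged release and record that tag in the comment, e.g. `uses: aquasecurity/trivy-action@<release-commit-sha> # <release-tag>` (placeholders, not real values). The other pins in this commit record only the moving major tag (`# v4`, `# v3`, `# v1`); writing the exact release there as well lets update tooling and reviewers verify each SHA. The step's `with:` block continues past the end of this hunk.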
@@ -16,9 +19,9 @@ jobs: name: 📑 Validate Docs runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - uses: ruby/setup-ruby@v1 + - uses: ruby/setup-ruby@e34163cd15f4bb403dcd72d98e295997e6a55798 # v1 with: bundler-cache: true ruby-version: "3.2" diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index a93fe10d..e103a89d 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -1,5 +1,7 @@ --- name: Integration +permissions: + contents: read on: push: branches: @@ -41,15 +43,15 @@ jobs: INPUTS: ${{ toJSON(matrix) }} run: | echo "$INPUTS" | jq - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: repository: ${{ matrix.repo.name }} ref: ${{ matrix.repo.ref }} path: repo - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: path: rb-sys - - uses: oxidize-rb/actions/setup-ruby-and-rust@v1 + - uses: oxidize-rb/actions/setup-ruby-and-rust@d4731ac609739be0920f0faf5569b58b8eb1a262 # v1 id: setup with: cache-version: v2 @@ -76,14 +78,14 @@ jobs: name: Bundle install in Dockerfile runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: repository: ${{ matrix.repo.name }} ref: ${{ matrix.repo.ref }} path: repo - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3 - name: Generate Dockerfile run: | @@ -106,7 +108,7 @@ jobs: cat Gemfile.issue - name: Build and push Docker image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6 with: context: . file: ./Dockerfile.issue diff --git a/.github/workflows/publish-book.yml b/.github/workflows/publish-book.yml index df32d19a..53f2b64d 100644 
--- a/.github/workflows/publish-book.yml +++ b/.github/workflows/publish-book.yml @@ -16,9 +16,9 @@ jobs: concurrency: group: ${{ github.workflow }}-${{ github.ref }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - uses: oxidize-rb/actions/setup-ruby-and-rust@v1 + - uses: oxidize-rb/actions/setup-ruby-and-rust@d4731ac609739be0920f0faf5569b58b8eb1a262 # v1 with: ruby-version: "3.4" bundler-cache: true @@ -31,7 +31,7 @@ jobs: run: bundle exec rake book:build - name: Deploy - uses: peaceiris/actions-gh-pages@v4 + uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4 if: ${{ github.ref == 'refs/heads/main' }} with: github_token: ${{ secrets.GITHUB_TOKEN }} diff --git a/docker/Dockerfile.aarch64-linux b/docker/Dockerfile.aarch64-linux index 71951e0d..d714e4db 100644 --- a/docker/Dockerfile.aarch64-linux +++ b/docker/Dockerfile.aarch64-linux @@ -17,11 +17,12 @@ ENV RUBY_TARGET="aarch64-linux" \ CMAKE_aarch64_unknown_linux_gnu="/opt/cmake/bin/cmake" \ CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER="aarch64-linux-gnu-gcc" -COPY setup/lib.sh setup/rustup.sh setup/rubygems.sh setup/cmake.sh setup/rubybashrc.sh setup/rb-sys-dock.sh / +COPY setup/lib.sh setup/rustup.sh setup/rubygems.sh setup/cmake.sh setup/rubybashrc.sh setup/rb-sys-dock.sh setup/delete-unused-files.sh / RUN bash -c "source /lib.sh && install_packages libclang-12-dev llvm-12-dev clang-12 libc6-arm64-cross libc6-dev-arm64-cross" && \ /rustup.sh && \ /rubygems.sh && \ /cmake.sh && \ /rubybashrc.sh && \ + /delete-unused-files.sh && \ /rb-sys-dock.sh diff --git a/docker/Dockerfile.aarch64-linux-musl b/docker/Dockerfile.aarch64-linux-musl index 4b452e06..c832248c 100644 --- a/docker/Dockerfile.aarch64-linux-musl +++ b/docker/Dockerfile.aarch64-linux-musl 
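Review bot: The `Deploy` step in publish-book.yml passes `secrets.GITHUB_TOKEN` to a third-party action, yet this file gets no `permissions:` block in the commit while ci.yml, docs.yml and integration.yml do; unless one already exists outside the visible hunks, the token keeps the repository's default scope. Declaring the minimum on the deploy job would match the other workflows, i.e. `permissions:` with `contents: write` on that job only (the job header is outside this hunk). The same gap appears to apply to docker.yml, where the SARIF upload needs `security-events: write`, and to cache-clean.yml, where cache deletion needs `actions: write`; both file headers are also out of view, so confirm before adding.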
@@ -18,11 +18,12 @@ ENV RUBY_TARGET="aarch64-linux-musl" \ BINDGEN_EXTRA_CLANG_ARGS_aarch64_unknown_linux_musl="--sysroot=/usr/aarch64-linux-musl" \ CMAKE_aarch64_unknown_linux_musl="cmake" -COPY setup/lib.sh setup/rustup.sh setup/rubygems.sh setup/cmake.sh setup/rubybashrc.sh setup/rb-sys-dock.sh / +COPY setup/lib.sh setup/rustup.sh setup/rubygems.sh setup/cmake.sh setup/rubybashrc.sh setup/rb-sys-dock.sh setup/delete-unused-files.sh / RUN bash -c "source /lib.sh && install_packages libclang-12-dev llvm-12-dev" && \ /rustup.sh && \ /rubygems.sh && \ /cmake.sh && \ /rubybashrc.sh && \ + /delete-unused-files.sh && \ /rb-sys-dock.sh diff --git a/docker/Dockerfile.arm-linux b/docker/Dockerfile.arm-linux index 75f64325..2bd0fe7a 100644 --- a/docker/Dockerfile.arm-linux +++ b/docker/Dockerfile.arm-linux @@ -16,11 +16,12 @@ ENV RUBY_TARGET="arm-linux" \ PKG_CONFIG_PATH="/usr/lib/arm-linux-gnueabihf/pkgconfig" \ CMAKE_arm_unknown_linux_gnueabihf="/opt/cmake/bin/cmake" -COPY setup/lib.sh setup/rustup.sh setup/rubygems.sh setup/cmake.sh setup/rubybashrc.sh setup/rb-sys-dock.sh / +COPY setup/lib.sh setup/rustup.sh setup/rubygems.sh setup/cmake.sh setup/rubybashrc.sh setup/rb-sys-dock.sh setup/delete-unused-files.sh / RUN bash -c "source /lib.sh && install_packages libclang-dev clang llvm-dev libc6-armhf-cross libc6-dev-armhf-cross" && \ /rustup.sh && \ /rubygems.sh && \ /cmake.sh && \ /rubybashrc.sh && \ + /delete-unused-files.sh && \ /rb-sys-dock.sh diff --git a/docker/Dockerfile.arm64-darwin b/docker/Dockerfile.arm64-darwin index d4bbdb33..a60eacbf 100644 --- a/docker/Dockerfile.arm64-darwin +++ b/docker/Dockerfile.arm64-darwin 
@@ -17,12 +17,13 @@ ENV RUBY_TARGET="arm64-darwin" \ PKG_CONFIG="aarch64-apple-darwin-pkg-config" \ CMAKE_aarch64_apple_darwin="/opt/cmake/bin/cmake" -COPY setup/lib.sh setup/osxcross-shebang.sh setup/rustup.sh setup/rubygems.sh setup/cmake.sh setup/rubybashrc.sh setup/rb-sys-dock.sh / +COPY setup/lib.sh setup/osxcross-shebang.sh setup/rustup.sh setup/rubygems.sh setup/cmake.sh setup/rubybashrc.sh setup/rb-sys-dock.sh setup/delete-unused-files.sh / RUN bash -c "source /lib.sh && install_packages libclang-dev clang libc6-arm64-cross libc6-dev-arm64-cross" && \ /rustup.sh && \ /rubygems.sh && \ /cmake.sh && \ /rubybashrc.sh && \ + /delete-unused-files.sh && \ /rb-sys-dock.sh && \ /osxcross-shebang.sh diff --git a/docker/Dockerfile.x64-mingw-ucrt b/docker/Dockerfile.x64-mingw-ucrt index b4db3c96..c175ee95 100644 --- a/docker/Dockerfile.x64-mingw-ucrt +++ b/docker/Dockerfile.x64-mingw-ucrt @@ -16,11 +16,12 @@ ENV RUBY_TARGET="x64-mingw-ucrt" \ PKG_CONFIG_PATH_x86_64_pc_windows_gnu="/usr/x86_64-w64-mingw32/pkgconfig" \ CMAKE_x86_64_pc_windows_gnu="/opt/cmake/bin/cmake" -COPY setup/lib.sh setup/rustup.sh setup/rubygems.sh setup/cmake.sh setup/rubybashrc.sh setup/rb-sys-dock.sh / +COPY setup/lib.sh setup/rustup.sh setup/rubygems.sh setup/cmake.sh setup/rubybashrc.sh setup/rb-sys-dock.sh setup/delete-unused-files.sh / RUN bash -c "source /lib.sh && install_packages libclang-dev" && \ /rustup.sh && \ /rubygems.sh && \ /cmake.sh && \ /rubybashrc.sh && \ + /delete-unused-files.sh && \ /rb-sys-dock.sh diff --git a/docker/Dockerfile.x64-mingw32 b/docker/Dockerfile.x64-mingw32 index 9ed9980f..50070642 100644 --- a/docker/Dockerfile.x64-mingw32 +++ b/docker/Dockerfile.x64-mingw32 
@@ -16,12 +16,13 @@ ENV RUBY_TARGET="x64-mingw32" \ PKG_CONFIG_PATH_x86_64_pc_windows_gnu="/usr/x86_64-w64-mingw32/pkgconfig" \ CMAKE_x86_64_pc_windows_gnu="/opt/cmake/bin/cmake" -COPY setup/lib.sh setup/rustup.sh setup/rubygems.sh setup/cmake.sh setup/rubybashrc.sh setup/rb-sys-dock.sh / +COPY setup/lib.sh setup/rustup.sh setup/rubygems.sh setup/cmake.sh setup/rubybashrc.sh setup/rb-sys-dock.sh setup/delete-unused-files.sh / RUN bash -c "source /lib.sh && install_packages libclang-dev" && \ /rustup.sh && \ /rubygems.sh && \ /cmake.sh && \ /rubybashrc.sh && \ + /delete-unused-files.sh && \ /rb-sys-dock.sh diff --git a/docker/Dockerfile.x86-linux b/docker/Dockerfile.x86-linux index 03bfdc32..bc37a1ec 100644 --- a/docker/Dockerfile.x86-linux +++ b/docker/Dockerfile.x86-linux @@ -18,11 +18,12 @@ ENV RUBY_TARGET="x86-linux" \ BINDGEN_EXTRA_CLANG_ARGS_i686_unknown_linux_gnu="--sysroot=/usr -I/usr/i686-linux-gnu/include -I/usr/lib/gcc-cross/i686-linux-gnu/9/include" \ CMAKE_i686_unknown_linux_gnu="/opt/cmake/bin/cmake" -COPY setup/lib.sh setup/rustup.sh setup/rubygems.sh setup/cmake.sh setup/rubybashrc.sh setup/rb-sys-dock.sh / +COPY setup/lib.sh setup/rustup.sh setup/rubygems.sh setup/cmake.sh setup/rubybashrc.sh setup/rb-sys-dock.sh setup/delete-unused-files.sh / RUN bash -c "source /lib.sh && install_packages libclang-12-dev llvm-12-dev clang-12 gcc-i686-linux-gnu g++-i686-linux-gnu gcc-multilib-i686-linux-gnu" && \ /rustup.sh && \ /rubygems.sh && \ /cmake.sh && \ /rubybashrc.sh && \ + /delete-unused-files.sh && \ /rb-sys-dock.sh diff --git a/docker/Dockerfile.x86-mingw32 b/docker/Dockerfile.x86-mingw32 index 40185f7f..7b836213 100644 --- a/docker/Dockerfile.x86-mingw32 +++ b/docker/Dockerfile.x86-mingw32 
@@ -20,7 +20,7 @@ ENV RUBY_TARGET="x86-mingw32" \ PKG_CONFIG_PATH_i686_pc_windows_gnu="/usr/i686-w64-mingw32/pkgconfig" \ CMAKE_i686_pc_windows_gnu="/opt/cmake/bin/cmake" -COPY setup/lib.sh setup/rustup.sh setup/rubygems.sh setup/cmake.sh setup/rubybashrc.sh setup/rb-sys-dock.sh / +COPY setup/lib.sh setup/rustup.sh setup/rubygems.sh setup/cmake.sh setup/rubybashrc.sh setup/rb-sys-dock.sh setup/delete-unused-files.sh / RUN set -ex; \ curl -Lo /llvm-mingw.zip https://github.com/mstorsjo/llvm-mingw/releases/download/${LLVM_MINGW_VERSION}/llvm-mingw-${LLVM_MINGW_VERSION}-msvcrt-i686.zip; \ @@ -33,4 +33,5 @@ RUN set -ex; \ /rubygems.sh && \ /cmake.sh && \ /rubybashrc.sh && \ + /delete-unused-files.sh && \ /rb-sys-dock.sh diff --git a/docker/Dockerfile.x86_64-darwin b/docker/Dockerfile.x86_64-darwin index 95ba944c..58f38ae9 100644 --- a/docker/Dockerfile.x86_64-darwin +++ b/docker/Dockerfile.x86_64-darwin @@ -17,12 +17,13 @@ ENV RUBY_TARGET="x86_64-darwin" \ PKG_CONFIG="x86_64-apple-darwin-pkg-config" \ CMAKE_x86_64_apple_darwin="/opt/cmake/bin/cmake" -COPY setup/lib.sh setup/osxcross-shebang.sh setup/rustup.sh setup/rubygems.sh setup/cmake.sh setup/rubybashrc.sh setup/rb-sys-dock.sh / +COPY setup/lib.sh setup/osxcross-shebang.sh setup/rustup.sh setup/rubygems.sh setup/cmake.sh setup/rubybashrc.sh setup/rb-sys-dock.sh setup/delete-unused-files.sh / RUN bash -c "source /lib.sh && install_packages libclang-dev clang" && \ /rustup.sh && \ /rubygems.sh && \ /cmake.sh && \ /rubybashrc.sh && \ + /delete-unused-files.sh && \ /rb-sys-dock.sh && \ /osxcross-shebang.sh diff --git a/docker/Dockerfile.x86_64-linux b/docker/Dockerfile.x86_64-linux index 1037bf4d..18ec9c16 100644 --- a/docker/Dockerfile.x86_64-linux +++ b/docker/Dockerfile.x86_64-linux 
@@ -17,11 +17,12 @@ ENV RUBY_TARGET="x86_64-linux" \ CMAKE_x86_64_unknown_linux_gnu="/opt/cmake/bin/cmake" \ CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_LINKER="x86_64-linux-gnu-gcc" -COPY setup/lib.sh setup/rustup.sh setup/rubygems.sh setup/cmake.sh setup/rubybashrc.sh setup/rb-sys-dock.sh / +COPY setup/lib.sh setup/rustup.sh setup/rubygems.sh setup/cmake.sh setup/rubybashrc.sh setup/rb-sys-dock.sh setup/delete-unused-files.sh / RUN bash -c "source /lib.sh && install_packages libclang-12-dev llvm-12-dev clang-12 libc6-amd64-cross libc6-dev-amd64-cross" && \ /rustup.sh && \ /rubygems.sh && \ /cmake.sh && \ /rubybashrc.sh && \ + /delete-unused-files.sh && \ /rb-sys-dock.sh diff --git a/docker/Dockerfile.x86_64-linux-musl b/docker/Dockerfile.x86_64-linux-musl index c0616f3a..5ed423c4 100644 --- a/docker/Dockerfile.x86_64-linux-musl +++ b/docker/Dockerfile.x86_64-linux-musl @@ -18,11 +18,12 @@ ENV RUBY_TARGET="x86_64-linux-musl" \ BINDGEN_EXTRA_CLANG_ARGS_x86_64_unknown_linux_musl="--sysroot=/usr/x86_64-unknown-linux-musl" \ CMAKE_x86_64_unknown_linux_musl="cmake" -COPY setup/lib.sh setup/rustup.sh setup/rubygems.sh setup/cmake.sh setup/rubybashrc.sh setup/rb-sys-dock.sh / +COPY setup/lib.sh setup/rustup.sh setup/rubygems.sh setup/cmake.sh setup/rubybashrc.sh setup/rb-sys-dock.sh setup/delete-unused-files.sh / RUN bash -c "source /lib.sh && install_packages libclang-12-dev llvm-12-dev" && \ /rustup.sh && \ /rubygems.sh && \ /cmake.sh && \ /rubybashrc.sh && \ + /delete-unused-files.sh && \ /rb-sys-dock.sh diff --git a/docker/setup/delete-unused-files.sh b/docker/setup/delete-unused-files.sh new file mode 100755 index 00000000..fa11d66f --- /dev/null +++ b/docker/setup/delete-unused-files.sh 
@@ -0,0 +1,62 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# Script to delete unused files that cause issues or warnings
+# Currently removes gemspecs from older Ruby versions that have security vulnerabilities
+
+# Base path where ruby installations are located
+ROOT_PATH="/usr/local/rake-compiler/ruby"
+
+echo "Removing vulnerable gemspec files from $ROOT_PATH"
+
+# Ruby 2.4.x vulnerabilities
+find "$ROOT_PATH" -path "*/ruby-2.4*/lib/ruby/gems/2.4.0/specifications/default/rdoc-5.0.1.gemspec" -delete
+find "$ROOT_PATH" -path "*/ruby-2.4*/lib/ruby/gems/2.4.0/specifications/rake-12.0.0.gemspec" -delete
+
+# Ruby 2.5.x vulnerabilities
+find "$ROOT_PATH" -path "*/ruby-2.5*/lib/ruby/gems/2.5.0/specifications/default/rdoc-6.0.1.1.gemspec" -delete
+find "$ROOT_PATH" -path "*/ruby-2.5*/lib/ruby/gems/2.5.0/specifications/default/webrick-1.4.2.1.gemspec" -delete
+
+# Ruby 2.6.x vulnerabilities
+find "$ROOT_PATH" -path "*/ruby-2.6*/lib/ruby/gems/2.6.0/specifications/default/bundler-1.17.2.gemspec" -delete
+find "$ROOT_PATH" -path "*/ruby-2.6*/lib/ruby/gems/2.6.0/specifications/default/rdoc-6.1.2.1.gemspec" -delete
+find "$ROOT_PATH" -path "*/ruby-2.6*/lib/ruby/gems/2.6.0/specifications/default/rexml-3.1.9.1.gemspec" -delete
+find "$ROOT_PATH" -path "*/ruby-2.6*/lib/ruby/gems/2.6.0/specifications/default/webrick-1.4.4.gemspec" -delete
+
+# Ruby 2.7.x vulnerabilities
+find "$ROOT_PATH" -path "*/ruby-2.7*/lib/ruby/gems/2.7.0/specifications/default/bundler-2.1.4.gemspec" -delete
+find "$ROOT_PATH" -path "*/ruby-2.7*/lib/ruby/gems/2.7.0/specifications/default/cgi-0.1.0.2.gemspec" -delete
+find "$ROOT_PATH" -path "*/ruby-2.7*/lib/ruby/gems/2.7.0/specifications/default/rdoc-6.2.1.1.gemspec" -delete
+find "$ROOT_PATH" -path "*/ruby-2.7*/lib/ruby/gems/2.7.0/specifications/default/rexml-3.2.3.1.gemspec" -delete
+find "$ROOT_PATH" -path "*/ruby-2.7*/lib/ruby/gems/2.7.0/specifications/default/uri-0.10.0.2.gemspec" -delete
+find "$ROOT_PATH" -path "*/ruby-2.7*/lib/ruby/gems/2.7.0/specifications/default/webrick-1.6.1.gemspec" -delete
+
+# Ruby 3.0.x vulnerabilities
+find "$ROOT_PATH" -path "*/ruby-3.0*/lib/ruby/gems/3.0.0/specifications/default/cgi-0.2.2.gemspec" -delete
+find "$ROOT_PATH" -path "*/ruby-3.0*/lib/ruby/gems/3.0.0/specifications/default/net-imap-0.1.1.gemspec" -delete
+find "$ROOT_PATH" -path "*/ruby-3.0*/lib/ruby/gems/3.0.0/specifications/default/uri-0.10.3.gemspec" -delete
+find "$ROOT_PATH" -path "*/ruby-3.0*/lib/ruby/gems/3.0.0/specifications/rexml-3.2.5.gemspec" -delete
+
+# Ruby 3.1.x vulnerabilities
+find "$ROOT_PATH" -path "*/ruby-3.1*/lib/ruby/gems/3.1.0/specifications/default/cgi-0.3.6.gemspec" -delete
+find "$ROOT_PATH" -path "*/ruby-3.1*/lib/ruby/gems/3.1.0/specifications/default/uri-0.12.2.gemspec" -delete
+find "$ROOT_PATH" -path "*/ruby-3.1*/lib/ruby/gems/3.1.0/specifications/net-imap-0.2.4.gemspec" -delete
+find "$ROOT_PATH" -path "*/ruby-3.1*/lib/ruby/gems/3.1.0/specifications/rexml-3.2.5.gemspec" -delete
+
+# Ruby 3.2.x vulnerabilities
+find "$ROOT_PATH" -path "*/ruby-3.2*/lib/ruby/gems/3.2.0/specifications/default/cgi-0.3.6.gemspec" -delete
+find "$ROOT_PATH" -path "*/ruby-3.2*/lib/ruby/gems/3.2.0/specifications/default/uri-0.12.3.gemspec" -delete
+find "$ROOT_PATH" -path "*/ruby-3.2*/lib/ruby/gems/3.2.0/specifications/net-imap-0.3.4.1.gemspec" -delete
+
+# Ruby 3.3.x vulnerabilities
+find "$ROOT_PATH" -path "*/ruby-3.3*/lib/ruby/gems/3.3.0/specifications/default/cgi-0.4.1.gemspec" -delete
+find "$ROOT_PATH" -path "*/ruby-3.3*/lib/ruby/gems/3.3.0/specifications/default/uri-0.13.1.gemspec" -delete
+find "$ROOT_PATH" -path "*/ruby-3.3*/lib/ruby/gems/3.3.0/specifications/net-imap-0.4.9.1.gemspec" -delete
+
+# Ruby 3.4.x vulnerabilities
+find "$ROOT_PATH" -path "*/ruby-3.4*/lib/ruby/gems/3.4.0/specifications/default/cgi-0.4.1.gemspec" -delete
+find "$ROOT_PATH" -path "*/ruby-3.4*/lib/ruby/gems/3.4.0/specifications/default/uri-1.0.2.gemspec" -delete
+find "$ROOT_PATH" -path "*/ruby-3.4*/lib/ruby/gems/3.4.0/specifications/net-imap-0.5.4.gemspec" -delete
+
+echo "Deleted vulnerable gemspec files"
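Review bot: Deleting only the `.gemspec` files removes the metadata a scanner reads, not the library code, so the flagged gem versions most likely remain on disk and loadable while the Trivy step stops reporting them; the header comment and both `echo` lines describe this as removing vulnerable files, which overstates what happens. If the intent is to silence findings for cross-compilation Rubies that never serve traffic, state that in the header, e.g. `# Removes gemspec metadata only; the gem code stays in place. Purpose: stop scanner findings for gems bundled with the cross-compilation Rubies.`, or keep the suppression explicit and auditable in a Trivy ignore file instead. Each `find ... -delete` also exits 0 when nothing matches, so a base-image update that changes one bundled version silently turns that line into a no-op. Adding `-print` before `-delete`, or failing when a pattern matches nothing, would make that drift visible in the build log.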