bump setup-ruby action to support ruby v4 release (#293) #1333

Workflow file for this run

	name: CI

	on:
	push:
	branches:
	- main
	pull_request:
	schedule:
	- cron: "0 12 * * *"

	permissions: {}

	jobs:
	ruby-versions:
	uses: ruby/actions/.github/workflows/ruby_versions.yml@3fbf038d6f0d8043b914f923764c61bc2a114a77
	with:
	engine: all
	min_version: 3.2

	test:
	needs: ruby-versions
	runs-on: ${{ matrix.os }}
	name: Test Ruby ${{ matrix.ruby }} / ${{ matrix.os }}
	strategy:
	fail-fast: false
	matrix:
	ruby: ${{ fromJson(needs.ruby-versions.outputs.versions) }}
	os: [ubuntu-latest]
	# os: [ ubuntu-latest, macos-latest, windows-latest ]
	# include:
	# - { os: windows-latest, ruby: ucrt }
	# - { os: windows-latest, ruby: mingw }
	# - { os: windows-latest, ruby: mswin }
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
	with:
	egress-policy: audit

	- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	persist-credentials: false
	- name: Set up Ruby
	uses: ruby/setup-ruby@d5f787ce339eb0767271bc01d922e85644c2c8ab # v1.280.0
	with:
	ruby-version: ${{ matrix.ruby }}
	bundler-cache: true

	- name: Run the tests
	run: bin/rake test

	- name: Upload coverage reports to Codecov
	uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
	if: ${{ matrix.ruby }} == ${{ fromJson(needs.ruby-versions.outputs.latest) }} && ${{ matrix.os }} == "ubuntu-latest" && always()
Check warning on line 54 in .github/workflows/ci.yml View workflow run for this annotation GitHub Actions / CI Workflow syntax warning `.github/workflows/ci.yml (Line: 54, Col: 13): Conditional expression contains literal text outside replacement tokens. This will cause the expression to always evaluate to truthy. Did you mean to put the entire expression inside ${{ }}?`
	with:
	token: ${{ secrets.CODECOV_TOKEN }}
	slug: sigstore/sigstore-ruby

	sigstore-conformance:
	needs: ruby-versions
	runs-on: ${{ matrix.os }}
	name: Sigstore Ruby ${{ matrix.ruby }} / ${{ matrix.os }}
	strategy:
	fail-fast: false
	matrix:
	ruby: ${{ fromJson(needs.ruby-versions.outputs.versions) }}
	os: [ubuntu-latest]
	# os: [ ubuntu-latest, macos-latest, windows-latest ]
	# include:
	# - { os: windows-latest, ruby: ucrt }
	# - { os: windows-latest, ruby: mingw }
	# - { os: windows-latest, ruby: mswin }
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
	with:
	egress-policy: audit

	- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	persist-credentials: false
	- name: Set up Ruby
	uses: ruby/setup-ruby@d5f787ce339eb0767271bc01d922e85644c2c8ab # v1.280.0
	with:
	ruby-version: ${{ matrix.ruby }}
	bundler-cache: true

	- name: Run the conformance tests
	uses: sigstore/sigstore-conformance@d658ea74a060aeabae78f8a379167f219dc38c38 # v0.0.16
	with:
	entrypoint: ${{ github.workspace }}/bin/conformance-entrypoint
	xfail: "${{ matrix.ruby != 'head' && matrix.ruby != 'truffleruby-head' && matrix.ruby != '3.4' && matrix.ruby != '4.0' && 'test_verify_rejects_bad_tsa_timestamp' }}"
	if: ${{ matrix.os }} == "ubuntu-latest"
Check warning on line 93 in .github/workflows/ci.yml View workflow run for this annotation GitHub Actions / CI Workflow syntax warning `.github/workflows/ci.yml (Line: 93, Col: 13): Conditional expression contains literal text outside replacement tokens. This will cause the expression to always evaluate to truthy. Did you mean to put the entire expression inside ${{ }}?`
	- name: Run the conformance tests against staging
	uses: sigstore/sigstore-conformance@d658ea74a060aeabae78f8a379167f219dc38c38 # v0.0.16
	with:
	entrypoint: ${{ github.workspace }}/bin/conformance-entrypoint
	xfail: "${{ matrix.ruby != 'head' && matrix.ruby != 'truffleruby-head' && matrix.ruby != '3.4' && matrix.ruby != '4.0' && 'test_verify_rejects_bad_tsa_timestamp' }}"
	environment: staging
	if: ${{ matrix.os }} == "ubuntu-latest"
Check warning on line 100 in .github/workflows/ci.yml View workflow run for this annotation GitHub Actions / CI Workflow syntax warning `.github/workflows/ci.yml (Line: 100, Col: 13): Conditional expression contains literal text outside replacement tokens. This will cause the expression to always evaluate to truthy. Did you mean to put the entire expression inside ${{ }}?`

	tuf-conformance:
	needs: ruby-versions
	runs-on: ${{ matrix.os }}
	name: TUF Ruby ${{ matrix.ruby }} / ${{ matrix.os }}
	strategy:
	fail-fast: false
	matrix:
	ruby: ${{ fromJson(needs.ruby-versions.outputs.versions) }}
	os: [ubuntu-latest]
	# os: [ ubuntu-latest, macos-latest, windows-latest ]
	# include:
	# - { os: windows-latest, ruby: ucrt }
	# - { os: windows-latest, ruby: mingw }
	# - { os: windows-latest, ruby: mswin }
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
	with:
	egress-policy: audit

	- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	persist-credentials: false
	- name: Set up Ruby
	uses: ruby/setup-ruby@d5f787ce339eb0767271bc01d922e85644c2c8ab # v1.280.0
	with:
	ruby-version: ${{ matrix.ruby }}
	bundler-cache: true

	- name: Touch requirements.txt
	run: touch requirements.txt

	- name: Write xfails
	run: bin/rake bin/tuf-conformance-entrypoint.xfails

	- name: Run the TUF conformance tests
	uses: theupdateframework/tuf-conformance@9bfc222a371e30ad5511eb17449f68f855fb9d8f # v2.3.0
	with:
	entrypoint: ${{ github.workspace }}/bin/tuf-conformance-entrypoint
	artifact-name: "test repositories ${{ matrix.ruby }} ${{ matrix.os }}"
	if: \|
Check warning on line 142 in .github/workflows/ci.yml View workflow run for this annotation GitHub Actions / CI Workflow syntax warning `.github/workflows/ci.yml (Line: 142, Col: 13): Conditional expression contains literal text outside replacement tokens. This will cause the expression to always evaluate to truthy. Did you mean to put the entire expression inside ${{ }}?`
	${{ matrix.os }} == "ubuntu-latest"

	smoketest:
	needs: ruby-versions
	runs-on: ubuntu-latest
	name: Smoketest
	permissions: {}
	strategy:
	fail-fast: false
	matrix:
	ruby: ${{ fromJson(needs.ruby-versions.outputs.versions) }}
	os: [ubuntu-latest]
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
	with:
	egress-policy: audit

	- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	persist-credentials: false
	- name: Set up Ruby
	uses: ruby/setup-ruby@d5f787ce339eb0767271bc01d922e85644c2c8ab # v1.280.0
	with:
	ruby-version: ${{ fromJson(needs.ruby-versions.outputs.latest) }}
	bundler-cache: true
	- name: Build the gem
	run: bin/rake build
	- name: List built gems
	id: list-gems
	run: \|
	echo "gems=$(find pkg -type f -name '*.gem' -print0 \| xargs -0 jq --compact-output --null-input --args '[$ARGS.positional[]]')" >> $GITHUB_OUTPUT
	- name: Fetch testing OIDC token
	uses: sigstore-conformance/extremely-dangerous-public-oidc-beacon@4a8befcc16064dac9e97f210948d226e5c869bdc # v1.0.0
	- name: Run the smoketest
	run: \|
	./bin/smoketest ${BUILT_GEMS}
	env:
	BUILT_GEMS: ${{ join(fromJson(steps.list-gems.outputs.gems), ' ') }}
	OIDC_TOKEN_FILE: ./oidc-token.txt
	SIGSTORE_CERT_IDENTITY: https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/.github/workflows/extremely-dangerous-oidc-beacon.yml@refs/heads/main

	all-tests-pass:
	if: always()

	needs:
	- test
	- sigstore-conformance
	- tuf-conformance

	runs-on: ubuntu-latest

	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
	with:
	egress-policy: audit

	- name: check test jobs
	uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
	with:
	jobs: ${{ toJSON(needs) }}

	lint:
	needs: ruby-versions
	runs-on: ubuntu-latest
	name: Lint
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
	with:
	egress-policy: audit

	- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	persist-credentials: false
	- name: Set up Ruby
	uses: ruby/setup-ruby@d5f787ce339eb0767271bc01d922e85644c2c8ab # v1.280.0
	with:
	ruby-version: ${{ fromJson(needs.ruby-versions.outputs.latest) }}
	bundler-cache: true
	- name: Run the linter
	run: bin/rubocop

	zizmor:
	name: zizmor
	runs-on: ubuntu-latest
	permissions:
	security-events: write
	# required for workflows in private repositories
	contents: read
	actions: read
	steps:
	- name: Checkout repository
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	persist-credentials: false

	- name: Install the latest version of uv
	uses: astral-sh/setup-uv@180f8b44399608a850e1db031fa65c77746566d3 # v5.0.1

	- name: Run zizmor 🌈
	run: uvx zizmor --format sarif . > results.sarif

	env:
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

	- name: Upload SARIF file
	uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
	with:
	sarif_file: results.sarif
	category: zizmor

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

bump setup-ruby action to support ruby v4 release (#293) #1333

Workflow file

bump setup-ruby action to support ruby v4 release (#293) #1333

Uh oh!

Workflow file for this run

GitHub Actions / CI

GitHub Actions / CI

GitHub Actions / CI

GitHub Actions / CI