Migrate from actions/setup-ruby to ruby/setup-ruby
#5433
Conversation
jeffwidman
changed the title
actions/setup-ruby action [was deprecated in favor of `ruby/set…actions/setup-ruby to ruby/setup-ruby
jeffwidman
force-pushed
the
switch-from-deprecated-setup-ruby-action
branch
from
369b8ef to
293302a
Compare
|
I'm not really sure how to test this... I have a funny feeling the only way is by cutting a release which should trigger this workflow to push the gem to rubygems... |
|
@deivid-rodriguez can you please review this? In particular, see my comments on the PR description mentioning several args which I'm unclear whether should be included or not... |
|
Actually, I wish there was an officially supported action for publishing to RubyGems... that would bypass a lot of what we've got here, no need to create a custom I poked around, but all I could find were actions maintained by individuals, which I'm a bit leery of relying on for both security and stability concerns. Couldn't find anything maintained by Ruby / Ruby Gem organizations... |
|
Hi @jeffwidman! I don't think you're using Bundler at all, here. If that's the case, you definitely don't need And regarding automatic gem release action. Yes, there's nothing official yet. I think it's mainly because "automatic releases" required disabling two factor authentication or at least some complicated trickery to make it work with it. I think it would be a great idea to push for something fully secure and official, I will ask around! |
|
Thank you for looking this over.
Interesting. Looks like the current code here is already able to publish without 2FA though for some reason. |
|
Interesting indeed. Have a look at rubygems/rubygems.org#2500. There used to be the workaround of setting "UI only" as the MFA level, but that effectively means disabling MFA, and that will be deprecated because it's misleading. At the end of the linked thread there's another approach for automatically generating MFA codes that should be secure I think. But in any cases, a proper action would be great. |
|
I think using the same version used elsewhere is a good idea 👍. |
|
I'm actually hesitant to pin to a specific ruby version because it's so easy to go out of sync with our other code... for example, in #5432 I caught that we'd forgotten to bump a similar version pin. And in order to merge #5030 we are likely going to bump to Ruby 3.1... I'm not very knowledgable on ruby tooling, but I wonder... since this workflow is simply uploading the gem to rubygems, does it even matter what the Ruby version is? Ie, as long as it's a relatively recent version, won't the gem push succeed? This isn't something I feel strongly about, so if there's a reasonable case for pinning the version, I'm happy to do it, but thought I should raise these questions first... |
|
I don't think it has to match, specially here since as you explained is just about releasing gems. But I personally like to use the same fixed version everywhere. You're right that doing that would require extra work to not fall out of sync, but even if it falls out of sync, you're at least always using a fixed version for releasing and can be sure that a Ruby being released with some bug that affects this task can't ever affect it (I know it's very unlikely, but still). |
|
I wonder if it might make more sense to specify a But this is a library, so we'd be tying the hands of our users, which we probably don't want to do... Anyway, for now to get this across the line I'll pin it manually, and then have a separate conversation about pros/cons of switching to using |
|
I think a |
Oh interesting, didn't realize it wasn't shipped with the gem. In that case, we should probably use that. I'll opened #5483 to add that. |
The `actions/setup-ruby` action [was deprecated in favor of `ruby/setup-ruby`](actions/setup-ruby@e932e7a#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5R9). So this switches to that. Reading the docs for `ruby/setup-ruby`, all the examples include the following params: ``` with: ruby-version: '3.0' # Not needed with a .ruby-version file bundler-cache: true # runs 'bundle install' and caches installed gems automatically ``` However, the `ruby-version` looked like it needed to be specified for `actions/setup-ruby` as well, and it wasn't, so maybe there's a default that suffices? And I suspect the `bundler-cache` arg is only relevant for repeated calls to ruby/bundler within a single CI run... whereas we only call this action once for the following ruby call: ``` gem install rake && rake gems:release ``` So I doubt that caching adds value. Happy to be proved wrong if someone more familiar with Ruby knows more.
jeffwidman
force-pushed
the
switch-from-deprecated-setup-ruby-action
branch
from
a7a5620 to
befa7ff
Compare
We're starting to pin the desired ruby version in multiple places: * Rubocop * the new `ruby/setup-ruby` action that we're adding in dependabot#5433 We used to not ship the `.ruby-version` file, with the thought that this is a library... but this file isn't included in the gemfile spec, so we're not tying the hands of our users. This merely sets the default version of Ruby that we're using for development. We will keep this in sync with the version of Ruby installed in the Dockerfile, so it'll target the version of Ruby we use in production at GitHub. But since not included in the gem, others are free to use a different Ruby version. Copy the `.ruby-version` file into the CI container.
The
actions/setup-rubyaction was deprecated in favor ofruby/setup-ruby.So this switches to that.
Reading the docs for
ruby/setup-ruby, all the examples include thefollowing params:
However, the
ruby-versionlooked like it needed to be specified foractions/setup-rubyas well, and it wasn't, so maybe there's a defaultthat suffices?
And I suspect the
bundler-cachearg is only relevant for repeated calls to ruby/bundlerwithin a single CI run... whereas we only call this action once for the following ruby call:
So I doubt that caching adds value.
Happy to be proved wrong if someone more familiar with Ruby knows more.