Skip to content

Fix three CI failures affecting every branch off main#363

Merged
robzolkos merged 3 commits into
basecamp:mainfrom
robzolkos:ci/ruby-head-default-bundler
Jul 10, 2026
Merged

Fix three CI failures affecting every branch off main#363
robzolkos merged 3 commits into
basecamp:mainfrom
robzolkos:ci/ruby-head-default-bundler

Conversation

@robzolkos

@robzolkos robzolkos commented Jul 10, 2026

Copy link
Copy Markdown
Collaborator

Three independent CI checks are failing on main, and therefore on every open PR branched from it. Each has a different cause and a different fix. They are grouped here because none of them is a code change and all three must land before any PR can go green.

1. Ruby headbundler incompatibility

ruby/setup-ruby installs a Bundler that Ruby head rejects, so the head matrix entry fails while every pinned version passes.

The setup step is now split: the head entry passes bundler: default and uses the Bundler that Ruby head ships with. Rubies 3.2 through 4.0 keep the existing step and existing behavior.

This is the check currently blocking #356, #358, and #360 — each fails Ruby head and nothing else.

2. Go Vulnerability Check — stale toolchain, not a real vulnerability

GO-2026-5856 is a privacy leak in crypto/tls, present in go1.26.4 and fixed in go1.26.5.

actions/setup-go defaults to check-latest: false. Given go 1.26 in go.mod, it accepts any cached 1.26.x and the runners have go1.26.4 warm in the tool cache, so the scan never installs the patched release. The SDK code is unaffected; the scanner was simply pointed at an old stdlib.

Setting check-latest: true on the govulncheck job makes it resolve the newest 1.26.x. Confirmed in CI: Attempting to download 1.26.5go version go1.26.5No vulnerabilities found.

Scoped to the govulncheck job so the change stays CI-only. Deliberately not fixed with a toolchain directive in go.mod, which would force a minimum toolchain onto everyone consuming the Go SDK and would need a manual bump after each future stdlib CVE.

3. Bundler Audit — unused gem with an unpatched CVE

CVE-2026-38969 (WEBrick reparses trailer) affects webrick 1.9.2. There is no fixed release; 1.9.2 is the newest and bundler-audit's guidance is to remove the gem.

webrick has been declared in basecamp-sdk.gemspec since the Ruby SDK landed in #54 and has never been loaded. Nothing requires it, no rake task invokes it, and the tests stub HTTP through WebMock (205 stub_request sites) rather than starting a real server. The gemspec declaration is the only occurrence of the string in the repository.

Removing the declaration drops it from the lockfile entirely, rather than suppressing a live advisory via .bundler-audit.yml.

yard and rdoc can serve documentation over WEBrick. Neither has a rake task here, so nothing automated depends on it; anyone running a doc server ad hoc will get a clear missing-gem error.


Fixes 1 and 3 were extracted from the branch for #302, which had accumulated them while sitting open. #302 is now rebased to contain only its schedule-dates change.

Copilot AI review requested due to automatic review settings July 10, 2026 02:09
@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown

Sensitive Change Detection (shadow mode)

This PR modifies control-plane files:

  • .github/workflows/security.yml
  • .github/workflows/test.yml

Shadow mode — this check is informational only. When activated, changes to these paths will require approval from a maintainer.

@github-actions github-actions Bot added github-actions Pull requests that update GitHub Actions bug Something isn't working labels Jul 10, 2026

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adjusts the CI Ruby matrix to keep ruby/setup-ruby’s existing Bundler behavior for pinned Rubies (3.2–4.0) while allowing Ruby head to use the Bundler shipped with Ruby itself, addressing consistent CI failures on the Ruby head job.

Tip

If you aren't ready for review, convert to a draft PR.
Click "Convert to draft" or run gh pr ready --undo.
Click "Ready for review" or run gh pr ready to reengage.

Changes:

  • Split the Ruby setup step into two conditional steps based on matrix.ruby.
  • For matrix.ruby == 'head', configure ruby/setup-ruby with bundler: default while keeping bundler-cache and working directory behavior consistent.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 1 file

Re-trigger cubic

setup-go defaults to check-latest: false, so it reuses whatever 1.26.x the
runner has cached (currently go1.26.4) instead of fetching the newest patch.
That makes the vulnerability scan report stdlib CVEs already fixed upstream --
GO-2026-5856 is fixed in go1.26.5, which the scan never installs.
Copilot AI review requested due to automatic review settings July 10, 2026 02:15

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

webrick has been declared in the gemspec since the Ruby SDK landed in basecamp#54 and
has never been loaded: nothing requires it, no rake task invokes it, and the
tests stub HTTP through WebMock rather than starting a real server.

CVE-2026-38969 (WEBrick reparses trailer) has no patched release, so
bundle-audit fails on every branch. Removing the declaration drops the gem
from the lockfile entirely instead of suppressing the advisory.

Note that yard and rdoc can serve docs over WEBrick. Neither has a rake task
here, so nothing automated depends on it.
@robzolkos robzolkos changed the title Use default Bundler on Ruby head Fix three CI failures affecting every branch off main Jul 10, 2026
Copilot AI review requested due to automatic review settings July 10, 2026 02:32
@github-actions github-actions Bot added dependencies Pull requests that update a dependency file ruby Pull requests that update the Ruby SDK labels Jul 10, 2026

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 4 changed files in this pull request and generated no new comments.

@robzolkos robzolkos merged commit 77ab930 into basecamp:main Jul 10, 2026
47 checks passed
@robzolkos robzolkos deleted the ci/ruby-head-default-bundler branch July 10, 2026 02:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working dependencies Pull requests that update a dependency file github-actions Pull requests that update GitHub Actions ruby Pull requests that update the Ruby SDK

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants