Fix three CI failures affecting every branch off main#363
Merged
Conversation
Sensitive Change Detection (shadow mode)This PR modifies control-plane files:
|
There was a problem hiding this comment.
Pull request overview
Adjusts the CI Ruby matrix to keep ruby/setup-ruby’s existing Bundler behavior for pinned Rubies (3.2–4.0) while allowing Ruby head to use the Bundler shipped with Ruby itself, addressing consistent CI failures on the Ruby head job.
Tip
If you aren't ready for review, convert to a draft PR.
Click "Convert to draft" or run gh pr ready --undo.
Click "Ready for review" or run gh pr ready to reengage.
Changes:
- Split the Ruby setup step into two conditional steps based on
matrix.ruby. - For
matrix.ruby == 'head', configureruby/setup-rubywithbundler: defaultwhile keepingbundler-cacheand working directory behavior consistent.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
setup-go defaults to check-latest: false, so it reuses whatever 1.26.x the runner has cached (currently go1.26.4) instead of fetching the newest patch. That makes the vulnerability scan report stdlib CVEs already fixed upstream -- GO-2026-5856 is fixed in go1.26.5, which the scan never installs.
webrick has been declared in the gemspec since the Ruby SDK landed in basecamp#54 and has never been loaded: nothing requires it, no rake task invokes it, and the tests stub HTTP through WebMock rather than starting a real server. CVE-2026-38969 (WEBrick reparses trailer) has no patched release, so bundle-audit fails on every branch. Removing the declaration drops the gem from the lockfile entirely instead of suppressing the advisory. Note that yard and rdoc can serve docs over WEBrick. Neither has a rake task here, so nothing automated depends on it.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Three independent CI checks are failing on
main, and therefore on every open PR branched from it. Each has a different cause and a different fix. They are grouped here because none of them is a code change and all three must land before any PR can go green.1.
Ruby head—bundlerincompatibilityruby/setup-rubyinstalls a Bundler that Ruby head rejects, so theheadmatrix entry fails while every pinned version passes.The setup step is now split: the
headentry passesbundler: defaultand uses the Bundler that Ruby head ships with. Rubies 3.2 through 4.0 keep the existing step and existing behavior.This is the check currently blocking #356, #358, and #360 — each fails
Ruby headand nothing else.2.
Go Vulnerability Check— stale toolchain, not a real vulnerabilityGO-2026-5856is a privacy leak incrypto/tls, present ingo1.26.4and fixed ingo1.26.5.actions/setup-godefaults tocheck-latest: false. Givengo 1.26ingo.mod, it accepts any cached1.26.xand the runners havego1.26.4warm in the tool cache, so the scan never installs the patched release. The SDK code is unaffected; the scanner was simply pointed at an old stdlib.Setting
check-latest: trueon the govulncheck job makes it resolve the newest1.26.x. Confirmed in CI:Attempting to download 1.26.5→go version go1.26.5→No vulnerabilities found.Scoped to the govulncheck job so the change stays CI-only. Deliberately not fixed with a
toolchaindirective ingo.mod, which would force a minimum toolchain onto everyone consuming the Go SDK and would need a manual bump after each future stdlib CVE.3.
Bundler Audit— unused gem with an unpatched CVECVE-2026-38969(WEBrick reparses trailer) affectswebrick 1.9.2. There is no fixed release;1.9.2is the newest and bundler-audit's guidance is to remove the gem.webrickhas been declared inbasecamp-sdk.gemspecsince the Ruby SDK landed in #54 and has never been loaded. Nothing requires it, no rake task invokes it, and the tests stub HTTP through WebMock (205stub_requestsites) rather than starting a real server. The gemspec declaration is the only occurrence of the string in the repository.Removing the declaration drops it from the lockfile entirely, rather than suppressing a live advisory via
.bundler-audit.yml.yardandrdoccan serve documentation over WEBrick. Neither has a rake task here, so nothing automated depends on it; anyone running a doc server ad hoc will get a clear missing-gem error.Fixes 1 and 3 were extracted from the branch for #302, which had accumulated them while sitting open. #302 is now rebased to contain only its schedule-dates change.