Skip to content

ci: Generate both gemfile and lock #2967

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
sl0thentr0py merged 1 commit into from
Jun 10, 2026
+52 −39
Merged

ci: Generate both gemfile and lock #2967

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
91 changes: 52 additions & 39 deletions .github/workflows/update_lockfiles.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,8 +36,7 @@ jobs:
run:
working-directory: sentry-ruby
env:
BUNDLE_GEMFILE: ${{ github.workspace }}/sentry-ruby/Gemfile
BUNDLE_LOCKFILE: ${{ github.workspace }}/sentry-ruby/gemfiles/ruby-${{ matrix.ruby_version }}_rack-${{ matrix.rack_version }}_redis-${{ matrix.redis_rb_version }}.lock
BUNDLE_GEMFILE: ${{ github.workspace }}/sentry-ruby/gemfiles/ruby-${{ matrix.ruby_version }}_rack-${{ matrix.rack_version }}_redis-${{ matrix.redis_rb_version }}.gemfile
RACK_VERSION: ${{ matrix.rack_version }}
REDIS_RB_VERSION: ${{ matrix.redis_rb_version }}
strategy:
Expand All @@ -62,18 +61,22 @@ jobs:
- uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1
with:
ruby-version: ${{ matrix.ruby_version }}
bundler: 2.6.9
bundler: latest
bundler-cache: false
- name: Resolve lockfile
run: |
mkdir -p gemfiles
bundle lock --update --add-checksums
# Wrapper keys the lock to this cell (<cell>.gemfile -> <cell>.gemfile.lock).
echo 'eval_gemfile "../Gemfile"' > "$BUNDLE_GEMFILE"
bundle lock --update
# Checksums need Bundler >= 2.5 (Ruby >= 3.0); older Rubies get version pinning only.
bundle lock --add-checksums || echo "::warning::--add-checksums unsupported on $(bundle --version); version pinning only for ${{ matrix.ruby_version }}"
Comment thread
sl0thentr0py marked this conversation as resolved.
- uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
with:
name: lock-sentry-ruby-${{ matrix.ruby_version }}-${{ matrix.rack_version }}-${{ matrix.redis_rb_version }}
# Leading wildcard keeps the repo-relative path (sentry-ruby/gemfiles/...)
# inside the artifact, so the commit job can drop it straight back in place.
path: "*/gemfiles/ruby-${{ matrix.ruby_version }}_rack-${{ matrix.rack_version }}_redis-${{ matrix.redis_rb_version }}.lock"
# inside the artifact; trailing * grabs both .gemfile and .gemfile.lock.
path: "*/gemfiles/ruby-${{ matrix.ruby_version }}_rack-${{ matrix.rack_version }}_redis-${{ matrix.redis_rb_version }}.gemfile*"
if-no-files-found: error

gen-sentry-rails:
Expand All @@ -85,8 +88,7 @@ jobs:
run:
working-directory: sentry-rails
env:
BUNDLE_GEMFILE: ${{ github.workspace }}/sentry-rails/Gemfile
BUNDLE_LOCKFILE: ${{ github.workspace }}/sentry-rails/gemfiles/ruby-${{ matrix.ruby_version }}_rails-${{ matrix.rails_version }}.lock
BUNDLE_GEMFILE: ${{ github.workspace }}/sentry-rails/gemfiles/ruby-${{ matrix.ruby_version }}_rails-${{ matrix.rails_version }}.gemfile
RAILS_VERSION: ${{ matrix.rails_version }}
strategy:
fail-fast: false
Expand Down Expand Up @@ -118,16 +120,18 @@ jobs:
- uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1
with:
ruby-version: ${{ matrix.ruby_version }}
bundler: 2.6.9
bundler: latest
bundler-cache: false
- name: Resolve lockfile
run: |
mkdir -p gemfiles
bundle lock --update --add-checksums
echo 'eval_gemfile "../Gemfile"' > "$BUNDLE_GEMFILE"
bundle lock --update
bundle lock --add-checksums || echo "::warning::--add-checksums unsupported on $(bundle --version); version pinning only for ${{ matrix.ruby_version }}"
- uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
with:
name: lock-sentry-rails-${{ matrix.ruby_version }}-${{ matrix.rails_version }}
path: "*/gemfiles/ruby-${{ matrix.ruby_version }}_rails-${{ matrix.rails_version }}.lock"
path: "*/gemfiles/ruby-${{ matrix.ruby_version }}_rails-${{ matrix.rails_version }}.gemfile*"
if-no-files-found: error

gen-sentry-sidekiq:
Expand All @@ -139,8 +143,7 @@ jobs:
run:
working-directory: sentry-sidekiq
env:
BUNDLE_GEMFILE: ${{ github.workspace }}/sentry-sidekiq/Gemfile
BUNDLE_LOCKFILE: ${{ github.workspace }}/sentry-sidekiq/gemfiles/ruby-${{ matrix.ruby_version }}_sidekiq-${{ matrix.sidekiq_version }}.lock
BUNDLE_GEMFILE: ${{ github.workspace }}/sentry-sidekiq/gemfiles/ruby-${{ matrix.ruby_version }}_sidekiq-${{ matrix.sidekiq_version }}.gemfile
SIDEKIQ_VERSION: ${{ matrix.sidekiq_version }}
strategy:
fail-fast: false
Expand All @@ -164,16 +167,18 @@ jobs:
- uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1
with:
ruby-version: ${{ matrix.ruby_version }}
bundler: 2.6.9
bundler: latest
bundler-cache: false
- name: Resolve lockfile
run: |
mkdir -p gemfiles
bundle lock --update --add-checksums
echo 'eval_gemfile "../Gemfile"' > "$BUNDLE_GEMFILE"
bundle lock --update
bundle lock --add-checksums || echo "::warning::--add-checksums unsupported on $(bundle --version); version pinning only for ${{ matrix.ruby_version }}"
- uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
with:
name: lock-sentry-sidekiq-${{ matrix.ruby_version }}-${{ matrix.sidekiq_version }}
path: "*/gemfiles/ruby-${{ matrix.ruby_version }}_sidekiq-${{ matrix.sidekiq_version }}.lock"
path: "*/gemfiles/ruby-${{ matrix.ruby_version }}_sidekiq-${{ matrix.sidekiq_version }}.gemfile*"
if-no-files-found: error

gen-sentry-resque:
Expand All @@ -185,8 +190,7 @@ jobs:
run:
working-directory: sentry-resque
env:
BUNDLE_GEMFILE: ${{ github.workspace }}/sentry-resque/Gemfile
BUNDLE_LOCKFILE: ${{ github.workspace }}/sentry-resque/gemfiles/ruby-${{ matrix.ruby_version }}.lock
BUNDLE_GEMFILE: ${{ github.workspace }}/sentry-resque/gemfiles/ruby-${{ matrix.ruby_version }}.gemfile
strategy:
fail-fast: false
# Keep in sync with the matrix in sentry_resque_test.yml.
Expand All @@ -200,16 +204,18 @@ jobs:
- uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1
with:
ruby-version: ${{ matrix.ruby_version }}
bundler: 2.6.9
bundler: latest
bundler-cache: false
- name: Resolve lockfile
run: |
mkdir -p gemfiles
bundle lock --update --add-checksums
echo 'eval_gemfile "../Gemfile"' > "$BUNDLE_GEMFILE"
bundle lock --update
bundle lock --add-checksums || echo "::warning::--add-checksums unsupported on $(bundle --version); version pinning only for ${{ matrix.ruby_version }}"
- uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
with:
name: lock-sentry-resque-${{ matrix.ruby_version }}
path: "*/gemfiles/ruby-${{ matrix.ruby_version }}.lock"
path: "*/gemfiles/ruby-${{ matrix.ruby_version }}.gemfile*"
if-no-files-found: error

gen-sentry-delayed_job:
Expand All @@ -221,8 +227,7 @@ jobs:
run:
working-directory: sentry-delayed_job
env:
BUNDLE_GEMFILE: ${{ github.workspace }}/sentry-delayed_job/Gemfile
BUNDLE_LOCKFILE: ${{ github.workspace }}/sentry-delayed_job/gemfiles/ruby-${{ matrix.ruby_version }}.lock
BUNDLE_GEMFILE: ${{ github.workspace }}/sentry-delayed_job/gemfiles/ruby-${{ matrix.ruby_version }}.gemfile
strategy:
fail-fast: false
# Keep in sync with the matrix in sentry_delayed_job_test.yml.
Expand All @@ -236,16 +241,18 @@ jobs:
- uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1
with:
ruby-version: ${{ matrix.ruby_version }}
bundler: 2.6.9
bundler: latest
bundler-cache: false
- name: Resolve lockfile
run: |
mkdir -p gemfiles
bundle lock --update --add-checksums
echo 'eval_gemfile "../Gemfile"' > "$BUNDLE_GEMFILE"
bundle lock --update
bundle lock --add-checksums || echo "::warning::--add-checksums unsupported on $(bundle --version); version pinning only for ${{ matrix.ruby_version }}"
- uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
with:
name: lock-sentry-delayed_job-${{ matrix.ruby_version }}
path: "*/gemfiles/ruby-${{ matrix.ruby_version }}.lock"
path: "*/gemfiles/ruby-${{ matrix.ruby_version }}.gemfile*"
if-no-files-found: error

gen-sentry-opentelemetry:
Expand All @@ -257,8 +264,7 @@ jobs:
run:
working-directory: sentry-opentelemetry
env:
BUNDLE_GEMFILE: ${{ github.workspace }}/sentry-opentelemetry/Gemfile
BUNDLE_LOCKFILE: ${{ github.workspace }}/sentry-opentelemetry/gemfiles/ruby-${{ matrix.ruby_version }}.lock
BUNDLE_GEMFILE: ${{ github.workspace }}/sentry-opentelemetry/gemfiles/ruby-${{ matrix.ruby_version }}.gemfile
strategy:
fail-fast: false
# Keep in sync with the matrix in sentry_opentelemetry_test.yml.
Expand All @@ -271,16 +277,18 @@ jobs:
- uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1
with:
ruby-version: ${{ matrix.ruby_version }}
bundler: 2.6.9
bundler: latest
bundler-cache: false
- name: Resolve lockfile
run: |
mkdir -p gemfiles
bundle lock --update --add-checksums
echo 'eval_gemfile "../Gemfile"' > "$BUNDLE_GEMFILE"
bundle lock --update
bundle lock --add-checksums || echo "::warning::--add-checksums unsupported on $(bundle --version); version pinning only for ${{ matrix.ruby_version }}"
- uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
with:
name: lock-sentry-opentelemetry-${{ matrix.ruby_version }}
path: "*/gemfiles/ruby-${{ matrix.ruby_version }}.lock"
path: "*/gemfiles/ruby-${{ matrix.ruby_version }}.gemfile*"
if-no-files-found: error

gen-sentry-yabeda:
Expand All @@ -292,8 +300,7 @@ jobs:
run:
working-directory: sentry-yabeda
env:
BUNDLE_GEMFILE: ${{ github.workspace }}/sentry-yabeda/Gemfile
BUNDLE_LOCKFILE: ${{ github.workspace }}/sentry-yabeda/gemfiles/ruby-${{ matrix.ruby_version }}.lock
BUNDLE_GEMFILE: ${{ github.workspace }}/sentry-yabeda/gemfiles/ruby-${{ matrix.ruby_version }}.gemfile
strategy:
fail-fast: false
# Keep in sync with the matrix in sentry_yabeda_test.yml.
Expand All @@ -307,16 +314,18 @@ jobs:
- uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1
with:
ruby-version: ${{ matrix.ruby_version }}
bundler: 2.6.9
bundler: latest
bundler-cache: false
- name: Resolve lockfile
run: |
mkdir -p gemfiles
bundle lock --update --add-checksums
echo 'eval_gemfile "../Gemfile"' > "$BUNDLE_GEMFILE"
bundle lock --update
bundle lock --add-checksums || echo "::warning::--add-checksums unsupported on $(bundle --version); version pinning only for ${{ matrix.ruby_version }}"
- uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
with:
name: lock-sentry-yabeda-${{ matrix.ruby_version }}
path: "*/gemfiles/ruby-${{ matrix.ruby_version }}.lock"
path: "*/gemfiles/ruby-${{ matrix.ruby_version }}.gemfile*"
if-no-files-found: error

commit:
Expand All @@ -337,7 +346,7 @@ jobs:
with:
token: ${{ secrets.GITHUB_TOKEN }}
# Each artifact carries its repo-relative path, so merging them straight into
# the workspace lands every lock back at <gem>/gemfiles/*.lock — no routing.
# the workspace lands every pair back at <gem>/gemfiles/ — no routing.
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
merge-multiple: true
Expand All @@ -350,7 +359,11 @@ jobs:
- name: Create branch
id: create-branch
run: |
git add '**/gemfiles/*.lock'
# Stage first, then diff the index against HEAD. `git diff` alone only
# sees tracked files, so newly generated (untracked) pairs — i.e. the
# bootstrap run and any filled-in missing cell — would otherwise look
# like "no change" and never get pushed.
git add '**/gemfiles/*.gemfile' '**/gemfiles/*.gemfile.lock'

if git diff --cached --quiet; then
echo "No lockfile changes; nothing to do."
Expand Down Expand Up @@ -379,7 +392,7 @@ jobs:
script: |
const branchName = process.env.BRANCH_NAME;
const commitTitle = process.env.COMMIT_TITLE;
const prBody = `Automated regeneration of the per-matrix, checksummed lockfiles used to pin CI dependencies (supply-chain hardening).
const prBody = `Automated regeneration of the per-matrix lockfiles used to pin CI dependencies (supply-chain hardening).

## Action required
- If CI passes on this PR, it's safe to approve and merge: the refreshed pins resolve and the suite is green.
Expand Down
Loading