Conversation

Contributor

@yahonda yahonda commented Oct 11, 2025

This pull request updates RubyGems in GitHub Actions CI to address the failures described below.

Steps to reproduce

  1. Use Ruby 3.3 or a lower version of Ruby, which installs a RubyGems version lower than 3.6.0
  2. Clone bundler-audit and run RSpec:
git clone https://github.com/rubysec/bundler-audit
cd bundler-audit
bundle install
bundle exec rspec ./spec/integration_spec.rb

Expected behavior

It should pass

Actual behavior without this fix

These two specs fail.

% ruby -v                                           
ruby 3.3.9 (2025-07-24 revision f5c772fc7c) [x86_64-darwin25]
% gem -v
3.5.22
% bundler -v
Bundler version 2.5.22
% bundle exec rspec ./spec/integration_spec.rb      
WARN: Unresolved or ambiguous specs during Gem::Specification.reset:
      stringio (>= 0)
      Available/installed versions of this gem:
      - 3.1.7
      - 3.1.1
WARN: Clearing out unresolved specs. Try 'gem cleanup <gem>'
Please report a bug if this causes problems.
HEAD is now at 89cdde9 Add CVE-2020-5247 against puma, fixing #435 (#436)

bin/bundler-audit
  must invoke the CLI class (FAILED - 1)

bin/bundle-audit
  must invoke the CLI class (FAILED - 2)

Failures:

  1) bin/bundler-audit must invoke the CLI class
     Failure/Error: expect(subject).to eq("bundler-audit #{Bundler::Audit::VERSION}#{$/}")
     
       expected: "bundler-audit 0.9.2\n"
            got: "WARN: Unresolved or ambiguous specs during Gem::Specification.reset:\n      stringio (>= 0)\n      A...specs. Try 'gem cleanup <gem>'\nPlease report a bug if this causes problems.\nbundler-audit 0.9.2\n"
     
       (compared using ==)
     
       Diff:
       @@ -1 +1,8 @@
       +WARN: Unresolved or ambiguous specs during Gem::Specification.reset:
       +      stringio (>= 0)
       +      Available/installed versions of this gem:
       +      - 3.1.7
       +      - 3.1.1
       +WARN: Clearing out unresolved specs. Try 'gem cleanup <gem>'
       +Please report a bug if this causes problems.
        bundler-audit 0.9.2
       
     # ./spec/integration_spec.rb:14:in `block (2 levels) in <top (required)>'

  2) bin/bundle-audit must invoke the CLI class
     Failure/Error: expect(subject).to eq("bundler-audit #{Bundler::Audit::VERSION}#{$/}")
     
       expected: "bundler-audit 0.9.2\n"
            got: "WARN: Unresolved or ambiguous specs during Gem::Specification.reset:\n      stringio (>= 0)\n      A...specs. Try 'gem cleanup <gem>'\nPlease report a bug if this causes problems.\nbundler-audit 0.9.2\n"
     
       (compared using ==)
     
       Diff:
       @@ -1 +1,8 @@
       +WARN: Unresolved or ambiguous specs during Gem::Specification.reset:
       +      stringio (>= 0)
       +      Available/installed versions of this gem:
       +      - 3.1.7
       +      - 3.1.1
       +WARN: Clearing out unresolved specs. Try 'gem cleanup <gem>'
       +Please report a bug if this causes problems.
        bundler-audit 0.9.2
       
     # ./spec/integration_spec.rb:29:in `block (2 levels) in <top (required)>'

Finished in 0.63557 seconds (files took 0.14522 seconds to load)
2 examples, 2 failures

Failed examples:

rspec ./spec/integration_spec.rb:13 # bin/bundler-audit must invoke the CLI class
rspec ./spec/integration_spec.rb:28 # bin/bundle-audit must invoke the CLI class

Coverage report generated for RSpec to /Users/yahonda/src/github.com/rubysec/bundler-audit/coverage.
Line Coverage: 35.61% (47 / 132)
Stopped processing SimpleCov as a previous error not related to SimpleCov has been detected
%

With this fix

After updating RubyGems to 3.6.0 or higher, which includes https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#360--2024-12-16, these specs should pass:

Skip unresolved deps warning on Gem::Specification.reset on benign cases. Pull request ruby/rubygems#8309 by deivid-rodriguez

% gem update --system
Fetching rubygems-update-3.7.2.gem
Successfully installed rubygems-update-3.7.2
Parsing documentation for rubygems-update-3.7.2
Installing ri documentation for rubygems-update-3.7.2
Done installing documentation for rubygems-update after 2 seconds
Parsing documentation for rubygems-update-3.7.2
Done installing documentation for rubygems-update after 0 seconds
Installing RubyGems 3.7.2
  Successfully built RubyGem
  Name: bundler
  Version: 2.7.2
  File: bundler-2.7.2.gem
Bundler 2.7.2 installed
RubyGems 3.7.2 installed
Regenerating binstubs
Regenerating plugins
Parsing documentation for rubygems-3.7.2
Installing ri documentation for rubygems-3.7.2

... snip ...

RubyGems system software updated
% ruby -v
ruby 3.3.9 (2025-07-24 revision f5c772fc7c) [x86_64-darwin25]
% gem -v
3.7.2
% bundler -v
Bundler version 2.7.2
% bundle exec rspec ./spec/integration_spec.rb
HEAD is now at 89cdde9 Add CVE-2020-5247 against puma, fixing #435 (#436)

bin/bundler-audit
  must invoke the CLI class

bin/bundle-audit
  must invoke the CLI class

Finished in 0.73428 seconds (files took 0.23424 seconds to load)
2 examples, 0 failures

Coverage report generated for RSpec to /Users/yahonda/src/github.com/rubysec/bundler-audit/coverage.
Line Coverage: 35.61% (47 / 132)
%

@yahonda force-pushed the update-rubygems-in-ci branch from c7cc268 to 8d7c927 on October 11, 2025 07:56
@yahonda force-pushed the update-rubygems-in-ci branch from 8d7c927 to 2ad7c90 on October 11, 2025 08:02
…reset:` for Ruby 3.0.x and TruffleRuby

The latest RubyGems version supported on Ruby 3.0 is 3.5.23,
and TruffleRuby does not support `gem update --system` (its bundled
RubyGems version is 3.5.22). Both of these are lower than 3.6.0,
so the warning is expected in these environments.
Contributor Author

yahonda commented Oct 11, 2025

Some tweaks made for Ruby 3.0, 3.1, and TruffleRuby:

1. RubyGems versions

  • Ruby 3.0: use RubyGems 3.5.23, the last version that supports Ruby 3.0 (changelog).
  • Ruby 3.1: use RubyGems 3.6.9, the last version that supports Ruby 3.1 (changelog).

2. Suppress Gem::Specification warnings

Ignore:

WARN: Unresolved or ambiguous specs during Gem::Specification.reset:

for Ruby 3.0 and TruffleRuby, because both are limited to RubyGems versions (3.5.22/3.5.23) that do not include rubygems#8309.

On TruffleRuby, gem update --system is not supported and RubyGems 3.5.22 is bundled by default:

WARNING: "gem update --system" does nothing on TruffleRuby, since it is not fully supported yet.
...

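As an added example (not bundler-audit's own CI or spec code), the Ruby below captures the two decisions described in the reproduction steps and in the comment above: which RubyGems release a CI job should install for a given Ruby (3.0, 3.1, TruffleRuby, anything newer), and how to strip the benign `Gem::Specification.reset` warning from captured CLI output only when the installed RubyGems is older than 3.6.0, so an exact-output comparison like the integration spec's still holds. The helper names, the `"latest"` marker and the `SAMPLE_OUTPUT` text (reconstructed from the failure shown above) are assumptions.

```ruby
require "rubygems"

# Hypothetical helper (not from the project): last RubyGems release that
# supports each Ruby series, as listed in the PR. TruffleRuby gets nil because
# `gem update --system` is a no-op there; "latest" is an assumed marker.
def rubygems_version_for(ruby_version, engine: "ruby")
  return nil if engine == "truffleruby"
  case Gem::Version.new(ruby_version).segments[0, 2].join(".")
  when "3.0" then "3.5.23"
  when "3.1" then "3.6.9"
  else "latest"
  end
end

# RubyGems >= 3.6.0 (rubygems#8309) no longer prints the warning in benign cases.
def warning_expected?(gem_version)
  Gem::Version.new(gem_version) < Gem::Version.new("3.6.0")
end

WARN_PREFIX = "WARN: Unresolved or ambiguous specs during Gem::Specification.reset:"
TRAILERS = ["WARN: Clearing out unresolved specs", "Please report a bug if this causes problems."]

# Drops the warning block (WARN line, its indented detail lines and the two
# trailer lines) from captured output, but only on RubyGems where it is expected.
def strip_unresolved_specs_warning(output, gem_version)
  return output unless warning_expected?(gem_version)
  skipping = false
  output.lines.reject do |line|
    if line.start_with?(WARN_PREFIX)
      skipping = true
    elsif skipping
      skipping = line.start_with?("      ") || TRAILERS.any? { |t| line.start_with?(t) }
    end
    skipping
  end.join
end

# Constructed sample, reconstructed from the failing spec output above.
SAMPLE_OUTPUT = <<~OUT
  WARN: Unresolved or ambiguous specs during Gem::Specification.reset:
        stringio (>= 0)
        Available/installed versions of this gem:
        - 3.1.7
        - 3.1.1
  WARN: Clearing out unresolved specs. Try 'gem cleanup <gem>'
  Please report a bug if this causes problems.
  bundler-audit 0.9.2
OUT
puts strip_unresolved_specs_warning(SAMPLE_OUTPUT, Gem::VERSION) if $PROGRAM_NAME == __FILE__
```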
Contributor Author

yahonda commented Oct 11, 2025

With this change, CI is green in my environment:
https://github.com/yahonda/bundler-audit/actions/runs/18426842910

@postmodern postmodern merged commit 276e065 into rubysec:master Oct 12, 2025
8 checks passed