Tags: jdx/ruby
Tags
fix: keep SLSA release workflow on tag refs (#33)

## Summary

- switch the release provenance workflow back to `slsa-framework/[email protected]` by tag instead of a raw commit SHA
- document why this reusable workflow must stay on a tag when `compile-generator: false`
- stop Renovate from digest-pinning `slsa-framework/slsa-github-generator`, which would reintroduce the breakage

## Root Cause

The release failure was not caused by `v2.1.0` itself. The breakage came from referencing the reusable workflow by commit SHA. In `v2.1.0`, the generator's builder fetch path expects a tag-style ref so it can resolve and verify the builder release. When Renovate pinned the workflow to a raw SHA, the provenance job failed while fetching the builder.

Failing run:
- https://github.com/jdx/ruby/actions/runs/24729843533

Relevant error:
- `Invalid ref: f7dd8c54c2067bafc12ca7a55595d5ee9b75204a. Expected ref of the form refs/tags/vX.Y.Z`

## Why This Fix

Using the release tag keeps the SLSA workflow on the intended supported path, and the Renovate rule prevents automation from converting it back to a digest later.
Fix dep resolution and --HEAD flag leak in jdx-package (#21)

## Summary

Two bugs in `cmd/jdx-package.rb`:

1. **[email protected] included when YJIT is enabled**: `Dependency.expand` includes `[email protected]` and `[email protected]` even when YJIT is enabled (the default). The formula conditionally declares these deps with `if build.without? "yjit"`, but the dep resolver doesn't honor build options. This causes the build to fail when `[email protected]`'s post-install `localedef` step errors out. Fix by pruning these deps when `--without-yjit` is not passed.
2. **`--HEAD` flag leaks across loop iterations**: The `flags` array is defined before the `args.named.each` loop and `--HEAD` is appended inside the loop without being removed. When processing multiple formulae, `--HEAD` accumulates across iterations. Fix by using `flags.dup` per iteration.

## Test plan

- [x] Verified fix aligns with formula intent (`[email protected]` is conditional on `build.without? "yjit"`)
- [ ] Build `[email protected]` with YJIT on Linux — should no longer pull in `[email protected]`
- [ ] Build multiple formulae in one invocation — `--HEAD` should not leak

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Moderate risk because it changes dependency pruning and build flags for bottle builds, which can affect build outputs and CI behavior, but it’s localized to `cmd/jdx-package.rb`.
>
> **Overview**
> Fixes `jdx-package` packaging to avoid state leaking across formula builds by duplicating per-formula flags so `--HEAD` is applied only for the current `name`.
>
> Adjusts dependency expansion to explicitly prune `glibc@*` and `[email protected]` when YJIT is enabled (i.e., `--without-yjit` is *not* set), preventing unintended deps from being built/installed during bottle creation.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 428fead. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>