CI: Expand ruby version matrix for broader Ruby compatibility #58
extern-c wants to merge 9 commits into
Conversation
Signed-off-by: Amauri Bizerra <10775696+extern-c@users.noreply.github.com>
Up to standards ✅🟢 Issues
| Metric | Results |
|---|---|
| Complexity | 0 |
| Duplication | 0 |
Pull request overview
Updates the gem’s supported Ruby baseline and CI matrix to validate compatibility across a wider set of modern Ruby versions, while removing the repository Gemfile.lock to avoid cross-version dependency resolution conflicts.
Changes:
- Drop Ruby 2.7 support (gemspec + RuboCop target) and re-enable CI for Ruby 3.0/3.1 while adding Ruby 4.0 to the matrix.
- Remove Gemfile.lock from the repo and ignore it going forward.
- Adjust BOM component hash construction formatting and tweak dev dependency constraints.
Reviewed changes
Copilot reviewed 4 out of 6 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| lib/cyclonedx/bom_component.rb | Makes hashes/licenses array entries explicit hash objects. |
| Gemfile.lock | Removes the lockfile from the repository. |
| cyclonedx-ruby.gemspec | Raises minimum Ruby to 3.0 and adjusts cucumber dev dependency constraints. |
| .rubocop.yml | Updates RuboCop target Ruby version to 3.0. |
| .gitignore | Ignores Gemfile.lock going forward. |
| .github/workflows/ruby.yml | Expands CI Ruby version matrix (adds 4.0, re-adds 3.0/3.1). |
| spec.description = 'CycloneDX is a lightweight software bill-of-material (SBOM) specification designed for use in application security contexts and supply chain component analysis. This Gem generates CycloneDX BOMs from Ruby projects.' | ||
| spec.homepage = 'https://github.com/CycloneDX/cyclonedx-ruby-gem' | ||
| spec.license = 'Apache-2.0' | ||
| spec.required_ruby_version = '>= 2.7.0' |
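Review bot: the visible context ends at `spec.required_ruby_version = '>= 2.7.0'`, and the thread confirms this is the line the PR raises to 3.0; raising the minimum Ruby is a breaking change for every consumer still on 2.7, so it belongs in the changelog with a major version bump, or, as the maintainer asks, should be split out of a PR whose stated scope is completing the CI/CT matrix.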
This change does change the supported ruby version, right?
If so, then this seems to be an unintended change.
Hi,
I'm proposing we drop support for Ruby 2.7.0 (EOL: 2023-03-31) to help reduce maintenance burden, avoid future dependency incompatibilities, and enable further modernization of the gem. This would make Ruby >= 3.0 a requirement to run cyclonedx-ruby-gem, starting with the next release.
Nay, this would be a completely different scope.
And most importantly, this would be a breaking change, too.
This PR should be about one thing and one thing only: complete the CI/CT matrix.
Please keep things simple, single-scoped: one step at a time.
Bundler is unable to resolve dependencies for Ruby 2.7 with the current gemspec. I was able to retain support for Ruby 3.0+ and Ruby 4.0 in CI by loosening dependency constraints slightly, but Ruby 2.7 remains incompatible.
Resolving dependencies...
ffi-1.17.4-x86_64-linux-musl requires ruby version < 4.1.dev, >= 3.0, which is incompatible with the current version, ruby 2.7.8p225
There are a few ways to address this, such as maintaining multiple Gemfile.lock files or using Appraisal to manage separate dependency sets. However, this would introduce additional complexity, especially given that Ruby 2.7 reached end-of-life in 2023.
If there is a strong need to continue supporting Ruby 2.7, I'm happy to revisit this and explore those alternatives.
UPD: Bundler successfully resolves the project's dependencies in the CI environment when running in a fork of the repository using the same configuration, so Ruby 2.7 support has been restored. The earlier error was specific to my development environment. Ruby 2.7 support can be kept for now, although the setup is somewhat fragile for that Ruby version. This can be improved in a follow-up PR.
| @@ -1,6 +1,6 @@ | |||
| AllCops: | |||
| NewCops: enable | |||
| TargetRubyVersion: 2.7 | |||
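Review bot: `TargetRubyVersion` should track `required_ruby_version` in the gemspec, so this hunk only makes sense together with the gemspec change; raising it (the thread says to 3.0) turns on additional cops, which is what produced the Style/HashAsLastArrayItem edits in lib/cyclonedx/bom_component.rb. Either keep it at 2.7 for a CI-only PR or bump both values in the same, clearly labelled change.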
@extern-c please explain this change. is this related to the scope of completing the CI/CT matrix?
TargetRubyVersion was updated from 2.7 to 3.0 to align with the gem's new minimum supported Ruby version introduced in this PR.
why removed? not a blocker, just a question?
| purl: @purl, | ||
| hashes: [ | ||
| alg: HASH_ALG, | ||
| content: @hash |
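Review bot: wrapping the `alg:`/`content:` pairs in explicit braces is a style-only change, not a bugfix; in Ruby `[alg: HASH_ALG, content: @hash]` already evaluates to a one-element array holding a single hash, so the `hashes` entry emitted into the BOM is identical before and after. A spec asserting that the component's `hashes` array has exactly one `{alg:, content:}` element would document that the serialized SBOM is unchanged by this reformatting.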
this looks like a bugfix, not a CI pipeline relevant change
@extern-c please explain this change. is this related to the scope of completing the CI/CT matrix?
Rubocop started emitting Style/HashAsLastArrayItem: Wrap hash in { and } offenses after TargetRubyVersion was updated from 2.7 to 3.0. These changes address the new offenses introduced by the Ruby version bump to avoid adding additional violations. The codebase may still contain other existing offenses, but this change does not introduce new ones.
why removed? not a blocker, just a question?
The current Gemfile.lock prevents Bundler from resolving dependencies across all Ruby versions supported by the project. Here is the output from bundler install with Ruby 2.7:
Bundler found conflicting requirements for the Ruby version:
In Gemfile:
Ruby
cyclonedx-ruby was resolved to 1.2.0, which depends on
Ruby (>= 2.7.0)
cyclonedx-ruby was resolved to 1.2.0, which depends on
nokogiri (~> 1.15) was resolved to 1.18.10, which depends on
Ruby (>= 3.1.0)
Ruby (>= 3.1.0), which is required by gem 'cyclonedx-ruby', is not available in the local ruby installation
While there are different views on committing Gemfile.lock for libraries/gems, in this case, I believe the benefits of omitting it outweigh the drawbacks. We could maintain multiple Gemfile.lock files or use Appraisal to handle this, but I think that would introduce unnecessary complexity.
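The conflict reported in the two Bundler outputs in this thread can be reproduced with RubyGems' own requirement classes, without running Bundler at all. The following is an added example and not code from cyclonedx-ruby-gem: it takes the Ruby-version requirements the thread reports (the gemspec's `>= 2.7.0`, nokogiri 1.18.10's `>= 3.1.0`, and ffi 1.17.4's `>= 3.0, < 4.1.dev`) and checks each Ruby in the CI matrix against them. The patch-level versions in the matrix, and the 3.2/3.3 entries, are assumed for illustration.

```ruby
require 'rubygems'

# Ruby-version requirements quoted from the Bundler errors in this thread.
# Constructed table: the gem names and requirements are the ones the thread
# reports; the labels are for display only.
CONSTRAINTS = {
  'cyclonedx-ruby 1.2.0 (gemspec)' => '>= 2.7.0',
  'nokogiri 1.18.10'               => '>= 3.1.0',
  'ffi 1.17.4'                     => ['>= 3.0', '< 4.1.dev']
}.freeze

# CI matrix as the PR describes it (2.7, 3.0, 3.1, 4.0 plus assumed 3.2/3.3
# entries); the exact patch levels are assumed for illustration.
MATRIX = %w[2.7.8 3.0.7 3.1.6 3.2.5 3.3.6 4.0.0].freeze

# Returns the labels of the constraints a given Ruby version fails to satisfy.
# Gem::Requirement accepts several clauses at once, so the ffi pair
# ('>= 3.0' and '< 4.1.dev') is evaluated as a single conjunction.
def unsatisfied_for(ruby_version, constraints = CONSTRAINTS)
  version = Gem::Version.new(ruby_version)
  constraints
    .reject { |_label, req| Gem::Requirement.new(req).satisfied_by?(version) }
    .keys
end

# Builds a matrix-wide report: ruby version => blocking constraints (empty
# array means every quoted requirement resolves on that Ruby).
def resolution_report(matrix = MATRIX, constraints = CONSTRAINTS)
  matrix.to_h { |ruby_version| [ruby_version, unsatisfied_for(ruby_version, constraints)] }
end

if __FILE__ == $PROGRAM_NAME
  resolution_report.each do |ruby_version, blockers|
    status = blockers.empty? ? 'resolves' : "blocked by #{blockers.join(', ')}"
    puts "ruby #{ruby_version}: #{status}"
  end
end
```

Run it with `ruby check_matrix.rb` (file name assumed). The report shows the shape of the problem the thread describes: a lockfile generated on a recent Ruby pins nokogiri 1.18.10, whose `>= 3.1.0` floor excludes both the 2.7 and 3.0 matrix entries, while the ffi build excludes 2.7 on its own. Keeping the lockfile out of the repository lets Bundler pick a nokogiri release per Ruby instead of failing on the pinned one.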
e5037d9 to 8ab4cf1
Description
This PR resolves issue #43 by addressing dependency conflicts and updating supported Ruby versions. CI was previously failing due to Gemfile.lock constraints across multiple Ruby versions. Ruby 2.7 support was also causing dependency incompatibilities.
Please note that Ruby 2.7 reached end of life on March 31, 2023. Dropping support for this version helps reduce ongoing maintenance burden and avoid future dependency incompatibilities. Source: Ruby Maintenance Branches
I understand that there are different opinions on whether Gemfile.lock should be included in gems; however, in this case, I believe the benefits of omitting it outweigh the drawbacks.