ruby-oauth · pboling · Sep 20, 2025 · Sep 20, 2025 · Sep 20, 2025 · Sep 20, 2025
diff --git a/.github/workflows/current.yml b/.github/workflows/current.yml
@@ -45,9 +45,7 @@ jobs:
             rubygems: latest
             bundler: latest
 
-          # truffleruby-24.1
-          #   (according to documentation: targets Ruby 3.3 compatibility)
-          #   (according to runtime: targets Ruby 3.2 compatibility)
+          # truffleruby-24.1 (targets Ruby 3.3 compatibility)
           - ruby: "truffleruby"
             appraisal: "current"
             exec_cmd: "rake test"

diff --git a/.github/workflows/license-eye.yml b/.github/workflows/license-eye.yml
@@ -0,0 +1,40 @@
+name: Apache SkyWalking Eyes
+
+permissions:
+  contents: read
+
+on:
+  push:
+    branches:
+      - 'main'
+      - '*-stable'
+    tags:
+      - '!*' # Do not execute on tags
+  pull_request:
+    branches:
+      - '*'
+  # Allow manually triggering the workflow.
+  workflow_dispatch:
+
+# Cancels all previous workflow runs for the same branch that have not yet completed.
+concurrency:
+  # The concurrency group contains the workflow name and the branch name.
+  group: "${{ github.workflow }}-${{ github.ref }}"
+  cancel-in-progress: true
+
+jobs:
+  license-check:
+    if: "!contains(github.event.commits[0].message, '[ci skip]') && !contains(github.event.commits[0].message, '[skip ci]')"
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Check Dependencies' License
+        uses: apache/skywalking-eyes/dependency@main
+        with:
+          config: .licenserc.yaml
+          # Ruby packages declared as dependencies in gemspecs or Gemfiles are
+          #   typically consumed as binaries; enable weak-compatibility
+          #   so permissive and weak-copyleft combinations are treated as compatible.
+          flags: --weak-compatible
diff --git a/.idea/.gitignore b/.idea/.gitignore
diff --git a/.idea/oauth-tty.iml b/.idea/oauth-tty.iml
diff --git a/.junie/guidelines.md b/.junie/guidelines.md
@@ -12,7 +12,8 @@ This document captures project-specific knowledge to streamline setup, testing,
     - See .env.local.example for an example of what to put in .env.local.
     - See CONTRIBUTING.md for details on how to set up your local environment.
 - Ruby and Bundler
-  - Runtime supports very old Rubies (>= 1.9.2) but development tooling targets >= 2.3 because of CI/setup-ruby and dev dependencies.
+  - Runtime supports Ruby >= 2.3.0
+  - Development tooling targets Ruby >= 2.3.0 (minimum supported by setup-ruby GHA).
   - Use a recent Ruby (>= 3.4 recommended) for fastest setup and to exercise modern coverage behavior.
   - Install dependencies via Bundler in project root:
     - bundle install
@@ -53,7 +54,7 @@ This document captures project-specific knowledge to streamline setup, testing,
     - RSpec.describe usage:
       - Use `describe "#<method_name>"` to contain a block of specs that test instance method behavior.
       - Use `describe "::<method_name>"` to contain a block of specs that test class method behavior.
-      - Do not use `describe ".<method_name>"` because the dot is ambiguous w.r.t instance vs. class methods. 
+      - Do not use `describe ".<method_name>"` because the dot is ambiguous w.r.t instance vs. class methods.
     - When adding new code or modifying existing code always add tests to cover the updated behavior, including branches, and different types of expected and unexpected inputs.
   - Additional test utilities:
     - rspec-stubbed_env: Use stub_env to control ENV safely within examples.
@@ -89,11 +90,13 @@ This document captures project-specific knowledge to streamline setup, testing,
   - Place new specs under spec/ mirroring lib/ structure where possible. Do not require "spec_helper" at the top of spec files, as it is automatically loaded by .rspec.
   - If your code relies on environment variables that drive activation (see "Activation env vars" below), prefer using rspec-stubbed_env:
     - it does not support stubbing with blocks, but it does automatically clean up after itself.
-    - outside the example:
+    - the below config is included in all spec scenarios by the kettle-test gem, so no need to do it again; it is here for reference:
       include_context 'with stubbed env'
     - in a before hook, or in an example:
       stub_env("FLOSS_FUNDING_MY_NS" => "Free-as-in-beer")
+
       # example code continues
+
   - If your spec needs to assert on console output, tag it with :check_output. By default, STDOUT is silenced.
   - Use Timecop for deterministic time-sensitive behavior as needed (require config/timecop is already done by spec_helper).
 
@@ -133,6 +136,7 @@ Notes
 - Coverage reports: NEVER review the HTML report. Use JSON (preferred), XML, LCOV, or RCOV. For this project, always run tests with K_SOUP_COV_FORMATTERS set to "json".
 - Do NOT modify .envrc in tasks; when running tests locally or in scripts, manually prefix each run, e.g.: K_SOUP_COV_FORMATTERS="json" bin/rspec
 - For all the kettle-soup-cover options, see .envrc and find the K_SOUP_COV_* env vars.
+- NEVER modify ENV variables in tests directly. Always use the stub_env macro from the rspec-stubbed_env gem (more details in the testing section above).
 
 Important documentation rules
 - Do NOT edit files under docs/ manually; they are generated by `bundle exec rake yard` as part of the default rake task.

diff --git a/.licenserc.yaml b/.licenserc.yaml
@@ -0,0 +1,7 @@
+header:
+  license:
+    spdx-id: MIT
+
+dependency:
+  files:
+    - Gemfile.lock
diff --git a/.rubocop_gradual.lock b/.rubocop_gradual.lock
@@ -5,10 +5,10 @@
   "lib/oauth/tty/command.rb:3092098200": [
     [126, 23, 4, "Security/Open: The use of `Kernel#open` is a serious security risk.", 2087926481]
   ],
-  "oauth-tty.gemspec:3967633356": [
-    [130, 3, 40, "Gemspec/DependencyVersion: Dependency version specification is required.", 2300588954],
-    [132, 3, 44, "Gemspec/DependencyVersion: Dependency version specification is required.", 1905290578],
-    [133, 3, 46, "Gemspec/DependencyVersion: Dependency version specification is required.", 4289565910]
+  "oauth-tty.gemspec:3319279878": [
+    [129, 3, 40, "Gemspec/DependencyVersion: Dependency version specification is required.", 2300588954],
+    [131, 3, 44, "Gemspec/DependencyVersion: Dependency version specification is required.", 1905290578],
+    [132, 3, 46, "Gemspec/DependencyVersion: Dependency version specification is required.", 4289565910]
   ],
   "spec/oauth/backwards_compatibility_spec.rb:4041711732": [
     [3, 16, 25, "RSpec/DescribeClass: The first argument to describe should be the class or module being tested.", 3956042931]

diff --git a/Appraisals b/Appraisals
@@ -31,15 +31,17 @@ end
 # Used for head (nightly) releases of ruby, truffleruby, and jruby.
 # Split into discrete appraisals if one of them needs a dependency locked discretely.
 appraise "head" do
-  gem "oauth", ">= 1.1.0"
+  # Why is gem "cgi" here? See: https://github.com/vcr/vcr/issues/1057
+  #  gem "cgi", ">= 0.5"
+  gem "oauth", github: "ruby-oauth/oauth", branch: "main"
   gem "benchmark", "~> 0.4", ">= 0.4.1"
   eval_gemfile "modular/x_std_libs.gemfile"
 end
 
 # Used for current releases of ruby, truffleruby, and jruby.
 # Split into discrete appraisals if one of them needs a dependency locked discretely.
 appraise "current" do
-  gem "oauth", ">= 1.1.0"
+  gem "oauth", github: "ruby-oauth/oauth", branch: "main"
   eval_gemfile "modular/x_std_libs.gemfile"
 end
 
@@ -84,37 +86,37 @@ appraise "ruby-3-0" do
 end
 
 appraise "ruby-3-1" do
-  gem "oauth", ">= 1.1.0"
+  gem "oauth", github: "ruby-oauth/oauth", branch: "main"
   eval_gemfile "modular/x_std_libs/r3.1/libs.gemfile"
 end
 
 appraise "ruby-3-2" do
-  gem "oauth", ">= 1.1.0"
+  gem "oauth", github: "ruby-oauth/oauth", branch: "main"
   eval_gemfile "modular/x_std_libs/r3/libs.gemfile"
 end
 
 appraise "ruby-3-3" do
-  gem "oauth", ">= 1.1.0"
+  gem "oauth", github: "ruby-oauth/oauth", branch: "main"
   eval_gemfile "modular/x_std_libs/r3/libs.gemfile"
 end
 
 # Only run security audit on the latest version of Ruby
 appraise "audit" do
-  gem "oauth", ">= 1.1.0"
+  gem "oauth", github: "ruby-oauth/oauth", branch: "main"
   eval_gemfile "modular/x_std_libs.gemfile"
 end
 
 # Only run coverage on the latest version of Ruby
 appraise "coverage" do
-  gem "oauth", ">= 1.1.0"
+  gem "oauth", github: "ruby-oauth/oauth", branch: "main"
   eval_gemfile "modular/coverage.gemfile"
   eval_gemfile "modular/optional.gemfile"
   eval_gemfile "modular/x_std_libs.gemfile"
 end
 
 # Only run linter on the latest version of Ruby (but, in support of oldest supported Ruby version)
 appraise "style" do
-  gem "oauth", ">= 1.1.0"
+  gem "oauth", github: "ruby-oauth/oauth", branch: "main"
   eval_gemfile "modular/style.gemfile"
   eval_gemfile "modular/x_std_libs.gemfile"
 end
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -17,61 +17,90 @@ Please file a bug if you notice a violation of semantic versioning.
 [📗keep-changelog-img]: https://img.shields.io/badge/keep--a--changelog-1.0.0-FFDD67.svg?style=flat
 
 ## [Unreleased]
+
 ### Added
+
 - (dev) kettle-dev v1.1.16 (@pboling)
 - (docs) more documentation (@Aboling0, @pboling)
 - (docs) Deployed documentation site for HEAD (@Aboling0)
     - https://oauth-tty.galtzo.com
 - (test) many new tests (@pboling)
 - (docs) CITATION.cff
 - support window increased, down to Ruby 2.3 (@pboling)
+
 ### Changed
+
 - (docs) upgrade Code of Conduct to Contributor Covenant 2.1 (@pboling)
 - (test) migrated test suite to RSpec (@pboling)
 - (test) ignore Ruby warnings coming from other libs (@pboling)
+
 ### Deprecated
+
 ### Removed
+
 - (test) minitest (@pboling)
+
 ### Fixed
+
 ### Security
 
 ## [1.0.5] - 2022-09-20
+
 - TAG: [v1.0.5][1.0.5t]
+
 ### Added
+
 - SHA 256 Checksum for release (in addition to SHA 512) (@pboling)
 - Aligned checksums directory name with `rake build:checksum` task (@pboling)
 - General Cleanup
 
 ## [1.0.4] - 2022-09-19
+
 - TAG: [1.0.4][1.0.4t]
+
 ### Added
+
 - Certificate for signing gem releases (@pboling)
 - Gemspec metadata (@pboling)
   - funding_uri
   - mailing_list_uri
 - Installation and usage documentation (@pboling)
 - SHA 512 Checksum for release (@pboling)
+
 ### Changed
+
 - Gem releases are now cryptographically signed (@pboling)
 
 ## [1.0.3] - 2022-09-06
+
 - TAG: [1.0.3][1.0.3t]
+
 ### Fixed
+
 - Author name - Thaigo Pinto (@pboling)
 
 ## [1.0.2] - 2022-08-26
+
 - TAG: [1.0.2][1.0.2t]
+
 ### Fixed
+
 - URLs in Gemspec (@pboling)
 
 ## [1.0.1] - 2022-08-26
+
 - TAG: [1.0.1][1.0.1t]
+
 ### Fixed
+
 - Circular reference while loading (@pboling)
 
 ## [1.0.0] - 2022-08-26
+
 - TAG: [1.0.0][1.0.0t]
+
 ### Added
+
 - Initial release (@pboling)
 
 [Unreleased]: https://gitlab.com/ruby-oauth/oauth-tty/-/compare/v1.0.5...main