fix(gemspec): exclude test, spec, and CI files from published gem #415
neumayr wants to merge 1 commit into rubysec:master from
Conversation
This change tightens up the `gem.files` configuration in `bundler-audit.gemspec` to avoid shipping test files and CI configuration into the published gem.
Co-Authored-By: Copilot <198982749+Copilot@users.noreply.github.com>
| glob = lambda { |patterns| gem.files & Dir[*patterns] } | ||
| gem.files = `git ls-files`.split($/) | ||
| gem.files = glob[gemspec['files']] if gemspec['files'] |
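Review bot: removing `gem.files = glob[gemspec['files']] if gemspec['files']` in this hunk leaves the `glob` lambda defined two lines above it with no remaining caller, so it becomes dead code; either drop the lambda in the same change or, if the `files:` override in gemspec.yml is meant to stay available, keep both lines together rather than removing only the call site.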
The gem.files = glob[gemspec['files']] if gemspec['files'] line is supposed to be there, in case we ever want to explicitly list the files or glob-patterns of files to include in the built gem in gemspec.yml.
| gem.files = `git ls-files`.split($/) | ||
| gem.files = glob[gemspec['files']] if gemspec['files'] | ||
| gem.files = `git ls-files -z`.split("\x0").reject do |f| |
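Review bot: the switch from `git ls-files`.split($/) to `git ls-files -z`.split("\x0") on the last line of this hunk is independent of the directory exclusion this PR is about and changes no entry for file names without newlines, so it is better landed as its own commit with its own justification; if it stays, it is at least correct as written, since String#split with a string separator discards the empty field left by the trailing NUL of `-z` output, so no "" path reaches gem.files.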
I'm not sure why git ls-files -z is preferred over regular git ls-files. None of the file names include newlines and the output of the command should be delimited by $/. I feel like that should be a separate PR and discussion.
I see, Copilot made this decision
| gem.files = `git ls-files`.split($/) | ||
| gem.files = glob[gemspec['files']] if gemspec['files'] | ||
| gem.files = `git ls-files -z`.split("\x0").reject do |f| | ||
| f.match(%r{^(test|spec|\.github)/}) |
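Review bot: the pattern on the last line of this hunk, `%r{^(test|spec|\.github)/}`, anchors with `^`, which in Ruby matches at the beginning of any line inside the string rather than only at the beginning of the string; use `\A` so a path is excluded only when it actually starts with one of those directories. The difference only shows for paths containing a newline, which is exactly the case the `-z` switch two lines up is meant to handle, so the two lines are currently inconsistent with each other.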
I already have some code in other projects that remove all spec files from the gem.files. Also, discussing which other dotfiles to remove from the built gem should be another discussion.
This PR includes other changes which should be separate PRs/discussions. I do agree we could remove the
- exclude `spec/` directory from published gem - follow up of rubysec#415
Summary
This change tightens up the `gem.files` configuration in `bundler-audit.gemspec` to avoid shipping test files and CI configuration into the published gem.
Motivation
Avoid false positives in container image scanners like AWS Inspector, which scan and analyze every `Gemfile.lock` they can find in the container image. So, for example, the `spec/` files under `/[…]/gems/bundler-audit-0.9.3/spec/bundle/secure/Gemfile.lock` are also reported.
Changes
- Use `git ls-files -z` with null-byte splitting instead of `git ls-files` with `$/` (newline). This is more robust and correctly handles any filenames containing newlines or other special characters.
- Exclude `test/`, `spec/`, and `.github/` directories from the published gem file list. Previously, all tracked files (including the full spec suite and GitHub Actions workflows) were included in the gem package. These files are only relevant during development and should not be distributed to gem consumers.
- Remove dead `gem.files` override line. The line `gem.files = glob[gemspec['files']] if gemspec['files']` was never evaluated in practice because `gemspec.yml` does not define a `files:` key. Removing it eliminates confusion and potential for unintended future behaviour.
Before
After
Why this matters
Shipping `spec/` files and `.github/workflows` in a published gem unnecessarily bloats the download size for end users and exposes internal CI configuration that has no value outside of the development environment. This change aligns the gemspec with the convention used by many well-maintained gems in the Ruby ecosystem.
Notes on the suggestion
- rubysec/bundler-audit: `bundler-audit.gemspec` only (1 file, net −2 / +3 lines)
- `gemspec.yml` has no `files:` key, so the removed override line was never used
P.S. 🤖 I've vibe coded this task for fun with github agents, just because I wanted to try it out. Be nice ✌️ 🌻
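The file-list derivation this PR touches, as an added example that is not code from bundler-audit or from the PR itself: it splits constructed `git ls-files -z` output on NUL the way the new gemspec line does, applies the same directory exclusion, and contrasts the `^` anchor used in the PR with `\A`. All path names below, including the hypothetical one containing a newline, are constructed for illustration and are not the repository's tracked files; the helper names (`tracked_files`, `gem_files`, `excluded_files`, `false_exclusions`) are this example's own.

```ruby
# Added example, not bundler-audit's gemspec: build the gem file list from
# NUL-delimited `git ls-files -z` output and filter out development-only
# directories, showing where the regexp anchor matters.

# Constructed `git ls-files -z` output (not captured from the repository).
# Each entry is NUL-terminated; the last path carries an embedded newline,
# the case `-z` exists for.
SAMPLE_LS_FILES_Z =
  ["bundler-audit.gemspec",
   "lib/bundler/audit.rb",
   "lib/bundler/audit/cli.rb",
   "spec/audit_spec.rb",
   "spec/bundle/secure/Gemfile.lock",
   "test/helper.rb",
   ".github/workflows/ci.yml",
   "data/odd\nspec/name.txt"].join("\0") + "\0"

# Directories the PR keeps out of the published gem.
EXCLUDED_DIRS = %w[test spec .github].freeze
ALTERNATION   = EXCLUDED_DIRS.map { |d| Regexp.escape(d) }.join("|")

# The PR's form: in Ruby `^` matches at the start of every line in the string.
LINE_ANCHORED_RE   = %r{^(#{ALTERNATION})/}
# Safer form: `\A` matches only at the start of the string.
STRING_ANCHORED_RE = %r{\A(#{ALTERNATION})/}

# Split NUL-delimited output. String#split drops the empty field left by the
# final NUL, so no "" entry ends up in the list.
def tracked_files(ls_files_z_output)
  ls_files_z_output.split("\0")
end

# Paths that survive the exclusion filter (what would ship in the gem).
def gem_files(paths, pattern)
  paths.reject { |f| f.match?(pattern) }
end

# Paths the filter removes; useful when auditing a built gem's contents.
def excluded_files(paths, pattern)
  paths.select { |f| f.match?(pattern) }
end

# Paths dropped by the line-anchored pattern but kept by the string-anchored
# one, i.e. files wrongly excluded because `^` matched after a newline.
def false_exclusions(paths)
  gem_files(paths, STRING_ANCHORED_RE) - gem_files(paths, LINE_ANCHORED_RE)
end

if __FILE__ == $PROGRAM_NAME
  paths = tracked_files(SAMPLE_LS_FILES_Z)
  puts "tracked:   #{paths.size}"
  puts "published: #{gem_files(paths, STRING_ANCHORED_RE).inspect}"
  puts "excluded:  #{excluded_files(paths, STRING_ANCHORED_RE).inspect}"
  puts "dropped only by ^ anchor: #{false_exclusions(paths).inspect}"
end
```

Running it with `ruby` prints the published and excluded sets; `false_exclusions` is empty for ordinary file names and only differs from the PR's behaviour for the constructed newline-containing path, which is the same edge case the `-z` switch is meant to cover.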