From eecdb5d4b312a920330c617e1ed5e3baf3996719 Mon Sep 17 00:00:00 2001
From: "chromebrew-actions[bot]" <220035932+chromebrew-actions[bot]@users.noreply.github.com>
Date: Fri, 11 Jul 2025 12:32:07 -0500
Subject: [PATCH] Update ruby_resolv, gem search in the ruby buildsystem, & workflows. (#12176)
* workflow tweaks
Signed-off-by: Satadru Pramanik
* Update Ruby Resolv gem to handle CVE-2025-24294
Signed-off-by: Satadru Pramanik
* Add built packages for linux/386 to ruby_resolv
* Add built packages for linux/amd64 to ruby_resolv
* Add built packages for linux/arm/v7 to ruby_resolv
* Cleanup workflow.
Signed-off-by: Satadru Pramanik
* Fix gem search regex
Signed-off-by: Satadru Pramanik
* Update ruby gem updater with more ruby gem name exceptions.
Signed-off-by: Satadru Pramanik
* Clean up updater output.
Signed-off-by: Satadru Pramanik
---------
Signed-off-by: Satadru Pramanik
Co-authored-by: Satadru Pramanik
Co-authored-by: satmandu
---
 .github/workflows/Build.yml | 16 +++++++++++++---
 .github/workflows/Gen-Token.yml | 2 +-
 .github/workflows/Unit-Test.yml | 4 +++-
 lib/buildsystems/ruby.rb | 2 +-
 packages/ruby_resolv.rb | 10 +++++-----
 tools/update_python_pip_packages.rb | 3 ++-
 tools/update_ruby_gem_packages.rb | 11 ++++++++---
 7 files changed, 33 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/Build.yml b/.github/workflows/Build.yml
index 0a4100734..dc63a0493 100644
--- a/.github/workflows/Build.yml
+++ b/.github/workflows/Build.yml
@@ -295,7 +295,7 @@ jobs:
 git config user.name "${{ github.actor }}"
 git config user.email "${{ github.actor }}@users.noreply.github.com"
 git add -A
- git commit -m "Add built packages for ${PLATFORM} to ${{ env.BRANCH }}" && git push -f
+ git commit -m "Add built packages for ${PLATFORM} to branch ${{ env.BRANCH }}." && git push -f
 git log --oneline -10
 fi
 build-check:
@@ -331,11 +331,20 @@ jobs:
 git reset --hard "origin/${{ env.BRANCH }}"
 git pull --rebase origin master && git push -f
 git log --oneline -10
+ - name: Get GH Token
+ id: get_workflow_token
+ uses: peter-murray/workflow-application-token-action@v4
+ with:
+ application_id: ${{ secrets.APPLICATION_ID }}
+ application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
+ organization: chromebrew
+ revoke_token: true
 - name: Create Pull Request
 if: ${{ github.event.inputs.with_pr == 'true' }}
 env:
 CHANGED_MANIFEST_FILES: ${{ steps.changed-manifest-files.outputs.all_changed_files }}
 CHANGED_PACKAGES: ${{ needs.setup.outputs.changed_packages }}
+ GH_BACKUP_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
 TIMESTAMP: ${{ needs.setup.outputs.timestamp }}
 i686_PACKAGES: ${{ needs.setup.outputs.i686_packages }}
 x86_64_PACKAGES: ${{ needs.setup.outputs.x86_64_packages }}
@@ -360,15 +369,16 @@ jobs:
 echo -e "CREW_REPO=https://github.com/chromebrew/chromebrew.git CREW_BRANCH=${{ env.BRANCH }} crew update \\" >> /tmp/pr.txt
 echo -e "&& yes | crew upgrade\n\`\`\`" >> /tmp/pr.txt
 cat /tmp/pr.txt
+ gh auth status >/dev/null 2>&1 || export GH_TOKEN="${GH_BACKUP_TOKEN}"
 PR_NUMBER=$(gh pr create --title "AutoBuild: ${{ env.BRANCH }} started at ${TIMESTAMP}" -F /tmp/pr.txt | rev | cut -d"/" -f1 | rev)
 echo "PR_NUMBER is ${PR_NUMBER}"
 echo "PR_NUMBER=${PR_NUMBER}" >> "$GITHUB_ENV"
 - name: Trigger Unit Test Workflow & Add Reviewer Team
 if: ${{ github.event.inputs.with_pr == 'true' }}
 env:
+ GH_BACKUP_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
 GH_TOKEN: ${{ secrets.CREW_PR_TOKEN }}
 run: |
- echo "Flipping pr ${PR_NUMBER} state."
- gh pr close "${PR_NUMBER}" && gh pr reopen "${PR_NUMBER}"
+ gh auth status >/dev/null 2>&1 || export GH_TOKEN="${GH_BACKUP_TOKEN}"
 gh pr edit "${PR_NUMBER}" --add-reviewer chromebrew/active
 gh pr merge "${PR_NUMBER}" --auto
diff --git a/.github/workflows/Gen-Token.yml b/.github/workflows/Gen-Token.yml
index 9a2e85449..1770b43d2 100644
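Review bot: The new `Get GH Token` step passes `secrets.APPLICATION_PRIVATE_KEY` to a third-party action referenced by the mutable tag `@v4`, so any later change behind that tag runs with the App's private key in scope. Pin it to a reviewed full commit SHA, e.g. `uses: peter-murray/workflow-application-token-action@<full-commit-sha> # v4`. The step also has no `if:`, unlike the two PR steps that consume its output, so an App token is minted on every run of this job; adding `if: ${{ github.event.inputs.with_pr == 'true' }}` would limit it to the runs that need one. The rest of the job is outside the hunk.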
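Review bot: The fallback `gh auth status >/dev/null 2>&1 || export GH_TOKEN="${GH_BACKUP_TOKEN}"`, added to both the `Create Pull Request` and the `Trigger Unit Test Workflow & Add Reviewer Team` steps, switches credentials silently: the reason the primary token was rejected is discarded, and the run log does not show which identity then created, edited or auto-merged the PR. Log the switch and re-check the result so an empty or unusable App token fails the step at this point, e.g. `gh auth status >/dev/null 2>&1 || { echo "primary gh token rejected; using app token"; export GH_TOKEN="${GH_BACKUP_TOKEN}"; gh auth status; }`. Whether `GH_TOKEN` is set at all for the first step is not visible in this hunk.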
--- a/.github/workflows/Gen-Token.yml
+++ b/.github/workflows/Gen-Token.yml
@@ -2,7 +2,7 @@ name: Generate GitHub Actions Token
 on:
 schedule:
- - cron: 30 * * * *
+ - cron: 25,55 * * * *
 workflow_dispatch: null
 permissions:
 issues: write
diff --git a/.github/workflows/Unit-Test.yml b/.github/workflows/Unit-Test.yml
index 7d9400f6e..4bb975986 100644
--- a/.github/workflows/Unit-Test.yml
+++ b/.github/workflows/Unit-Test.yml
@@ -6,7 +6,9 @@ on:
 - created
 merge_group:
 pull_request:
- # push:
+ types:
+ - opened
+ - ready_for_review
 workflow_dispatch:
 # workflow_run:
 # workflows: [Build]
diff --git a/lib/buildsystems/ruby.rb b/lib/buildsystems/ruby.rb
index a0395dc99..2447c1048 100644
--- a/lib/buildsystems/ruby.rb
+++ b/lib/buildsystems/ruby.rb
@@ -47,7 +47,7 @@ def set_vars(passed_name = nil, passed_version = nil)
 # here: https://guides.rubygems.org/rubygems-org-compact-index-api/
 # Figure out gem name, noting that there may be dashes and underscores
 # in the name.
- gem_test = $gems.grep(/#{"^#{passed_name.gsub(/^ruby_/, '')}\\s.*$"}/).last.blank? ? $gems.grep(/#{"^\(#{passed_name.gsub(/^ruby_/, '').gsub('_', ')*.(')}\\s\).*$"}/).last : $gems.grep(/#{"^#{passed_name.gsub(/^ruby_/, '')}\\s.*$"}/).last
+ gem_test = $gems.grep(/#{"^#{passed_name.gsub(/^ruby_/, '')}\\s.*$"}/).last.blank? ? $gems.grep(/#{"^\(#{passed_name.gsub(/^ruby_/, '').gsub('_', ')+.(')}\\s\).*$"}/).last : $gems.grep(/#{"^#{passed_name.gsub(/^ruby_/, '')}\\s.*$"}/).last
 abort "Cannot find #{passed_name} gem to install.".lightred if gem_test.blank?
 gem_test_name = gem_test.split.first
 gem_test_versions = gem_test.split[1].split(',')
diff --git a/packages/ruby_resolv.rb b/packages/ruby_resolv.rb
index 058bced03..14cf1b90b 100644
--- a/packages/ruby_resolv.rb
+++ b/packages/ruby_resolv.rb
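Review bot: Restricting `pull_request` to `types:` `opened` and `ready_for_review` drops the default `synchronize` and `reopened` events, so commits pushed to a PR after it was opened no longer re-run the unit tests on the PR itself. If the `merge_group` run is meant to be the only gate for later pushes, record that above `types:` with a comment such as `# later pushes are only tested in the merge queue`; otherwise add `- synchronize`. The rest of the `on:` block is outside the hunk.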
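Review bot: The fallback pattern on the new `gem_test` line is still looser than a gem-name lookup should be: `passed_name` is interpolated without `Regexp.escape`, the `.` between segments accepts any character, and `(seg)+` accepts a repeated segment, so `ruby_foo_bar` would also match an index entry named `fooXbar` or `foofoo-bar`, and `.last` then takes whichever match comes last. Because this line decides which gem gets installed, match only the separators the naming scheme allows, e.g. `sep = passed_name.delete_prefix('ruby_').split('_').map { |s| Regexp.escape(s) }.join('[-_]')` followed by `$gems.grep(/\A#{sep}\s/).last`. The exact-name `grep` is also evaluated twice in the ternary; holding it in a local would make the line readable. `set_vars` starts and ends outside the hunk.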
@@ -3,17 +3,17 @@ require 'buildsystems/ruby'
 class Ruby_resolv < RUBY
 description 'Thread-aware dns resolver library in ruby.'
 homepage 'https://github.com/ruby/resolv'
- version "0.6.1-#{CREW_RUBY_VER}"
+ version "0.6.2-#{CREW_RUBY_VER}"
 license 'BSD-2-Clause'
 compatibility 'all'
 source_url 'SKIP'
 binary_compression 'gem'
 binary_sha256({
- aarch64: '05f7c1b496933738df9137d832add02f3dc410ccef7aa0a791556cc92104e9d5',
- armv7l: '05f7c1b496933738df9137d832add02f3dc410ccef7aa0a791556cc92104e9d5',
- i686: '840ce5ea587b975310568ff07592e46104291654cb46a62550e3114a770896c3',
- x86_64: '5f3f544c343bcee028d5a9393205bb0c9b1b95eb730627496cd2412f203a9f4a'
+ aarch64: '12a1218aa609dec6d3224a70bec81048df66f7904dd8669e6a821812958ab1f7',
+ armv7l: '12a1218aa609dec6d3224a70bec81048df66f7904dd8669e6a821812958ab1f7',
+ i686: 'ec1d546a2e400b713cbfb3765a5e640d39f44c6a621ed39993c4ce7601a2e698',
+ x86_64: '8d6074bb8df8d1239230b9b6f118e99e1419c23d9fb13352cb9ceef73d057654'
 })
 conflicts_ok
diff --git a/tools/update_python_pip_packages.rb b/tools/update_python_pip_packages.rb
index fb7f352ed..5414dc2bf 100755
--- a/tools/update_python_pip_packages.rb
+++ b/tools/update_python_pip_packages.rb
@@ -11,6 +11,7 @@ $LOAD_PATH.unshift './lib'
 require_relative '../lib/color'
 require_relative '../lib/const'
+require_relative '../lib/convenience_functions'
 require_relative '../lib/package'
 require_relative '../lib/package_utils'
 require_relative '../lib/require_gem'
@@ -71,7 +72,7 @@ def check_for_updated_python_packages
 pool.wait_for_termination
 puts "Done checking pypi for updates to #{total_files_to_check} python packages.".orange
- puts "Updated versions were not listed in pypi for: #{packages_without_pypi_versions.join(' ')}".orange
+ puts "Updated versions were not listed in pypi for: #{packages_without_pypi_versions.join(' ')}".orange unless packages_without_pypi_versions.blank?
 return updateable_packages
 end
diff --git a/tools/update_ruby_gem_packages.rb b/tools/update_ruby_gem_packages.rb
index 35c5ea77d..be11de9de 100755
--- a/tools/update_ruby_gem_packages.rb
+++ b/tools/update_ruby_gem_packages.rb
@@ -1,5 +1,5 @@
 #!/usr/local/bin/ruby
-# update_ruby_gem_packages version 2.0 (for Chromebrew)
+# update_ruby_gem_packages version 2.1 (for Chromebrew)
 # Author: Satadru Pramanik (satmandu) satadru at gmail dot com
 # Usage in root of cloned chromebrew repo:
 # tools/update_ruby_gem_packages.rb
@@ -11,6 +11,7 @@ require 'json'
 require 'net/http'
 require_relative '../lib/color'
 require_relative '../lib/const'
+require_relative '../lib/convenience_functions'
 require_relative '../lib/package'
 require_relative '../lib/package_utils'
 require_relative '../lib/require_gem'
@@ -40,7 +41,11 @@ def check_for_updated_ruby_packages
 gem_name = pkg.name.sub('ruby_', '')
 # We replace all dashes with underscores in our initial package names, but some gems actually use underscores, so we need special cases.
 # This list was created by looking at what packages were listed as not having updates in rubygems, and then looking up the upstream name for them.
- if %w[connection_pool error_highlight mini_mime multi_xml mutex_m power_assert regexp_parser repl_type_completor ruby2_keywords syntax_suggest].include?(gem_name)
+ if %w[
+ connection_pool error_highlight lint_roller method_source
+ mini_mime multi_xml mutex_m power_assert regexp_parser
+ repl_type_completor ruby2_keywords syntax_suggest
+ ].include?(gem_name)
 # These gems used underscores originally, so don't replace anything
 elsif gem_name == 'language_server_protocol'
 # These gems have an underscore then a dash, but there's only one, so we hardcode the logic for now.
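Review bot: The growing `%w[...]` exception list in `check_for_updated_ruby_packages` maps a `ruby_*` package to its upstream gem name by a different rule than the pattern lookup in `lib/buildsystems/ruby.rb` touched by the same commit, so the two can disagree about which rubygems entry a package refers to (inferred from the comments in this hunk). Hoisting the list into one frozen, documented constant, e.g. `UNDERSCORE_GEM_NAMES = %w[...].freeze` with the comment `# upstream gem names that really contain '_'`, gives a single place to audit and avoids rebuilding the array for every package checked. The function continues outside the hunk.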
@@ -75,7 +80,7 @@ def check_for_updated_ruby_packages
 pool.wait_for_termination
 puts "Done checking rubygems for updates to #{total_files_to_check} ruby packages.\r".orange
- puts "Updated versions were not listed in rubygems for: #{packages_without_gem_versions.join(' ')}".orange
+ puts "Updated versions were not listed in rubygems for: #{packages_without_gem_versions.join(' ')}".orange unless packages_without_gem_versions.blank?
 return updateable_packages
 end