From 5c281f9eac54c462570571cf5c9c3e6002bd7cd1 Mon Sep 17 00:00:00 2001 From: Rhuan Barreto Date: Fri, 29 May 2026 02:50:13 +0200 Subject: [PATCH 1/5] fix(shims): fix rubygem and pypi publish failures MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Ruby 4.0 removed rake from default gems — add it to the Gemfile. pip 25.1+ dropped --hash as a CLI argument — move hash-pinned build deps to a requirements file where --hash is still supported. Signed-off-by: Rhuan Barreto --- .github/workflows/publish-shims.yml | 5 +---- shims/pypi/requirements-build.txt | 3 +++ shims/rubygem/Gemfile | 2 ++ 3 files changed, 6 insertions(+), 4 deletions(-) create mode 100644 shims/pypi/requirements-build.txt diff --git a/.github/workflows/publish-shims.yml b/.github/workflows/publish-shims.yml index 7e832565..036079da 100644 --- a/.github/workflows/publish-shims.yml +++ b/.github/workflows/publish-shims.yml @@ -64,10 +64,7 @@ jobs: - name: Build package working-directory: shims/pypi run: | - pip install 'build==1.5.0' \ - --require-hashes \ - --hash=sha256:13f3eecb844759ab66efec90ca17639bbf14dc06cb2fdf37a9010322d9c50a6f \ - --hash=sha256:302c22c3ba2a0fd5f3911918651341ebb3896176cbdec15bd421f80b1afc7647 + pip install --require-hashes -r requirements-build.txt python -m build - name: Publish to PyPI uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 diff --git a/shims/pypi/requirements-build.txt b/shims/pypi/requirements-build.txt new file mode 100644 index 00000000..7ede08af --- /dev/null +++ b/shims/pypi/requirements-build.txt @@ -0,0 +1,3 @@ +build==1.5.0 \ + --hash=sha256:13f3eecb844759ab66efec90ca17639bbf14dc06cb2fdf37a9010322d9c50a6f \ + --hash=sha256:302c22c3ba2a0fd5f3911918651341ebb3896176cbdec15bd421f80b1afc7647 diff --git a/shims/rubygem/Gemfile b/shims/rubygem/Gemfile index 838eb874..261254e5 100644 --- a/shims/rubygem/Gemfile +++ b/shims/rubygem/Gemfile 
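Review bot: The new shims/pypi/requirements-build.txt pins and hashes only `build==1.5.0`, but pip's hash-checking mode requires every requirement it installs, including build's own dependencies, to be pinned with `==` and carry a `--hash`. Unless those dependencies are already present on the runner, `pip install --require-hashes -r requirements-build.txt` would presumably stop at the first unhashed one. Generating the file from a resolver that emits hashes for the whole closure (for example `pip-compile --generate-hashes`) keeps the pinning complete. Since the workflow only runs at release time, a dry run on a branch would confirm this before the next tag.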
@@ -4,6 +4,8 @@ source "https://rubygems.org" gemspec +gem "rake", ">= 13.0" + group :test do gem "minitest", "~> 6.0" gem "minitest-mock", "~> 5.0" From 14434bc7dbe669965cb9adfb10a7aa3729ba53c7 Mon Sep 17 00:00:00 2001 From: Rhuan Barreto Date: Fri, 29 May 2026 02:54:23 +0200 Subject: [PATCH 2/5] refactor(shims): replace pip with uv for pypi build uv build handles the entire sdist+wheel pipeline from pyproject.toml without needing a separate build dep install step. Eliminates the pip --hash compatibility issue entirely. Locally validated: uv build produces archgate-0.41.0 sdist + wheel. Signed-off-by: Rhuan Barreto --- .github/workflows/publish-shims.yml | 6 ++---- shims/pypi/requirements-build.txt | 3 --- 2 files changed, 2 insertions(+), 7 deletions(-) delete mode 100644 shims/pypi/requirements-build.txt diff --git a/.github/workflows/publish-shims.yml b/.github/workflows/publish-shims.yml index 036079da..521b79e9 100644 --- a/.github/workflows/publish-shims.yml +++ b/.github/workflows/publish-shims.yml @@ -58,14 +58,12 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ github.event.release.tag_name || inputs.tag }} - - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 with: python-version: "3.12" - name: Build package working-directory: shims/pypi - run: | - pip install --require-hashes -r requirements-build.txt - python -m build + run: uv build - name: Publish to PyPI uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 with: diff --git a/shims/pypi/requirements-build.txt b/shims/pypi/requirements-build.txt deleted file mode 100644 index 7ede08af..00000000 --- a/shims/pypi/requirements-build.txt +++ /dev/null 
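Review bot: The `run: uv build` step in publish-shims.yml no longer verifies any hashes: the `--require-hashes` install is removed and nothing replaces it. The build backend is presumably resolved from `[build-system] requires` in pyproject.toml (not shown here) at release time, in a job that goes on to publish to PyPI. A hashed constraints file would restore the check, e.g. `run: uv build --build-constraint build-constraints.txt --require-hashes`. Separately, `astral-sh/setup-uv` is pinned by SHA, but no `version:` input is set, so the uv release it downloads may float; adding `version: "<pinned uv version>"` under `with:` would fix that.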
@@ -1,3 +0,0 @@ -build==1.5.0 \ - --hash=sha256:13f3eecb844759ab66efec90ca17639bbf14dc06cb2fdf37a9010322d9c50a6f \ - --hash=sha256:302c22c3ba2a0fd5f3911918651341ebb3896176cbdec15bd421f80b1afc7647 From eb6d48cc1ad20e30ffb4ad796d3d6cf15706ee71 Mon Sep 17 00:00:00 2001 From: Rhuan Barreto Date: Fri, 29 May 2026 03:05:41 +0200 Subject: [PATCH 3/5] refactor(shims): adopt PR #378 improvements - Use `uv build --python 3.12` instead of action-level python-version - Use pessimistic `~> 13.0` constraint for rake (idiomatic Ruby) - Add comments explaining why rake and uv build are needed Signed-off-by: Rhuan Barreto --- .github/workflows/publish-shims.yml | 6 +++--- shims/rubygem/Gemfile | 4 +++- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/publish-shims.yml b/.github/workflows/publish-shims.yml index 521b79e9..d2089449 100644 --- a/.github/workflows/publish-shims.yml +++ b/.github/workflows/publish-shims.yml @@ -59,11 +59,11 @@ jobs: with: ref: ${{ github.event.release.tag_name || inputs.tag }} - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 - with: - python-version: "3.12" - name: Build package working-directory: shims/pypi - run: uv build + # `uv build` provisions an isolated, version-pinned build environment + # itself — no unpinned `pip install build` (Scorecard Pinned-Dependencies). + run: uv build --python 3.12 - name: Publish to PyPI uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 with: diff --git a/shims/rubygem/Gemfile b/shims/rubygem/Gemfile index 261254e5..208d60ac 100644 --- a/shims/rubygem/Gemfile +++ b/shims/rubygem/Gemfile @@ -4,7 +4,9 @@ source "https://rubygems.org" gemspec -gem "rake", ">= 13.0" +# rake is required by `bundle exec rake release` (rubygems/release-gem action). +# Ruby 4.0 no longer ships rake as a bundled default gem, so it must be declared. +gem "rake", "~> 13.0" group :test do gem "minitest", "~> 6.0" 
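Review bot: The comment added above `run: uv build --python 3.12` calls the build environment "version-pinned", which overstates what this step guarantees. The environment is isolated, but no constraint or hash file is passed, so the build requirements are presumably resolved from pyproject.toml at run time. I would reword it to `# uv build creates an isolated build environment; build requirements come from pyproject.toml and are not hash-pinned by this step.` so the step is not read as satisfying Pinned-Dependencies for the build backend.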
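Review bot: `gem "rake", "~> 13.0"` in shims/rubygem/Gemfile accepts any 13.x release, and the shim-publishing note changed in patch 5 says Gemfile.lock is deliberately not committed. The release job therefore resolves whichever 13.x is newest when it runs `bundle exec rake release`. If that job holds gem push credentials, an exact constraint such as `gem "rake", "= <reviewed 13.x version>"`, bumped by Renovate/Dependabot, would make the code that runs at release time reviewable.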
From 6625f557b0c8b06b1ad2e4de35379868bec884eb Mon Sep 17 00:00:00 2001 From: Rhuan Barreto Date: Fri, 29 May 2026 03:06:31 +0200 Subject: [PATCH 4/5] fix(shims): move python-version back to action input Keep python-version as a setup-uv action input so Renovate/Dependabot can detect and bump it automatically. Signed-off-by: Rhuan Barreto --- .github/workflows/publish-shims.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/publish-shims.yml b/.github/workflows/publish-shims.yml index d2089449..cd818efd 100644 --- a/.github/workflows/publish-shims.yml +++ b/.github/workflows/publish-shims.yml @@ -59,11 +59,13 @@ jobs: with: ref: ${{ github.event.release.tag_name || inputs.tag }} - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 + with: + python-version: "3.12" - name: Build package working-directory: shims/pypi # `uv build` provisions an isolated, version-pinned build environment # itself — no unpinned `pip install build` (Scorecard Pinned-Dependencies). - run: uv build --python 3.12 + run: uv build - name: Publish to PyPI uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 with: From 3c5bb4098838c7092a004041a4449192e499c1d9 Mon Sep 17 00:00:00 2001 From: Rhuan Barreto Date: Fri, 29 May 2026 03:07:00 +0200 Subject: [PATCH 5/5] docs(memory): update shim publishing notes with v0.41.0 root causes Document pip --hash CLI removal and Ruby 4.0 rake default gem removal so future agents don't reintroduce the broken patterns. Signed-off-by: Rhuan Barreto --- .../archgate-developer/project_shim_publishing.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.claude/agent-memory/archgate-developer/project_shim_publishing.md b/.claude/agent-memory/archgate-developer/project_shim_publishing.md index 49714d34..73af813a 100644 --- a/.claude/agent-memory/archgate-developer/project_shim_publishing.md 
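Review bot: After this hunk the workflow runs plain `uv build` with `python-version: "3.12"` on the setup-uv step, but the project_shim_publishing.md note updated in patch 5 still says the job builds with `uv build --python 3.12`. One of the two should change so the memory note matches the workflow. A short comment on the `with:` block would also record why the version lives there, e.g. `# kept as an action input so Renovate/Dependabot can bump it`.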
+++ b/.claude/agent-memory/archgate-developer/project_shim_publishing.md 
@@ -9,8 +9,8 @@ metadata: **When editing any shim under `shims/` or `publish-shims.yml`:** -- **PyPI** (`shims/pypi/`): `pyproject.toml` declares `readme = "README.md"`, so `shims/pypi/README.md` MUST exist or `python -m build` fails with `OSError: Readme file does not exist`. -- **RubyGem** (`shims/rubygem/`): `rubygems/release-gem` runs `bundle exec rake release` from its `working-directory`. Requires (1) `working-directory: shims/rubygem` on BOTH `ruby/setup-ruby` (with `bundler-cache: true`) and `rubygems/release-gem`; (2) a `shims/rubygem/Rakefile` with `require "bundler/gem_tasks"` for the `release` task. Do NOT commit `Gemfile.lock` — bundler-cache generates it untracked, keeping `release:guard_clean` happy. +- **PyPI** (`shims/pypi/`): `pyproject.toml` declares `readme = "README.md"`, so `shims/pypi/README.md` MUST exist or the build fails with `OSError: Readme file does not exist`. The job builds with **`uv build --python 3.12`** (via `astral-sh/setup-uv`, SHA-pinned) — uv provisions its own version-pinned, isolated build env, so there is no `pip install build` line for Scorecard Pinned-Dependencies to flag. Do NOT reintroduce the `pip install build==X --hash=...` form: **`--hash` is NOT a valid `pip install` command-line option** (only valid inside a requirements file), so it fails with `no such option: --hash` — that broke the v0.41.0 release (introduced unverified in #361 since the workflow only runs at release time). +- **RubyGem** (`shims/rubygem/`): `rubygems/release-gem` runs `bundle exec rake release` from its `working-directory`. 
Requires (1) `working-directory: shims/rubygem` on BOTH `ruby/setup-ruby` (with `bundler-cache: true`) and `rubygems/release-gem`; (2) a `shims/rubygem/Rakefile` with `require "bundler/gem_tasks"` for the `release` task; (3) **`gem "rake"` declared in `shims/rubygem/Gemfile`** — Ruby 4.0 no longer ships rake as a bundled default gem, so `bundle exec rake` fails with `rake is not currently included in the bundle` (broke the v0.41.0 release when the runner moved to Ruby 4.0.5). Do NOT commit `Gemfile.lock` — bundler-cache generates it untracked, keeping `release:guard_clean` happy. - **Maven** (`shims/maven/pom.xml`): use `validated` with `true`, NOT `published` — the latter blocks until Sonatype finishes publishing, which routinely exceeds the job timeout (upload succeeds, then the build hangs on "Waiting until Deployment ... is published"). **Re-runs are not idempotent:** `publish-go-tag` (creates a git tag), `publish-nuget`, and an already-uploaded Maven deploy fail on "already exists" on a second run. After a partial failure, apply the fix to the next version bump or `workflow_dispatch` only the failed ecosystems.