From a54773b5b6566a5785892ba63aa6369cb1b3da0c Mon Sep 17 00:00:00 2001
From: Rhuan Barreto
Date: Fri, 29 May 2026 02:57:47 +0200
Subject: [PATCH] fix(release): repair shim publishing for pypi and rubygem
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The v0.41.0 Publish Shims run failed two jobs:

- publish-pypi: `pip install build --hash=...` errored with
  `no such option: --hash` — `--hash` is only valid inside a
  requirements file, not on the pip command line. Switch to `uv build`,
  which provisions its own pinned, isolated build environment, removing
  the unpinned `pip install build` line entirely (Scorecard
  Pinned-Dependencies stays satisfied).
- publish-rubygem: `bundle exec rake release` failed with
  `rake is not currently included in the bundle` because Ruby 4.0 no
  longer ships rake as a bundled default gem. Declare it in the Gemfile.

Both fixes validated locally: `uv build` + `twine check` pass, and
`bundle install` + `bundle exec rake -T` (showing `release[remote]`)
pass in a ruby:4.0 container.

Signed-off-by: Rhuan Barreto
---
 .../archgate-developer/project_shim_publishing.md |  4 ++--
 .github/workflows/publish-shims.yml               | 13 ++++---------
 shims/rubygem/Gemfile                             |  4 ++++
 3 files changed, 10 insertions(+), 11 deletions(-)

diff --git a/.claude/agent-memory/archgate-developer/project_shim_publishing.md b/.claude/agent-memory/archgate-developer/project_shim_publishing.md
index 49714d34..73af813a 100644
--- a/.claude/agent-memory/archgate-developer/project_shim_publishing.md
+++ b/.claude/agent-memory/archgate-developer/project_shim_publishing.md
@@ -9,8 +9,8 @@ metadata: **When editing any shim under `shims/` or `publish-shims.yml`:** -- **PyPI** (`shims/pypi/`): `pyproject.toml` declares `readme = "README.md"`, so `shims/pypi/README.md` MUST exist or `python -m build` fails with `OSError: Readme file does not exist`. -- **RubyGem** (`shims/rubygem/`): `rubygems/release-gem` runs `bundle exec rake release` from its `working-directory`. Requires (1) `working-directory: shims/rubygem` on BOTH `ruby/setup-ruby` (with `bundler-cache: true`) and `rubygems/release-gem`; (2) a `shims/rubygem/Rakefile` with `require "bundler/gem_tasks"` for the `release` task. Do NOT commit `Gemfile.lock` — bundler-cache generates it untracked, keeping `release:guard_clean` happy. +- **PyPI** (`shims/pypi/`): `pyproject.toml` declares `readme = "README.md"`, so `shims/pypi/README.md` MUST exist or the build fails with `OSError: Readme file does not exist`. The job builds with **`uv build --python 3.12`** (via `astral-sh/setup-uv`, SHA-pinned) — uv provisions its own version-pinned, isolated build env, so there is no `pip install build` line for Scorecard Pinned-Dependencies to flag. Do NOT reintroduce the `pip install build==X --hash=...` form: **`--hash` is NOT a valid `pip install` command-line option** (only valid inside a requirements file), so it fails with `no such option: --hash` — that broke the v0.41.0 release (introduced unverified in #361 since the workflow only runs at release time). +- **RubyGem** (`shims/rubygem/`): `rubygems/release-gem` runs `bundle exec rake release` from its `working-directory`. 
Requires (1) `working-directory: shims/rubygem` on BOTH `ruby/setup-ruby` (with `bundler-cache: true`) and `rubygems/release-gem`; (2) a `shims/rubygem/Rakefile` with `require "bundler/gem_tasks"` for the `release` task; (3) **`gem "rake"` declared in `shims/rubygem/Gemfile`** — Ruby 4.0 no longer ships rake as a bundled default gem, so `bundle exec rake` fails with `rake is not currently included in the bundle` (broke the v0.41.0 release when the runner moved to Ruby 4.0.5). Do NOT commit `Gemfile.lock` — bundler-cache generates it untracked, keeping `release:guard_clean` happy. - **Maven** (`shims/maven/pom.xml`): use `validated` with `true`, NOT `published` — the latter blocks until Sonatype finishes publishing, which routinely exceeds the job timeout (upload succeeds, then the build hangs on "Waiting until Deployment ... is published"). **Re-runs are not idempotent:** `publish-go-tag` (creates a git tag), `publish-nuget`, and an already-uploaded Maven deploy fail on "already exists" on a second run. After a partial failure, apply the fix to the next version bump or `workflow_dispatch` only the failed ecosystems. diff --git a/.github/workflows/publish-shims.yml b/.github/workflows/publish-shims.yml index 7e832565..d2089449 100644 --- a/.github/workflows/publish-shims.yml +++ b/.github/workflows/publish-shims.yml 
@@ -58,17 +58,12 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ github.event.release.tag_name || inputs.tag }} - - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 - with: - python-version: "3.12" + - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 - name: Build package working-directory: shims/pypi - run: | - pip install 'build==1.5.0' \ - --require-hashes \ - --hash=sha256:13f3eecb844759ab66efec90ca17639bbf14dc06cb2fdf37a9010322d9c50a6f \ - --hash=sha256:302c22c3ba2a0fd5f3911918651341ebb3896176cbdec15bd421f80b1afc7647 - python -m build + # `uv build` provisions an isolated, version-pinned build environment + # itself — no unpinned `pip install build` (Scorecard Pinned-Dependencies). + run: uv build --python 3.12 - name: Publish to PyPI uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 with: diff --git a/shims/rubygem/Gemfile b/shims/rubygem/Gemfile index 838eb874..208d60ac 100644 --- a/shims/rubygem/Gemfile +++ b/shims/rubygem/Gemfile @@ -4,6 +4,10 @@ source "https://rubygems.org" gemspec +# rake is required by `bundle exec rake release` (rubygems/release-gem action). +# Ruby 4.0 no longer ships rake as a bundled default gem, so it must be declared. +gem "rake", "~> 13.0" + group :test do gem "minitest", "~> 6.0" gem "minitest-mock", "~> 5.0"
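Review bot: The PyPI bullet in `project_shim_publishing.md` says the `--hash` form went in "unverified in #361 since the workflow only runs at release time", but neither the PyPI nor the RubyGem bullet records how to check a workflow change before a release. The commit message lists the checks that were run locally (`uv build` plus `twine check`, and `bundle install` plus `bundle exec rake -T` in a ruby:4.0 container); adding those commands to the two bullets would give the next editor a concrete pre-release check. The PyPI bullet also calls the uv build environment "version-pinned" without saying where that pin is defined, which is worth stating or softening.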
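Review bot: In the `publish-pypi` job of `.github/workflows/publish-shims.yml`, the `astral-sh/setup-uv` step is pinned by commit SHA but has no `with:` block, so the uv release it installs is not fixed by anything in this hunk; setting the action's `version` input would pin the tool that now builds the release artifact. The removed lines at least attempted to hash-verify the build frontend, while the replacement `run: uv build --python 3.12` shows no hash or constraint input, so the new comment's "version-pinned build environment" rests on configuration outside this diff (for example, whatever `shims/pypi/pyproject.toml` lists as build requirements). Either point the comment at where those pins live or drop "version-pinned".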
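Review bot: `gem "rake", "~> 13.0"` in `shims/rubygem/Gemfile` accepts any 13.x release, and the memory note in this same patch says `Gemfile.lock` is not committed, so the rake version behind `bundle exec rake release` is resolved fresh on every release run. Because this gem executes in the job that publishes the package, consider an exact version constraint here, with a short comment that the pin has to be bumped by hand.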