Update to 4.0.0-preview2

[tianon]

3.5 is now 4.0: ruby/ruby@6d81969

[tianon]

lol, lmao, great; it lights up like the Christmas tree 4.0 will eventually be

[yosifkit]

Could not find compatible versions

Because bundler-audit >= 0.6.1 depends on bundler >= 1.2.0, < 3
and the current Bundler version (4.0.0.dev) does not satisfy bundler >= 1.2.0,
< 3,
  bundler-audit >= 0.6.1 cannot be used.
So, because Gemfile depends on bundler-audit = 0.9.1,
  version solving has failed.

ruby-binstubs test will be fixed by rubysec/bundler-audit#409 once a release happens (and we bump our Gemfile)

The `--deployment` flag has been removed because it relied on being remembered
across bundler invocations, which bundler no longer does. Instead please use
`bundle config set deployment true`, and stop using this flag
	'ruby-nonroot' [6/8]...failed

For ruby-bundler and ruby-nonroot, I think we just need to do the config set or maybe BUNDLE_DEPLOYMENT would work.

[tianon]

Close + reopen to pick up docker-library/official-images#20310 in CI

[Earlopain]

Do the test containers have git available (no idea how this gets run)? If that is the case, you can temporarily pin to the repository, that should get this green then:

# Pinned to commit to allow bundler 4. Revert once https://github.com/rubysec/bundler-audit/pull/409 is released
gem 'bundler-audit', git: "https://github.com/rubysec/bundler-audit", ref: "309d20356a7ea435d0f92982b6fcb2a4bd57db66"

[tianon]

Heh, yeah, the rabbit hole goes deeper though, unfortunately! Here's what I'm at right now:

diff --git a/test/tests/ruby-binstubs/Gemfile b/test/tests/ruby-binstubs/Gemfile
index dd9516655..5760efb93 100644
--- a/test/tests/ruby-binstubs/Gemfile
+++ b/test/tests/ruby-binstubs/Gemfile
@@ -1,3 +1,8 @@
 source 'https://rubygems.org'
-gem 'bundler-audit', '0.9.1'
+
+# https://github.com/rubysec/bundler-audit/pull/409
+# TODO drop this all back down to just "gem 'bundler-audit', '0.9.3'" once it's released: https://github.com/rubysec/bundler-audit/releases
+gem 'rubygems-tasks', github: 'postmodern/rubygems-tasks', ref: '8a080d9a730218e957bb8a1c9ab72f025c61d229' # https://github.com/postmodern/rubygems-tasks/pull/28 (this is a dep of bundler-audit)
+gem 'bundler-audit', github: 'rubysec/bundler-audit', ref: '309d20356a7ea435d0f92982b6fcb2a4bd57db66'
+
 gem 'brakeman', '5.4.1'

and it fails like this, after bundle install:

/usr/local/lib/ruby/4.0.0+0/rubygems.rb:263:in 'Gem.find_spec_for_exe': can't find gem bundler-audit (>= 0.a) with executable bundler-audit (Gem::GemNotFoundException)
	from /usr/local/lib/ruby/4.0.0+0/rubygems.rb:237:in 'Gem.find_and_activate_spec_for_exe'
	from /usr/local/lib/ruby/4.0.0+0/rubygems.rb:282:in 'Gem.activate_and_load_bin_path'
	from /usr/local/bundle/bin/bundler-audit:25:in '<main>'

(adding rubygems-tasks explicitly was an attempt to fix this issue, because I wasn't convinced it was installing bundler-audit successfully since the output changes and in a way that makes very little sense, so it's probably not necessary since it didn't fix this)

[Earlopain]

Hm, it works locally for me. How are you testing in the container? I didn't really figure that one out.

[tianon]

Our test harness effectively does ./run.sh image, so I'm doing ./run.sh ruby:4.0-rc. A few layers of abstraction later, it essentially does docker build to copy Gemfile and container.sh into the image, then runs container.sh, which copies the Gemfile to a new (known-writable) directory, and then goes into it and runs bundle install and then bundle audit version.

https://github.com/docker-library/official-images/tree/215fa7075010e3f2da20008b1a3a223b788beb0d/test/tests/ruby-binstubs

[tianon]

It's really driving me nuts; bundle info bundler-audit just before bundle audit version works fine:

Use `bundle info [gemname]` to see where a bundled gem is installed.
  * bundler-audit (0.9.2 309d203)
	Summary: Patch-level verification for Bundler
	Homepage: https://github.com/rubysec/bundler-audit#readme
	Documentation: https://rubydoc.info/gems/bundler-audit
	Source Code: https://github.com/rubysec/bundler-audit
	Changelog: https://github.com/rubysec/bundler-audit/blob/master/ChangeLog.md
	Bug Tracker: https://github.com/rubysec/bundler-audit/issues
	Path: /usr/local/bundle/bundler/gems/bundler-audit-309d20356a7e

[Earlopain]

Oh, this might just not work as a git gem. I already had bundler-audit available previously, if I uninstall it fails to find the git gem locally for me as well.

Seems irrelevant actually which version is in the gemfile, it always uses the latest available version. So the gemfile is just there to install the gems, and for bundler audit it is irrelevant and simply uses whatever is already installed (I wonder if that is a bundler bug)

I guess this is ruby/rubygems#6957 or one of the related PRs/Issues

[tianon]

I've opened docker-library/official-images#20318 with a different potential solution that hopefully still preserves the intent of the test -- I'm running it against all current tags of ruby and jruby now. 👍

[Earlopain]

Nice, I looked for a different one but no luck. I think this is a good replacement, it adds the command in exactly the same way