chore(deps): automate Gemfile.lock maintenance (phase 1)#34666

Open
torreypayne wants to merge 4 commits into main from chore/automate-gemfile-locks-phase-1

Conversation

@torreypayne

Member

Overview

This PR implements Phase 1 of the organization-wide compliance initiative to generate and maintain deterministic Gemfile.lock files across Ruby client libraries (resolving b/509981628).

For the full architectural strategy, throughput analysis, and multi-phase rollout cadence, please see the proposal document in Google Drive:
📄 Scale & Automate Dependency Security across Ruby Repositories (P1 Compliance)


Phase 1 Scope & Changes

Rather than attempting to generate and maintain ~880 lockfiles across google-cloud-ruby in a single unmanageable PR, this PR establishes a hybrid automation architecture rolling out in manageable weekly batches:

  1. Renovate Lockfile Maintenance (.github/renovate.json):

    • Enables weekly scheduled bundle lock --update runs (before 5am on monday).
    • Enforces Conventional Commits (chore(deps): maintain Gemfile.lock files) in compliance with Ruby Cloud SDK team versioning rules.
    • Scopes Phase 1 maintenance exclusively to core handwritten gems:
      • google-cloud-core
      • google-cloud-storage
      • google-cloud-pubsub
      • google-cloud-spanner
      • google-cloud-bigquery
      • google-cloud-errors
  2. Batch Generation Workflow (.github/workflows/generate-lockfiles.yml):

    • Adds a matrix sharding workflow to generate initial Gemfile.lock files in parallel batches without exceeding hosted runner container timeout limits.

Rollout Cadence

  • Phase 1 (This PR): Core & Handwritten Gems (~20 gems)
  • Phase 2 (Week 2): Generated Gems (google-cloud-[a-d]*)
  • Phase 3 (Week 3): Generated Gems (google-cloud-[e-o]*)
  • Phase 4 (Week 4): Generated Gems (google-cloud-[p-z]*)

Reviewed and coordinated with @andreassa as part of the multi-phase compliance rollout.
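As an added illustration, not code from this PR or from google-cloud-ruby, here is a small Ruby audit of the kind a batch run could use to report which gem directories still lack a Gemfile.lock and what an existing lock pins. The gem names and sample lockfile are constructed; the parser follows Bundler's lockfile layout (four-space indent for resolved specs, GIT/PATH sections for non-rubygems sources).

```ruby
require "fileutils"
require "tmpdir"

# Parse a Gemfile.lock's resolved specs into {gem => version}; GIT/PATH sections are flagged for review.
def parse_lockfile(text)
  pins, sources, section = {}, [], nil
  text.each_line do |line|
    case line
    when /\A(GEM|GIT|PATH|PLATFORMS|DEPENDENCIES|BUNDLED WITH)\s*\z/
      section = $1
      sources << section if %w[GIT PATH].include?(section)
    when /\A    (\S+) \(([^)]+)\)\s*\z/ # four spaces: a resolved spec, not a dependency line
      pins[$1] = $2 if section == "GEM"
    end
  end
  [pins, sources.uniq]
end
# Report lockfile coverage for every gem directory under root that carries a Gemfile.
def audit(root)
  Dir.glob(File.join(root, "*", "Gemfile")).sort.map do |gemfile|
    dir = File.dirname(gemfile)
    name = File.basename(dir)
    lock = File.join(dir, "Gemfile.lock")
    if File.exist?(lock)
      pins, sources = parse_lockfile(File.read(lock))
      { name: name, locked: true, pins: pins, nonrubygems_sources: sources }
    else
      { name: name, locked: false }
    end
  end
end
# Constructed sample lockfile (not from the repository) in Bundler's layout.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      google-cloud-core (1.7.0)
        google-cloud-env (>= 1.0, < 3.a)
      google-cloud-env (2.1.1)

  DEPENDENCIES
    google-cloud-core!
LOCK
# Constructed sample tree: one gem already locked, one still waiting for its batch.
def build_sample_tree(root)
  %w[google-cloud-core google-cloud-errors].each do |g|
    FileUtils.mkdir_p(File.join(root, g))
    File.write(File.join(root, g, "Gemfile"), "source 'https://rubygems.org'\ngemspec\n")
  end
  File.write(File.join(root, "google-cloud-core", "Gemfile.lock"), SAMPLE_LOCK)
end
```

Run `Dir.mktmpdir { |root| build_sample_tree(root); p audit(root) }` to see one locked and one unlocked entry; pointing `audit` at a checkout reports the real coverage of a batch.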

Torrey Payne and others added 2 commits June 24, 2026 03:05
@torreypayne torreypayne marked this pull request as ready for review June 25, 2026 20:34
@torreypayne torreypayne requested review from a team and yoshi-approver as code owners June 25, 2026 20:34

@suztomo suztomo left a comment

Member


Would you familiarize yourself with this zizmor tool? go/github-zizmor-help?polyglot=github-com#local-scans-run-zizmor-on-your-cloudtop It tells you the fixes for GitHub Actions.

Comment thread on .github/workflows/generate-lockfiles.yml (outdated)
@torreypayne

Member Author

> Would you familiarize yourself with this zizmor tool? go/github-zizmor-help?polyglot=github-com#local-scans-run-zizmor-on-your-cloudtop It tells you the fixes for GitHub Actions.

Installed, ran, and fixes applied! Thanks for introducing me to the tool 👍🏿
