From 274be085c7383387f1cea1126082ac40490ad99c Mon Sep 17 00:00:00 2001
From: Torrey Payne
Date: Wed, 24 Jun 2026 03:05:54 +0000
Subject: [PATCH 1/4] chore(deps): automate Gemfile.lock maintenance (phase 1)

Automate Gemfile.lock generation and periodic maintenance for compliance mandate https://b.corp.google.com/issues/509981628.
---
 .github/renovate.json | 35 +++++++++++++++++++++-
 .github/workflows/generate-lockfiles.yml | 37 ++++++++++++++++++++++++
 2 files changed, 71 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/generate-lockfiles.yml

diff --git a/.github/renovate.json b/.github/renovate.json
index 3f7cf1598b24..8b54d78920ba 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -1,6 +1,39 @@
 {
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
 "extends": [
 "config:base"
 ],
- "rangeStrategy": "widen"
+ "semanticCommits": "enabled",
+ "semanticCommitType": "chore",
+ "semanticCommitScope": "deps",
+ "rangeStrategy": "widen",
+ "bundler": {
+ "enabled": true
+ },
+ "lockFileMaintenance": {
+ "enabled": true,
+ "automerge": false,
+ "schedule": [
+ "before 5am on monday"
+ ],
+ "commitMessageAction": "maintain Gemfile.lock files"
+ },
+ "packageRules": [
+ {
+ "description": "Phase 1: Core & Handwritten Gems Lockfile Rollout",
+ "matchFileNames": [
+ "google-cloud-core/**",
+ "google-cloud-storage/**",
+ "google-cloud-pubsub/**",
+ "google-cloud-spanner/**",
+ "google-cloud-bigquery/**",
+ "google-cloud-errors/**"
+ ],
+ "groupName": "core handwritten gems lockfiles",
+ "rangeStrategy": "update-lockfile",
+ "lockFileMaintenance": {
+ "enabled": true
+ }
+ }
+ ]
 }
diff --git a/.github/workflows/generate-lockfiles.yml b/.github/workflows/generate-lockfiles.yml
new file mode 100644
index 000000000000..b5128678d039
--- /dev/null
+++ b/.github/workflows/generate-lockfiles.yml
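Review bot: The top-level `"lockFileMaintenance": { "enabled": true, ... }` turns maintenance on for every Gemfile.lock Renovate finds in the repository, so the `packageRules` entry that re-enables it for the six `matchFileNames` globs does not actually restrict Phase 1 to those gems. If the rollout is meant to be staged, leave the top-level block at its default (`"enabled": false`, keeping `schedule` and `commitMessageAction` there as shared settings) and let only the package rule enable it; `"automerge": false` is already the default and can be dropped. A `"description"` on the top-level block stating whether it is intentionally repository-wide would make the intent auditable.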
@@ -0,0 +1,37 @@
+name: Generate Gemfile.lock Batches
+
+on:
+ workflow_dispatch:
+ inputs:
+ batch_pattern:
+ description: "Gem directory glob pattern (e.g., google-cloud-core or google-cloud-a*)"
+ required: true
+ default: "google-cloud-core google-cloud-storage google-cloud-pubsub google-cloud-spanner google-cloud-bigquery google-cloud-errors"
+
+jobs:
+ generate-locks:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: ruby/setup-ruby@v1
+ with:
+ ruby-version: "3.3"
+ bundler-cache: false
+ - name: Generate Lockfiles for Batch
+ run: |
+ for gemdir in ${{ inputs.batch_pattern }}; do
+ if [ -f "$gemdir/Gemfile" ]; then
+ echo "Locking $gemdir..."
+ (cd "$gemdir" && bundle lock)
+ fi
+ done
+ - name: Create Pull Request
+ uses: peter-evans/create-pull-request@v6
+ with:
+ commit-message: "chore(deps): generate Gemfile.lock files for ${{ inputs.batch_pattern }}"
+ title: "chore(deps): generate Gemfile.lock files (${{ inputs.batch_pattern }})"
+ body: |
+ Automated initial `Gemfile.lock` generation for compliance mandate https://b.corp.google.com/issues/509981628.
+
+ Reviewed and coordinated with André as part of the multi-phase rollout.
+ branch: "chore/generate-locks-batch"

From d5d0d3794fcc8bedf808ccfd1383788a57147e29 Mon Sep 17 00:00:00 2001
From: Yoshi Automation Bot
Date: Thu, 25 Jun 2026 20:32:37 +0000
Subject: [PATCH 2/4] fix(deps): exclude spanner from default batch and force-stage generated lockfiles

---
 .github/workflows/generate-lockfiles.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/generate-lockfiles.yml b/.github/workflows/generate-lockfiles.yml
index b5128678d039..4b57aa362248 100644
--- a/.github/workflows/generate-lockfiles.yml
+++ b/.github/workflows/generate-lockfiles.yml
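Review bot: `branch: "chore/generate-locks-batch"` is a fixed name while `commit-message` and `title` embed `batch_pattern`, so dispatching the workflow for a second batch before the first PR merges will update the same branch and its open PR rather than opening a new one per batch. Either derive the branch name from the batch or let the action disambiguate with `branch-suffix: timestamp` under the same `with:` block. The PR `body` would also help reviewers if it said the files come from `bundle lock` on Ruby 3.3 with no dependency installation (`bundler-cache: false`), which is what the step above actually does.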
@@ -6,7 +6,7 @@ on:
 batch_pattern:
 description: "Gem directory glob pattern (e.g., google-cloud-core or google-cloud-a*)"
 required: true
- default: "google-cloud-core google-cloud-storage google-cloud-pubsub google-cloud-spanner google-cloud-bigquery google-cloud-errors"
+ default: "google-cloud-core google-cloud-storage google-cloud-pubsub google-cloud-bigquery google-cloud-errors"
 
 jobs:
 generate-locks:
@@ -25,6 +25,7 @@ jobs:
 (cd "$gemdir" && bundle lock)
 fi
 done
+ git add -f */Gemfile.lock
 - name: Create Pull Request
 uses: peter-evans/create-pull-request@v6
 with:

From 8a44aff03d6e96f0188a24e6622734152a9b8faa Mon Sep 17 00:00:00 2001
From: Yoshi Automation Bot
Date: Thu, 25 Jun 2026 21:33:04 +0000
Subject: [PATCH 3/4] fix(ci): pin action references to SHAs and harden workflow permissions per zizmor audit

---
 .github/workflows/generate-lockfiles.yml | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/generate-lockfiles.yml b/.github/workflows/generate-lockfiles.yml
index 4b57aa362248..6b9c0ebc75ec 100644
--- a/.github/workflows/generate-lockfiles.yml
+++ b/.github/workflows/generate-lockfiles.yml
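Review bot: `git add -f */Gemfile.lock` in the second hunk overrides `.gitignore` without saying why; the `-f` suggests `Gemfile.lock` is ignored in this repository, in which case the generated PR starts tracking files the ignore rules exclude and that policy change deserves a comment in the script, e.g. `# -f: Gemfile.lock is gitignored here; lockfiles are now tracked for the compliance mandate` (confirm the ignore rule before relying on it). The same applies to the scoped `git add -f "$gemdir/Gemfile.lock"` that patch 4 introduces. In the first hunk the `description` still calls `batch_pattern` a "glob pattern" while the new `default` is a whitespace-separated list; because the unquoted loop expansion accepts both, say so, e.g. `description: "Space-separated gem directories or shell globs (e.g., google-cloud-core google-cloud-a*)"`.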
@@ -11,23 +11,30 @@ on:
 jobs:
 generate-locks:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
 steps:
- - uses: actions/checkout@v4
- - uses: ruby/setup-ruby@v1
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
+ - uses: ruby/setup-ruby@9eb537ca036ebaed86729dcb9309076e4c5c3b74 # v1
 with:
 ruby-version: "3.3"
 bundler-cache: false
 - name: Generate Lockfiles for Batch
 run: |
- for gemdir in ${{ inputs.batch_pattern }}; do
+ for gemdir in ${INPUTS_BATCH_PATTERN}; do
 if [ -f "$gemdir/Gemfile" ]; then
 echo "Locking $gemdir..."
 (cd "$gemdir" && bundle lock)
 fi
 done
 git add -f */Gemfile.lock
+ env:
+ INPUTS_BATCH_PATTERN: ${{ inputs.batch_pattern }}
 - name: Create Pull Request
- uses: peter-evans/create-pull-request@v6
+ uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6
 with:
 commit-message: "chore(deps): generate Gemfile.lock files for ${{ inputs.batch_pattern }}"
 title: "chore(deps): generate Gemfile.lock files (${{ inputs.batch_pattern }})"

From 3d427407b021d3d8be9b5d529c18fff5dc6cffe9 Mon Sep 17 00:00:00 2001
From: Yoshi Automation Bot
Date: Thu, 25 Jun 2026 22:09:02 +0000
Subject: [PATCH 4/4] fix(deps): remove spanner from renovate config and scope lockfile staging

---
 .github/renovate.json | 1 -
 .github/workflows/generate-lockfiles.yml | 4 +++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/renovate.json b/.github/renovate.json
index 8b54d78920ba..4ff729004c37 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -25,7 +25,6 @@
 "google-cloud-core/**",
 "google-cloud-storage/**",
 "google-cloud-pubsub/**",
- "google-cloud-spanner/**",
 "google-cloud-bigquery/**",
 "google-cloud-errors/**"
 ],
diff --git a/.github/workflows/generate-lockfiles.yml b/.github/workflows/generate-lockfiles.yml
index 6b9c0ebc75ec..85825e5429d4 100644
--- a/.github/workflows/generate-lockfiles.yml
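Review bot: With `persist-credentials: false` the push is now done entirely by `peter-evans/create-pull-request` through its default `token` (the job's `GITHUB_TOKEN`), and as far as I recall from that action's documentation, pull requests opened with `GITHUB_TOKEN` do not trigger `on: pull_request` workflows, so the generated lockfile PR would arrive with no CI run on it; confirm, and if so pass a GitHub App or fine-grained token via `token:` and record that reason in a comment on the step. The `# v4`, `# v1` and `# v6` comments beside the SHA pins only name the major line; write the exact tag each SHA was taken from (e.g. `# vX.Y.Z` — placeholder) so the pin can be audited and digest-update tooling can track it. The `with:` block of the Create Pull Request step continues past the hunk.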
+++ b/.github/workflows/generate-lockfiles.yml
@@ -28,9 +28,11 @@ jobs:
 if [ -f "$gemdir/Gemfile" ]; then
 echo "Locking $gemdir..."
 (cd "$gemdir" && bundle lock)
+ if [ -f "$gemdir/Gemfile.lock" ]; then
+ git add -f "$gemdir/Gemfile.lock"
+ fi
 fi
 done
- git add -f */Gemfile.lock
 env:
 INPUTS_BATCH_PATTERN: ${{ inputs.batch_pattern }}
 - name: Create Pull Request