5 Commits

Author SHA1 Message Date
Mike Dalessio 732126b5df Update bundle-drift to handle subdependencies (#2824) 2026-04-09 13:46:37 -04:00
Mike Dalessio 759e6079e8 Update bin/bundle-drift to catch dependency requirement diffs (#2821)
* Detect dependency requirement drift in bin/bundle-drift

The checker only compared resolved spec versions between Gemfile.lock
and Gemfile.saas.lock. When dependabot bumped solid_queue from ~> 1.3
to ~> 1.4, the forward command patched the resolved version but left
the stale dependency requirement. The checker didn't catch it because
both lockfiles resolved to the same version.

Now find_drift also compares dependency requirements for shared direct
dependencies, and forward patches the DEPENDENCIES section too.

Includes built-in self-test (bin/bundle-drift self-test).

* Sync solid_queue dependency requirement in Gemfile.saas.lock

Updates ~> 1.3 to ~> 1.4 to match Gemfile.lock.
2026-04-09 12:19:52 -04:00
Mike Dalessio ba6fc495da ci: fix bin/bundle-drift forward to support native gems (#2723)
See #2704 where only the ruby platform gem for thruster was replaced.
2026-03-17 22:29:47 -04:00
dependabot[bot] 0ead67f85b Bump the development-dependencies group across 1 directory with 3 updates (#2546)
* Bump the development-dependencies group across 1 directory with 3 updates

Bumps the development-dependencies group with 3 updates in the / directory: [brakeman](https://github.com/presidentbeef/brakeman), [faker](https://github.com/faker-ruby/faker) and [selenium-webdriver](https://github.com/SeleniumHQ/selenium).


Updates `brakeman` from 7.1.2 to 8.0.1
- [Release notes](https://github.com/presidentbeef/brakeman/releases)
- [Changelog](https://github.com/presidentbeef/brakeman/blob/main/CHANGES.md)
- [Commits](https://github.com/presidentbeef/brakeman/compare/v7.1.2...v8.0.1)

Updates `faker` from 3.5.3 to 3.6.0
- [Release notes](https://github.com/faker-ruby/faker/releases)
- [Changelog](https://github.com/faker-ruby/faker/blob/main/CHANGELOG.md)
- [Commits](https://github.com/faker-ruby/faker/compare/v3.5.3...v3.6.0)

Updates `selenium-webdriver` from 4.39.0 to 4.40.0
- [Release notes](https://github.com/SeleniumHQ/selenium/releases)
- [Changelog](https://github.com/SeleniumHQ/selenium/blob/trunk/rb/CHANGES)
- [Commits](https://github.com/SeleniumHQ/selenium/compare/selenium-4.39.0...selenium-4.40.0)

---
updated-dependencies:
- dependency-name: brakeman
  dependency-version: 8.0.1
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: development-dependencies
- dependency-name: faker
  dependency-version: 3.6.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: development-dependencies
- dependency-name: selenium-webdriver
  dependency-version: 4.40.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: development-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>

* Auto-sync Gemfile.saas.lock on Dependabot PRs

Dependabot can't update custom-named Gemfiles, so Gemfile.saas.lock
drifts whenever it bumps shared gems in Gemfile.lock.

Add `bin/bundle-drift forward` to push oss lockfile changes into the
saas lockfile (the reverse of `correct`), and a GitHub Actions workflow
that runs it automatically on Dependabot bundler branches.

* Update brakeman ignore fingerprint for 8.0.1

Brakeman 8.0.1 changed how it computes warning fingerprints, so the
existing ignore entry for the safe_constantize warning in Notifier
became obsolete. Update to the new fingerprint.

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jeremy Daer <jeremy@37signals.com>
2026-02-16 15:29:51 -08:00
Jeremy Daer 586015c3f9 Bundle drift detection and correction (#2101)
Gemfile.saas evals Gemfile, so shared gems should have identical versions
in both lockfiles. This adds bin/bundle-drift to detect and fix drift:

* `bin/bundle-drift check` compares shared gem versions
* `bin/bundle-drift correct` seeds Gemfile.lock from Gemfile.saas.lock
  and re-locks, letting Bundler prune SaaS-only gems while preserving
  shared versions

Adds drift check to bin/ci and GitHub CI. Corrects existing drift.
2025-12-11 21:32:34 -08:00