Merge pull request #130 from denschub/prontohub

[CI] Run Pronto on GitHub Actions.

.github/workflows/ci.yml

@@ -9,25 +9,39 @@ on:
 
 jobs:
   test:
+    name: 'Ruby: ${{ matrix.ruby }}, Rails: ${{ matrix.rails }}'
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
         ruby:
+          - "3.2"
           - "3.1"
           - "3.0"
           - "2.7"
-        gemfile:
-          - Gemfile
-          - test/gemfiles/no-rails.Gemfile
+        rails:
+          - "7.0"
+          - "6.1"
+          - "6.0"
+          - "5.2"
+          - "none"
+        exclude:
+          - ruby: "3.2"
+            rails: "5.2"
+          - ruby: "3.1"
+            rails: "5.2"
+          - ruby: "3.0"
+            rails: "5.2"
     env:
-      BUNDLE_GEMFILE: ${{ matrix.gemfile }}
+      RAILS_VERSION: ${{ matrix.rails }}
       BUNDLE_WITHOUT: development
-      BUNDLE_FROZEN: true
       BUNDLE_DISABLE_SHARED_GEMS: true
       CC_TEST_REPORTER_ID: ${{ secrets.CC_TEST_REPORTER_ID }}
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
+      - name: Delete Gemfile.lock
+        run: rm Gemfile.lock
+        if: matrix.rails != '7.0' # Gemfile.lock is only generated for latest rails version
       - uses: ruby/setup-ruby@v1
         with:
           ruby-version: ${{ matrix.ruby }}

.github/workflows/lint.yml

@@ -0,0 +1,59 @@
+## SECURITY WARNING:
+##
+## Do not change this job unless you know what you're doing.
+##
+## This GitHub Action runs on: pull_request_target, which means the jobs run in
+## a context where they have access to a Access Token with write access to the
+## target repo, even if the PR is opened from an external contributor from their
+## fork.
+##
+## This means that if we're not careful, we could be running third-party code
+## within an authenticated scope, which isn't good. To mitigate this, this
+## implementation does:
+##
+##   1. checkout the target branch (i.e. the project's original sources)
+##   2. install the Gems from there, and install them into a directory that's
+##      outside the repository contents.
+##   3. checkout the PRs HEAD
+##   4. restore a bunch of files that would allow code execution from the
+##      project's upstream sources, namely:
+##      - bin/bundle - we'll run that in our Job
+##      - Gemfile/Gemfile.lock - to avoid loading a gem with an identical
+##        version number from a in-repo vendored directory
+
+name: Lint
+on:
+  pull_request_target:
+
+permissions:
+  contents: read
+  statuses: write
+  pull-requests: write
+
+jobs:
+  pronto:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Target branch
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.base_ref }}
+          fetch-depth: 0
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: "3.1"
+          bundler-cache: true
+      - name: Checkout PR HEAD
+        run: |
+          git fetch -q origin +refs/pull/${{ github.event.pull_request.number }}/head:
+          git checkout -qf FETCH_HEAD
+      - name: Restore the bundle binstub and Gemfiles from the target branch
+        run: |
+          git restore -s ${{ github.base_ref }} -- bin/bundle
+          git restore -s ${{ github.base_ref }} -- Gemfile
+          git restore -s ${{ github.base_ref }} -- Gemfile.lock
+      - name: Run Pronto
+        run: bin/bundle exec pronto run -f github_status github_pr_review -c ${{ github.base_ref }}
+        env:
+          PRONTO_PULL_REQUEST_ID: ${{ github.event.pull_request.number }}
+          PRONTO_GITHUB_ACCESS_TOKEN: ${{ github.token }}

.ruby-version

@@ -1 +1 @@
-3.1
+3.2

Changelog.md

@@ -1,3 +1,7 @@
+# 1.1.0
+
+* Don't follow redirects when federating messages [#128](https://github.com/diaspora/diaspora_federation/pull/128)
+
 # 1.0.1
 
 * Disable rails forgery protection for the federation controller by default [#127](https://github.com/diaspora/diaspora_federation/pull/127)

Gemfile

@@ -9,7 +9,9 @@ gemspec name: "diaspora_federation"
 
 Dir["diaspora_federation-*.gemspec"].each do |gemspec|
   plugin = gemspec.scan(/diaspora_federation-(.*)\.gemspec/).flatten.first
-  gemspec(name: "diaspora_federation-#{plugin}", development_group: plugin)
+  unless ENV["RAILS_VERSION"] == "none" && plugin == "rails"
+    gemspec(name: "diaspora_federation-#{plugin}", development_group: plugin)
+  end
 end
 
 # Declare any dependencies that are still in development here instead of in
@@ -56,6 +58,14 @@ group :development, :test do
   gem "rake"
 
   # unit tests
-  gem "rspec", "~> 3.11.0"
-  gem "rspec-rails", "~> 5.1.2"
+  gem "rspec", "~> 3.12.0"
+
+  unless ENV["RAILS_VERSION"] == "none"
+    gem "rspec-rails", "~> 5.1.2"
+
+    # The default rails version needs to be kept up to date also in:
+    # - test/dummy/config/application.rb (config.load_defaults)
+    # - .github/workflows/ci.yml ('Delete Gemfile.lock' step)
+    gem "actionpack", "~> #{ENV['RAILS_VERSION'] || '7.0'}.0"
+  end
 end

Gemfile.lock

@@ -1,18 +1,18 @@
 PATH
   remote: .
   specs:
-    diaspora_federation (1.0.1)
+    diaspora_federation (1.1.0)
       faraday (>= 1.0, < 3)
       faraday-follow_redirects (~> 0.3)
       nokogiri (~> 1.6, >= 1.6.8)
       typhoeus (~> 1.0)
       valid (~> 1.0)
-    diaspora_federation-json_schema (1.0.1)
-    diaspora_federation-rails (1.0.1)
+    diaspora_federation-json_schema (1.1.0)
+    diaspora_federation-rails (1.1.0)
       actionpack (>= 5.2, < 8)
-      diaspora_federation (= 1.0.1)
-    diaspora_federation-test (1.0.1)
-      diaspora_federation (= 1.0.1)
+      diaspora_federation (= 1.1.0)
+    diaspora_federation-test (1.1.0)
+      diaspora_federation (= 1.1.0)
       fabrication (~> 2.29)
       uuid (~> 2.3, >= 2.3.8)
 
@@ -50,7 +50,7 @@ GEM
     diff-lcs (1.5.0)
     docile (1.4.0)
     erubi (1.12.0)
-    ethon (0.15.0)
+    ethon (0.16.0)
       ffi (>= 1.15.0)
     fabrication (2.30.0)
     faraday (2.7.6)
@@ -142,21 +142,21 @@ GEM
       ffi (~> 1.0)
     regexp_parser (2.8.1)
     rexml (3.2.5)
-    rspec (3.11.0)
-      rspec-core (~> 3.11.0)
-      rspec-expectations (~> 3.11.0)
-      rspec-mocks (~> 3.11.0)
+    rspec (3.12.0)
+      rspec-core (~> 3.12.0)
+      rspec-expectations (~> 3.12.0)
+      rspec-mocks (~> 3.12.0)
     rspec-collection_matchers (1.2.0)
       rspec-expectations (>= 2.99.0.beta1)
-    rspec-core (3.11.0)
-      rspec-support (~> 3.11.0)
-    rspec-expectations (3.11.0)
+    rspec-core (3.12.2)
+      rspec-support (~> 3.12.0)
+    rspec-expectations (3.12.3)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.11.0)
+      rspec-support (~> 3.12.0)
     rspec-json_expectations (2.2.0)
-    rspec-mocks (3.11.1)
+    rspec-mocks (3.12.5)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.11.0)
+      rspec-support (~> 3.12.0)
     rspec-rails (5.1.2)
       actionpack (>= 5.2)
       activesupport (>= 5.2)
@@ -165,7 +165,7 @@ GEM
       rspec-expectations (~> 3.10)
       rspec-mocks (~> 3.10)
       rspec-support (~> 3.10)
-    rspec-support (3.11.0)
+    rspec-support (3.12.0)
     rubocop (1.52.0)
       json (~> 2.3)
       parallel (~> 1.10)
@@ -221,6 +221,7 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
+  actionpack (~> 7.0.0)
   diaspora_federation!
   diaspora_federation-json_schema!
   diaspora_federation-rails!
@@ -234,7 +235,7 @@ DEPENDENCIES
   pry
   pry-byebug
   rake
-  rspec (~> 3.11.0)
+  rspec (~> 3.12.0)
   rspec-collection_matchers (~> 1.2.0)
   rspec-json_expectations (~> 2.1)
   rspec-rails (~> 5.1.2)

lib/diaspora_federation/version.rb

@@ -2,5 +2,5 @@
 
 module DiasporaFederation
   # the gem version
-  VERSION = "1.0.1"
+  VERSION = "1.1.0"
 end

lib/tasks/build.rake

@@ -26,5 +26,7 @@ end
 
 desc "Tags version, pushes to remote, and pushes gem"
 task release: :build do
-  sh "ls pkg/diaspora_federation-*-*.gem | xargs -n 1 gem push"
+  Dir["pkg/diaspora_federation-*-*.gem"].each do |gem|
+    sh "gem push #{gem}"
+  end
 end

lib/tasks/gemfiles.rake

@@ -1,24 +0,0 @@
-# frozen_string_literal: true
-
-namespace :gemfiles do
-  desc "Generates no-rails.Gemfile"
-  task :generate do
-    FileUtils.mkdir_p("test/gemfiles")
-    FileUtils.rm(Dir["test/gemfiles/*.Gemfile.lock"])
-
-    original_gemfile = File.read("Gemfile")
-    original_gemfile.sub!(/(gemspec name:.*)/) { "#{Regexp.last_match[1]}, path: \"../../\"" }
-    original_gemfile.sub!(/(gemspec\(name:.*)\)/) { "#{Regexp.last_match[1]}, path: \"../../\")" }
-    original_gemfile.sub!(/^group :development do$.*?^end$\n\n/m, "")
-
-    no_rails_gemfile = original_gemfile.dup
-    no_rails_gemfile.sub!(/(gemspec\(name:.*)/) { "#{Regexp.last_match[1]} unless plugin == \"rails\"" }
-    no_rails_gemfile.sub!(/^.*rspec-rails.*$\n/, "")
-    no_rails_path = "test/gemfiles/no-rails.Gemfile"
-    File.write(no_rails_path, no_rails_gemfile)
-
-    Bundler.with_unbundled_env do
-      system("BUNDLE_GEMFILE=#{no_rails_path} bundle install")
-    end
-  end
-end

spec/lib/diaspora_federation/entities/relayable_spec.rb

@@ -474,7 +474,7 @@ module DiasporaFederation
                 parent:           remote_parent
               }.merge("new_property" => new_property),
               %w[author guid parent_guid new_property property],
-              "new_property" => new_property
+              {"new_property" => new_property}
             ).and_call_original
             Entities::SomeRelayable.from_hash(entity_data, property_order)
           end

spec/lib/diaspora_federation/entity_spec.rb

@@ -200,9 +200,11 @@ module DiasporaFederation
 
       it "calls .from_hash with the hash representation of provided XML" do
         expect(Entities::TestDefaultEntity).to receive(:from_hash).with(
-          test1: "asdf",
-          test2: "qwer",
-          test3: true
+          {
+            test1: "asdf",
+            test2: "qwer",
+            test3: true
+          }
         )
         Entities::TestDefaultEntity.from_xml(Nokogiri::XML(<<~XML).root)
           <test_default_entity>
@@ -340,7 +342,7 @@ module DiasporaFederation
         }
         expect(Entities::TestEntity).to receive(:json_parser_class).and_call_original
         expect_any_instance_of(Parsers::JsonParser).to receive(:parse).with(json).and_call_original
-        expect(Entities::TestEntity).to receive(:from_hash).with(test: "value")
+        expect(Entities::TestEntity).to receive(:from_hash).with({test: "value"})
         Entities::TestEntity.from_json(json)
       end
 
@@ -388,7 +390,7 @@ module DiasporaFederation
 
       it "calls a constructor of the entity of the appropriate type" do
         entity_data = {test1: "abc", test2: "123"}
-        expect(Entities::TestDefaultEntity).to receive(:new).with(test1: "abc", test2: "123")
+        expect(Entities::TestDefaultEntity).to receive(:new).with({test1: "abc", test2: "123"})
         Entities::TestDefaultEntity.from_hash(entity_data)
       end
 

test/dummy/config/application.rb

@@ -24,7 +24,7 @@ require "diaspora_federation/rails"
 module Dummy
   class Application < Rails::Application
     # Initialize configuration defaults for originally generated Rails version.
-    config.load_defaults 7.0
+    config.load_defaults(ENV["RAILS_VERSION"] || "7.0")
 
     # Configuration for the application, engines, and railties goes here.
     #

test/gemfiles/no-rails.Gemfile

@@ -1,41 +0,0 @@
-# frozen_string_literal: true
-
-source "https://rubygems.org"
-
-# Declare your gem's dependencies in diaspora_federation.gemspec.
-# Bundler will treat runtime dependencies like base dependencies, and
-# development dependencies will be added by default to the :development group.
-gemspec name: "diaspora_federation", path: "../../"
-
-Dir["diaspora_federation-*.gemspec"].each do |gemspec|
-  plugin = gemspec.scan(/diaspora_federation-(.*)\.gemspec/).flatten.first
-  gemspec(name: "diaspora_federation-#{plugin}", development_group: plugin, path: "../../") unless plugin == "rails"
-end
-
-# Declare any dependencies that are still in development here instead of in
-# your gemspec. These might include edge Rails or gems from your path or
-# Git. Remember to move these dependencies to your gemspec before releasing
-# your gem to rubygems.org.
-
-group :test do
-  # rspec formatter
-  gem "fuubar", "2.5.1",    require: false
-  gem "nyan-cat-formatter", require: false
-
-  # test coverage
-  gem "simplecov",                 "0.21.2",   require: false
-  gem "simplecov-rcov",            "0.3.1",    require: false
-
-  # test helpers
-  gem "json-schema",               "~> 3.0"
-  gem "rspec-collection_matchers", "~> 1.2.0"
-  gem "rspec-json_expectations",   "~> 2.1"
-  gem "webmock",                   "~> 3.0"
-end
-
-group :development, :test do
-  gem "rake"
-
-  # unit tests
-  gem "rspec", "~> 3.11.0"
-end

test/gemfiles/no-rails.Gemfile.lock

@@ -1,107 +0,0 @@
-PATH
-  remote: ../..
-  specs:
-    diaspora_federation (1.0.1)
-      faraday (>= 1.0, < 3)
-      faraday-follow_redirects (~> 0.3)
-      nokogiri (~> 1.6, >= 1.6.8)
-      typhoeus (~> 1.0)
-      valid (~> 1.0)
-    diaspora_federation-json_schema (1.0.1)
-    diaspora_federation-test (1.0.1)
-      diaspora_federation (= 1.0.1)
-      fabrication (~> 2.29)
-      uuid (~> 2.3, >= 2.3.8)
-
-GEM
-  remote: https://rubygems.org/
-  specs:
-    addressable (2.8.0)
-      public_suffix (>= 2.0.2, < 5.0)
-    crack (0.4.5)
-      rexml
-    diff-lcs (1.5.0)
-    docile (1.4.0)
-    ethon (0.15.0)
-      ffi (>= 1.15.0)
-    fabrication (2.29.0)
-    faraday (2.3.0)
-      faraday-net_http (~> 2.0)
-      ruby2_keywords (>= 0.0.4)
-    faraday-follow_redirects (0.3.0)
-      faraday (>= 1, < 3)
-    faraday-net_http (2.0.3)
-    ffi (1.15.5)
-    fuubar (2.5.1)
-      rspec-core (~> 3.0)
-      ruby-progressbar (~> 1.4)
-    hashdiff (1.0.1)
-    json-schema (3.0.0)
-      addressable (>= 2.8)
-    macaddr (1.7.2)
-      systemu (~> 2.6.5)
-    nokogiri (1.13.8-x86_64-linux)
-      racc (~> 1.4)
-    nyan-cat-formatter (0.12.0)
-      rspec (>= 2.99, >= 2.14.2, < 4)
-    public_suffix (4.0.7)
-    racc (1.6.0)
-    rake (13.0.6)
-    rexml (3.2.5)
-    rspec (3.11.0)
-      rspec-core (~> 3.11.0)
-      rspec-expectations (~> 3.11.0)
-      rspec-mocks (~> 3.11.0)
-    rspec-collection_matchers (1.2.0)
-      rspec-expectations (>= 2.99.0.beta1)
-    rspec-core (3.11.0)
-      rspec-support (~> 3.11.0)
-    rspec-expectations (3.11.0)
-      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.11.0)
-    rspec-json_expectations (2.2.0)
-    rspec-mocks (3.11.1)
-      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.11.0)
-    rspec-support (3.11.0)
-    ruby-progressbar (1.11.0)
-    ruby2_keywords (0.0.5)
-    simplecov (0.21.2)
-      docile (~> 1.1)
-      simplecov-html (~> 0.11)
-      simplecov_json_formatter (~> 0.1)
-    simplecov-html (0.12.3)
-    simplecov-rcov (0.3.1)
-      simplecov (>= 0.4.1)
-    simplecov_json_formatter (0.1.4)
-    systemu (2.6.5)
-    typhoeus (1.4.0)
-      ethon (>= 0.9.0)
-    uuid (2.3.9)
-      macaddr (~> 1.0)
-    valid (1.2.0)
-    webmock (3.14.0)
-      addressable (>= 2.8.0)
-      crack (>= 0.3.2)
-      hashdiff (>= 0.4.0, < 2.0.0)
-
-PLATFORMS
-  x86_64-linux
-
-DEPENDENCIES
-  diaspora_federation!
-  diaspora_federation-json_schema!
-  diaspora_federation-test!
-  fuubar (= 2.5.1)
-  json-schema (~> 3.0)
-  nyan-cat-formatter
-  rake
-  rspec (~> 3.11.0)
-  rspec-collection_matchers (~> 1.2.0)
-  rspec-json_expectations (~> 2.1)
-  simplecov (= 0.21.2)
-  simplecov-rcov (= 0.3.1)
-  webmock (~> 3.0)
-
-BUNDLED WITH
-   2.3.7