Precompiled ruby 2.7.8 / 3.1.7 / 3.2.11 releases; fix Release workflow for Homebrew 6

[narze]

Summary

Adds precompiled portable ruby releases for 2.7.8, 3.1.7, and 3.2.11 to this fork, so mise installs ruby in seconds via the precompiled_url template in the app repo's mise.toml instead of compiling from source (~5 min of every cold bootstrap on Claude Code on the web; also benefits Linux/mac dev machines). Upstream jdx/ruby only builds 3.2.1+, hence the fork.

All three releases are published, with every asset verified (HTTP 302) and the x86_64 Linux tarballs smoke-tested on an Ubuntu 24.04 / glibc 2.39 sandbox (extract to /tmp, run, exercise openssl/zlib/yaml):

Version	x86_64_linux	arm64_linux	macos	no_yjit (x86+arm)	pinned -1
2.7.8	✅ (OpenSSL 1.1.1w)	✅	✅	✅	✅
3.1.7	✅ (OpenSSL 3.5.5)	✅	✅	✅	✅
3.2.11	✅ (YJIT present)	✅	✅	✅	✅

New formulae

• Abstract/jdx-ruby-31.rb — the 3.2 abstract minus Rust YJIT (3.1's YJIT is the C implementation: no rustup dep, no --enable-yjit, make pkgconfig-data instead of the missing ruby.pc alias). All differences verified against the 3.1.7 tarball.
• Abstract/jdx-ruby-27.rb — 2.7 support: depends on OpenSSL 1.1.1 (2.7's openssl ext can't build against 3.x), boolean --enable-libedit + --with-libedit-dir (no --enable-libedit=DIR in 2.7), dbm/gdbm stdlib exts excluded (they link whatever libgdbm is around and fail the portability check), no make extract-gems (2.7's target needs the not-yet-built miniruby; rbinstall installs from gems/*.gem directly), and 2.7-appropriate tests (byebug pinned to 11.1.3, BUNDLER_VERSION unset — 2.7's RubyGems honors the leaked variable and errors instead of resolving downward).
• Formula/portable-openssl@1.1.1w.rb — OpenSSL 1.1.1 for rubies ≤ 3.0, porting the 3.5.5 formula's runtime cert auto-detection patch to 1.1.1's simpler x509_def.c (patch targets verified byte-for-byte against the tarball; the patched file compiles under -Wall -Werror).
• Formula/jdx-ruby@3.1.7.rb, Formula/jdx-ruby@2.7.8.rb — sha256s computed from fresh cache.ruby-lang.org downloads.
• gperf pin for 2.7/3.1: touch enc/jis/props.h before make — regenerating it with gperf ≥ 3.1 yields size_t prototypes that conflict with the unsigned int declaration those rubies ship (fixed upstream in 3.2).

CI fixes (Homebrew 6 broke the workflow for all versions)

These were preventing any release from this fork, including stock 3.x:

• Tap trust — Homebrew now refuses to load external tap commands (brew jdx-package) from untrusted taps; bin/setup runs brew trust (with a fallback for older brews).
• Linux build sandbox — Homebrew aborts source builds without a rootless bwrap, which runner images don't ship; HOMEBREW_NO_SANDBOX_LINUX=1 (Homebrew's own suggested workaround) in the workflow env.
• glibc 2.39 baseline — the deepest one: on ubuntu-22.04 (host glibc 2.35) every bottle pour drags in Homebrew's own glibc+gcc, which broke glibc@2.17's post-install and linked built rubies against .linuxbrew/glibc, correctly failing the portability check. The Linux matrix now runs on ubuntu-24.04 (host glibc satisfies the baseline, host toolchain builds, binaries link system libc). Plain assets now have a glibc ≥ 2.39 runtime floor; no_yjit variants keep the glibc 2.17 toolchain for older hosts.
• Helper deps from bottles — cmd/jdx-package.rb now source-builds only this tap's portable-* formulae (the statically-linked inputs, with brew linkage enforcing nothing else leaks in) and installs every other dependency from bottles, completing what ci: install Linux helper deps from bottles jdx/ruby#43 started. Linux legs got ~3× faster.
• Workflow hygiene — dropped the notify job (needs a secret this fork lacks) and the SLSA provenance job (third-party reusable workflow that can block upload-assets; mise skips attestation verification for custom URL templates anyway); the GitHub attestation step is continue-on-error.

Verification

curl -sI https://github.com/eventpop/ruby/releases/download/3.1.7/ruby-3.1.7.x86_64_linux.tar.gz | head -1   # HTTP/2 302
curl -fsSL https://github.com/eventpop/ruby/releases/download/3.1.7/ruby-3.1.7.x86_64_linux.tar.gz | tar -xz -C /tmp
/tmp/ruby-3.1.7/bin/ruby --version   # ruby 3.1.7p261 (2025-03-26 revision 0a3704f218) [x86_64-linux]

End-to-end through mise: a fresh checkout with the app repo's precompiled_url setting downloads these assets directly from github.com (no rate-limited api.github.com listing involved).

https://claude.ai/code/session_015m4jwUW8kgyeWx6XkVvxeV

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds portable Ruby 2.7 and 3.1 Homebrew formulas, a portable OpenSSL 1.1.1w formula, simplifies the release workflow by removing provenance jobs and adding a non-blocking attestation step, and updates setup/package tooling to handle portable dependencies.

Changes

Release Workflow Simplification

Layer / File(s)

Summary

Release workflow provenance and attestation updates .github/workflows/release.yml

Workflow removes the combine-hashes job and SLSA provenance pipeline, sets HOMEBREW_NO_SANDBOX_LINUX: 1, removes top-level actions: read, updates Linux runner images, simplifies upload-assets dependencies to [build, create-release], adds an advisory "Attest build provenance" step (continue-on-error: true), updates publish-release to depend on [create-release, upload-assets], and removes the notify job.

Portable Ruby Formulas and Infrastructure

Layer / File(s)	Summary
Portable OpenSSL 1.1.1w formula Formula/portable-openssl@1.1.1w.rb	Defines PortableOpensslAT111w with source/mirror/checksum, cacert resource and livecheck parsing, arch-specific arch_args and OpenSSL 1.1.1 tuned configure_args, patches x509_def.c for JDX_RUBY_SSL_CERT_FILE/DIR and system cert auto-detection, runs Configure/make/make install_dev, removes Libs.private from libcrypto.pc, installs cert.pem, and includes a C test that links against built libcrypto.
Ruby 2.7 portable base formula Abstract/jdx-ruby-27.rb	Adds JdxRuby27 with livecheck for 2.7.x, keg-only, without-yjit option, portable dependency wiring (portable-openssl/libyaml and conditional Linux libs), constructs configure args (HOMEBREW_BASERUBY/MJIT handling), builds Ruby, generates portable_ruby_gems.rb, patches shell polyglot executables, normalizes Linux rbconfig.rb, copies portable dependency headers/libs/pkg-config for native gems, overrides bundled OpenSSL Ruby wrapper for CA fallback, and includes comprehensive tests.
Ruby 3.1 portable base formula Abstract/jdx-ruby-31.rb	Adds JdxRuby31 with livecheck for 3.1.x, keg-only, without-yjit option, bundled-gems staging, configure/make install (MJIT/HOMEBREW_BASERUBY behavior), generates bundled-gems load helper, patches shell executables for RubyGems detection, normalizes Linux rbconfig.rb, copies portable native artifacts, bundles a CA cert and conditions OpenSSL cert use, and includes tests for stdlib and native gem behavior.
Ruby version-specific concrete formulas Formula/jdx-ruby@2.7.8.rb, Formula/jdx-ruby@3.1.7.rb	Concrete formulas: JdxRubyAT278 inherits from JdxRuby27 (Ruby 2.7.8 URL and sha256); JdxRubyAT317 inherits from JdxRuby31 (Ruby 3.1.7 URL and sha256).
Setup and package tool integration bin/setup, cmd/jdx-package.rb	bin/setup adds a non-fatal brew trust "jdx/$DIRNAME" call with explanatory comments. cmd/jdx-package.rb introduces a portable_dep predicate to detect portable-* formulae, excludes them from main dependency expansion, and partitions dependencies into bottled vs source builds based on portability.

Sequence Diagram(s):

sequenceDiagram
  participant PatchX509 as Patch x509_def.c
  participant Configure as Configure/Build
  participant Make as make
  participant InstallDev as make install_dev
  participant EditPc as Edit libcrypto.pc
  participant InstallCACert as Install cert.pem
  participant TestProg as C test program
  PatchX509->>Configure: apply JDX_RUBY_SSL_CERT_FILE/DIR patch
  Configure->>Make: run Configure and make
  Make->>InstallDev: run make install_dev
  InstallDev->>EditPc: remove Libs.private from libcrypto.pc
  InstallDev->>InstallCACert: write cert.pem into openssldir
  TestProg->>InstallDev: link against built libcrypto and run EVP_sha256

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I hopped through formulas, certs, and build-machine light,

Packed Portable OpenSSL snug and tight,
Two Rubies stitched—three-one and two-seven bright,
Workflows trimmed, attested with gentle might,
Now portable gems leap on CI-night.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Title check	✅ Passed	The title accurately describes the main changes: adding precompiled Ruby releases (2.7.8, 3.1.7, 3.2.11) and fixing the Release workflow for Homebrew 6.
Description check	✅ Passed	The description is detailed and comprehensive, covering new formulae, CI fixes, verification steps, and the rationale for precompiled ruby releases to speed up mise installations.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/nifty-cerf-1rck4z

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/release.yml (1)

291-297: 💤 Low value

Consider adding visibility for attestation failures.

With continue-on-error: true, attestation failures will be silent and may go unnoticed. While the comment correctly explains the rationale (advisory-only, mise skips verification), consider adding a summary annotation so failures are at least visible in the workflow run.

📝 Optional: Add failure visibility

       - name: Attest build provenance
+        id: attest
         # Attestation is advisory (mise skips verification for custom
         # precompiled_url templates); never block the release on it.
         continue-on-error: true
         uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4
         with:
           subject-path: 'rubies/*.tar.gz'
+
+      - name: Report attestation status
+        if: steps.attest.outcome == 'failure'
+        run: echo "::warning::Build provenance attestation failed (non-blocking)"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 291 - 297, The "Attest build
provenance" step uses continue-on-error: true which hides failures; add a
follow-up step (e.g., "Report attestation failure" or "Annotate attestation
failure") that only runs when the attestation step fails and emits a visible
workflow annotation or summary so failures are surfaced. Target the existing
step name "Attest build provenance" and implement the follow-up with an
if-condition that checks the attestation step outcome (or uses failure() /
steps.<attest-step>.outcome) and then calls a summary/annotation action or
prints a ::error/::warning log to make the failure visible in the run UI. Ensure
the follow-up step does not block the job (keeps advisory behavior) but makes
failures easy to spot.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Abstract/jdx-ruby-27.rb`:
- Around line 78-91: The code calls an external program using shell
interpolation (%x[#{baseruby} -v]) on ENV["HOMEBREW_BASERUBY"], which risks
command injection; replace those uses (e.g., the baseruby_version assignment and
any other %x[#{baseruby} ...] occurrences in Abstract/jdx-ruby-27.rb and
jdx-ruby-31.rb) with a safe, non-shell invocation such as Open3.capture2e or
IO.popen / Process.spawn using the argument-array form (pass baseruby and "-v"
as separate args) to avoid the shell and read the output into baseruby_version,
keeping the existing odie checks and args handling intact.

---

Nitpick comments:
In @.github/workflows/release.yml:
- Around line 291-297: The "Attest build provenance" step uses
continue-on-error: true which hides failures; add a follow-up step (e.g.,
"Report attestation failure" or "Annotate attestation failure") that only runs
when the attestation step fails and emits a visible workflow annotation or
summary so failures are surfaced. Target the existing step name "Attest build
provenance" and implement the follow-up with an if-condition that checks the
attestation step outcome (or uses failure() / steps.<attest-step>.outcome) and
then calls a summary/annotation action or prints a ::error/::warning log to make
the failure visible in the run UI. Ensure the follow-up step does not block the
job (keeps advisory behavior) but makes failures easy to spot.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9db1b691-7fba-4c25-8a9d-ec5c5f3122ef

📥 Commits

Reviewing files that changed from the base of the PR and between bd3ee62 and 6d24732.

📒 Files selected for processing (8)

• .github/workflows/release.yml
• Abstract/jdx-ruby-27.rb
• Abstract/jdx-ruby-31.rb
• Formula/jdx-ruby@2.7.8.rb
• Formula/jdx-ruby@3.1.7.rb
• Formula/portable-openssl@1.1.1w.rb
• bin/setup
• cmd/jdx-package.rb

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

Abstract/jdx-ruby-27.rb (1)

217-242: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Mirror the portable OpenSSL cert checks here.

This openssl.rb patch no longer matches the portable-openssl@1.1.1w contract: it accepts any existing JDX_RUBY_SSL_CERT_FILE / JDX_RUBY_SSL_CERT_DIR path, and it only treats system cert files as evidence that a system trust store exists. On a host with only a readable cert directory, or with an unreadable env override, this can force SSL_CERT_FILE to the bundled PEM and change the trust-store selection you just moved into the C layer.

🩹 Suggested fix

       if ENV["SSL_CERT_FILE"].to_s.empty? && ENV["SSL_CERT_DIR"].to_s.empty?
         jdx_cert_file = ENV["JDX_RUBY_SSL_CERT_FILE"].to_s
-        if !jdx_cert_file.empty? && File.exist?(jdx_cert_file)
+        if !jdx_cert_file.empty? && File.file?(jdx_cert_file) && File.readable?(jdx_cert_file)
           ENV["SSL_CERT_FILE"] = jdx_cert_file
         else
           jdx_cert_dir = ENV["JDX_RUBY_SSL_CERT_DIR"].to_s
-          ENV["SSL_CERT_DIR"] = jdx_cert_dir if !jdx_cert_dir.empty? && Dir.exist?(jdx_cert_dir)
+          if !jdx_cert_dir.empty? && Dir.exist?(jdx_cert_dir) && File.readable?(jdx_cert_dir)
+            ENV["SSL_CERT_DIR"] = jdx_cert_dir
+          end
         end
       end
       if ENV["SSL_CERT_FILE"].to_s.empty? && ENV["SSL_CERT_DIR"].to_s.empty?
-        system_certs = %w[
+        system_cert_files = %w[
           /etc/ssl/certs/ca-certificates.crt
           /etc/pki/tls/certs/ca-bundle.crt
           /etc/ssl/ca-bundle.pem
           /opt/homebrew/etc/openssl@3/cert.pem
           /usr/local/etc/openssl@3/cert.pem
           /opt/homebrew/etc/ca-certificates/cert.pem
           /usr/local/etc/ca-certificates/cert.pem
           /home/linuxbrew/.linuxbrew/etc/openssl@3/cert.pem
           /home/linuxbrew/.linuxbrew/etc/ca-certificates/cert.pem
           /etc/ssl/cert.pem
         ]
-        unless system_certs.any? { |f| File.exist?(f) }
+        system_cert_dirs = %w[
+          /etc/ssl/certs
+          /etc/pki/tls/certs
+          /opt/homebrew/etc/openssl@3/certs
+          /usr/local/etc/openssl@3/certs
+          /home/linuxbrew/.linuxbrew/etc/openssl@3/certs
+        ]
+        has_system_certs =
+          system_cert_files.any? { |f| File.file?(f) && File.readable?(f) } ||
+          system_cert_dirs.any? { |d| Dir.exist?(d) && File.readable?(d) }
+        unless has_system_certs
           bundled = File.expand_path("../../libexec/cert.pem", RbConfig.ruby)
-          ENV["SSL_CERT_FILE"] = bundled if File.exist?(bundled)
+          ENV["SSL_CERT_FILE"] = bundled if File.file?(bundled) && File.readable?(bundled)
         end
       end

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Abstract/jdx-ruby-27.rb` around lines 217 - 242, The code currently accepts
any JDX_RUBY_SSL_CERT_FILE/JDX_RUBY_SSL_CERT_DIR values and only treats system
cert FILES as evidence of a system trust store; update the checks to mirror the
portable OpenSSL behavior by requiring a readable cert file for
JDX_RUBY_SSL_CERT_FILE (use File.file? && File.readable?) and requiring a
readable cert directory for JDX_RUBY_SSL_CERT_DIR (Dir.exist? && readable by
listing or File.readable? on a known file), and when detecting system trust use
both common cert files and common cert directories (check for either an existing
readable file in system_certs or existing cert directories) before falling back
to the bundled variable (bundled); update the branches around
jdx_cert_file/jdx_cert_dir, the system_certs any? check, and the bundled
assignment accordingly so only truly usable system stores prevent using the
bundled cert.pem.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@Abstract/jdx-ruby-27.rb`:
- Around line 217-242: The code currently accepts any
JDX_RUBY_SSL_CERT_FILE/JDX_RUBY_SSL_CERT_DIR values and only treats system cert
FILES as evidence of a system trust store; update the checks to mirror the
portable OpenSSL behavior by requiring a readable cert file for
JDX_RUBY_SSL_CERT_FILE (use File.file? && File.readable?) and requiring a
readable cert directory for JDX_RUBY_SSL_CERT_DIR (Dir.exist? && readable by
listing or File.readable? on a known file), and when detecting system trust use
both common cert files and common cert directories (check for either an existing
readable file in system_certs or existing cert directories) before falling back
to the bundled variable (bundled); update the branches around
jdx_cert_file/jdx_cert_dir, the system_certs any? check, and the bundled
assignment accordingly so only truly usable system stores prevent using the
bundled cert.pem.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0db5059e-19b8-41a3-a3f4-b7a6ce242aac

📥 Commits

Reviewing files that changed from the base of the PR and between 6d24732 and da9e81c.

📒 Files selected for processing (1)

• Abstract/jdx-ruby-27.rb

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

Abstract/jdx-ruby-31.rb (1)

282-309: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Remove live network from the formula test.

Lines 282-309 make test depend on outbound access to google.com and RubyGems. That turns relocatability/native-extension verification into a flaky integration test: DNS/egress restrictions, transient RubyGems outages, or rate limiting will fail the formula even when the package itself is fine. Please switch these checks to staged local fixtures/resources, or move the networked coverage to a separate CI job.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Abstract/jdx-ruby-31.rb` around lines 282 - 309, The test is performing live
network calls (e.g. shell_output("#{ruby} -ropen-uri -e
'URI.open(\"https://google.com\")...') and multiple system calls to
testpath/"bin/gem" install which relies on RubyGems network access); replace
these with local staged fixtures and offline gem files: remove the URI.open/http
check and instead assert against a local fixture file accessed via ruby; replace
all system testpath/"bin/gem" "install" invocations (openssl, psych, byebug,
ruby-lsp) with installs from pre-staged .gem files added as test resources and
invoke gem install --local or point GEM_HOME/GEM_PATH to the staged vendor cache
so no network is used; keep the ri/bundle/gem environment checks but use the
local fixtures for ri data and bundle init, or alternatively move any remaining
external-network assertions into a separate CI job and ensure the test only
exercises offline verification (use the symbols shell_output(...), system ruby
..., system testpath/"bin/gem" "install", system testpath/"bin/byebug
--version", and shell_output("#{ruby} #{testpath}/bin/ri ...") to locate the
spots to change).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@Abstract/jdx-ruby-31.rb`:
- Around line 282-309: The test is performing live network calls (e.g.
shell_output("#{ruby} -ropen-uri -e 'URI.open(\"https://google.com\")...') and
multiple system calls to testpath/"bin/gem" install which relies on RubyGems
network access); replace these with local staged fixtures and offline gem files:
remove the URI.open/http check and instead assert against a local fixture file
accessed via ruby; replace all system testpath/"bin/gem" "install" invocations
(openssl, psych, byebug, ruby-lsp) with installs from pre-staged .gem files
added as test resources and invoke gem install --local or point
GEM_HOME/GEM_PATH to the staged vendor cache so no network is used; keep the
ri/bundle/gem environment checks but use the local fixtures for ri data and
bundle init, or alternatively move any remaining external-network assertions
into a separate CI job and ensure the test only exercises offline verification
(use the symbols shell_output(...), system ruby ..., system testpath/"bin/gem"
"install", system testpath/"bin/byebug --version", and shell_output("#{ruby}
#{testpath}/bin/ri ...") to locate the spots to change).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d0f7fb93-9510-47ed-b4d5-cdc5c8f0c98c

📥 Commits

Reviewing files that changed from the base of the PR and between da9e81c and 1f45b26.

📒 Files selected for processing (1)

• Abstract/jdx-ruby-31.rb