ci: harden portable Ruby native gem builds #45

Merged
jdx merged 19 commits into main from renovate/homebrew-actions-digest
Jun 14, 2026

Conversation

renovate Bot commented Jun 12, 2026

Summary

This PR started as a Renovate update for the Homebrew/actions digest, but the CI fallout exposed issues in the portable Ruby packaging path for native gems.

It now also:

  • initializes Homebrew correctly on GitHub-hosted runners and trusts the checked-out tap
  • installs the legacy Linux build dependencies needed to produce portable bottles
  • preserves runtime linkage for packaged Linux Rubies while removing build-only Linuxbrew glibc / linux-headers flags from packaged rbconfig.rb
  • normalizes packaged compiler config to generic cc / c++ instead of Homebrew build-time compiler paths
  • exposes the packaged pkgconfig path and native build flags so gems can find bundled libraries such as openssl and libyaml
  • keeps the Linux openssl and psych native-gem rebuild smoke tests enabled so mise users remain covered for gem install openssl and gem install psych

Validation

Original Renovate Update

  • Homebrew/actions: 2ebcf16 -> 1141dcc
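
An added example, not code from this PR or the jdx/ruby repository: a Ruby check for the two rbconfig.rb properties the summary describes, build-only glibc / linux-headers flags and build-time compiler paths. The sample rbconfig.rb content, the `/home/linuxbrew/.linuxbrew` paths, the `/opt/<formula>` matching rule, and the helper names are assumptions made for illustration.

```ruby
# Added example (not the project's code). Sample content is constructed.
SAMPLE_RBCONFIG = <<~'RB'
  CONFIG["CC"] = "/home/linuxbrew/.linuxbrew/opt/gcc/bin/gcc-14"
  CONFIG["CXX"] = "c++"
  CONFIG["CPPFLAGS"] = "-I/home/linuxbrew/.linuxbrew/opt/linux-headers@5.15/include -DNDEBUG"
  CONFIG["LDFLAGS"] = "-L/home/linuxbrew/.linuxbrew/opt/glibc/lib -Wl,-rpath,$(libdir)"
  CONFIG["LIBS"] = "-lm -lpthread"
RB

# One CONFIG["KEY"] = "value" assignment: prefix up to the opening quote, key, value.
ASSIGN = /^([ \t]*CONFIG\["([^"]+)"\][ \t]*=[ \t]*")((?:[^"\\]|\\.)*)"/
# Assumption: build-only formulae show up as .../opt/glibc or .../opt/linux-headers[@ver].
BUILD_ONLY = %r{/opt/(?:glibc|linux-headers)(?:@[\d.]+)?(?:/|\z)}
GENERIC_COMPILER = { "CC" => "cc", "CXX" => "c++" }.freeze

def parse_rbconfig(text)
  text.scan(ASSIGN).to_h { |_head, key, value| [key, value] }
end

# Returns [key, kind, offending text] for every leak found.
def audit_rbconfig(text)
  parse_rbconfig(text).flat_map do |key, value|
    tokens = value.split
    found = tokens.grep(BUILD_ONLY).map { |tok| [key, :build_only_flag, tok] }
    if GENERIC_COMPILER.key?(key) && tokens.first != GENERIC_COMPILER[key]
      found.unshift([key, :compiler_path, value])
    end
    found
  end
end

# Drops build-only tokens and normalizes CC/CXX. Values that need no change are
# left byte-identical, and other tokens (such as the rpath above) are kept.
def scrub_rbconfig(text)
  text.gsub(ASSIGN) do
    whole, head, key, value = $~[0], $1, $2, $3
    kept = value.split.reject { |tok| tok.match?(BUILD_ONLY) }
    kept[0] = GENERIC_COMPILER[key] if GENERIC_COMPILER.key?(key) && kept.any?
    kept == value.split ? whole : head + kept.join(" ") + '"'
  end
end

audit_rbconfig(SAMPLE_RBCONFIG).each { |key, kind, text| puts "#{kind} #{key}: #{text}" }
puts scrub_rbconfig(SAMPLE_RBCONFIG)
```

Running the audit again on the scrubbed text is the regression check: it should report nothing while the runtime linker flags remain in place.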

greptile-apps Bot commented Jun 12, 2026

PR author is in the excluded authors list.

coderabbitai Bot commented Jun 12, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Update CI workflows: change the Homebrew action pin in the tests workflow; write SETUP_RUBY_VERSION to GITHUB_ENV with quoting; export brew bin/sbin to GITHUB_PATH, evaluate brew shellenv, and run brew trust jdx/ruby in the build workflow. Also add --skip-post-install to bottle install/build invocations in cmd/jdx-package.rb.

Changes

CI & packaging updates

| Layer / File(s) | Summary |
|---|---|
| Homebrew action version update (.github/workflows/tests.yml) | The Homebrew/actions/setup-homebrew action reference in the syntax job was changed to a different pinned commit hash. |
| Persist SETUP_RUBY_VERSION to GITHUB_ENV (.github/workflows/build.yml) | SETUP_RUBY_VERSION is now written using a quoted echo "SETUP_RUBY_VERSION=..." >> "$GITHUB_ENV" form. |
| Homebrew PATH, shellenv, and tap trust (.github/workflows/build.yml) | Adds HOMEBREW_NO_SANDBOX: 1 to env; selects brew_prefix by RUNNER_OS, appends ${brew_prefix}/bin and ${brew_prefix}/sbin to GITHUB_PATH, runs eval "$(${brew_prefix}/bin/brew shellenv)", and runs brew trust jdx/ruby after tapping. |
| jdx-package: skip post-install for bottle ops (cmd/jdx-package.rb) | brew install calls used for installing bottled deps and building remaining bottles now include --skip-post-install on Linux via an install_flags array. |

Sequence Diagram(s)

sequenceDiagram
  participant TestsYml as .github/workflows/tests.yml
  participant BuildYml as .github/workflows/build.yml
  participant GITHUB_PATH
  participant brew as brew
  participant Tap as jdx/ruby tap

  TestsYml->>BuildYml: CI workflow steps (syntax vs build)
  BuildYml->>GITHUB_PATH: add ${brew_prefix}/bin and ${brew_prefix}/sbin
  BuildYml->>brew: eval "$(${brew_prefix}/bin/brew shellenv)"
  BuildYml->>Tap: run `brew trust jdx/ruby`
  BuildYml->>brew: run brew install (bottled deps / build bottles) with `--skip-post-install`

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • jdx/ruby#43: Both PRs change cmd/jdx-package.rb’s packaging dependency bottle installation logic.
  • jdx/ruby#40: Also updates the Homebrew action pin in .github/workflows/tests.yml.

Poem

🐰 I hop through YAML lines so spry,
I pin a brew, then quote with sigh,
Paths set, shellenv wakes the brew,
I trust the tap and skip a step or two,
CI hums along — a carrot for you 🥕

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Title check | ⚠️ Warning | The title 'ci: harden portable Ruby native gem builds' describes improvements to CI/build hardening, but the actual changes focus on updating a Homebrew action digest and conditionally skipping post-install steps—not general hardening of native gem builds. | Revise the title to accurately reflect the primary change, such as 'ci: update Homebrew action and skip post-install in Linux builds' or 'chore(deps): update homebrew/actions digest and improve build configuration'. |

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/tests.yml:
- Line 21: Update the pinned GitHub Action ref for
Homebrew/actions/setup-homebrew: verify that the SHA
caddd704cd8c1cbb45f9f3dfbd1f77d1f81e97f0 actually exists in the Homebrew/actions
repo and is reachable from main; if not, replace it with the correct full commit
SHA (or the tag/branch you intend, e.g., main) and ensure the previous reference
2ebcf16 is also a real full SHA if retained; finally, update or remove the
trailing "# main" comment so it accurately reflects whether the pinned SHA is on
the main branch (or remove the comment to avoid misleading callers).
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 840ff9af-6797-4ffa-898a-7afead196aed

📥 Commits

Reviewing files that changed from the base of the PR and between bd3ee62 and 34b3a7f.

📒 Files selected for processing (1)
  • .github/workflows/tests.yml
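
An added example, not part of CodeRabbit's comment or the repository: an offline Ruby check that classifies each `uses:` reference in a workflow as a full 40-character SHA, an abbreviated SHA, or a mutable ref, and carries the trailing comment along for review. The workflow snippet is constructed from the refs quoted in this thread; `classify_ref`, `audit_pins` and `not_fully_pinned` are illustrative names.

```ruby
# Added example. Constructed workflow snippet using the refs quoted in this thread.
SAMPLE_WORKFLOW = <<~'YAML'
  jobs:
    syntax:
      steps:
        - uses: Homebrew/actions/setup-homebrew@caddd704cd8c1cbb45f9f3dfbd1f77d1f81e97f0 # main
        - uses: Homebrew/actions/setup-homebrew@2ebcf16
        - uses: Homebrew/actions/setup-homebrew@main
        - uses: ./.github/actions/local
YAML

# Captures: action path, ref after "@" (optional), trailing "# comment" (optional).
USES = /^\s*(?:-\s*)?uses:\s*["']?([^@\s"']+)(?:@([^\s"'#]+))?["']?\s*(?:#\s*(.*))?$/

def classify_ref(ref)
  return :unpinned  if ref.nil?
  return :full_sha  if ref.match?(/\A\h{40}\z/)
  return :short_sha if ref.match?(/\A\h{7,39}\z/) # looks like an abbreviated SHA
  :mutable_ref                                    # branch or tag name
end

# One record per remote action reference, with its 1-based line number.
def audit_pins(yaml_text)
  yaml_text.each_line.with_index(1).filter_map do |line, no|
    m = USES.match(line) or next
    action, ref, note = m.captures
    next if action.start_with?("./") # local action: nothing to pin
    { line: no, action: action, ref: ref, kind: classify_ref(ref), note: note }
  end
end

# References a reviewer should reject or replace with a full commit SHA.
def not_fully_pinned(yaml_text)
  audit_pins(yaml_text).reject { |r| r[:kind] == :full_sha }
end

audit_pins(SAMPLE_WORKFLOW).each do |r|
  label = r[:note] ? " (comment claims: #{r[:note]})" : ""
  puts "line #{r[:line]}: #{r[:action]}@#{r[:ref]} -> #{r[:kind]}#{label}"
end
```

The check only inspects the text of the workflow file. Whether a SHA exists in Homebrew/actions, and whether the trailing comment is accurate, still has to be confirmed against that repository.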

Comment thread .github/workflows/tests.yml Outdated
renovate Bot force-pushed the renovate/homebrew-actions-digest branch from 34b3a7f to e9fe157 on June 13, 2026 14:13
renovate Bot changed the title from "chore(deps): update homebrew/actions digest to caddd70" to "chore(deps): update homebrew/actions digest to 1141dcc" on Jun 13, 2026

renovate Bot commented Jun 13, 2026

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

jdx changed the title from "chore(deps): update homebrew/actions digest to 1141dcc" to "ci: harden portable Ruby package builds" on Jun 13, 2026
jdx changed the title from "ci: harden portable Ruby package builds" to "ci: harden portable Ruby native gem builds" on Jun 14, 2026
jdx merged commit de90618 into main on Jun 14, 2026
10 checks passed
jdx deleted the renovate/homebrew-actions-digest branch on June 14, 2026 01:56