From b94cf42a95d3e828d50991dd450898ba31e61210 Mon Sep 17 00:00:00 2001
From: Snehil Kishore
Date: Tue, 21 Apr 2026 20:57:45 +0530
Subject: [PATCH 1/4] fix(ci): update Ruby matrix to 3.3 and 3.4 for v6 gemspec compatibility
---
 .github/workflows/matrix.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/matrix.json b/.github/workflows/matrix.json
index a0c8a97c..e2a69468 100644
--- a/.github/workflows/matrix.json
+++ b/.github/workflows/matrix.json
@@ -1,3 +1,3 @@
 {
- "include": [{ "ruby": "3.1" }, { "ruby": "3.2" }, { "ruby": "3.3" }]
+ "include": [{ "ruby": "3.3" }, { "ruby": "3.4" }]
 }
From defa4b843bf05f9cca904f47c833e48286ebbd7b Mon Sep 17 00:00:00 2001
From: Snehil Kishore
Date: Tue, 21 Apr 2026 21:05:54 +0530
Subject: [PATCH 2/4] fix(ci): remove semgrep.yml, replaced by semgrep cloud scan
---
 .github/workflows/semgrep.yml | 41 -----------------------------------
 1 file changed, 41 deletions(-)
 delete mode 100644 .github/workflows/semgrep.yml
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
deleted file mode 100644
index afb53267..00000000
--- a/.github/workflows/semgrep.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-name: Semgrep
-
-on:
- merge_group:
- pull_request:
- types:
- - opened
- - synchronize
- push:
- branches:
- - master
- - v6
- schedule:
- - cron: '30 0 1,15 * *'
-
-permissions:
- contents: read
-
-concurrency:
- group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
- cancel-in-progress: ${{ github.ref != 'refs/heads/master' && github.ref != 'refs/heads/v6' }}
-
-jobs:
- run:
- name: Check for Vulnerabilities
- runs-on: ubuntu-latest
-
- container:
- image: returntocorp/semgrep
-
- steps:
- - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
- run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
-
- - uses: actions/checkout@v6
- with:
- ref: ${{ github.event.pull_request.head.sha || github.ref }}
-
- - run: semgrep ci
- env:
- SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
From 117fefe0946768598b4eb4001f587c53e04b1137 Mon Sep 17 00:00:00 2001
From: Snehil Kishore
Date: Fri, 24 Apr 2026 13:26:33 +0530
Subject: [PATCH 3/4] fix(ci): pass ruby-version to sca-scan and remove redundant gem install
---
 .github/workflows/sca_scan.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/sca_scan.yml b/.github/workflows/sca_scan.yml
index 0af4ad9b..e4e471b2 100644
--- a/.github/workflows/sca_scan.yml
+++ b/.github/workflows/sca_scan.yml
@@ -8,8 +8,8 @@ jobs:
 snyk-cli:
 uses: auth0/devsecops-tooling/.github/workflows/sca-scan.yml@main
 with:
+ ruby-version: "3.4"
 additional-arguments: "--exclude=README.md,.jfrog"
 pre-scan-commands: |
- gem install bundler
 bundle install
 secrets: inherit
\ No newline at end of file
From 5d5e536129537992cebac29fac71015137725e08 Mon Sep 17 00:00:00 2001
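Review bot: In the [PATCH 3/4] hunk for `.github/workflows/sca_scan.yml`, the context line `uses: auth0/devsecops-tooling/.github/workflows/sca-scan.yml@main` follows a moving branch while `secrets: inherit` passes the calling workflow's secrets to it, so whatever lands on that branch runs with those secrets. Pinning the reference to a full commit SHA, e.g. `uses: auth0/devsecops-tooling/.github/workflows/sca-scan.yml@<full-commit-sha>  # main`, and passing only the secrets the scan needs would narrow that. The added `ruby-version: "3.4"` is also a second copy of a version listed in `.github/workflows/matrix.json`; a comment such as `# keep in sync with .github/workflows/matrix.json` would make drift easier to catch. The same `uses`/`secrets` lines recur as context in the [PATCH 4/4] hunk, and the workflow's triggers and the start of the job lie outside both hunks.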
From: Snehil Kishore
Date: Fri, 24 Apr 2026 13:30:09 +0530
Subject: [PATCH 4/4] fix(ci): exclude examples from SCA scan (no lockfiles)
---
 .github/workflows/sca_scan.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/sca_scan.yml b/.github/workflows/sca_scan.yml
index e4e471b2..d134e1e6 100644
--- a/.github/workflows/sca_scan.yml
+++ b/.github/workflows/sca_scan.yml
@@ -9,7 +9,7 @@ jobs:
 uses: auth0/devsecops-tooling/.github/workflows/sca-scan.yml@main
 with:
 ruby-version: "3.4"
- additional-arguments: "--exclude=README.md,.jfrog"
+ additional-arguments: "--exclude=README.md,.jfrog,examples"
 pre-scan-commands: |
 bundle install
 secrets: inherit
\ No newline at end of file
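Review bot: Adding `examples` to the `--exclude` list on the `additional-arguments` line removes that directory's dependency manifests from the SCA scan, and nothing in the workflow file records why. The commit subject gives the reason (no lockfiles), so a comment above the line such as `# examples/ has no lockfiles, so the scanner cannot resolve it; drop this exclude once lockfiles are committed` would keep the coverage gap visible to the next reader. Committing lockfiles for the examples would let them be scanned rather than skipped, though whether that is practical depends on how the examples are maintained, which this hunk does not show.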