ci: add manual gem yank workflow #129

Merged: cb-alish merged 2 commits into master from ci/gem-yank-workflow on Jul 2, 2026

Conversation

cb-alish (Collaborator) commented Jul 2, 2026

Adds a workflow_dispatch workflow to yank (or un-yank) a published chargebee version from RubyGems, reusing the GEM_HOST_API_KEY secret. Requires re-typing the version to confirm to avoid accidental yanks.

Added a manual GitHub Actions workflow to yank or un-yank a published chargebee gem version from RubyGems. It validates the requested version, requires re-entering the version as confirmation, sets up Ruby, and uses GEM_HOST_API_KEY to run the appropriate gem yank command.

Co-authored-by: Cursor <cursoragent@cursor.com>
snyk-io (Bot) commented Jul 2, 2026

Snyk checks have passed. No issues have been found so far.

Scan Engine            Critical  High  Medium  Low  Total
Open Source Security   0         0     0       0    0 issues
Licenses               0         0     0       0    0 issues
Code Security          0         0     0       0    0 issues


coderabbitai (Bot) commented Jul 2, 2026


Walkthrough

Adds a new GitHub Actions workflow (yank.yml) triggered manually via workflow_dispatch. It accepts version, confirm, and undo inputs, validates them, sets up Ruby 3.0, and executes gem yank chargebee (or with --undo) using a stored API key secret.

Changes

Yank Workflow

Layer (File) and summary:
  • Dispatch inputs and validation (.github/workflows/yank.yml): Defines workflow_dispatch inputs (version, confirm, undo), job-level environment variables, and a validation step aborting on mismatch or invalid version format.
  • Ruby setup and gem yank execution (.github/workflows/yank.yml): Sets up Ruby 3.0 and runs gem yank chargebee -v "$VERSION", optionally with --undo, authenticated via GEM_HOST_API_KEY.

Estimated code review effort: 2 (Simple) | ~10 minutes

Sequence Diagram(s)

sequenceDiagram
  participant User
  participant GitHubActions
  participant RubyGems

  User->>GitHubActions: Trigger workflow_dispatch (version, confirm, undo)
  GitHubActions->>GitHubActions: Validate version == confirm and format
  GitHubActions->>GitHubActions: Setup Ruby 3.0
  GitHubActions->>RubyGems: gem yank chargebee -v VERSION [--undo]
  RubyGems-->>GitHubActions: Yank/un-yank result

Related issues: None referenced.

Related PRs: None referenced.

Suggested labels: ci, workflow

Suggested reviewers: None specified.

Poem: 🐇 A rabbit taps the gem release,
"Yank or undo, if you please!"
Ruby set, the version checked,
Confirm and version must connect.
With one click, the gem's set free (or not) — release!



cb-alish merged commit 58f0744 into master Jul 2, 2026
9 of 10 checks passed
cb-alish deleted the ci/gem-yank-workflow branch July 2, 2026 04:56

coderabbitai (Bot) left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/workflows/yank.yml (2)

22-29: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

No permissions: block set.

This workflow doesn't need repo write access (no checkout, no git push), yet it inherits the default (often broad) GITHUB_TOKEN permissions. Restrict to least privilege.

🔒 Suggested fix
 jobs:
   yank:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     env:
       VERSION: ${{ inputs.version }}
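Review bot: a job-level `permissions:` block as in this hunk replaces the default token grants entirely, so the yank job ends up with `contents: read` and nothing else, and it no longer inherits a repository-wide write-all default. Since the comment itself notes there is no checkout and no git push, the job does not even need `contents: read`; `permissions: {}` would grant the GITHUB_TOKEN no scopes at all, which is the tightest option for a job whose only external call is to RubyGems with a separate secret.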

5-20: 🧹 Nitpick | 🔵 Trivial

Consider an environment protection gate for approval before yanking.

Yanking permanently deletes the gem file from RubyGems.org's CDN and index — a largely irreversible, high-impact action. The confirm-retype only guards against typos, not against an unintended or unauthorized dispatch. Gating this job behind a GitHub environment: with required reviewers would add a real approval checkpoint before execution.


Commits: reviewing files that changed from the base of the PR and between dec82e4 and 1e21be6.

Files selected for processing (1):
  • .github/workflows/yank.yml

Comment on lines +16 to +20 of .github/workflows/yank.yml:

      undo:
        description: "Un-yank instead (re-list a previously yanked version)"
        required: false
        type: boolean
        default: false


🎯 Functional Correctness | 🔴 Critical | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

sed -n '1,220p' .github/workflows/yank.yml

Repository: chargebee/chargebee-ruby


🌐 Web query:

RubyGems yank undo support gem yank --undo rubygems.org documentation

💡 Result:

The --undo option for the gem yank command is no longer supported in RubyGems [1]. While earlier versions of RubyGems included an --undo flag to facilitate "unyanking" a gem, this functionality was removed around 2015 [1]. Consequently, modern versions of the RubyGems CLI do not recognize the --undo argument and will return an error if it is used [1]. There is no official "undo" mechanism for yanking a gem via the command-line interface [2][3]. If a gem version has been yanked, it is typically necessary to push a new version of the gem to the server to make it available again [3].


Remove the undo path; gem yank --undo is unsupported by RubyGems.org.
This workflow exposes an option that modern RubyGems rejects, so the “un-yank” branch will fail in practice. Remove the input/branch or replace it with a manual support flow.

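To tie the three review findings together (least-privilege token scopes, an approval gate before the destructive step, and no un-yank path), here is an added example of what such a workflow can look like. It is not the project's yank.yml; the environment name `rubygems-yank`, the step names and the version regex are assumptions.

```yaml
name: Yank gem version

on:
  workflow_dispatch:
    inputs:
      version:
        description: "chargebee gem version to yank"
        required: true
        type: string
      confirm:
        description: "Re-type the version to confirm"
        required: true
        type: string

jobs:
  yank:
    runs-on: ubuntu-latest
    # No step reads or writes the repository, so grant the job no GITHUB_TOKEN scopes at all.
    permissions: {}
    # Assumed environment configured with required reviewers: the job waits for approval before any step runs.
    environment: rubygems-yank
    # Inputs reach the shell only through env, never via ${{ }} inside run:, so a crafted input cannot inject commands.
    env:
      VERSION: ${{ inputs.version }}
      CONFIRM: ${{ inputs.confirm }}
    steps:
      - name: Validate inputs
        run: |
          set -euo pipefail
          if [ "$VERSION" != "$CONFIRM" ]; then
            echo "::error::version and confirm do not match"
            exit 1
          fi
          # Assumed pattern: MAJOR.MINOR.PATCH plus an optional pre-release suffix.
          if ! printf '%s' "$VERSION" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+([.-][A-Za-z0-9.]+)?$'; then
            echo "::error::'$VERSION' is not a valid gem version"
            exit 1
          fi
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: "3.0"
      - name: Yank from RubyGems
        env:
          GEM_HOST_API_KEY: ${{ secrets.GEM_HOST_API_KEY }}
        # Only the forward yank: gem yank --undo is no longer accepted by RubyGems.
        run: gem yank chargebee -v "$VERSION"
```

Required reviewers are configured on the environment in repository settings; without that configuration, `environment:` alone adds no approval step.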
