Migrate from Gemstash to Cloudsmith#20
Draft
pawfectshah wants to merge 2 commits into
Draft
Conversation
Gemstash is being sunset org-wide; Cloudsmith replaces it with
OIDC-minted CI credentials and a single private+public gem source.
Read-path changes:
- Gemfile: source rubygems.org -> dl.cloudsmith.io/basic/gusto/gusto/ruby/
(Cloudsmith proxies rubygems.org for public gems)
- Gemfile.lock: remote URL updated to match (hand-edited; lockfile is
not regenerated locally and will reconcile on first CI run)
- Dockerfile.test:
- add BuildKit syntax directive
- drop the legacy bundler mirror line pointing at gemstash
- mount cloudsmith_api_key as a BuildKit secret and set
BUNDLE_DL__CLOUDSMITH__IO inline on the bundle install RUN
- .buildkite/docker-compose.yml (new): wires the cloudsmith_api_key
secret into the docker build context and forwards CLOUDSMITH_API_KEY
to the runner container
- .buildkite/pipeline.yml:
- rspec + sorbet steps now run via the docker-compose plugin with the
cloudsmith-auth plugin attached (v2.2.0)
- publish step is unchanged (gem still pushes to public rubygems.org;
agents queue: gemstash-publish is preserved verbatim as a label)
Rollback: revert this PR. Gemstash continues to serve while it is
sunset, so reads remain working pre- and post-revert.
…mpose version Inside docker-compose's runner container WORKDIR=/var/www; bare 'test.sh' isn't on PATH so the command lookup failed with 'test.sh: not found' (exit 127). Prefix with './' to invoke as an executable in the cwd. Same for typecheck.sh. Also drop 'version: "3"' from docker-compose.yml — Compose v2 warns the attribute is obsolete.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Gemstash is being sunset org-wide; this PR moves the repo onto Cloudsmith for read-path access to private gems and adopts the canonical
cloudsmith-auth-buildkite-pluginfor CI credential minting.The publish step still pushes to public rubygems.org (
gem push --key rubygems) — that is unaffected by the Gemstash sunset. Theagents queue: gemstash-publishlabel is preserved verbatim per migration convention (it is a queue label, not a coupling to Gemstash; the queue still has the publish-specific network/permissions config).Changes
Gemfile— source URL swapped fromhttps://rubygems.orgtohttps://dl.cloudsmith.io/basic/gusto/gusto/ruby/. Cloudsmith proxies rubygems.org transparently for public gems, so one source covers both private and public deps.Gemfile.lock—remote:URL updated to match the Gemfile. Hand-edited (not regenerated locally); bundler will reconcile on the first CI run.Dockerfile.test—# syntax=docker/dockerfile:1.10.0directive for--mount=type=secretsupport.bundle config --local "mirror.https://rubygems.org" "https://gemstash.zp-int.com"line; not needed once the source is Cloudsmith.bundle installRUN now mounts thecloudsmith_api_keyBuildKit secret and assignsBUNDLE_DL__CLOUDSMITH__IOinline on the same line..buildkite/docker-compose.yml(new) — wires thecloudsmith_api_keysecret into the docker build context (sourced from theCLOUDSMITH_API_KEYenv var minted by the cloudsmith-auth plugin) and forwardsCLOUDSMITH_API_KEYto the runner container..buildkite/pipeline.yml—BUILDKITE_DOCKER/BUILDKITE_DOCKER_FILEenv-based docker driver and onto thedocker-compose#v5.6.0plugin, withcloudsmith-auth-buildkite-plugin#v2.2.0attached for credential minting.gemstash-publishqueue.Validation
pipeline.yml,docker-compose.yml).Gusto/danger-gusto(same agent/queue/topology, also-published gem).Rollback
Revert this PR. Gemstash continues to serve in parallel during the sunset window, so the previous read path is recoverable until Gemstash is fully retired.