turkdevops · pull · Mar 30, 2026 · Mar 19, 2026 · Mar 19, 2026 · Mar 19, 2026
diff --git a/.github/actions/compilers/action.yml b/.github/actions/compilers/action.yml
@@ -152,3 +152,13 @@ runs:
         GITHUB_PR_HEAD_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
         GITHUB_PULL_REQUEST_URL: ${{ github.event.pull_request.html_url }}
         GITHUB_REF: ${{ github.ref }}
+
+    # Clean up non-default docker images to save disk space.
+    # The default image (clang-20) is reused across multiple steps
+    # within the same job, so we keep it to avoid redundant pulls.
+    - name: clean up docker image
+      shell: bash
+      run: docker rmi "ghcr.io/ruby/ruby-ci-image:${INPUT_TAG}" || true
+      if: ${{ always() && inputs.tag != 'clang-20' }}
+      env:
+        INPUT_TAG: ${{ inputs.tag }}
diff --git a/.github/workflows/annocheck.yml b/.github/workflows/annocheck.yml
@@ -73,7 +73,7 @@ jobs:
           builddir: build
           makeup: true
 
-      - uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1.295.0
+      - uses: ruby/setup-ruby@3ff19f5e2baf30647122352b96108b1fbe250c64 # v1.299.0
         with:
           ruby-version: '3.1'
           bundler: none

diff --git a/.github/workflows/auto_review_pr.yml b/.github/workflows/auto_review_pr.yml
@@ -29,7 +29,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1.295.0
+      - uses: ruby/setup-ruby@3ff19f5e2baf30647122352b96108b1fbe250c64 # v1.299.0
         with:
           ruby-version: '3.4'
           bundler: none

diff --git a/.github/workflows/baseruby.yml b/.github/workflows/baseruby.yml
@@ -48,7 +48,7 @@ jobs:
           - ruby-3.3
 
     steps:
-      - uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1.295.0
+      - uses: ruby/setup-ruby@3ff19f5e2baf30647122352b96108b1fbe250c64 # v1.299.0
         with:
           ruby-version: ${{ matrix.ruby }}
           bundler: none

diff --git a/.github/workflows/bundled_gems.yml b/.github/workflows/bundled_gems.yml
@@ -38,7 +38,7 @@ jobs:
         with:
           token: ${{ (github.repository == 'ruby/ruby' && !startsWith(github.event_name, 'pull')) && secrets.MATZBOT_AUTO_UPDATE_TOKEN || secrets.GITHUB_TOKEN }}
 
-      - uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1.295.0
+      - uses: ruby/setup-ruby@3ff19f5e2baf30647122352b96108b1fbe250c64 # v1.299.0
         with:
           ruby-version: 4.0
 

diff --git a/.github/workflows/check_dependencies.yml b/.github/workflows/check_dependencies.yml
@@ -42,7 +42,7 @@ jobs:
 
       - uses: ./.github/actions/setup/directories
 
-      - uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1.295.0
+      - uses: ruby/setup-ruby@3ff19f5e2baf30647122352b96108b1fbe250c64 # v1.299.0
         with:
           ruby-version: '3.1'
           bundler: none

diff --git a/.github/workflows/check_misc.yml b/.github/workflows/check_misc.yml
@@ -23,7 +23,7 @@ jobs:
           token: ${{ (github.repository == 'ruby/ruby' && !startsWith(github.event_name, 'pull')) && secrets.MATZBOT_AUTO_UPDATE_TOKEN || secrets.GITHUB_TOKEN }}
           persist-credentials: false
 
-      - uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1.295.0
+      - uses: ruby/setup-ruby@3ff19f5e2baf30647122352b96108b1fbe250c64 # v1.299.0
         with:
           ruby-version: head
 

diff --git a/.github/workflows/check_sast.yml b/.github/workflows/check_sast.yml
@@ -78,13 +78,13 @@ jobs:
           persist-credentials: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
+        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
         with:
           languages: ${{ matrix.language }}
           build-mode: none
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
+        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
         with:
           category: '/language:${{ matrix.language }}'
           upload: False
@@ -125,7 +125,7 @@ jobs:
         continue-on-error: true
 
       - name: Upload SARIF
-        uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
+        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
         with:
           sarif_file: sarif-results/${{ matrix.language }}.sarif
         continue-on-error: true
diff --git a/.github/workflows/compilers.yml b/.github/workflows/compilers.yml
@@ -49,7 +49,7 @@ jobs:
     needs: compile-if
     if: ${{ needs.compile-if.result == 'success' }}
     timeout-minutes: 60
-    services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } }
+
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false }
@@ -72,7 +72,7 @@ jobs:
     needs: compile-if
     if: ${{ needs.compile-if.result == 'success' }}
     timeout-minutes: 60
-    services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } }
+
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false }
@@ -102,7 +102,7 @@ jobs:
     needs: compile-if
     if: ${{ needs.compile-if.result == 'success' }}
     timeout-minutes: 60
-    services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } }
+
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false }
@@ -124,7 +124,7 @@ jobs:
     needs: compile-if
     if: ${{ needs.compile-if.result == 'success' }}
     timeout-minutes: 60
-    services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } }
+
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false }
@@ -145,7 +145,7 @@ jobs:
     needs: compile-if
     if: ${{ needs.compile-if.result == 'success' }}
     timeout-minutes: 60
-    services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } }
+
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false }
@@ -171,7 +171,7 @@ jobs:
     needs: compile-if
     if: ${{ needs.compile-if.result == 'success' }}
     timeout-minutes: 60
-    services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } }
+
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false }
@@ -191,7 +191,7 @@ jobs:
     needs: compile-if
     if: ${{ needs.compile-if.result == 'success' }}
     timeout-minutes: 60
-    services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } }
+
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false }
@@ -213,7 +213,7 @@ jobs:
     needs: compile-if
     if: ${{ needs.compile-if.result == 'success' }}
     timeout-minutes: 60
-    services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } }
+
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false }
@@ -232,7 +232,7 @@ jobs:
     needs: compile-if
     if: ${{ needs.compile-if.result == 'success' }}
     timeout-minutes: 60
-    services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } }
+
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false }
@@ -252,7 +252,7 @@ jobs:
     needs: compile-if
     if: ${{ needs.compile-if.result == 'success' }}
     timeout-minutes: 60
-    services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } }
+
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false }
@@ -270,7 +270,7 @@ jobs:
     needs: compile-if
     if: ${{ needs.compile-if.result == 'success' }}
     timeout-minutes: 60
-    services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } }
+
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false }
@@ -289,7 +289,7 @@ jobs:
     needs: compile-if
     if: ${{ needs.compile-if.result == 'success' }}
     timeout-minutes: 60
-    services: { docuum: { image: 'stephanmisc/docuum', options: '--init', volumes: [ '/root', '/var/run/docker.sock:/var/run/docker.sock' ] } }
+
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with: { sparse-checkout-cone-mode: false, sparse-checkout: /.github, persist-credentials: false }

diff --git a/.github/workflows/crosscompile.yml b/.github/workflows/crosscompile.yml
@@ -0,0 +1,131 @@
+name: Cross compile
+on:
+  push:
+    paths-ignore:
+      - 'doc/**'
+      - '**/man/*'
+      - '**.md'
+      - '**.rdoc'
+      - '**/.document'
+      - '.*.yml'
+  pull_request:
+    # Do not use paths-ignore for required status checks
+    # https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/collaborating-on-repositories-with-code-quality-features/troubleshooting-required-status-checks
+  merge_group:
+
+concurrency:
+  group: ${{ github.workflow }} / ${{ startsWith(github.event_name, 'pull') && github.ref_name || github.sha }}
+  cancel-in-progress: ${{ startsWith(github.event_name, 'pull') }}
+
+permissions:
+  contents: read
+
+jobs:
+  make:
+    name: make (${{ matrix.host }} host on ${{ matrix.build }})
+    strategy:
+      matrix:
+        include:
+          - host: aarch64-linux-gnu
+            arch: arm64
+            build: x86_64-linux-gnu
+            runs-on: ubuntu-24.04
+            file_arch: ARM aarch64
+          - host: x86_64-linux-gnu
+            arch: amd64
+            build: aarch64-linux-gnu
+            runs-on: ubuntu-24.04-arm
+            file_arch: x86-64
+      fail-fast: false
+
+    env:
+      GITPULLOPTIONS: --no-tags origin ${{ github.ref }}
+
+    runs-on: ${{ matrix.runs-on }}
+
+    if: >-
+      ${{!(false
+      || contains(github.event.head_commit.message, '[DOC]')
+      || contains(github.event.pull_request.title, '[DOC]')
+      || contains(github.event.pull_request.labels.*.name, 'Documentation')
+      || (github.event.pull_request.user.login == 'dependabot[bot]')
+      )}}
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          sparse-checkout-cone-mode: false
+          sparse-checkout: /.github
+          persist-credentials: false
+
+      - uses: ./.github/actions/setup/directories
+        with:
+          srcdir: src
+          builddir: build
+          makeup: true
+
+      - name: Install cross-compilation toolchain
+        run: |
+          sudo dpkg --add-architecture ${{ matrix.arch }}
+          native_arch=$(dpkg --print-architecture)
+          # Restrict existing sources to native arch
+          sudo sed -i '/^Architectures:/d' /etc/apt/sources.list.d/ubuntu.sources
+          sudo sed -i "/^Types:/a Architectures: ${native_arch}" /etc/apt/sources.list.d/ubuntu.sources
+          # Add cross-arch sources
+          if [ "${{ matrix.arch }}" = "arm64" ]; then
+            cross_uri="http://ports.ubuntu.com/"
+          else
+            cross_uri="http://archive.ubuntu.com/ubuntu/"
+          fi
+          printf '%s\n' \
+            "Types: deb" \
+            "URIs: ${cross_uri}" \
+            "Suites: noble noble-updates noble-security" \
+            "Components: main universe" \
+            "Architectures: ${{ matrix.arch }}" \
+            | sudo tee /etc/apt/sources.list.d/cross-${{ matrix.arch }}.sources
+          sudo apt-get update -qq
+          sudo apt-get install --no-install-recommends -qq -y \
+            crossbuild-essential-${{ matrix.arch }} \
+            libssl-dev:${{ matrix.arch }} \
+            libyaml-dev:${{ matrix.arch }} \
+            zlib1g-dev:${{ matrix.arch }} \
+            libffi-dev:${{ matrix.arch }} \
+            libreadline-dev:${{ matrix.arch }} \
+            libncurses-dev:${{ matrix.arch }} \
+            autoconf ruby
+
+      - name: Build baseruby
+        run: |
+          mkdir ../baseruby
+          cd ../baseruby
+          ../src/configure --prefix=$PWD/install --disable-install-doc
+          make
+          make install
+
+      - name: Run configure
+        run: >-
+          ../src/configure -C --disable-install-doc
+          --prefix=/usr
+          --build=${{ matrix.build }}
+          --host=${{ matrix.host }}
+          --with-baseruby=$PWD/../baseruby/install/bin/ruby
+
+      - run: make
+
+      - run: make install DESTDIR=$PWD/install
+
+      - name: Verify cross-compiled binary
+        run: |
+          file install/usr/bin/ruby
+          file install/usr/bin/ruby | grep -q '${{ matrix.file_arch }}'
+
+      - uses: ./.github/actions/slack
+        with:
+          label: cross ${{ matrix.host }}
+          SLACK_WEBHOOK_URL: ${{ secrets.SIMPLER_ALERTS_URL }} # ruby-lang slack: ruby/simpler-alerts-bot
+        if: ${{ failure() }}
+
+defaults:
+  run:
+    working-directory: build
diff --git a/.github/workflows/dependabot_automerge.yml b/.github/workflows/dependabot_automerge.yml
@@ -13,11 +13,11 @@ jobs:
     if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'ruby/ruby'
     steps:
       - name: Dependabot metadata
-        uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0
+        uses: dependabot/fetch-metadata@ffa630c65fa7e0ecfa0625b5ceda64399aea1b36 # v3.0.0
         id: metadata
 
       - name: Wait for status checks
-        uses: lewagon/wait-on-check-action@74049309dfeff245fe8009a0137eacf28136cb3c # v1.5.0
+        uses: lewagon/wait-on-check-action@a08fbe2b86f9336198f33be6ad9c16b96f92799c # v1.6.0
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           ref: ${{ github.event.pull_request.head.sha || github.sha }}

diff --git a/.github/workflows/modgc.yml b/.github/workflows/modgc.yml
@@ -62,7 +62,7 @@ jobs:
         uses: ./.github/actions/setup/ubuntu
         if: ${{ contains(matrix.os, 'ubuntu') }}
 
-      - uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1.295.0
+      - uses: ruby/setup-ruby@3ff19f5e2baf30647122352b96108b1fbe250c64 # v1.299.0
         with:
           ruby-version: '3.1'
           bundler: none

diff --git a/.github/workflows/parse_y.yml b/.github/workflows/parse_y.yml
@@ -59,7 +59,7 @@ jobs:
 
       - uses: ./.github/actions/setup/ubuntu
 
-      - uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1.295.0
+      - uses: ruby/setup-ruby@3ff19f5e2baf30647122352b96108b1fbe250c64 # v1.299.0
         with:
           ruby-version: '3.1'
           bundler: none

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -19,7 +19,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1.295.0
+      - uses: ruby/setup-ruby@3ff19f5e2baf30647122352b96108b1fbe250c64 # v1.299.0
         with:
           ruby-version: 3.3.4
 

diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -73,6 +73,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
+        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/spec_guards.yml b/.github/workflows/spec_guards.yml
@@ -49,7 +49,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1.295.0
+      - uses: ruby/setup-ruby@3ff19f5e2baf30647122352b96108b1fbe250c64 # v1.299.0
         with:
           ruby-version: ${{ matrix.ruby }}
           bundler: none

diff --git a/.github/workflows/sync_default_gems.yml b/.github/workflows/sync_default_gems.yml
@@ -36,7 +36,7 @@ jobs:
         with:
           token: ${{ github.repository == 'ruby/ruby' && secrets.MATZBOT_AUTO_UPDATE_TOKEN || secrets.GITHUB_TOKEN }}
 
-      - uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1.295.0
+      - uses: ruby/setup-ruby@3ff19f5e2baf30647122352b96108b1fbe250c64 # v1.299.0
         with:
           ruby-version: '3.4'
           bundler: none