puppetlabs · gavindidrichsen · Mar 10, 2025
@@ -33,6 +33,8 @@ jobs:
       BOLT_GEM: true
       BOLT_DISABLE_ANALYTICS: true
       LANG: en_US.UTF-8
+      PUPPET_FORGE_TOKEN: ${{ secrets.PUPPET_FORGE_TOKEN }}
+      BUNDLE_RUBYGEMS___PUPPETCORE__PUPPET__COM: forge-key:${{ secrets.PUPPET_FORGE_TOKEN }}
     strategy:
       fail-fast: false
       matrix:
@@ -59,10 +61,10 @@ jobs:
         uses: actions/checkout@v4
         with:
           ref: ${{ github.head_ref }}
-      - name: Activate Ruby 2.7
+      - name: Activate Ruby 3.2
         uses: ruby/setup-ruby@v1
         with:
-          ruby-version: '2.7'
+          ruby-version: '3.2'
           bundler-cache: true
       - name: Print bundle environment
         if: ${{ github.repository_owner == 'puppetlabs' }}

@@ -0,0 +1,32 @@
+---
+name: Validate Puppetcore Gem Sources
+on:
+  workflow_dispatch:
+    inputs:
+      ref:
+        description: Branch, tag or SHA to checkout
+        required: true
+        default: main
+jobs:
+  verify-gemfile:
+    runs-on: ubuntu-latest
+    name: Verify Gemfile Dependencies
+    env:
+      PUPPET_FORGE_TOKEN: ${{ secrets.PUPPET_FORGE_TOKEN }}
+      BUNDLE_RUBYGEMS___PUPPETCORE__PUPPET__COM: forge-key:${{ secrets.PUPPET_FORGE_TOKEN }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.inputs.ref }}
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.2'
+          bundler-cache: true
+          cache-version: 0  # Helps manage cache versions explicitly
+          working-directory: .
+      - name: Install dependencies
+        run: bundle install
+      - name: Run Gemfile verification test
+        run: bundle exec rspec spec/support/gemfile_spec.rb --format documentation
@@ -49,18 +49,21 @@ group :release_prep do
   gem "puppetlabs_spec_helper", '~> 6.0', require: false
 end
 
-puppet_version = ENV['PUPPET_GEM_VERSION']
-facter_version = ENV['FACTER_GEM_VERSION']
-hiera_version = ENV['HIERA_GEM_VERSION']
-
 gems = {}
+puppet_version = ENV.fetch('PUPPET_GEM_VERSION', nil)
+facter_version = ENV.fetch('FACTER_GEM_VERSION', nil)
+hiera_version = ENV.fetch('HIERA_GEM_VERSION', nil)
 
-gems['puppet'] = location_for(puppet_version)
-
-# If facter or hiera versions have been specified via the environment
-# variables
+# If PUPPET_FORGE_TOKEN is set then use authenticated source for both puppet and facter, since facter is a transitive dependency of puppet
+# Otherwise, do as before and use location_for to fetch gems from the default source
+if !ENV['PUPPET_FORGE_TOKEN'].to_s.empty?
+  gems['puppet'] = [puppet_version || '~> 8.11', { require: false, source: 'https://rubygems-puppetcore.puppet.com' }]
+  gems['facter'] = [facter_version || '~> 4.0', { require: false, source: 'https://rubygems-puppetcore.puppet.com' }]
+else
+  gems['puppet'] = location_for(puppet_version)
+  gems['facter'] = location_for(facter_version) if facter_version
+end
 
-gems['facter'] = location_for(facter_version) if facter_version
 gems['hiera'] = location_for(hiera_version) if hiera_version
 
 gems.each do |gem_name, gem_params|

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'bundler'
+
+RSpec.describe 'Gemfile.lock verification' do
+  let(:parser) { Bundler::LockfileParser.new(Bundler.read_file(Bundler.default_lockfile)) }
+  let(:private_source) { 'https://rubygems-puppetcore.puppet.com/' }
+  let(:public_source) { 'https://rubygems.org/' }
+  let(:auth_token_present?) { !ENV['PUPPET_FORGE_TOKEN'].nil? }
+
+  # Helper method to get source remotes for a specific gem
+  def get_gem_source_remotes(gem_name)
+    spec = parser.specs.find { |s| s.name == gem_name }
+    return [] unless spec
+
+    source = spec.source
+    return [] unless source.is_a?(Bundler::Source::Rubygems)
+
+    source.remotes.map(&:to_s)
+  end
+
+  context 'when PUPPET_FORGE_TOKEN is present' do
+    before(:each) do
+      skip 'Skipping private source tests - PUPPET_FORGE_TOKEN not present' unless auth_token_present?
+    end
+
+    it 'has puppet under private source' do
+      remotes = get_gem_source_remotes('puppet')
+      expect(remotes).to eq([private_source]),
+                         "Expected puppet to use private source #{private_source}, got: #{remotes.join(', ')}"
+      expect(remotes).not_to eq([public_source]),
+                             "Expected puppet to not use public source #{public_source}, got: #{remotes.join(', ')}"
+    end
+
+    it 'has facter under private source' do
+      remotes = get_gem_source_remotes('facter')
+      expect(remotes).to eq([private_source]),
+                         "Expected facter to use private source #{private_source}, got: #{remotes.join(', ')}"
+      expect(remotes).not_to eq([public_source]),
+                             "Expected facter to not use public source #{public_source}, got: #{remotes.join(', ')}"
+    end
+  end
+
+  context 'when PUPPET_FORGE_TOKEN is not present' do
+    before(:each) do
+      skip 'Skipping public source tests - PUPPET_FORGE_TOKEN is present' if auth_token_present?
+    end
+
+    it 'has puppet under public source' do
+      remotes = get_gem_source_remotes('puppet')
+      expect(remotes).to eq([public_source]),
+                         "Expected puppet to use public source #{public_source}, got: #{remotes.join(', ')}"
+      expect(remotes).not_to eq([private_source]),
+                             "Expected puppet to not use private source #{private_source}, got: #{remotes.join(', ')}"
+    end
+
+    it 'has facter under public source' do
+      remotes = get_gem_source_remotes('facter')
+      expect(remotes).to eq([public_source]),
+                         "Expected facter to use public source #{public_source}, got: #{remotes.join(', ')}"
+      expect(remotes).not_to eq([private_source]),
+                             "Expected facter to not use private source #{private_source}, got: #{remotes.join(', ')}"
+    end
+  end
+end
diff --git a/spec/functions/get_targets_spec.rb b/spec/functions/get_targets_spec.rb
  end

  context 'string arguments' do
    it 'converts a string input to a Target array without count' do
      skip 'Being able to stub the get_targets() function'
      is_expected.to run.with_params('fqdn').and_return(['fqdn'])
    end
    it 'converts a string input to a Target array with count' do
      skip 'Being able to stub the get_targets() function'
      is_expected.to run.with_params('fqdn', 1).and_return(['fqdn'])
    end
  end

  context 'array arguments' do
    it 'converts an array input to a Target array without count' do
      skip 'Being able to stub the get_targets() function'
      is_expected.to run.with_params(['fqdn']).and_return(['fqdn'])
    end
    it 'converts an array input to a Target array with count' do
      skip 'Being able to stub the get_targets() function'
      is_expected.to run.with_params(['fqdn'], 1).and_return(['fqdn'])
    end
diff --git a/spec/functions/file_or_content_spec.rb b/spec/functions/file_or_content_spec.rb
    'some_value_goes_here'
  end

  xit { is_expected.to run.with_params(param_name, file, content).and_return('some_value') }
 end
diff --git a/spec/plans/util/sanitize_pg_pe_conf_spec.rb b/spec/plans/util/sanitize_pg_pe_conf_spec.rb
    JSON.parse File.read(File.expand_path(File.join(fixtures, 'plans', 'pe_conf.json')))
  end

  it 'Runs' do
    allow_any_out_message
    #  1) peadm::util::sanitize_pg_pe_conf  Runs
    # Failure/Error: expect(run_plan('peadm::util::sanitize_pg_pe_conf', 'targets' => 'foo,bar', 'primary_host' => 'pe-server-d8b317-0.us-west1-a.c.davidsand.internal')).to be_ok
	end

	context 'string arguments' do
	it 'converts a string input to a Target array without count' do
Check warning on line 20 in spec/functions/get_targets_spec.rb GitHub Actions / Spec Tests (Puppet: ~> 8.0, Ruby Ver: 3.2) `peadm::get_targets string arguments converts a string input to a Target array without count Skipped: Being able to stub the get_targets() function` Check warning on line 20 in spec/functions/get_targets_spec.rb GitHub Actions / Spec Tests (Puppet: ~> 7.24, Ruby Ver: 2.7) `peadm::get_targets string arguments converts a string input to a Target array without count Skipped: Being able to stub the get_targets() function`
	skip 'Being able to stub the get_targets() function'
	is_expected.to run.with_params('fqdn').and_return(['fqdn'])
	end
	it 'converts a string input to a Target array with count' do
Check warning on line 24 in spec/functions/get_targets_spec.rb GitHub Actions / Spec Tests (Puppet: ~> 8.0, Ruby Ver: 3.2) `peadm::get_targets string arguments converts a string input to a Target array with count Skipped: Being able to stub the get_targets() function` Check warning on line 24 in spec/functions/get_targets_spec.rb GitHub Actions / Spec Tests (Puppet: ~> 7.24, Ruby Ver: 2.7) `peadm::get_targets string arguments converts a string input to a Target array with count Skipped: Being able to stub the get_targets() function`
	skip 'Being able to stub the get_targets() function'
	is_expected.to run.with_params('fqdn', 1).and_return(['fqdn'])
	end
	end

	context 'array arguments' do
	it 'converts an array input to a Target array without count' do
Check warning on line 31 in spec/functions/get_targets_spec.rb GitHub Actions / Spec Tests (Puppet: ~> 8.0, Ruby Ver: 3.2) `peadm::get_targets array arguments converts an array input to a Target array without count Skipped: Being able to stub the get_targets() function` Check warning on line 31 in spec/functions/get_targets_spec.rb GitHub Actions / Spec Tests (Puppet: ~> 7.24, Ruby Ver: 2.7) `peadm::get_targets array arguments converts an array input to a Target array without count Skipped: Being able to stub the get_targets() function`
	skip 'Being able to stub the get_targets() function'
	is_expected.to run.with_params(['fqdn']).and_return(['fqdn'])
	end
	it 'converts an array input to a Target array with count' do
Check warning on line 35 in spec/functions/get_targets_spec.rb GitHub Actions / Spec Tests (Puppet: ~> 8.0, Ruby Ver: 3.2) `peadm::get_targets array arguments converts an array input to a Target array with count Skipped: Being able to stub the get_targets() function` Check warning on line 35 in spec/functions/get_targets_spec.rb GitHub Actions / Spec Tests (Puppet: ~> 7.24, Ruby Ver: 2.7) `peadm::get_targets array arguments converts an array input to a Target array with count Skipped: Being able to stub the get_targets() function`
	skip 'Being able to stub the get_targets() function'
	is_expected.to run.with_params(['fqdn'], 1).and_return(['fqdn'])
	end
	'some_value_goes_here'
	end

	xit { is_expected.to run.with_params(param_name, file, content).and_return('some_value') }
Check warning on line 16 in spec/functions/file_or_content_spec.rb GitHub Actions / Spec Tests (Puppet: ~> 8.0, Ruby Ver: 3.2) `peadm::file_or_content Skipped: Temporarily skipped with xit` Check warning on line 16 in spec/functions/file_or_content_spec.rb GitHub Actions / Spec Tests (Puppet: ~> 7.24, Ruby Ver: 2.7) `peadm::file_or_content Skipped: Temporarily skipped with xit`
	end
	JSON.parse File.read(File.expand_path(File.join(fixtures, 'plans', 'pe_conf.json')))
	end

	it 'Runs' do
Check warning on line 11 in spec/plans/util/sanitize_pg_pe_conf_spec.rb GitHub Actions / Spec Tests (Puppet: ~> 8.0, Ruby Ver: 3.2) peadm::util::sanitize_pg_pe_conf Runs Failure/Error: expect(run_plan('peadm::util::sanitize_pg_pe_conf', 'targets' => 'foo,bar', 'primary_host' => 'pe-server-d8b317-0.us-west1-a.c.davidsand.internal')).to be_ok expected `#<Bolt::PlanResult:0x00007fa808f07f78 @value=#<Bolt::PAL::PALError: no implicit conversion of Hash into String>, @status="failure">.ok?` to be truthy, got false Check warning on line 11 in spec/plans/util/sanitize_pg_pe_conf_spec.rb GitHub Actions / Spec Tests (Puppet: ~> 7.24, Ruby Ver: 2.7) peadm::util::sanitize_pg_pe_conf Runs Failure/Error: expect(run_plan('peadm::util::sanitize_pg_pe_conf', 'targets' => 'foo,bar', 'primary_host' => 'pe-server-d8b317-0.us-west1-a.c.davidsand.internal')).to be_ok expected `#<Bolt::PlanResult:0x000056067f7b6b38 @value=#<Bolt::PAL::PALError: no implicit conversion of Hash into String>, @status="failure">.ok?` to be truthy, got false
	allow_any_out_message
	# 1) peadm::util::sanitize_pg_pe_conf Runs
	# Failure/Error: expect(run_plan('peadm::util::sanitize_pg_pe_conf', 'targets' => 'foo,bar', 'primary_host' => 'pe-server-d8b317-0.us-west1-a.c.davidsand.internal')).to be_ok