Merge pull request #9327 from ruby/copilot/sub-pr-9325

hsbt · web-flow · commit 9f87b0f62936 · 2026-02-10T19:29:26.000+09:00
Use Tempfile for auto-attestation bundles to avoid file conflicts and cleanup issues
diff --git a/lib/rubygems/commands/push_command.rb b/lib/rubygems/commands/push_command.rb
@@ -121,7 +121,12 @@ def send_push_request_with_attestation(name, args)
         Gem.read_binary(attestation)
       end
     else
-      [Gem.read_binary(attest!(name))]
+      bundle_path = attest!(name)
+      begin
+        [Gem.read_binary(bundle_path)]
+      ensure
+        File.unlink(bundle_path) if bundle_path && File.exist?(bundle_path)
+      end
     end
     bundles = "[" + attestations.join(",") + "]"
 
@@ -136,8 +141,14 @@ def send_push_request_with_attestation(name, args)
 
   def attest!(name)
     require "open3"
+    require "tempfile"
+
+    # Create a temporary file for the bundle
+    basename = File.basename(name, ".*")
+    tempfile = Tempfile.new([basename, ".sigstore.json"])
+    bundle = tempfile.path
+    tempfile.close(false) # Close but don't unlink - we need the file for sigstore-cli
 
-    bundle = "#{name}.sigstore.json"
     env = defined?(Bundler.unbundled_env) ? Bundler.unbundled_env : ENV.to_h
     out, st = Open3.capture2e(
       env,
diff --git a/test/rubygems/test_gem_commands_push_command.rb b/test/rubygems/test_gem_commands_push_command.rb
@@ -123,7 +123,8 @@ def test_execute_attestation_auto
     @fetcher.data["#{Gem.host}/api/v1/gems"] = HTTPResponseFactory.create(body: @response, code: 200, msg: "OK")
 
     attestation_path = "#{@path}.sigstore.json"
-    File.write(attestation_path, "auto-attestation")
+    attestation_content = "auto-attestation"
+    File.write(attestation_path, attestation_content)
     @cmd.options[:args] = [@path]
 
     @cmd.stub(:attest!, attestation_path) do
@@ -133,7 +134,7 @@ def test_execute_attestation_auto
     assert_equal Gem::Net::HTTP::Post, @fetcher.last_request.class
     content_length = @fetcher.last_request["Content-Length"].to_i
     assert_equal content_length, @fetcher.last_request.body.length
-    assert_attestation_multipart Gem.read_binary(attestation_path)
+    assert_attestation_multipart attestation_content
   end
 
   def test_execute_attestation_fallback
