feat: unflag Ruby gem support and add e2e bundler tests (#41)

* feat: unflag Ruby gem support and add e2e bundler tests

Remove the `gem` feature flag so Ruby gem support is always compiled in,
matching npm and PyPI which are already default-on. This ensures gem
support ships in every release binary built with `cargo build --release`.

- Remove `gem = []` from both Cargo.toml feature sections
- Remove all `#[cfg(feature = "gem")]` gates from crawler module,
  Ecosystem enum, PURL functions, and ecosystem dispatch
- Rewrite e2e_gem.rs with full bundler lifecycle tests targeting
  activestorage@5.2.0 (CVE-2022-21831) with 3-file hash verification
- Add Ruby 3.2 setup step in CI for e2e_gem suite
- Update READMEs to reflect gem as default, not feature-flagged

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: split clippy into own CI job and fix broken update.rs tests

- Move clippy into a dedicated `clippy` job so it runs independently
  from tests and is separately visible in PR checks
- Remove `components: clippy` from the test job (no longer needed)
- Fix 2 pre-existing test failures in package_json::update::tests:
  assertions checked for "socket patch apply" (space) but the
  SOCKET_PATCH_COMMAND writes "socket-patch apply" (hyphen)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: pin ruby/setup-ruby action to full commit SHA

GitHub org policy requires all actions to be pinned to full-length
commit SHAs. Pin ruby/setup-ruby@v1 to its current SHA.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use dynamic hash verification in gem e2e tests

Instead of hardcoded before/after hashes (which were incorrect
placeholders), read expected hashes from the manifest after `get`
and record original hashes dynamically after install. This matches
the pattern used by the pypi e2e tests.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: mikolalysenko

.github/workflows/ci.yml

@@ -9,6 +9,31 @@ permissions:
   contents: read
 
 jobs:
+  clippy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9 # stable
+        with:
+          toolchain: stable
+          components: clippy
+
+      - name: Cache cargo
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            target
+          key: ubuntu-latest-cargo-clippy-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: ubuntu-latest-cargo-clippy-
+
+      - name: Run clippy
+        run: cargo clippy --workspace --all-features -- -D warnings
+
   test:
     strategy:
       matrix:
@@ -22,7 +47,6 @@ jobs:
         uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9 # stable
         with:
           toolchain: stable
-          components: clippy
 
       - name: Cache cargo
         uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
@@ -34,9 +58,6 @@ jobs:
           key: ${{ matrix.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
           restore-keys: ${{ matrix.os }}-cargo-
 
-      - name: Run clippy
-        run: cargo clippy --workspace --all-features -- -D warnings
-
       - name: Run tests
         run: cargo test --workspace --all-features
 
@@ -120,5 +141,12 @@ jobs:
         with:
           python-version: "3.12"
 
+      - name: Setup Ruby
+        if: matrix.suite == 'e2e_gem'
+        uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1
+        with:
+          ruby-version: '3.2'
+          bundler-cache: false
+
       - name: Run e2e tests
         run: cargo test -p socket-patch-cli --all-features --test ${{ matrix.suite }} -- --ignored

Cargo.lock

@@ -66,7 +66,7 @@ cargo install socket-patch-cli
 By default this builds with npm and PyPI support. For additional ecosystems:
 
 ```bash
-cargo install socket-patch-cli --features cargo,golang,maven,gem,composer,nuget
+cargo install socket-patch-cli --features cargo,golang,maven,composer,nuget
 ```
 
 ## Quick Start

README.md

@@ -26,7 +26,6 @@ tempfile = { workspace = true }
 [features]
 default = []
 cargo = ["socket-patch-core/cargo"]
-gem = ["socket-patch-core/gem"]
 golang = ["socket-patch-core/golang"]
 maven = ["socket-patch-core/maven"]
 composer = ["socket-patch-core/composer"]

crates/socket-patch-cli/Cargo.toml

@@ -7,7 +7,6 @@ use std::path::PathBuf;
 
 #[cfg(feature = "cargo")]
 use socket_patch_core::crawlers::CargoCrawler;
-#[cfg(feature = "gem")]
 use socket_patch_core::crawlers::RubyCrawler;
 #[cfg(feature = "golang")]
 use socket_patch_core::crawlers::GoCrawler;
@@ -141,7 +140,6 @@ pub async fn find_packages_for_purls(
     }
 
     // gem
-    #[cfg(feature = "gem")]
     if let Some(gem_purls) = partitioned.get(&Ecosystem::Gem) {
         if !gem_purls.is_empty() {
             let ruby_crawler = RubyCrawler;
@@ -323,7 +321,6 @@ pub async fn crawl_all_ecosystems(
         all_packages.extend(cargo_packages);
     }
 
-    #[cfg(feature = "gem")]
     {
         let ruby_crawler = RubyCrawler;
         let gem_packages = ruby_crawler.crawl_all(options).await;
@@ -468,7 +465,6 @@ pub async fn find_packages_for_rollback(
     }
 
     // gem
-    #[cfg(feature = "gem")]
     if let Some(gem_purls) = partitioned.get(&Ecosystem::Gem) {
         if !gem_purls.is_empty() {
             let ruby_crawler = RubyCrawler;