Add native gem precompilation support

Package precompiled native gems for Ruby 3.3, 3.4, and 4.0 across 10
platforms: aarch64-linux-gnu, aarch64-linux-musl, aarch64-mingw-ucrt,
arm-linux-gnu, arm-linux-musl, arm64-darwin, x64-mingw-ucrt,
x86_64-darwin, x86_64-linux-gnu, and x86_64-linux-musl.

- Add Ruby-version-aware extension loader in lib/prism.rb with GLIBC
  error message for musl/glibc mismatches
- Add cross-compilation support to Rakefile using rake-compiler-dock
- Add a reusable `build-gems.yml` workflow called by both the CI
  workflow (`native-gem-precompilation.yml`) and the publish workflow,
  building source and native gems across all platforms and Ruby versions
- Add bin/ scripts for building, installing, testing, and verifying gems

Update `publish-gem.yml` to handle multi-gem publishing:
`rubygems/release-gem` only supports a single gem, so this uses
`rubygems/configure-rubygems-credentials` and loops `gem push` over
each built `.gem`. Add a `workflow_dispatch` trigger alongside the
existing tag-push trigger, and create/update a GitHub release for the
tag with all gems plus a `CHECKSUMS.txt` manifest.

Pin all GitHub Actions to commit SHAs and apply zizmor-style hardening
across the new and modified workflows.

Author: flavorjones

.github/workflows/build-gems.yml

@@ -0,0 +1,101 @@
+name: Build gems
+on:
+  workflow_call:
+    inputs:
+      release:
+        description: "Pass --release to bin/test-gem-build (skip timestamp version)"
+        type: boolean
+        default: false
+      artifact_prefix:
+        description: "Prefix for artifact names (e.g., 'release-v1.10.0-')"
+        type: string
+        default: ""
+      ref:
+        description: "Git ref to check out (e.g., a version tag). Defaults to the caller's ref."
+        type: string
+        default: ""
+
+permissions:
+  contents: read
+
+jobs:
+  native_setup:
+    name: "Setup"
+    runs-on: ubuntu-latest
+    outputs:
+      rcd_image_version: ${{ steps.rcd_image_version.outputs.rcd_image_version }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ inputs.ref || github.ref }}
+          persist-credentials: false
+      - uses: ruby/setup-ruby@c4e5b1316158f92e3d49443a9d58b31d25ac0f8f # v1.306.0
+        with:
+          ruby-version: "3.4"
+          bundler-cache: true
+      - id: rcd_image_version
+        run: bundle exec ruby -e 'require "rake_compiler_dock"; puts "rcd_image_version=#{RakeCompilerDock::IMAGE_VERSION}"' >> "$GITHUB_OUTPUT"
+
+  build_source_gem:
+    name: "build source"
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ inputs.ref || github.ref }}
+          persist-credentials: false
+      - uses: ruby/setup-ruby@c4e5b1316158f92e3d49443a9d58b31d25ac0f8f # v1.306.0
+        with:
+          ruby-version: "3.4"
+          bundler-cache: true
+      - run: |
+          # shellcheck disable=SC2086 # RELEASE_FLAG intentionally word-splits (empty or "--release")
+          ./bin/test-gem-build ${RELEASE_FLAG} gems ruby
+        env:
+          RELEASE_FLAG: ${{ inputs.release && '--release' || '' }}
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: "${{ inputs.artifact_prefix }}source-gem"
+          path: gems
+          retention-days: 1
+
+  build_native_gem:
+    needs: native_setup
+    name: "build native ${{ matrix.platform }}"
+    strategy:
+      # CI runs want to surface every platform's failure (fail-fast: false);
+      # release runs should stop on first failure to avoid pushing a partial
+      # set of gems.
+      fail-fast: ${{ inputs.release }}
+      matrix:
+        platform:
+          - aarch64-linux-gnu
+          - aarch64-linux-musl
+          - aarch64-mingw-ucrt
+          - arm-linux-gnu
+          - arm-linux-musl
+          - arm64-darwin
+          - x64-mingw-ucrt
+          - x86_64-darwin
+          - x86_64-linux-gnu
+          - x86_64-linux-musl
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ inputs.ref || github.ref }}
+          persist-credentials: false
+      - run: |
+          # shellcheck disable=SC2086 # RELEASE_FLAG intentionally word-splits (empty or "--release")
+          docker run --rm -v "$PWD:/work" -w /work \
+            "ghcr.io/rake-compiler/rake-compiler-dock-image:${RCD_IMAGE_VERSION}-mri-${PLATFORM}" \
+            ./bin/test-gem-build ${RELEASE_FLAG} gems "${PLATFORM}"
+        env:
+          RCD_IMAGE_VERSION: ${{ needs.native_setup.outputs.rcd_image_version }}
+          RELEASE_FLAG: ${{ inputs.release && '--release' || '' }}
+          PLATFORM: ${{ matrix.platform }}
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: "${{ inputs.artifact_prefix }}cruby-${{ matrix.platform }}-gem"
+          path: gems
+          retention-days: 1

.github/workflows/native-gem-precompilation.yml

@@ -0,0 +1,165 @@
+name: Native gem precompilation
+concurrency:
+  group: "${{ github.workflow }}-${{ github.ref }}"
+  cancel-in-progress: true
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - v*
+  pull_request:
+    paths:
+      - Rakefile
+      - Gemfile
+      - Gemfile.lock
+      - prism.gemspec
+      - ext/prism/**
+      - lib/prism.rb
+      - bin/test-gem-*
+      - bin/build-gems
+      - .github/workflows/build-gems.yml
+      - .github/workflows/native-gem-precompilation.yml
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    uses: ./.github/workflows/build-gems.yml
+
+  install_source_gem:
+    needs: build
+    name: "test source ${{ matrix.os }} ${{ matrix.ruby }}"
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu, macos, windows]
+        ruby: ["3.3", "3.4", "4.0"]
+    runs-on: ${{ matrix.os }}-latest
+    steps:
+      - if: matrix.os == 'windows'
+        name: configure git crlf
+        run: |
+          git config --system core.autocrlf false
+          git config --system core.eol lf
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: ruby/setup-ruby@c4e5b1316158f92e3d49443a9d58b31d25ac0f8f # v1.306.0
+        with:
+          ruby-version: ${{ matrix.ruby }}
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: source-gem
+          path: gems
+      - run: ./bin/test-gem-install gems
+        shell: sh
+
+  test_linux_native:
+    name: "${{ matrix.platform }} ${{ matrix.ruby }}"
+    needs: build
+    strategy:
+      fail-fast: false
+      matrix:
+        platform:
+          - aarch64-linux-gnu
+          - aarch64-linux-musl
+          - arm-linux-gnu
+          - arm-linux-musl
+          - x86_64-linux-gnu
+          - x86_64-linux-musl
+        ruby: ["3.3", "3.4", "4.0"]
+        include:
+          # musl platforms need alpine image and build-base
+          - { platform: aarch64-linux-musl, docker_tag: "-alpine", bootstrap: "apk add build-base linux-headers yaml-dev &&" }
+          - { platform: arm-linux-musl, docker_tag: "-alpine", bootstrap: "apk add build-base linux-headers yaml-dev &&" }
+          - { platform: x86_64-linux-musl, docker_tag: "-alpine", bootstrap: "apk add build-base linux-headers yaml-dev &&" }
+          # docker platform for each platform
+          - { platform: aarch64-linux-gnu, runner: ubuntu-24.04-arm, docker_platform: "--platform=linux/arm64" }
+          - { platform: aarch64-linux-musl, runner: ubuntu-24.04-arm, docker_platform: "--platform=linux/arm64" }
+          - { platform: arm-linux-gnu, runner: ubuntu-24.04-arm, docker_platform: "--platform=linux/arm/v7" }
+          - { platform: arm-linux-musl, runner: ubuntu-24.04-arm, docker_platform: "--platform=linux/arm/v7" }
+    runs-on: ${{ matrix.runner || 'ubuntu-latest' }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: cruby-${{ matrix.platform }}-gem
+          path: gems
+      - env:
+          DOCKER_PLATFORM: ${{ matrix.docker_platform }}
+          RUBY_VERSION: ${{ matrix.ruby }}
+          DOCKER_TAG: ${{ matrix.docker_tag }}
+          BOOTSTRAP: ${{ matrix.bootstrap }}
+        run: |
+          # shellcheck disable=SC2086 # DOCKER_PLATFORM intentionally word-splits (empty or "--platform=...")
+          docker run --rm -v "$PWD:/work" -w /work \
+            ${DOCKER_PLATFORM} "ruby:${RUBY_VERSION}${DOCKER_TAG}" \
+            sh -c "
+              ${BOOTSTRAP}
+              ./bin/test-gem-install ./gems
+            "
+
+  test_darwin_native:
+    name: "${{ matrix.platform }} ${{ matrix.ruby }}"
+    needs: build
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [macos-15, macos-15-intel]
+        ruby: ["3.3", "3.4", "4.0"]
+        include:
+          - os: macos-15
+            platform: arm64-darwin
+          - os: macos-15-intel
+            platform: x86_64-darwin
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: ruby/setup-ruby@c4e5b1316158f92e3d49443a9d58b31d25ac0f8f # v1.306.0
+        with:
+          ruby-version: "${{ matrix.ruby }}"
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: cruby-${{ matrix.platform }}-gem
+          path: gems
+      - run: ./bin/test-gem-install gems
+
+  test_windows_native:
+    name: "${{ matrix.platform }} ${{ matrix.ruby }}"
+    needs: build
+    strategy:
+      fail-fast: false
+      matrix:
+        platform: [x64-mingw-ucrt, aarch64-mingw-ucrt]
+        ruby: ["3.3", "3.4", "4.0"]
+        include:
+          - { platform: x64-mingw-ucrt, os: windows-latest }
+          - { platform: aarch64-mingw-ucrt, os: windows-11-arm }
+        exclude:
+          - { platform: aarch64-mingw-ucrt, ruby: "3.3" }
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: configure git crlf
+        run: |
+          git config --system core.autocrlf false
+          git config --system core.eol lf
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: ruby/setup-ruby@c4e5b1316158f92e3d49443a9d58b31d25ac0f8f # v1.306.0
+        with:
+          ruby-version: "${{ matrix.ruby }}"
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: cruby-${{ matrix.platform }}-gem
+          path: gems
+      - run: ./bin/test-gem-install gems
+        shell: sh

.github/workflows/publish-gem.yml

@@ -1,39 +1,87 @@
 name: Publish gem to rubygems.org
+concurrency:
+  group: "release-${{ inputs.version_tag || github.ref }}"
+  cancel-in-progress: false
 
 on:
   push:
     tags:
       - 'v*'
+  workflow_dispatch:
+    inputs:
+      version_tag:
+        description: "Version tag to release (e.g., v1.10.0)"
+        required: true
+        type: string
 
 permissions:
   contents: read
 
 jobs:
+  build:
+    uses: ./.github/workflows/build-gems.yml
+    with:
+      release: true
+      artifact_prefix: "release-${{ inputs.version_tag || github.ref_name }}-"
+      ref: ${{ inputs.version_tag || github.ref }}
+
   push:
+    name: "Push gems and create GitHub release"
+    needs: build
     if: github.repository == 'ruby/prism'
     runs-on: ubuntu-latest
-
     environment:
       name: rubygems.org
       url: https://rubygems.org/gems/prism
-
     permissions:
-      contents: write
-      id-token: write
-
+      contents: write # create/update GitHub releases and upload .gem assets
+      id-token: write # OIDC token for rubygems.org trusted publishing
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@v2
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ inputs.version_tag || github.ref }}
+          persist-credentials: false
 
       - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@c4e5b1316158f92e3d49443a9d58b31d25ac0f8f # v1.306.0 # zizmor: ignore[cache-poisoning] -- cache is for gem-push tooling only; release artifacts come from prior job's uploaded artifacts, not this Ruby env
         with:
           ruby-version: "3.4"
           bundler-cache: true
 
-      - name: Publish to RubyGems
-        uses: rubygems/release-gem@v1
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          path: gems
+          pattern: "release-${{ inputs.version_tag || github.ref_name }}-*"
+          merge-multiple: true
+
+      - name: Print and record checksums
+        run: |
+          cd gems
+          sha256sum ./*.gem | tee CHECKSUMS.txt
+
+      - uses: rubygems/configure-rubygems-credentials@762a4b77c3300434bb57c7ce80b20e36231927aa # v2.0.0
+
+      # TODO: once RubyGems >= 4.1 is in setup-ruby, `gem push` will auto-attest (ruby/rubygems#9325).
+      - name: Push gems to RubyGems.org
+        run: |
+          for gem in gems/*.gem; do
+            echo "Pushing ${gem} ..."
+            gem push "${gem}" || echo "WARNING: Failed to push ${gem} (may already exist)"
+          done
+
+      - name: Create or update GitHub release
+        env:
+          GH_TOKEN: ${{ github.token }}
+          TAG: ${{ inputs.version_tag || github.ref_name }}
+          REPO: ${{ github.repository }}
+        run: |
+          if gh release view "$TAG" --repo "$REPO" >/dev/null 2>&1 ; then
+            gh release upload "$TAG" --repo "$REPO" --clobber gems/*.gem gems/CHECKSUMS.txt
+          else
+            gh release create "$TAG" --repo "$REPO" --title "$TAG" --generate-notes gems/*.gem gems/CHECKSUMS.txt
+          fi

Gemfile

@@ -8,6 +8,7 @@ gem "benchmark-ips"
 gem "parser"
 gem "rake"
 gem "rake-compiler"
+gem "rake-compiler-dock", "~> 1.12.0"
 gem "ruby_parser"
 gem "test-unit"