From 30d9a7439ae2cf738c4992de2795097ed5f7e141 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 14 Nov 2024 14:27:40 +0000 Subject: [PATCH 01/22] Bump github/codeql-action from 3.27.2 to 3.27.4 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.27.2 to 3.27.4. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/9278e421667d5d90a2839487a482448c4ec7df4d...ea9e4e37992a54ee68a9622e985e60c8e8f12d9f) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/scorecards.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 9c09bb39d2a..7b2938fd879 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -45,7 +45,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@9278e421667d5d90a2839487a482448c4ec7df4d # v3.27.2 + uses: github/codeql-action/init@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. 
@@ -58,7 +58,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@9278e421667d5d90a2839487a482448c4ec7df4d # v3.27.2 + uses: github/codeql-action/autobuild@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4 # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -71,6 +71,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@9278e421667d5d90a2839487a482448c4ec7df4d # v3.27.2 + uses: github/codeql-action/analyze@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 1cbb20eb5dc..77d45a51c4d 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -67,6 +67,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@9278e421667d5d90a2839487a482448c4ec7df4d # v3.27.2 + uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4 with: sarif_file: results.sarif From f0fdac34e79b0ae815dcaeb16bd423df7f06985e Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 14 Nov 2024 14:11:45 +0000 Subject: [PATCH 02/22] Bump browser from 6.0.0 to 6.1.0 Bumps [browser](https://github.com/fnando/browser) from 6.0.0 to 6.1.0. - [Changelog](https://github.com/fnando/browser/blob/main/CHANGELOG.md) - [Commits](https://github.com/fnando/browser/compare/v6.0.0...v6.1.0) --- updated-dependencies: - dependency-name: browser dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- Gemfile | 2 +- Gemfile.lock | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Gemfile b/Gemfile index 0d16a41cfb3..67aead4d036 100644 --- a/Gemfile +++ b/Gemfile @@ -50,7 +50,7 @@ gem "rqrcode", "~> 2.1" gem "rotp", "~> 6.2" gem "unpwn", "~> 1.0" gem "webauthn", "~> 3.1" -gem "browser", "~> 6.0" +gem "browser", "~> 6.1" gem "bcrypt", "~> 3.1" gem "maintenance_tasks", "~> 2.8" gem "strong_migrations", "~> 2.1" diff --git a/Gemfile.lock b/Gemfile.lock index 6b22f3f4f0c..1a94d975130 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -173,7 +173,7 @@ GEM msgpack (~> 1.2) brakeman (6.2.2) racc - browser (6.0.0) + browser (6.1.0) builder (3.3.0) byebug (11.1.3) capybara (3.40.0) @@ -886,7 +886,7 @@ DEPENDENCIES better_html (~> 2.1) bootsnap (~> 1.18) brakeman (~> 6.2) - browser (~> 6.0) + browser (~> 6.1) capybara (~> 3.40) chartkick (~> 5.1) clearance (~> 2.9) 
@@ -1039,7 +1039,7 @@ CHECKSUMS bloomer (1.0.0) sha256=57a0d3a78628db9a92c6723f06c67697e420abcdb05aa757c6dfae607251d272 bootsnap (1.18.4) sha256=ac4c42af397f7ee15521820198daeff545e4c360d2772c601fbdc2c07d92af55 brakeman (6.2.2) sha256=d502d653699f4d451b21225ff4d19a9ec9345d23eaab5576e246185ffd7bf618 - browser (6.0.0) sha256=0399f0f12c925e529aa995b096a3824384e00ea2c7241fbb4b707d2a25e87920 + browser (6.1.0) sha256=b9104e9d094800ec8243ad787f2289ea25b23921eb88c315cea53c89305424c7 builder (3.3.0) sha256=497918d2f9dca528fdca4b88d84e4ef4387256d984b8154e9d5d3fe5a9c8835f byebug (11.1.3) sha256=2485944d2bb21283c593d562f9ae1019bf80002143cc3a255aaffd4e9cf4a35b capybara (3.40.0) sha256=42dba720578ea1ca65fd7a41d163dd368502c191804558f6e0f71b391054aeef From a86b8454bf32431b6cd3ce9eb51d32c2b44593dd Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 14 Nov 2024 14:06:25 +0000 Subject: [PATCH 03/22] Bump datadog from 2.6.0 to 2.7.0 Bumps [datadog](https://github.com/DataDog/dd-trace-rb) from 2.6.0 to 2.7.0. - [Release notes](https://github.com/DataDog/dd-trace-rb/releases) - [Changelog](https://github.com/DataDog/dd-trace-rb/blob/master/CHANGELOG.md) - [Commits](https://github.com/DataDog/dd-trace-rb/compare/v2.6.0...v2.7.0) --- updated-dependencies: - dependency-name: datadog dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- Gemfile | 2 +- Gemfile.lock | 20 ++++++++++---------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/Gemfile b/Gemfile index 67aead4d036..03bccc7e69c 100644 --- a/Gemfile +++ b/Gemfile @@ -10,7 +10,7 @@ gem "aws-sdk-sqs", "~> 1.88" gem "bootsnap", "~> 1.18" gem "clearance", "~> 2.9" gem "dalli", "~> 3.2" -gem "datadog", "~> 2.4" +gem "datadog", "~> 2.7" gem "dogstatsd-ruby", "~> 5.6" gem "google-protobuf", "~> 4.28" gem "faraday", "~> 2.12" diff --git a/Gemfile.lock b/Gemfile.lock index 1a94d975130..5370c2d0f79 100644 
--- a/Gemfile.lock +++ b/Gemfile.lock @@ -213,9 +213,9 @@ GEM addressable csv (3.3.0) dalli (3.2.8) - datadog (2.6.0) + datadog (2.7.0) datadog-ruby_core_source (~> 3.3) - libdatadog (~> 14.0.0.1.0) + libdatadog (~> 14.1.0.1.0) libddwaf (~> 1.15.0.0.0) msgpack datadog-ci (1.8.1) @@ -399,9 +399,9 @@ GEM letter_opener (~> 1.9) railties (>= 6.1) rexml - libdatadog (14.0.0.1.0) - libdatadog (14.0.0.1.0-aarch64-linux) - libdatadog (14.0.0.1.0-x86_64-linux) + libdatadog (14.1.0.1.0) + libdatadog (14.1.0.1.0-aarch64-linux) + libdatadog (14.1.0.1.0-x86_64-linux) libddwaf (1.15.0.0.0) ffi (~> 1.0) libddwaf (1.15.0.0.0-aarch64-linux) @@ -893,7 +893,7 @@ DEPENDENCIES compact_index (~> 0.15.0) csv (~> 3.3) dalli (~> 3.2) - datadog (~> 2.4) + datadog (~> 2.7) datadog-ci (~> 1.8) derailed_benchmarks (~> 2.2) discard (~> 1.4) @@ -1059,7 +1059,7 @@ CHECKSUMS css_parser (1.19.1) sha256=1940dce01e3b9be18d6880e6d65162d984cc04ff28998cf4759beb999275209e csv (3.3.0) sha256=0bbd1defdc31134abefed027a639b3723c2753862150f4c3ee61cab71b20d67d dalli (3.2.8) sha256=2e63595084d91fae2655514a02c5d4fc0f16c0799893794abe23bf628bebaaa5 - datadog (2.6.0) sha256=2655bb82bc91b1ddf604d1ef601997d7d2424b134e7cfdad647ada892617e0d7 + datadog (2.7.0) sha256=cea0c125acff6630966a2ad0bc01863ba1e1ff2886b4d38dc29f254f89ad02a2 datadog-ci (1.8.1) sha256=c461acd83d36b5894716ea7b1c207fd4b7fa103994c0773e3936a68da4dfa594 datadog-ruby_core_source (3.3.6) sha256=007c72450d3f5838c6d0ae4a6a77e5008bb29dd97d10ea3bf367f978d7c02f36 date (3.3.4) sha256=971f2cb66b945bcbea4ddd9c7908c9400b31a71bc316833cb42fa584b59d3291 
@@ -1133,9 +1133,9 @@ CHECKSUMS ld-eventsource (2.2.2) sha256=5ea087a6f06bbd8e325d2c1aaead50f37f13d025b952985739e9380a78a96beb letter_opener (1.10.0) sha256=2ff33f2e3b5c3c26d1959be54b395c086ca6d44826e8bf41a14ff96fdf1bdbb2 letter_opener_web (3.0.0) sha256=3f391efe0e8b9b24becfab5537dfb17a5cf5eb532038f947daab58cb4b749860 - libdatadog (14.0.0.1.0) sha256=37d602c2a6c70dfdc71479a507fadfdd684783f2c1ecf825bae508bb7d641d59 - libdatadog (14.0.0.1.0-aarch64-linux) sha256=63dce2d1f45d413ad13c9fd36fa39b3415591f46438c1e06b62dd08e13a7c72d - libdatadog (14.0.0.1.0-x86_64-linux) sha256=78ba05673eecedc1d87b1d0eb93763be04d09655a5c903601e84db476a8e0b3f + libdatadog (14.1.0.1.0) sha256=6b5c7d03a6f67e148425d98cc5f43a6b1a85da32862e7689cb08db94cabc151e + libdatadog (14.1.0.1.0-aarch64-linux) sha256=cdde91ca08c8cface9420f00a217fd0140337ec24c962342dffc9a1b3fdf5691 + libdatadog (14.1.0.1.0-x86_64-linux) sha256=136a79e3abc24b07376a1e2a8be9ddc5212b002bcad546af866385b4d986b28e libddwaf (1.15.0.0.0) sha256=5a0b6bb1bf9208cc3c8df4393e0f19ae1faf9846e8e8dbc2e10ecd5cb3c756f0 libddwaf (1.15.0.0.0-aarch64-linux) sha256=1630f38b57bc1a20bc1102bfbfc328fd7c522cf5828aebb02dbb45460cb834e7 libddwaf (1.15.0.0.0-arm64-darwin) sha256=714d497c080a385ad1a735b9163d58ea67a861df8d61e8f5669dbfdf8df744ea From 126e4ca5aed7c49ce304033d64be19c66fe6d2f1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 14 Nov 2024 22:47:26 +0000 Subject: [PATCH 04/22] Bump pp from 0.6.0 to 0.6.1 (#5229) Bumps [pp](https://github.com/ruby/pp) from 0.6.0 to 0.6.1. - [Release notes](https://github.com/ruby/pp/releases) - [Commits](https://github.com/ruby/pp/compare/v0.6.0...v0.6.1) --- updated-dependencies: - dependency-name: pp dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Gemfile | 2 +- Gemfile.lock | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Gemfile b/Gemfile index 03bccc7e69c..691033f4b45 100644 --- a/Gemfile +++ b/Gemfile @@ -80,7 +80,7 @@ end # Logging gem "amazing_print", "~> 1.6" gem "rails_semantic_logger", "~> 4.17" -gem "pp", "0.6.0" +gem "pp", "0.6.1" # Former default gems gem "csv", "~> 3.3" # zeitwerk-2.6.12 diff --git a/Gemfile.lock b/Gemfile.lock index 5370c2d0f79..5f76ac42a4b 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -557,7 +557,7 @@ GEM phlex-rails (1.2.2) phlex (>= 1.10, < 2) railties (>= 6.1, < 9) - pp (0.6.0) + pp (0.6.1) prettyprint prettyprint (0.2.0) prop_initializer (0.2.0) @@ -941,7 +941,7 @@ DEPENDENCIES pg_query (~> 5.1) pghero (~> 3.6) phlex-rails (~> 1.2) - pp (= 0.6.0) + pp (= 0.6.1) prop_initializer (~> 0.2) propshaft (~> 1.1.0) prosopite (~> 1.4) @@ -1199,7 +1199,7 @@ CHECKSUMS pghero (3.6.1) sha256=e6d4f6ec3979d4828dafcd1eaa4214e70279fe2502b9fe5bd632d8333aa79cd4 phlex (1.11.0) sha256=979548e79a205c981612f1ab613addc8fa128c8092694d02f41aad4cea905e73 phlex-rails (1.2.2) sha256=a20218449e71bc9fa5a71b672fbede8a654c6b32a58f1c4ea83ddc1682307a4c - pp (0.6.0) sha256=4e2baf0da59f6e2c682dbe913f8ade3271eb8e3d277642c4f538750d776df5be + pp (0.6.1) sha256=16d45bd9972616e81090ba08e119161131eb5b6348e85e43c4efffc8c5fe9fea prettyprint (0.2.0) sha256=2bc9e15581a94742064a3cc8b0fb9d45aae3d03a1baa6ef80922627a0766f193 prop_initializer (0.2.0) sha256=bd27704d0df8c59c3baf0df5cf448eba2b140fb9934fb31b2e379b5c842d8820 propshaft (1.1.0) sha256=d389361faf66aeb17e8d204828962c1e506edd14a1a17adb3fa475435c070f6b From 09a9a92c3be2ddc01730584bbeca595f3a89a198 Mon Sep 17 00:00:00 2001 From: Samuel Giddins Date: Thu, 14 Nov 2024 16:51:05 -0600 Subject: [PATCH 05/22] Fix seed attestation (#5239) Need a valid attestation for gem view 
Signed-off-by: Samuel Giddins --- db/seeds.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/db/seeds.rb b/db/seeds.rb index f6931352ef7..7af1eed39f6 100644 --- a/db/seeds.rb +++ b/db/seeds.rb @@ -302,7 +302,7 @@ rubygem0.versions.find_by(full_name: "rubygem0-1.0.0").attestations.find_or_create_by!( media_type: Sigstore::BundleType::BUNDLE_0_3.media_type, - body: { media_type: Sigstore::BundleType::BUNDLE_0_3.media_type } + body: JSON.parse(Rails.root.join("test", "gems", "sigstore-1.0.0.gem.sigstore.json").read) ) author.oidc_pending_trusted_publishers.create_with( From de0b4475bcbf8eefc00f711376498bfc9c589c58 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 15 Nov 2024 10:45:09 -0600 Subject: [PATCH 06/22] Bump clearance from 2.9.1 to 2.9.2 (#5244) Bumps [clearance](https://github.com/thoughtbot/clearance) from 2.9.1 to 2.9.2. - [Release notes](https://github.com/thoughtbot/clearance/releases) - [Changelog](https://github.com/thoughtbot/clearance/blob/main/CHANGELOG.md) - [Commits](https://github.com/thoughtbot/clearance/compare/v2.9.1...v2.9.2) --- updated-dependencies: - dependency-name: clearance dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Gemfile.lock | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 5f76ac42a4b..cbce59b8fea 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -190,7 +190,7 @@ GEM childprocess (5.0.0) choice (0.2.0) chunky_png (1.4.0) - clearance (2.9.1) + clearance (2.9.2) actionmailer (>= 5.0) activemodel (>= 5.0) activerecord (>= 5.0) @@ -222,7 +222,7 @@ GEM datadog (~> 2.4) msgpack datadog-ruby_core_source (3.3.6) - date (3.3.4) + date (3.4.0) derailed_benchmarks (2.2.1) base64 benchmark-ips (~> 2) 
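Review bot: Keeping the parsed bundle in the `body:` argument of `find_or_create_by!` makes the whole JSON document part of the lookup, so a repeated `db:seed` only finds the existing attestation if the stored column round-trips the hash exactly (key order, number formatting) and otherwise creates a second attestation for the same version. Using the body only on creation avoids that: `.attestations.create_with(body: JSON.parse(Rails.root.join("test", "gems", "sigstore-1.0.0.gem.sigstore.json").read)).find_or_create_by!(media_type: Sigstore::BundleType::BUNDLE_0_3.media_type)`. The seed now also depends on a fixture under `test/`, so seeding an environment where that directory is not shipped fails with `Errno::ENOENT`; a one-line comment such as `# reuses the sigstore bundle fixture from the test suite so the seeded version carries a real attestation` would record that coupling at its source. The receiver of the `find_or_create_by!` call sits at the upper edge of the hunk.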
@@ -456,7 +456,7 @@ GEM method_source (1.1.0) mini_histogram (0.3.1) mini_mime (1.1.5) - mini_portile2 (2.8.7) + mini_portile2 (2.8.8) minitest (5.25.1) minitest-gcstats (1.3.1) minitest (~> 5.0) @@ -477,7 +477,7 @@ GEM mutex_m (0.2.0) net-http (0.5.0) uri - net-imap (0.5.0) + net-imap (0.5.1) date net-protocol net-pop (0.1.2) @@ -1048,7 +1048,7 @@ CHECKSUMS childprocess (5.0.0) sha256=0746b7ab1d6c68156e64a3767631d7124121516192c0492929a7f0af7310d835 choice (0.2.0) sha256=a19617f7dfd4921b38a85d0616446620de685a113ec6d1ecc85bdb67bf38c974 chunky_png (1.4.0) sha256=89d5b31b55c0cf4da3cf89a2b4ebc3178d8abe8cbaf116a1dba95668502fdcfe - clearance (2.9.1) sha256=fb30b78c36a542555ea6913f2ca3814fb72a2f145133d3407254c8eb74aca08e + clearance (2.9.2) sha256=d4981644d7b78ec26b95ed72b9c65a22b4ce2efe7ffb81f9dd4c4b43cf03d159 coderay (1.1.3) sha256=dc530018a4684512f8f38143cd2a096c9f02a1fc2459edcfe534787a7fc77d4b compact_index (0.15.0) sha256=5c6c404afca8928a7d9f4dde9524f6e1610db17e675330803055db282da84a8b concurrent-ruby (1.3.4) sha256=d4aa926339b0a86b5b5054a0a8c580163e6f5dcbdfd0f4bb916b1a2570731c32 @@ -1062,7 +1062,7 @@ CHECKSUMS datadog (2.7.0) sha256=cea0c125acff6630966a2ad0bc01863ba1e1ff2886b4d38dc29f254f89ad02a2 datadog-ci (1.8.1) sha256=c461acd83d36b5894716ea7b1c207fd4b7fa103994c0773e3936a68da4dfa594 datadog-ruby_core_source (3.3.6) sha256=007c72450d3f5838c6d0ae4a6a77e5008bb29dd97d10ea3bf367f978d7c02f36 - date (3.3.4) sha256=971f2cb66b945bcbea4ddd9c7908c9400b31a71bc316833cb42fa584b59d3291 + date (3.4.0) sha256=2e7fadaded625c9b3e35e254e42068d4bd8b8646ceab0744cbcbcfdafaa0a711 derailed_benchmarks (2.2.1) sha256=654280664fded41c9cd8fc27fc0fcfaf096023afab90eb4ac1185ba70c5d4439 diff-lcs (1.5.1) sha256=273223dfb40685548436d32b4733aa67351769c7dea621da7d9dd4813e63ddfe discard (1.4.0) sha256=6efcd2a53ddf96781f81b825d398f1c88ab88c0faa84e131bea6e16ef95d65d0 
@@ -1156,7 +1156,7 @@ CHECKSUMS method_source (1.1.0) sha256=181301c9c45b731b4769bc81e8860e72f9161ad7d66dd99103c9ab84f560f5c5 mini_histogram (0.3.1) sha256=6a114b504e4618b0e076cc672996036870f7cc6f16b8e5c25c0c637726d2dd94 mini_mime (1.1.5) sha256=8681b7e2e4215f2a159f9400b5816d85e9d8c6c6b491e96a12797e798f8bccef - mini_portile2 (2.8.7) sha256=13eef5ab459bbfd33d61e539564ec25a9c2cf593b0a5ea6d4d7ef8c19b162ee0 + mini_portile2 (2.8.8) sha256=8e47136cdac04ce81750bb6c09733b37895bf06962554e4b4056d78168d70a75 minitest (5.25.1) sha256=3db6795a80634def1cf86fda79d2d83b59b25ce5e186fa675f73c565589d2ad8 minitest-gcstats (1.3.1) sha256=cb25490f93aac02e3a5ff307e560d41afcdcafa7952c1c32efdeb9886b1f4711 minitest-reporters (1.7.1) sha256=5060413a0c95b8c32fe73e0606f3631c173a884d7900e50013e15094eb50562c @@ -1168,7 +1168,7 @@ CHECKSUMS multipart-post (2.4.1) sha256=9872d03a8e552020ca096adadbf5e3cb1cd1cdd6acd3c161136b8a5737cdb4a8 mutex_m (0.2.0) sha256=b6ef0c6c842ede846f2ec0ade9e266b1a9dac0bc151682b04835e8ebd54840d5 net-http (0.5.0) sha256=ed7f88205afe03bf53142a4b81ded91f2c01522dcf03089cb6ad4acb476ce1da - net-imap (0.5.0) sha256=b8281598f3c1860679a88de19287673c6835bed6cf0fe1710fb96a5ffcb94aa0 + net-imap (0.5.1) sha256=c0ceb85d8459f7081d5ed1ac86159f8e80d25e704eb52dbf0d9f703b7bc838d7 net-pop (0.1.2) sha256=848b4e982013c15b2f0382792268763b748cce91c9e91e36b0f27ed26420dff3 net-protocol (0.2.2) sha256=aa73e0cba6a125369de9837b8d8ef82a61849360eba0521900e2c3713aa162a8 net-smtp (0.5.0) sha256=5fc0415e6ea1cc0b3dfea7270438ec22b278ca8d524986a3ae4e5ae8d087b42a From 4819d1e541df4069b950ca91b886502b30cfdc2b Mon Sep 17 00:00:00 2001 From: Martin Emde Date: Sat, 16 Nov 2024 16:56:56 -0600 Subject: [PATCH 07/22] fix avo resources for organizations (#5246) --- app/avo/resources/organization.rb | 11 +++++++++++ app/avo/resources/rubygem.rb | 2 ++ app/models/organization.rb | 4 +++- 3 files changed, 16 insertions(+), 1 deletion(-) 
diff --git a/app/avo/resources/organization.rb b/app/avo/resources/organization.rb index f15ebb2922d..b70f952cf09 100644 --- a/app/avo/resources/organization.rb +++ b/app/avo/resources/organization.rb @@ -7,6 +7,10 @@ class Avo::Resources::Organization < Avo::BaseResource } } + self.find_record_method = lambda { + query.find_by_handle!(id) + } + class DeletedFilter < Avo::Filters::ScopeBooleanFilter; end def filters @@ -20,5 +24,12 @@ def fields field :name, as: :text field :deleted_at, as: :date_time # add fields here + tabs style: :pills do + field :memberships, as: :has_many + field :unconfirmed_memberships, as: :has_many + field :users, as: :has_many + field :rubygems, as: :has_many + field :organization_onboarding, as: :belongs_to + end end end diff --git a/app/avo/resources/rubygem.rb b/app/avo/resources/rubygem.rb index fd9da1ca5f1..4f3c81c1698 100644 --- a/app/avo/resources/rubygem.rb +++ b/app/avo/resources/rubygem.rb @@ -37,6 +37,7 @@ def fields field :ownerships_including_unconfirmed, as: :has_many field :ownership_calls, as: :has_many field :ownership_requests, as: :has_many + field :organization, as: :belongs_to field :subscriptions, as: :has_many field :subscribers, as: :has_many, through: :subscriptions @@ -49,6 +50,7 @@ def fields field :oidc_rubygem_trusted_publishers, as: :has_many field :audits, as: :has_many + field :events, as: :has_many end end end diff --git a/app/models/organization.rb b/app/models/organization.rb index c13aadf846b..1e6560d26a9 100644 --- a/app/models/organization.rb +++ b/app/models/organization.rb 
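Review bot: `self.find_record_method` resolves admin URLs with `query.find_by_handle!(id)`, and the same commit adds `default_scope { not_deleted }` to `Organization`, so an organization that `DeletedFilter` lists on the index page presumably raises `ActiveRecord::RecordNotFound` as soon as it is opened, because `query` is the default-scoped relation. If soft-deleted organizations are meant to be viewable in Avo, the lookup needs to lift that scope, e.g. `query.unscope(where: :deleted_at).find_by_handle!(id)`; if they are meant to be unreachable, a comment on the lambda saying so would stop the next reader from treating the 404 as a bug. Whether `DeletedFilter` applies the `deleted` scope is not visible in this hunk. The `fields` method continues outside the hunk.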
@@ -13,7 +13,9 @@ class Organization < ApplicationRecord has_many :rubygems, dependent: :nullify has_one :organization_onboarding, foreign_key: :onboarded_organization_id, inverse_of: :organization, dependent: :destroy - scope :deleted, -> { where.not(deleted_at: nil) } + default_scope { not_deleted } + scope :not_deleted, -> { where(deleted_at: nil) } + scope :deleted, -> { unscoped.where.not(deleted_at: nil) } after_create do record_event!(Events::OrganizationEvent::CREATED, actor_gid: memberships.first&.to_gid) From 66da1d787f7ea4da472e5cc0d5f15f4c35cf6ccb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 16 Nov 2024 17:01:16 -0600 Subject: [PATCH 08/22] Bump aws-sdk-s3 from 1.170.1 to 1.171.0 (#5243) Bumps [aws-sdk-s3](https://github.com/aws/aws-sdk-ruby) from 1.170.1 to 1.171.0. - [Release notes](https://github.com/aws/aws-sdk-ruby/releases) - [Changelog](https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-s3/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-ruby/commits) --- updated-dependencies: - dependency-name: aws-sdk-s3 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Gemfile | 2 +- Gemfile.lock | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/Gemfile b/Gemfile index 691033f4b45..9fda599e5e8 100644 --- a/Gemfile +++ b/Gemfile @@ -5,7 +5,7 @@ ruby file: ".ruby-version" gem "rails", "~> 7.2.1" gem "rails-i18n", "~> 7.0" -gem "aws-sdk-s3", "~> 1.170" +gem "aws-sdk-s3", "~> 1.171" gem "aws-sdk-sqs", "~> 1.88" gem "bootsnap", "~> 1.18" gem "clearance", "~> 2.9" diff --git a/Gemfile.lock b/Gemfile.lock index cbce59b8fea..af71d72ccf2 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
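Review bot: `scope :deleted, -> { unscoped.where.not(deleted_at: nil) }` discards whatever relation the scope is chained onto, because `unscoped` without a block returns a fresh relation on the class: `Organization.where(handle: h).deleted` silently drops the `handle` condition and returns every deleted organization. `scope :deleted, -> { unscope(where: :deleted_at).where.not(deleted_at: nil) }` lifts only the new default-scope condition and keeps the rest of the chain intact. Introducing `default_scope` also changes every existing `find`/`find_by` call site to raise or return nil for soft-deleted rows, which deserves a one-line comment above `default_scope { not_deleted }` so the behaviour change is documented where it originates. The `after_create` block continues outside the hunk.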
@@ -135,8 +135,8 @@ GEM zeitwerk awrence (1.2.1) aws-eventstream (1.3.0) - aws-partitions (1.1004.0) - aws-sdk-core (3.212.0) + aws-partitions (1.1008.0) + aws-sdk-core (3.213.0) aws-eventstream (~> 1, >= 1.3.0) aws-partitions (~> 1, >= 1.992.0) aws-sigv4 (~> 1.9) @@ -144,7 +144,7 @@ GEM aws-sdk-kms (1.95.0) aws-sdk-core (~> 3, >= 3.210.0) aws-sigv4 (~> 1.5) - aws-sdk-s3 (1.170.1) + aws-sdk-s3 (1.171.0) aws-sdk-core (~> 3, >= 3.210.0) aws-sdk-kms (~> 1) aws-sigv4 (~> 1.5) @@ -880,7 +880,7 @@ DEPENDENCIES avo (~> 3.13) avo-advanced (~> 3.14)! avo_upgrade (~> 0.1.1) - aws-sdk-s3 (~> 1.170) + aws-sdk-s3 (~> 1.171) aws-sdk-sqs (~> 1.88) bcrypt (~> 3.1) better_html (~> 2.1) @@ -1023,10 +1023,10 @@ CHECKSUMS avo_upgrade (0.1.1) sha256=8d841083b9956392f5c8fe195f25bec0d139e3646d276f8a59e66b7d2e9ebf30 awrence (1.2.1) sha256=dd1d214c12a91f449d1ef81d7ee3babc2816944e450752e7522c65521872483e aws-eventstream (1.3.0) sha256=f1434cc03ab2248756eb02cfa45e900e59a061d7fbdc4a9fd82a5dd23d796d3f - aws-partitions (1.1004.0) sha256=78f0ba04acdcde5edbde6b4c89cbce09ab25df731b2309b8348133351fe94285 - aws-sdk-core (3.212.0) sha256=ab35e52d533cdd531171a6aadfb483775f412429a03e4850489699e60a8dc8bb + aws-partitions (1.1008.0) sha256=6fb5e6b843ea1169480c804fc861a5de7407762097de75cf4734fbcd35466227 + aws-sdk-core (3.213.0) sha256=6ca685be1d72d61776fdaaddf3c293e45a472ff0dd0b624880e7813d0c82db19 aws-sdk-kms (1.95.0) sha256=2ae508c642ddc59baa1296229108e9601a2fa00e57cf7a2153c9488f0587fd5e - aws-sdk-s3 (1.170.1) sha256=985f43e401cbb67ae6ff704bf8848d16bb72172a7bf492f680c59de36426d4f2 + aws-sdk-s3 (1.171.0) sha256=94a2210c20f6102d8867937b021ef40683aa351e28912ac9cc6ef20509f85f4f aws-sdk-sqs (1.88.0) sha256=3e4e022b9af1796eb87bb368a8bb2001ebcad3b5025d76aa9ba731acea01a2eb aws-sigv4 (1.10.1) sha256=8a140753f34de18125686b11e7adaed4ca3db06dfb50a478993bd437f7a203bb base64 (0.2.0) sha256=0f25e9b21a02a0cc0cea8ef92b2041035d39350946e8789c562b2d1a3da01507 
From a07d05c2ce1a2ffa36bcc119bafd4680f869741b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 16 Nov 2024 23:04:26 +0000 Subject: [PATCH 09/22] Bump codecov/codecov-action from 4.6.0 to 5.0.1 (#5245) Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4.6.0 to 5.0.1. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/codecov/codecov-action/compare/b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238...3b1354a6c45db9f1008891f4eafc1a7e94ce1d18) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index e55d6191689..29f6aae442a 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -72,6 +72,6 @@ jobs: - name: Upload coverage to Codecov if: matrix.rubygems.name == 'locked' && (success() || failure()) - uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0 + uses: codecov/codecov-action@3b1354a6c45db9f1008891f4eafc1a7e94ce1d18 # v5.0.1 env: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} From 8fcd3364404edf54e64e096e4f1fc599fb125e62 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Nov 2024 16:49:14 -0600 Subject: [PATCH 10/22] Bump maintenance_tasks from 2.8.0 to 2.9.0 (#5248) --- Gemfile | 2 +- Gemfile.lock | 18 +++++++++--------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/Gemfile b/Gemfile index 9fda599e5e8..9bbc41b9b04 100644 --- a/Gemfile +++ b/Gemfile 
@@ -52,7 +52,7 @@ gem "unpwn", "~> 1.0" gem "webauthn", "~> 3.1" gem "browser", "~> 6.1" gem "bcrypt", "~> 3.1" -gem "maintenance_tasks", "~> 2.8" +gem "maintenance_tasks", "~> 2.9" gem "strong_migrations", "~> 2.1" gem "phlex-rails", "~> 1.2" gem "discard", "~> 1.4" diff --git a/Gemfile.lock b/Gemfile.lock index af71d72ccf2..80221527724 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -354,7 +354,7 @@ GEM rdoc (>= 4.0.0) reline (>= 0.4.2) jmespath (1.6.2) - job-iteration (1.5.1) + job-iteration (1.7.0) activejob (>= 5.2) json (2.8.2) json-jwt (1.16.7) @@ -440,13 +440,13 @@ GEM net-imap net-pop net-smtp - maintenance_tasks (2.8.0) - actionpack (>= 6.0) - activejob (>= 6.0) - activerecord (>= 6.0) + maintenance_tasks (2.9.0) + actionpack (>= 6.1) + activejob (>= 6.1) + activerecord (>= 6.1) csv job-iteration (>= 1.3.6) - railties (>= 6.0) + railties (>= 6.1) zeitwerk (>= 2.6.2) marcel (1.0.4) matrix (0.4.2) @@ -922,7 +922,7 @@ DEPENDENCIES local_time (~> 3.0) lookbook (~> 2.3) mail (~> 2.8) - maintenance_tasks (~> 2.8) + maintenance_tasks (~> 2.9) memory_profiler (~> 1.1) minitest (~> 5.25) minitest-gcstats (~> 1.3) @@ -1119,7 +1119,7 @@ CHECKSUMS io-console (0.7.2) sha256=f0dccff252f877a4f60d04a4dc6b442b185ebffb4b320ab69212a92b48a7a221 irb (1.14.1) sha256=5975003b58d36efaf492380baa982ceedf5aed36967a4d5b40996bc5c66e80f8 jmespath (1.6.2) sha256=238d774a58723d6c090494c8879b5e9918c19485f7e840f2c1c7532cf84ebcb1 - job-iteration (1.5.1) sha256=1428ad5b308adbaae8776c16b7792a846eb1ad7f4ab3c6e0f9668dd2ab1179e5 + job-iteration (1.7.0) sha256=7e9db935ce021280a030414995047f370b458597405b316a0bf59ecc9c9cad5d json (2.8.2) sha256=dd4fa6c9c81daecf72b86ea36e56ed8955fdbb4d4dc379c93d313a59344486cf json-jwt (1.16.7) sha256=ccabff4c6d1a14276b23178e8bebe513ef236399b72a0b886d7ed94800d172a5 jwt (2.7.1) sha256=07357cd2f180739b2f8184eda969e252d850ac996ed0a23f616e8ff0a90ae19b 
@@ -1148,7 +1148,7 @@ CHECKSUMS loofah (2.23.1) sha256=d0a07422cb3b69272e124afa914ef6d517e30d5496b7f1c1fc5b95481f13f75e lookbook (2.3.4) sha256=16484c9eb514ac0c23c4b59cfd5a52697141d35056e3a9c2a22b314c1b887605 mail (2.8.1) sha256=ec3b9fadcf2b3755c78785cb17bc9a0ca9ee9857108a64b6f5cfc9c0b5bfc9ad - maintenance_tasks (2.8.0) sha256=7ee8aa37ab39c6c3a5f4637878c1a343cc296596742248112458b922968d4a16 + maintenance_tasks (2.9.0) sha256=7146aa49f66c17b83c8a8d097ed503260c857fa698f3038a6cffbb36df1257c5 marcel (1.0.4) sha256=0d5649feb64b8f19f3d3468b96c680bae9746335d02194270287868a661516a4 matrix (0.4.2) sha256=71083ccbd67a14a43bfa78d3e4dc0f4b503b9cc18e5b4b1d686dc0f9ef7c4cc0 memory_profiler (1.1.0) sha256=79a17df7980a140c83c469785905409d3027ca614c42c086089d128b805aa8f8 From dd89efd65599dc798ae50367d3c52034646a1563 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 19 Nov 2024 00:21:05 +0000 Subject: [PATCH 11/22] Bump codecov/codecov-action from 5.0.1 to 5.0.2 (#5247) --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 29f6aae442a..ca35a8dce93 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -72,6 +72,6 @@ jobs: - name: Upload coverage to Codecov if: matrix.rubygems.name == 'locked' && (success() || failure()) - uses: codecov/codecov-action@3b1354a6c45db9f1008891f4eafc1a7e94ce1d18 # v5.0.1 + uses: codecov/codecov-action@5c47607acb93fed5485fdbf7232e8a31425f672a # v5.0.2 env: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} From bf11fa18e65fe2d29a0de9d700d7963a47c82222 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 19 Nov 2024 03:52:37 +0000 Subject: [PATCH 12/22] Bump webauthn from 3.1.0 to 3.2.2 (#5238) Bumps [webauthn](https://github.com/cedarcode/webauthn-ruby) from 3.1.0 to 3.2.2. - [Changelog](https://github.com/cedarcode/webauthn-ruby/blob/master/CHANGELOG.md) - [Commits](https://github.com/cedarcode/webauthn-ruby/compare/v3.1.0...v3.2.2) --- updated-dependencies: - dependency-name: webauthn dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Gemfile | 2 +- Gemfile.lock | 22 ++++++++++------------ 2 files changed, 11 insertions(+), 13 deletions(-) diff --git a/Gemfile b/Gemfile index 9bbc41b9b04..be27925f105 100644 --- a/Gemfile +++ b/Gemfile @@ -49,7 +49,7 @@ gem "rack-attack", "~> 6.6" gem "rqrcode", "~> 2.1" gem "rotp", "~> 6.2" gem "unpwn", "~> 1.0" -gem "webauthn", "~> 3.1" +gem "webauthn", "~> 3.2" gem "browser", "~> 6.1" gem "bcrypt", "~> 3.1" gem "maintenance_tasks", "~> 2.9" diff --git a/Gemfile.lock b/Gemfile.lock index 80221527724..a0b45b66977 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -133,7 +133,6 @@ GEM avo_upgrade (0.1.1) rails (>= 6.0.0) zeitwerk - awrence (1.2.1) aws-eventstream (1.3.0) aws-partitions (1.1008.0) aws-sdk-core (3.213.0) @@ -202,7 +201,7 @@ GEM compact_index (0.15.0) concurrent-ruby (1.3.4) connection_pool (2.4.1) - cose (1.3.0) + cose (1.3.1) cbor (~> 0.5.9) openssl-signature_algorithm (~> 1.0) crack (1.0.0) @@ -364,7 +363,8 @@ GEM bindata faraday (~> 2.0) faraday-follow_redirects - jwt (2.7.1) + jwt (2.9.3) + base64 kaminari (1.2.2) activesupport (>= 4.1.0) kaminari-actionview (= 1.2.2) @@ -808,7 +808,7 @@ GEM activesupport pg (~> 1.2) toxiproxy (2.0.2) - tpm-key_attestation (0.12.0) + tpm-key_attestation (0.12.1) bindata (~> 2.4) openssl (> 2.0) openssl-signature_algorithm (~> 1.0) 
@@ -836,9 +836,8 @@ GEM activesupport (>= 5.2.0, < 8.0) concurrent-ruby (~> 1.0) method_source (~> 1.0) - webauthn (3.1.0) + webauthn (3.2.2) android_key_attestation (~> 0.3.0) - awrence (~> 1.1) bindata (~> 2.4) cbor (~> 0.5.9) cose (~> 1.1) @@ -988,7 +987,7 @@ DEPENDENCIES user_agent_parser (~> 2.18) validates_formatting_of (~> 0.9) view_component (~> 3.14.0) - webauthn (~> 3.1) + webauthn (~> 3.2) webmock (~> 3.24) xml-simple (~> 1.1) @@ -1021,7 +1020,6 @@ CHECKSUMS avo-menu (3.14.0) sha256=f07243d2a52921d28718d7d9bdddb11eaebdc0dd5b07deed7a7fb767550be554 avo-pro (3.14.0) sha256=0a20743f5c5e685a9088c9b753bc8419a68aac57f7fa2966485e9ceb61a82c5f avo_upgrade (0.1.1) sha256=8d841083b9956392f5c8fe195f25bec0d139e3646d276f8a59e66b7d2e9ebf30 - awrence (1.2.1) sha256=dd1d214c12a91f449d1ef81d7ee3babc2816944e450752e7522c65521872483e aws-eventstream (1.3.0) sha256=f1434cc03ab2248756eb02cfa45e900e59a061d7fbdc4a9fd82a5dd23d796d3f aws-partitions (1.1008.0) sha256=6fb5e6b843ea1169480c804fc861a5de7407762097de75cf4734fbcd35466227 aws-sdk-core (3.213.0) sha256=6ca685be1d72d61776fdaaddf3c293e45a472ff0dd0b624880e7813d0c82db19 @@ -1053,7 +1051,7 @@ CHECKSUMS compact_index (0.15.0) sha256=5c6c404afca8928a7d9f4dde9524f6e1610db17e675330803055db282da84a8b concurrent-ruby (1.3.4) sha256=d4aa926339b0a86b5b5054a0a8c580163e6f5dcbdfd0f4bb916b1a2570731c32 connection_pool (2.4.1) sha256=0f40cf997091f1f04ff66da67eabd61a9fe0d4928b9a3645228532512fab62f4 - cose (1.3.0) sha256=63247c66a5bc76e53926756574fe3724cc0a88707e358c90532ae2a320e98601 + cose (1.3.1) sha256=d5d4dbcd6b035d513edc4e1ab9bc10e9ce13b4011c96e3d1b8fe5e6413fd6de5 crack (1.0.0) sha256=c83aefdb428cdc7b66c7f287e488c796f055c0839e6e545fec2c7047743c4a49 crass (1.0.6) sha256=dc516022a56e7b3b156099abc81b6d2b08ea1ed12676ac7a5657617f012bd45d css_parser (1.19.1) sha256=1940dce01e3b9be18d6880e6d65162d984cc04ff28998cf4759beb999275209e 
@@ -1122,7 +1120,7 @@ CHECKSUMS job-iteration (1.7.0) sha256=7e9db935ce021280a030414995047f370b458597405b316a0bf59ecc9c9cad5d json (2.8.2) sha256=dd4fa6c9c81daecf72b86ea36e56ed8955fdbb4d4dc379c93d313a59344486cf json-jwt (1.16.7) sha256=ccabff4c6d1a14276b23178e8bebe513ef236399b72a0b886d7ed94800d172a5 - jwt (2.7.1) sha256=07357cd2f180739b2f8184eda969e252d850ac996ed0a23f616e8ff0a90ae19b + jwt (2.9.3) sha256=55fd07ccdd64c622d36859748f2290fb9c119ce30b482867504e9f12654d6a65 kaminari (1.2.2) sha256=c4076ff9adccc6109408333f87b5c4abbda5e39dc464bd4c66d06d9f73442a3e kaminari-actionview (1.2.2) sha256=1330f6fc8b59a4a4ef6a549ff8a224797289ebf7a3a503e8c1652535287cc909 kaminari-activerecord (1.2.2) sha256=0dd3a67bab356a356f36b3b7236bcb81cef313095365befe8e98057dd2472430 @@ -1300,7 +1298,7 @@ CHECKSUMS timeout (0.4.2) sha256=8aca2d5ff98eb2f7a501c03f8c3622065932cc58bc58f725cd50a09e63b4cc19 timescaledb (0.3.0) sha256=9ce2b39417d30544054cb609fbd84e18e304c7b7952a793846b8f4489551a28f toxiproxy (2.0.2) sha256=2e3b53604fb921d40da3db8f78a52b3133fcae33e93d440725335b15974e440a - tpm-key_attestation (0.12.0) sha256=e133d80cf24fef0e7a7dfad00fd6aeff01fc79875fbfc66cd8537bbd622b1e6d + tpm-key_attestation (0.12.1) sha256=3c1315bed06ba3563aee98ff69c270d9b45b586a43ac2da250b23cad3c3caca3 turbo-rails (2.0.11) sha256=fc47674736372780abd2a4dc0d84bef242f5ca156a457cd7fa6308291e397fcf turbo_power (0.6.2) sha256=c9080d0d1bb79deed67bee2a7654dd38f9c903b57ad52b98d19d000958fde2cc tzinfo (2.0.6) sha256=8daf828cc77bcf7d63b0e3bdb6caa47e2272dcfaf4fbfe46f8c3a9df087a829b 
@@ -1313,7 +1311,7 @@ CHECKSUMS validates_formatting_of (0.9.0) sha256=139590a4b87596dbfb04d93e897bd2e6d30fb849d04fab0343e71ed2ca856e7e version_gem (1.1.1) sha256=3c2da6ded29045ddcc0387e152dc634e1f0c490b7128dce0697ccc1cf0915b6c view_component (3.14.0) sha256=96816de1c40d276d9fac49316ee4d196de90b1ce6eb39373b887c639749e630c - webauthn (3.1.0) sha256=e545fcf17d8a6b821161a37c1c4bc8c3d2ead0ff6ff3b098f57f417e731790b7 + webauthn (3.2.2) sha256=46e70b234963c85bbf8ea8febc9a3cbf04569e34a73a570d86f68556f3f36a38 webfinger (2.1.3) sha256=567a52bde77fb38ca6b67e55db755f988766ec4651c1d24916a65aa70540695c webmock (3.24.0) sha256=be01357f6fc773606337ca79f3ba332b7d52cbe5c27587671abc0572dbec7122 websocket (1.2.11) sha256=b7e7a74e2410b5e85c25858b26b3322f29161e300935f70a0e0d3c35e0462737 From a8986a78c5f9bbd9324dfc68a11637dc90798138 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 19 Nov 2024 14:56:29 +0000 Subject: [PATCH 13/22] Bump aws-sdk-sqs from 1.88.0 to 1.89.0 Bumps [aws-sdk-sqs](https://github.com/aws/aws-sdk-ruby) from 1.88.0 to 1.89.0. - [Release notes](https://github.com/aws/aws-sdk-ruby/releases) - [Changelog](https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-sqs/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-ruby/commits) --- updated-dependencies: - dependency-name: aws-sdk-sqs dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- Gemfile | 2 +- Gemfile.lock | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Gemfile b/Gemfile index be27925f105..8aeb4b1ac32 100644 --- a/Gemfile +++ b/Gemfile @@ -6,7 +6,7 @@ gem "rails", "~> 7.2.1" gem "rails-i18n", "~> 7.0" gem "aws-sdk-s3", "~> 1.171" -gem "aws-sdk-sqs", "~> 1.88" +gem "aws-sdk-sqs", "~> 1.89" gem "bootsnap", "~> 1.18" gem "clearance", "~> 2.9" gem "dalli", "~> 3.2" diff --git a/Gemfile.lock b/Gemfile.lock index a0b45b66977..65874d1faf2 100644 
--- a/Gemfile.lock +++ b/Gemfile.lock @@ -134,7 +134,7 @@ GEM rails (>= 6.0.0) zeitwerk aws-eventstream (1.3.0) - aws-partitions (1.1008.0) + aws-partitions (1.1009.0) aws-sdk-core (3.213.0) aws-eventstream (~> 1, >= 1.3.0) aws-partitions (~> 1, >= 1.992.0) @@ -147,7 +147,7 @@ GEM aws-sdk-core (~> 3, >= 3.210.0) aws-sdk-kms (~> 1) aws-sigv4 (~> 1.5) - aws-sdk-sqs (1.88.0) + aws-sdk-sqs (1.89.0) aws-sdk-core (~> 3, >= 3.210.0) aws-sigv4 (~> 1.5) aws-sigv4 (1.10.1) @@ -880,7 +880,7 @@ DEPENDENCIES avo-advanced (~> 3.14)! avo_upgrade (~> 0.1.1) aws-sdk-s3 (~> 1.171) - aws-sdk-sqs (~> 1.88) + aws-sdk-sqs (~> 1.89) bcrypt (~> 3.1) better_html (~> 2.1) bootsnap (~> 1.18) @@ -1021,11 +1021,11 @@ CHECKSUMS avo-pro (3.14.0) sha256=0a20743f5c5e685a9088c9b753bc8419a68aac57f7fa2966485e9ceb61a82c5f avo_upgrade (0.1.1) sha256=8d841083b9956392f5c8fe195f25bec0d139e3646d276f8a59e66b7d2e9ebf30 aws-eventstream (1.3.0) sha256=f1434cc03ab2248756eb02cfa45e900e59a061d7fbdc4a9fd82a5dd23d796d3f - aws-partitions (1.1008.0) sha256=6fb5e6b843ea1169480c804fc861a5de7407762097de75cf4734fbcd35466227 + aws-partitions (1.1009.0) sha256=668e5ad6b7fd0eff01e9f38c88e443268eabe0e26d1d5fe407b8d0bfe949bd89 aws-sdk-core (3.213.0) sha256=6ca685be1d72d61776fdaaddf3c293e45a472ff0dd0b624880e7813d0c82db19 aws-sdk-kms (1.95.0) sha256=2ae508c642ddc59baa1296229108e9601a2fa00e57cf7a2153c9488f0587fd5e aws-sdk-s3 (1.171.0) sha256=94a2210c20f6102d8867937b021ef40683aa351e28912ac9cc6ef20509f85f4f - aws-sdk-sqs (1.88.0) sha256=3e4e022b9af1796eb87bb368a8bb2001ebcad3b5025d76aa9ba731acea01a2eb + aws-sdk-sqs (1.89.0) sha256=1db1e8a1dcf1a83a6328fe12a034fe89e1c7a73c6305b8cad089656e3a5389ba aws-sigv4 (1.10.1) sha256=8a140753f34de18125686b11e7adaed4ca3db06dfb50a478993bd437f7a203bb base64 (0.2.0) sha256=0f25e9b21a02a0cc0cea8ef92b2041035d39350946e8789c562b2d1a3da01507 bcrypt (3.1.20) sha256=8410f8c7b3ed54a3c00cd2456bf13917d695117f033218e2483b2e40b0784099 From e9b6b222acd9a038ddfa033bdcf8b12bdc9be709 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 19 Nov 2024 14:58:34 +0000 Subject: [PATCH 14/22] Bump rdoc from 6.7.0 to 6.8.1 Bumps [rdoc](https://github.com/ruby/rdoc) from 6.7.0 to 6.8.1. - [Release notes](https://github.com/ruby/rdoc/releases) - [Changelog](https://github.com/ruby/rdoc/blob/master/History.rdoc) - [Commits](https://github.com/ruby/rdoc/compare/v6.7.0...v6.8.1) --- updated-dependencies: - dependency-name: rdoc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- Gemfile | 2 +- Gemfile.lock | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Gemfile b/Gemfile index be27925f105..12ed84363e2 100644 --- a/Gemfile +++ b/Gemfile @@ -34,7 +34,7 @@ gem "rack", "~> 3.1" gem "rackup", "~> 2.2" gem "rack-sanitizer", "~> 2.0" gem "rbtrace", "~> 0.5.1" -gem "rdoc", "~> 6.7" +gem "rdoc", "~> 6.8" gem "roadie-rails", "~> 3.3" gem "ruby-magic", "~> 0.6" gem "shoryuken", "~> 6.2", require: false diff --git a/Gemfile.lock b/Gemfile.lock index a0b45b66977..61b02b780b7 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -673,7 +673,7 @@ GEM ffi (>= 1.0.6) msgpack (>= 0.4.3) optimist (>= 3.0.0) - rdoc (6.7.0) + rdoc (6.8.1) psych (>= 4.0.0) redcarpet (3.6.0) regexp_parser (2.9.2) @@ -958,7 +958,7 @@ DEPENDENCIES rails-i18n (~> 7.0) rails_semantic_logger (~> 4.17) rbtrace (~> 0.5.1) - rdoc (~> 6.7) + rdoc (~> 6.8) roadie-rails (~> 3.3) rotp (~> 6.2) rqrcode (~> 2.1) 
@@ -1237,7 +1237,7 @@ CHECKSUMS
   rb-fsevent (0.11.2) sha256=43900b972e7301d6570f64b850a5aa67833ee7d87b458ee92805d56b7318aefe
   rb-inotify (0.10.1) sha256=050062d4f31d307cca52c3f6a7f4b946df8de25fc4bd373e1a5142e41034a7ca
   rbtrace (0.5.1) sha256=e8cba64d462bfb8ba102d7be2ecaacc789247d52ac587d8003549d909cb9c5dc
-  rdoc (6.7.0) sha256=b17d5f0f57b0853d7b880d4360a32c7caf8dbb81f8503a36426df809e617f379
+  rdoc (6.8.1) sha256=0128002d1bfc4892bdd780940841e4ca41275f63781fd832d11bc8ba4461462c
   redcarpet (3.6.0) sha256=8ad1889c0355ff4c47174af14edd06d62f45a326da1da6e8a121d59bdcd2e9e9
   regexp_parser (2.9.2) sha256=5a27e767ad634f8a4b544520d5cd28a0db7aa1198a5d7c9d7e11d7b3d9066446
   reline (0.5.11) sha256=868d5f4dbfd9caafa70182f7f6fa258b70baee4e565d7cd9e70b4d5b11a7cb65
From 802f0f8352424f1f1dac7b31835e72b218da2f78 Mon Sep 17 00:00:00 2001
From: Kingsley Chijioke Date: Tue, 19 Nov 2024 17:19:30 +0100 Subject: [PATCH 15/22] Unconfirmed email profile should return 404 (#5143) --- app/controllers/profiles_controller.rb | 3 ++- app/models/user.rb | 1 + test/functional/profiles_controller_test.rb | 13 +++++++++++++ 3 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/app/controllers/profiles_controller.rb b/app/controllers/profiles_controller.rb
index 1adbf233817..e2f466fba3d 100644
--- a/app/controllers/profiles_controller.rb
+++ b/app/controllers/profiles_controller.rb
@@ -8,7 +8,8 @@ class ProfilesController < ApplicationController
   before_action :disable_cache, only: :edit
 
   def show
-    @user = User.find_by_slug!(params[:id])
+    @user = User.confirmed.find_by_slug!(params[:id])
+    return render_not_found unless @user
     @rubygems = @user.rubygems_downloaded.includes(%i[latest_version gem_download]).strict_loading
   end
 
diff --git a/app/models/user.rb b/app/models/user.rb
index 8b25cd75531..3741b4c7003 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
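Review bot: The guard `return render_not_found unless @user` on the new line is unreachable if `find_by_slug!` is the bang finder that raises `ActiveRecord::RecordNotFound` on a miss, so it is not clear from the hunk which path produces the 404 the new functional test expects; if `find_by_slug!` is a project method that returns nil, its `!` name is misleading. Either drop the bang and keep the guard, `@user = User.confirmed.find_by_slug(params[:id])`, or keep the bang and drop the guard and rely on the RecordNotFound handling, and add a comment such as `# Unconfirmed accounts are not public: treat them as absent rather than hinting that the handle exists` so the intent survives later refactoring. An unconfirmed handle and a non-existent handle should yield the same response, and the test added in test/functional/profiles_controller_test.rb only covers the unconfirmed case.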
@@ -27,6 +27,7 @@ class User < ApplicationRecord
   scope :not_deleted, -> { kept }
   scope :deleted, -> { with_discarded.discarded }
   scope :with_deleted, -> { with_discarded }
+  scope :confirmed, -> { where(email_confirmed: true) }
 
   has_many :ownerships, -> { confirmed }, dependent: :destroy, inverse_of: :user
 
diff --git a/test/functional/profiles_controller_test.rb b/test/functional/profiles_controller_test.rb
index 1cfbb165ec8..0cb3ab5a29d 100644
--- a/test/functional/profiles_controller_test.rb
+++ b/test/functional/profiles_controller_test.rb
@@ -12,6 +12,19 @@ class ProfilesControllerTest < ActionController::TestCase
     end
   end
 
+  context "for a user whose email is not confirmed" do
+    setup do
+      @user = create(:user)
+      @user.update(email_confirmed: false)
+    end
+
+    should "render not found page" do
+      get :show, params: { id: @user.handle }
+
+      assert_response :not_found
+    end
+  end
+
   context "when not logged in" do
     setup { @user = create(:user) }
 
From 8996a6cc0f900b4af335d605d5bf787e4849a4fa Mon Sep 17 00:00:00 2001
From: Samuel Giddins Date: Tue, 19 Nov 2024 11:58:12 -0800 Subject: [PATCH 16/22] Add more filters to api_key/version to help measure trusted publishing & attestation adoption (#5256) Signed-off-by: Samuel Giddins --- app/avo/resources/api_key.rb | 2 ++ app/avo/resources/version.rb | 5 +++++ app/models/api_key.rb | 3 +++ app/models/version.rb | 16 ++++++++++++++++ 4 files changed, 26 insertions(+)
diff --git a/app/avo/resources/api_key.rb b/app/avo/resources/api_key.rb
index c3c2251565e..4e47a01baf2 100644
--- a/app/avo/resources/api_key.rb
+++ b/app/avo/resources/api_key.rb
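Review bot: The new `confirmed` scope is undocumented and sits directly above `has_many :ownerships, -> { confirmed }`, where `confirmed` resolves against Ownership rather than User, so a reader can easily conflate the two; a one-line comment such as `# Users who have verified their email address; unconfirmed accounts are hidden from public profile routes` avoids that. The scope does not compose `not_deleted`, so callers that want only live, confirmed users must chain both (unless discarded users are already excluded by a default scope, which is not visible here). The class body continues outside the hunk.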
@@ -3,9 +3,11 @@ class Avo::Resources::ApiKey < Avo::BaseResource
   self.includes = []
 
   class ExpiredFilter < Avo::Filters::ScopeBooleanFilter; end
+  class TrustedPublisherFilter < Avo::Filters::ScopeBooleanFilter; end
 
   def filters
     filter ExpiredFilter, arguments: { default: { expired: false, unexpired: true } }
+    filter TrustedPublisherFilter, arguments: { default: { trusted_publisher: true, not_trusted_publisher: true } }
   end
 
   def fields
diff --git a/app/avo/resources/version.rb b/app/avo/resources/version.rb
index 4e3e14de176..80c46c18658 100644
--- a/app/avo/resources/version.rb
+++ b/app/avo/resources/version.rb
@@ -13,9 +13,13 @@ def actions
   end
 
   class IndexedFilter < Avo::Filters::ScopeBooleanFilter; end
+  class TrustedPublisherFilter < Avo::Filters::ScopeBooleanFilter; end
+  class AttestationFilter < Avo::Filters::ScopeBooleanFilter; end
 
   def filters
     filter IndexedFilter, arguments: { default: { indexed: true, yanked: true } }
+    filter TrustedPublisherFilter, arguments: { default: { pushed_with_trusted_publishing: true, pushed_without_trusted_publishing: true } }
+    filter AttestationFilter, arguments: { default: { with_attestations: true, without_attestations: true } }
   end
 
   def fields # rubocop:disable Metrics
@@ -74,6 +78,7 @@ def fields # rubocop:disable Metrics
     field :dependencies, as: :has_many
     field :gem_download, as: :has_one, name: "Downloads"
     field :deletion, as: :has_one
+    field :attestations, as: :has_many
   end
 end
 end
diff --git a/app/models/api_key.rb b/app/models/api_key.rb
index 924bf5fc3f2..efc228ced38 100644
--- a/app/models/api_key.rb
+++ b/app/models/api_key.rb
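Review bot: The `filter TrustedPublisherFilter, arguments: { default: { pushed_with_trusted_publishing: true, pushed_without_trusted_publishing: true } }` line in app/avo/resources/version.rb runs well past the usual line-length limit and the two filter lines next to it are hard to scan; splitting the `default:` hash across lines keeps them readable. These filter keys must stay in lockstep with the scope names added to ApiKey and Version in the same commit, which nothing enforces; a short comment on each filter class pointing at the model scope it toggles, e.g. `# Toggles Version.pushed_with_trusted_publishing / pushed_without_trusted_publishing`, makes that coupling visible to whoever renames a scope later. The enclosing classes continue outside these hunks.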
@@ -38,6 +38,9 @@ class ScopeError < RuntimeError; end
   scope :oidc, -> { joins(:oidc_id_token) }
   scope :not_oidc, -> { where.missing(:oidc_id_token) }
 
+  scope :trusted_publisher, -> { where("owner_type like ?", "OIDC::TrustedPublisher::%") }
+  scope :not_trusted_publisher, -> { where("owner_type not like ?", "OIDC::TrustedPublisher::%") }
+
   def self.expire_all!
     transaction do
       unexpired.find_each.all?(&:expire!)
diff --git a/app/models/version.rb b/app/models/version.rb
index f3aa3e75413..7dee3eb7fe4 100644
--- a/app/models/version.rb
+++ b/app/models/version.rb
@@ -197,6 +197,22 @@ def self.created_between(start_time, end_time)
     where(created_at: start_time..end_time).order(:created_at, :id)
   end
 
+  def self.pushed_with_trusted_publishing
+    joins(:pusher_api_key).merge(ApiKey.trusted_publisher)
+  end
+
+  def self.pushed_without_trusted_publishing
+    left_joins(:pusher_api_key).merge(ApiKey.not_trusted_publisher.or(where(pusher_api_key: nil).only(:where)))
+  end
+
+  def self.with_attestations
+    where.associated(:attestations)
+  end
+
+  def self.without_attestations
+    where.missing(:attestations)
+  end
+
   def platformed?
     platform != "ruby"
   end
From 9ae051d413ace2aa39ad52e5632303d48d36ad50 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 20 Nov 2024 00:27:15 +0000 Subject: [PATCH 17/22] Bump aws-sdk-s3 from 1.171.0 to 1.172.0 Bumps [aws-sdk-s3](https://github.com/aws/aws-sdk-ruby) from 1.171.0 to 1.172.0. - [Release notes](https://github.com/aws/aws-sdk-ruby/releases) - [Changelog](https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-s3/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-ruby/commits) --- updated-dependencies: - dependency-name: aws-sdk-s3 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- Gemfile | 2 +- Gemfile.lock | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-)
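Review bot: `not_trusted_publisher` uses `owner_type not like ?`, which under SQL three-valued logic drops rows whose `owner_type` is NULL, so if an API key can exist without an owner it will appear in neither filter and the adoption numbers will not add up; if `owner` is required this is fine, but either a comment or `where("owner_type is null or owner_type not like ?", ...)` should make the choice explicit. The `"OIDC::TrustedPublisher::%"` pattern is duplicated in both scopes, so hoisting it into a frozen constant such as `TRUSTED_PUBLISHER_OWNER_PATTERN` keeps them from drifting apart. In `Version.pushed_without_trusted_publishing` the `.or(where(pusher_api_key: nil).only(:where))` merges a Version-side condition into an ApiKey relation, which only works because `only(:where)` strips the structurally incompatible parts; that deserves a comment and a test, and the commit adds no tests for any of the four new scopes even though they are meant to report trusted-publishing and attestation adoption. The enclosing classes continue outside these hunks.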
diff --git a/Gemfile b/Gemfile index d5393364661..6344b7cf76a 100644 --- a/Gemfile +++ b/Gemfile @@ -5,7 +5,7 @@ ruby file: ".ruby-version" gem "rails", "~> 7.2.1" gem "rails-i18n", "~> 7.0" -gem "aws-sdk-s3", "~> 1.171" +gem "aws-sdk-s3", "~> 1.172" gem "aws-sdk-sqs", "~> 1.89" gem "bootsnap", "~> 1.18" gem "clearance", "~> 2.9" diff --git a/Gemfile.lock b/Gemfile.lock index 4d32247e405..851b53b3fe1 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -134,16 +134,16 @@ GEM rails (>= 6.0.0) zeitwerk aws-eventstream (1.3.0) - aws-partitions (1.1009.0) + aws-partitions (1.1010.0) aws-sdk-core (3.213.0) aws-eventstream (~> 1, >= 1.3.0) aws-partitions (~> 1, >= 1.992.0) aws-sigv4 (~> 1.9) jmespath (~> 1, >= 1.6.1) - aws-sdk-kms (1.95.0) + aws-sdk-kms (1.96.0) aws-sdk-core (~> 3, >= 3.210.0) aws-sigv4 (~> 1.5) - aws-sdk-s3 (1.171.0) + aws-sdk-s3 (1.172.0) aws-sdk-core (~> 3, >= 3.210.0) aws-sdk-kms (~> 1) aws-sigv4 (~> 1.5) @@ -879,7 +879,7 @@ DEPENDENCIES avo (~> 3.13) avo-advanced (~> 3.14)! avo_upgrade (~> 0.1.1) - aws-sdk-s3 (~> 1.171) + aws-sdk-s3 (~> 1.172) aws-sdk-sqs (~> 1.89) bcrypt (~> 3.1) better_html (~> 2.1) 
@@ -1021,10 +1021,10 @@ CHECKSUMS avo-pro (3.14.0) sha256=0a20743f5c5e685a9088c9b753bc8419a68aac57f7fa2966485e9ceb61a82c5f avo_upgrade (0.1.1) sha256=8d841083b9956392f5c8fe195f25bec0d139e3646d276f8a59e66b7d2e9ebf30 aws-eventstream (1.3.0) sha256=f1434cc03ab2248756eb02cfa45e900e59a061d7fbdc4a9fd82a5dd23d796d3f - aws-partitions (1.1009.0) sha256=668e5ad6b7fd0eff01e9f38c88e443268eabe0e26d1d5fe407b8d0bfe949bd89 + aws-partitions (1.1010.0) sha256=68bb673ab3275f0a41cd62d4550d2238053841f3f99498aa809bae66bcf3a6a0 aws-sdk-core (3.213.0) sha256=6ca685be1d72d61776fdaaddf3c293e45a472ff0dd0b624880e7813d0c82db19 - aws-sdk-kms (1.95.0) sha256=2ae508c642ddc59baa1296229108e9601a2fa00e57cf7a2153c9488f0587fd5e - aws-sdk-s3 (1.171.0) sha256=94a2210c20f6102d8867937b021ef40683aa351e28912ac9cc6ef20509f85f4f + aws-sdk-kms (1.96.0) sha256=b1818e140b4d1b3cbe154e6b2df1d157f8c65aa297d488f69b5745995a6ba375 + aws-sdk-s3 (1.172.0) sha256=a2ac83d570c573b240b694d72c9e83e2c233a75fcd5f1a73e1d6d348b8219243 aws-sdk-sqs (1.89.0) sha256=1db1e8a1dcf1a83a6328fe12a034fe89e1c7a73c6305b8cad089656e3a5389ba aws-sigv4 (1.10.1) sha256=8a140753f34de18125686b11e7adaed4ca3db06dfb50a478993bd437f7a203bb base64 (0.2.0) sha256=0f25e9b21a02a0cc0cea8ef92b2041035d39350946e8789c562b2d1a3da01507 From 13412bfd4676c98cd1fbf0da6cea75b24eed42cc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 20 Nov 2024 00:29:33 +0000 Subject: [PATCH 18/22] Bump sigstore from 0.1.1 to 0.2.1 Bumps [sigstore](https://github.com/sigstore/sigstore-ruby) from 0.1.1 to 0.2.1. - [Release notes](https://github.com/sigstore/sigstore-ruby/releases) - [Commits](https://github.com/sigstore/sigstore-ruby/compare/v0.1.1...v0.2.1) --- updated-dependencies: - dependency-name: sigstore dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- Gemfile | 2 +- Gemfile.lock | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/Gemfile b/Gemfile index d5393364661..ac44f2d00b7 100644 --- a/Gemfile +++ b/Gemfile @@ -60,7 +60,7 @@ gem "user_agent_parser", "~> 2.18" gem "pghero", "~> 3.6" gem "faraday-multipart", "~> 1.0" gem "timescaledb", "~> 0.3" -gem "sigstore", "~> 0.1.1" +gem "sigstore", "~> 0.2.1" # Admin dashboard gem "avo", "~> 3.13" diff --git a/Gemfile.lock b/Gemfile.lock index 4d32247e405..f907c197c0d 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -765,7 +765,7 @@ GEM shoulda-context (3.0.0.rc1) shoulda-matchers (6.4.0) activesupport (>= 5.2.0) - sigstore (0.1.1) + sigstore (0.2.1) net-http protobug_sigstore_protos (~> 0.1.0) uri @@ -974,7 +974,7 @@ DEPENDENCIES shoryuken (~> 6.2) shoulda-context (~> 3.0.0.rc1) shoulda-matchers (~> 6.4) - sigstore (~> 0.1.1) + sigstore (~> 0.2.1) simplecov (~> 0.22) simplecov-cobertura (~> 2.1) statsd-instrument (~> 3.9) @@ -1276,7 +1276,7 @@ CHECKSUMS shoryuken (6.2.1) sha256=95ddc0a717624a54e799d25a0a05100cb5a0c3728a96211935c214faaf16b3b6 shoulda-context (3.0.0.rc1) sha256=6e0d9d52ab798c13bc2b490c8537d4bf30cfd318a1ea839c39a66d1d293c6a1a shoulda-matchers (6.4.0) sha256=9055bb7f4bb342125fb860809798855c630e05ef5e75837b3168b8e6ee1608b0 - sigstore (0.1.1) sha256=0c2c3c5d175b204252eeb1507bfb79e330009188d160525d2871b5272f958897 + sigstore (0.2.1) sha256=58031c34c7899dd6aac43c54d0ab1a5282a551804013d4b7cb6930a32cbc8775 simplecov (0.22.0) sha256=fe2622c7834ff23b98066bb0a854284b2729a569ac659f82621fc22ef36213a5 simplecov-cobertura (2.1.0) sha256=2c6532e34df2e38a379d72cef9a05c3b16c64ce90566beebc6887801c4ad3f02 simplecov-html (0.12.3) sha256=4b1aad33259ffba8b29c6876c12db70e5750cb9df829486e4c6e5da4fa0aa07b From fdebde8d2190a602ca87668b7dba481b9a385d9b Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 19 Nov 2024 16:53:41 -0800 Subject: [PATCH 19/22] Bump avo-advanced from 3.14.0 to 3.14.1 (#5252) Bumps avo-advanced from 3.14.0 to 3.14.1. --- updated-dependencies: - dependency-name: avo-advanced dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Gemfile.lock | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index d9e30cd0afe..a8806df9a82 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,29 +1,29 @@ GEM remote: https://packager.dev/avo-hq/ specs: - avo-advanced (3.14.0) - avo (= 3.14.0) - avo-dynamic_filters (= 3.14.0) - avo-pro (= 3.14.0) + avo-advanced (3.14.1) + avo (= 3.14.1) + avo-dynamic_filters (= 3.14.1) + avo-pro (= 3.14.1) zeitwerk (>= 2.6.12) - avo-dashboards (3.14.0) - avo (= 3.14.0) + avo-dashboards (3.14.1) + avo (= 3.14.1) turbo-rails view_component (>= 3.7.0) zeitwerk (>= 2.6.12) - avo-dynamic_filters (3.14.0) - avo (= 3.14.0) + avo-dynamic_filters (3.14.1) + avo (= 3.14.1) ransack (>= 4.2.0) view_component (>= 3.7.0) zeitwerk (>= 2.6.12) - avo-menu (3.14.0) - avo (= 3.14.0) + avo-menu (3.14.1) + avo (= 3.14.1) docile zeitwerk (>= 2.6.12) - avo-pro (3.14.0) - avo (= 3.14.0) - avo-dashboards (= 3.14.0) - avo-menu (= 3.14.0) + avo-pro (3.14.1) + avo (= 3.14.1) + avo-dashboards (= 3.14.1) + avo-menu (= 3.14.1) zeitwerk (>= 2.6.12) GEM @@ -115,7 +115,7 @@ GEM ffi-compiler (~> 1.0) ast (2.4.2) attr_required (1.0.2) - avo (3.14.0) + avo (3.14.1) actionview (>= 6.1) active_link_to activerecord (>= 6.1) 
@@ -1013,12 +1013,12 @@ CHECKSUMS argon2 (2.3.0) sha256=980ef65172bf512ad37b6cbb0d61eef40b6dccab6a7db4e70557527e1dce9557 ast (2.4.2) sha256=1e280232e6a33754cde542bc5ef85520b74db2aac73ec14acef453784447cc12 attr_required (1.0.2) sha256=f0ebfc56b35e874f4d0ae799066dbc1f81efefe2364ca3803dc9ea6a4de6cb99 - avo (3.14.0) sha256=ae8744b3bde7c9b3d41869e58214abf288d7ef6f230420746f012df083f1c0be - avo-advanced (3.14.0) sha256=9b4a450819e7ea4aa2b25ff07d4e6f0bd36bcb6c99e86469a2fd1be733b9fe17 - avo-dashboards (3.14.0) sha256=5b2c30fee710fdfec6d47d940d5018cb1afcd2020720e5ef436001dc2ee6387b - avo-dynamic_filters (3.14.0) sha256=05fd9e5846ad247310fbffed61b40be310d9334646e8d59afe6c724faff5b28e - avo-menu (3.14.0) sha256=f07243d2a52921d28718d7d9bdddb11eaebdc0dd5b07deed7a7fb767550be554 - avo-pro (3.14.0) sha256=0a20743f5c5e685a9088c9b753bc8419a68aac57f7fa2966485e9ceb61a82c5f + avo (3.14.1) sha256=7fbf904afe5409064b8f03c7a14befe83184116e1ed789fb74a750090c39b15a + avo-advanced (3.14.1) sha256=5f9b18d20e7076731b736afe52bf04da2852c972f0aedeeb9b8323d9bf385ca3 + avo-dashboards (3.14.1) sha256=7c880e028138bc72082e0fec543a7af13d0ccf4580c8b58ce49b093379eef846 + avo-dynamic_filters (3.14.1) sha256=3fa32a404e99c9a0e97c973a6ddfd298bcb33dc2accb4d897064285043f5a84c + avo-menu (3.14.1) sha256=5b1ac111feabff7d0b3c718a8d67bd92bf3a822ef8e9af54014a91b6fa2bf4be + avo-pro (3.14.1) sha256=84e5474f9f311dc846a85ac3cfec02e04f187a54e91574686310eafaa21c503f avo_upgrade (0.1.1) sha256=8d841083b9956392f5c8fe195f25bec0d139e3646d276f8a59e66b7d2e9ebf30 aws-eventstream (1.3.0) sha256=f1434cc03ab2248756eb02cfa45e900e59a061d7fbdc4a9fd82a5dd23d796d3f aws-partitions (1.1010.0) sha256=68bb673ab3275f0a41cd62d4550d2238053841f3f99498aa809bae66bcf3a6a0 From 53ec71ec6dc2be8c5519beeb8cf3701dad6fe5f3 Mon Sep 17 00:00:00 2001 
From: Jacklyn Ma <29336370+jacklynhma@users.noreply.github.com> Date: Wed, 20 Nov 2024 15:18:16 -0500 Subject: [PATCH 20/22] prevent submission of profile edit if password is not included (#5250) --- app/views/profiles/edit.html.erb | 2 +- test/system/profile_test.rb | 38 ++++++++++++++++++++++++++++++++ 2 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 test/system/profile_test.rb diff --git a/app/views/profiles/edit.html.erb b/app/views/profiles/edit.html.erb index d56e7bdf80b..9328c5ba61d 100644 --- a/app/views/profiles/edit.html.erb +++ b/app/views/profiles/edit.html.erb @@ -66,7 +66,7 @@

<%= t('.enter_password') %>

- <%= form.password_field :password, autocomplete: 'current-password', class: 'form__input' %>
+ <%= form.password_field :password, autocomplete: 'current-password', class: 'form__input', required: true %>
diff --git a/test/system/profile_test.rb b/test/system/profile_test.rb
new file mode 100644
index 00000000000..5afb8195384
--- /dev/null
+++ b/test/system/profile_test.rb
@@ -0,0 +1,38 @@
+require "application_system_test_case"
+require "test_helper"
+
+class ProfileTest < ApplicationSystemTestCase
+  setup do
+    @user = create(:user, email: "nick@example.com", password: PasswordHelpers::SECURE_TEST_PASSWORD, handle: "nick1", mail_fails: 1)
+  end
+
+  def sign_in
+    visit sign_in_path
+    fill_in "Email or Username", with: @user.reload.email
+    fill_in "Password", with: @user.password
+    click_button "Sign in"
+  end
+
+  test "adding X(formerly Twitter) username without filling in your password" do
+    twitter_username = "nick1twitter"
+
+    sign_in
+    visit profile_path("nick1")
+
+    click_link "Edit Profile"
+    fill_in "user_twitter_username", with: twitter_username
+
+    assert_equal twitter_username, page.find_by_id("user_twitter_username").value
+
+    click_button "Update"
+
+    # Verify that the newly added Twitter username is still on the form so that the user does not need to re-enter it
+    assert_equal twitter_username, page.find_by_id("user_twitter_username").value
+
+    fill_in "Password", with: PasswordHelpers::SECURE_TEST_PASSWORD
+    click_button "Update"
+
+    assert page.has_content? "Your profile was updated."
+    assert_equal twitter_username, page.find_by_id("user_twitter_username").value
+  end
+end
From 6267f710bf810f1ed5fa2915a6c02e988ce31300 Mon Sep 17 00:00:00 2001
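Review bot: The assertion after the first `click_button "Update"` passes whether the browser's new `required` attribute blocked the submit or the server rejected the update and re-rendered the form, so the test does not pin down that the server still refuses a profile change without the password; `required: true` in app/views/profiles/edit.html.erb is a client-side convenience, and the server-side check remains the control. Add a persistence check such as `refute_equal twitter_username, @user.reload.twitter_username` before the password is filled in, and `assert_equal twitter_username, @user.reload.twitter_username` after the successful update, so the test fails if either layer regresses. `mail_fails: 1` in the factory call has no visible role in the test; if the fixture needs it, a comment should say why.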
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 20 Nov 2024 12:36:10 -0800 Subject: [PATCH 21/22] Bump codecov/codecov-action from 5.0.2 to 5.0.4 (#5259) Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 5.0.2 to 5.0.4. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/codecov/codecov-action/compare/5c47607acb93fed5485fdbf7232e8a31425f672a...985343d70564a82044c1b7fcb84c2fa05405c1a2) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index ca35a8dce93..9111fbfef27 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -72,6 +72,6 @@ jobs: - name: Upload coverage to Codecov if: matrix.rubygems.name == 'locked' && (success() || failure()) - uses: codecov/codecov-action@5c47607acb93fed5485fdbf7232e8a31425f672a # v5.0.2 + uses: codecov/codecov-action@985343d70564a82044c1b7fcb84c2fa05405c1a2 # v5.0.4 env: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} From 7aaff9c96c392e1e79d50835e7a878e8099b7576 Mon Sep 17 00:00:00 2001 
From: Martin Emde Date: Wed, 20 Nov 2024 13:25:23 -0800 Subject: [PATCH 22/22] Increase coverage in policy tests (#5261) * Remove unused stubs from ApplicationPolicy * Fix membership policy tests * Remove unused RubygemPolicy predicates, update tests * Remove unused resolve not implemented, rely instead on NoMethodError * Add NilClassPolicy tests --- app/policies/api/application_policy.rb | 4 --- app/policies/api/nil_class_policy.rb | 2 +- app/policies/application_policy.rb | 36 ---------------------- app/policies/rubygem_policy.rb | 12 -------- test/policies/api/nil_class_policy_test.rb | 21 +++++++++++++ test/policies/membership_policy_test.rb | 18 +++++------ test/policies/rubygem_policy_test.rb | 8 +++++ 7 files changed, 38 insertions(+), 63 deletions(-) create mode 100644 test/policies/api/nil_class_policy_test.rb
diff --git a/app/policies/api/application_policy.rb b/app/policies/api/application_policy.rb
index 3d7d9b7f873..15b57a4bb8e 100644
--- a/app/policies/api/application_policy.rb
+++ b/app/policies/api/application_policy.rb
@@ -7,10 +7,6 @@ def initialize(api_key, scope)
       @scope = scope
     end
 
-    def resolve
-      raise NotImplementedError, "You must define #resolve in #{self.class}"
-    end
-
     private
 
     attr_reader :api_key, :scope
diff --git a/app/policies/api/nil_class_policy.rb b/app/policies/api/nil_class_policy.rb
index 820bb9d6e89..f9718480442 100644
--- a/app/policies/api/nil_class_policy.rb
+++ b/app/policies/api/nil_class_policy.rb
@@ -6,6 +6,6 @@ def resolve
   end
 
   def destroy?
-    false
+    deny t(:forbidden)
   end
 end
diff --git a/app/policies/application_policy.rb b/app/policies/application_policy.rb
index 45051f2f443..d7bf716f226 100644
--- a/app/policies/application_policy.rb
+++ b/app/policies/application_policy.rb
@@ -9,10 +9,6 @@ def initialize(user, scope)
       @scope = scope
     end
 
-    def resolve
-      raise NotImplementedError, "You must define #resolve in #{self.class}"
-    end
-
     private
 
     attr_reader :user, :scope
@@ -26,38 +22,6 @@ def initialize(user, record)
     @error = nil
   end
 
-  def index?
-    false
-  end
-
-  def show?
-    false
-  end
-
-  def create?
-    false
-  end
-
-  def new?
-    create?
-  end
-
-  def update?
-    false
-  end
-
-  def edit?
-    update?
-  end
-
-  def destroy?
-    false
-  end
-
-  def search?
-    index?
-  end
-
   private
 
   delegate :t, to: I18n
diff --git a/app/policies/rubygem_policy.rb b/app/policies/rubygem_policy.rb
index 41d761d014c..8c23df1c0d0 100644
--- a/app/policies/rubygem_policy.rb
+++ b/app/policies/rubygem_policy.rb
@@ -8,22 +8,10 @@ class Scope < ApplicationPolicy::Scope
   alias rubygem record
   delegate :organization, to: :rubygem
 
-  def show?
-    true
-  end
-
   def create?
     user.present?
   end
 
-  def update?
-    false
-  end
-
-  def destroy?
-    false
-  end
-
   def configure_oidc?
     rubygem_owned_by_with_role?(user, minimum_required_role: :owner, minimum_required_org_role: :admin)
   end
diff --git a/test/policies/api/nil_class_policy_test.rb b/test/policies/api/nil_class_policy_test.rb
new file mode 100644
index 00000000000..3472f8c9147
--- /dev/null
+++ b/test/policies/api/nil_class_policy_test.rb
@@ -0,0 +1,21 @@
+require "test_helper"
+
+class Api::NilClassPolicyTest < ApiPolicyTestCase
+  def policy!(api_key)
+    Pundit.policy!(api_key, [:api, nil])
+  end
+
+  context "::Scope.resolve" do
+    should "raise" do
+      assert_raises Pundit::NotDefinedError do
+        Api::NilClassPolicy::Scope.new(nil, nil).resolve
+      end
+    end
+  end
+
+  context "#destroy?" do
+    should "not be authorized" do
+      refute_authorized policy!(nil), :destroy?, "Forbidden"
+    end
+  end
+end
diff --git a/test/policies/membership_policy_test.rb b/test/policies/membership_policy_test.rb
index cc3e3465a3c..39a383f707e 100644
--- a/test/policies/membership_policy_test.rb
+++ b/test/policies/membership_policy_test.rb
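Review bot: Removing the default-deny predicates from ApplicationPolicy (and `show?`/`update?`/`destroy?` from RubygemPolicy in the next hunk) changes the failure mode for any `authorize` or `policy(...).update?` call whose predicate a subclass does not define: it now raises `NoMethodError` instead of returning false. That is still fail-closed, and a loud failure is arguably preferable, but the commit message's "unused" rests on a search of the codebase, and a view helper such as `policy(@rubygem).update?` would only surface at render time; a note on ApplicationPolicy, e.g. `# Subclasses define only the predicates they support; calling an undefined predicate raises rather than silently denying`, records that this is intentional. The membership test change in test/policies/membership_policy_test.rb swaps `update?` for `destroy?` and drops the `membership.role = …` lines, so if no other context covers demoting an owner or admin through `update?`, that coverage is lost rather than fixed. The enclosing class bodies continue outside these hunks.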
@@ -96,26 +96,24 @@ def policy!(user, record = Membership)
     context "removing owner" do
       should "be authorized for org owners only" do
         membership = create(:membership, :owner, organization: @organization)
-        membership.role = :admin
 
-        assert_authorized policy!(@owner, membership), :update?
+        assert_authorized policy!(@owner, membership), :destroy?
 
-        refute_authorized policy!(@admin, membership), :update?
-        refute_authorized policy!(@maintainer, membership), :update?
-        refute_authorized policy!(@guest, membership), :update?
+        refute_authorized policy!(@admin, membership), :destroy?
+        refute_authorized policy!(@maintainer, membership), :destroy?
+        refute_authorized policy!(@guest, membership), :destroy?
       end
     end
 
     context "removing admin" do
       should "be authorized for org admins and owners" do
         membership = create(:membership, :admin, organization: @organization)
-        membership.role = :maintainer
 
-        assert_authorized policy!(@owner, membership), :update?
-        assert_authorized policy!(@admin, membership), :update?
+        assert_authorized policy!(@owner, membership), :destroy?
+        assert_authorized policy!(@admin, membership), :destroy?
 
-        refute_authorized policy!(@maintainer, membership), :update?
-        refute_authorized policy!(@guest, membership), :update?
+        refute_authorized policy!(@maintainer, membership), :destroy?
+        refute_authorized policy!(@guest, membership), :destroy?
       end
     end
   end
diff --git a/test/policies/rubygem_policy_test.rb b/test/policies/rubygem_policy_test.rb
index 4979fa27697..505dc93a4fd 100644
--- a/test/policies/rubygem_policy_test.rb
+++ b/test/policies/rubygem_policy_test.rb
@@ -33,6 +33,14 @@ def org_policy!(user)
     Pundit.policy!(user, @org_rubygem)
   end
 
+  context "#create?" do
+    should "allow users" do
+      assert_authorized policy!(@owner), :create?
+      assert_authorized policy!(@user), :create?
+      refute_authorized policy!(nil), :create?
+    end
+  end
+
   context "#configure_oidc?" do
     should "only allow the owner" do
       assert_authorized policy!(@owner), :configure_oidc?