[pull] master from ruby:master

.github/workflows/check_sast.yml

@@ -92,14 +92,15 @@ jobs:
           output: sarif-results
 
       - name: filter-sarif
-        uses: advanced-security/filter-sarif@2da736ff05ef065cb2894ac6892e47b5eac2c3c0 # v1.1.0.1.1
+        uses: advanced-security/filter-sarif@2da736ff05ef065cb2894ac6892e47b5eac2c3c0 # v1.1
         with:
           patterns: |
             +**/*.rb
             -lib/uri/mailto.rb:rb/overly-large-range
             -lib/uri/rfc3986_parser.rb:rb/overly-large-range
             -lib/bundler/vendor/uri/lib/uri/mailto.rb:rb/overly-large-range
             -lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb:rb/overly-large-range
+            -spec/ruby/core/regexp/timeout_spec.rb:rb/redos
             -test/ruby/test_io.rb:rb/non-constant-kernel-open
             -test/open-uri/test_open-uri.rb:rb/non-constant-kernel-open
             -test/open-uri/test_ssl.rb:rb/non-constant-kernel-open
@@ -115,7 +116,7 @@ jobs:
         continue-on-error: true
 
       - name: filter-sarif
-        uses: advanced-security/filter-sarif@2da736ff05ef065cb2894ac6892e47b5eac2c3c0 # v1.1.0.1.1
+        uses: advanced-security/filter-sarif@2da736ff05ef065cb2894ac6892e47b5eac2c3c0 # v1.1
         with:
           patterns: |
             +**/*.c

.github/workflows/tarball-macos.yml

@@ -12,6 +12,14 @@ on:
         required: false
         type: boolean
         default: false
+    secrets:
+      SIMPLER_ALERTS_URL:
+        required: false
+      SNAPSHOT_SLACK_WEBHOOK_URL:
+        required: false
+
+permissions:
+  contents: read
 
 jobs:
   macos:

.github/workflows/tarball-non-development.yml

@@ -3,6 +3,9 @@ name: tarball-non-development (reusable)
 on:
   workflow_call: {}
 
+permissions:
+  contents: read
+
 jobs:
   non_development:
     strategy:

.github/workflows/tarball-test.yml

@@ -50,6 +50,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 1 # actions/checkout fetches all heads/tags unless > 0
+          persist-credentials: false
       # tool/make-snapshot derives the branch name from HEAD and looks up
       # the upstream during ChangeLog generation. Detached checkouts
       # (pull_request, merge_group) lack a local branch with tracking, so
@@ -73,7 +74,9 @@ jobs:
     with:
       archname: snapshot-${{ needs.tarball.outputs.branch }}
       notify-release-channel: ${{ github.event_name == 'workflow_dispatch' && inputs.notify-release-channel || false }}
-    secrets: inherit
+    secrets:
+      SIMPLER_ALERTS_URL: ${{ secrets.SIMPLER_ALERTS_URL }}
+      SNAPSHOT_SLACK_WEBHOOK_URL: ${{ secrets.SNAPSHOT_SLACK_WEBHOOK_URL }}
 
   macos:
     needs: tarball
@@ -82,7 +85,9 @@ jobs:
     with:
       archname: snapshot-${{ needs.tarball.outputs.branch }}
       notify-release-channel: ${{ github.event_name == 'workflow_dispatch' && inputs.notify-release-channel || false }}
-    secrets: inherit
+    secrets:
+      SIMPLER_ALERTS_URL: ${{ secrets.SIMPLER_ALERTS_URL }}
+      SNAPSHOT_SLACK_WEBHOOK_URL: ${{ secrets.SNAPSHOT_SLACK_WEBHOOK_URL }}
 
   windows:
     needs: tarball
@@ -91,9 +96,10 @@ jobs:
     with:
       archname: snapshot-${{ needs.tarball.outputs.branch }}
       notify-release-channel: ${{ github.event_name == 'workflow_dispatch' && inputs.notify-release-channel || false }}
-    secrets: inherit
+    secrets:
+      SIMPLER_ALERTS_URL: ${{ secrets.SIMPLER_ALERTS_URL }}
+      SNAPSHOT_SLACK_WEBHOOK_URL: ${{ secrets.SNAPSHOT_SLACK_WEBHOOK_URL }}
 
   non_development:
     needs: tarball
     uses: ./.github/workflows/tarball-non-development.yml
-    secrets: inherit

.github/workflows/tarball-ubuntu.yml

@@ -12,6 +12,14 @@ on:
         required: false
         type: boolean
         default: false
+    secrets:
+      SIMPLER_ALERTS_URL:
+        required: false
+      SNAPSHOT_SLACK_WEBHOOK_URL:
+        required: false
+
+permissions:
+  contents: read
 
 jobs:
   ubuntu:

.github/workflows/tarball-windows.yml

@@ -12,6 +12,14 @@ on:
         required: false
         type: boolean
         default: false
+    secrets:
+      SIMPLER_ALERTS_URL:
+        required: false
+      SNAPSHOT_SLACK_WEBHOOK_URL:
+        required: false
+
+permissions:
+  contents: read
 
 jobs:
   windows:

.github/zizmor.yml

@@ -13,6 +13,7 @@ rules:
   misfeature:
     ignore:
       - mingw.yml
+      - tarball-windows.yml
       - windows.yml
   unpinned-images:
     ignore:

ext/date/date_core.c

@@ -27,7 +27,7 @@ static VALUE eDateError;
 static VALUE half_days_in_day, day_in_nanoseconds;
 static double positive_inf, negative_inf;
 
-// used by deconstruct_keys
+/* used by deconstruct_keys */
 static VALUE sym_year, sym_month, sym_day, sym_yday, sym_wday;
 static VALUE sym_hour, sym_min, sym_sec, sym_sec_fraction, sym_zone;
 
@@ -4528,6 +4528,7 @@ date_s__strptime_internal(int argc, VALUE *argv, VALUE klass,
     rb_scan_args(argc, argv, "11", &vstr, &vfmt);
 
     StringValue(vstr);
+    if (argc > 1) StringValue(vfmt);
     if (!rb_enc_str_asciicompat_p(vstr))
 	rb_raise(rb_eArgError,
 		 "string should have ASCII compatible encoding");
@@ -4538,7 +4539,6 @@ date_s__strptime_internal(int argc, VALUE *argv, VALUE klass,
 	flen = strlen(default_fmt);
     }
     else {
-	StringValue(vfmt);
 	if (!rb_enc_str_asciicompat_p(vfmt))
 	    rb_raise(rb_eArgError,
 		     "format should have ASCII compatible encoding");

ext/date/date_strptime.c

@@ -661,16 +661,16 @@ date__strptime(const char *str, size_t slen,
 
     si = date__strptime_internal(str, slen, fmt, flen, hash);
 
+    if (fail_p())
+	return Qnil;
+
     if (slen > si) {
 	VALUE s;
 
 	s = rb_usascii_str_new(&str[si], slen - si);
 	set_hash("leftover", s);
     }
 
-    if (fail_p())
-	return Qnil;
-
     cent = del_hash("_cent");
     if (!NIL_P(cent)) {
 	VALUE year;

ext/json/generator/generator.c

@@ -1581,7 +1581,7 @@ static VALUE cState_max_nesting(VALUE self)
 
 static long long_config(VALUE num)
 {
-    return RTEST(num) ? FIX2LONG(num) : 0;
+    return RTEST(num) ? NUM2LONG(num) : 0;
 }
 
 // depth must never be negative; reject early with a clear error.

file.c

@@ -4479,31 +4479,43 @@ rb_file_s_expand_path(int argc, const VALUE *argv)
 }
 
 /*
+ *  :markup: markdown
+ *
  *  call-seq:
- *     File.expand_path(file_name [, dir_string] )  ->  abs_file_name
+ *    File.expand_path(path, dirpath = '.') -> absolute_path
  *
- *  Converts a pathname to an absolute pathname. Relative paths are
- *  referenced from the current working directory of the process unless
- *  +dir_string+ is given, in which case it will be used as the
- *  starting point. The given pathname may start with a
- *  ``<code>~</code>'', which expands to the process owner's home
- *  directory (the environment variable +HOME+ must be set
- *  correctly). ``<code>~</code><i>user</i>'' expands to the named
- *  user's home directory.
+ *  Returns the string absolute path for the given `path`.
  *
- *     File.expand_path("~oracle/bin")           #=> "/home/oracle/bin"
+ *  Evaluates a relative path with respect to the directory given by `dirpath`:
  *
- *  A simple example of using +dir_string+ is as follows.
- *     File.expand_path("ruby", "/usr/bin")      #=> "/usr/bin/ruby"
+ *  ```ruby
+ *  Dir.chdir('/snap')
+ *  # Default dirpath.
+ *  File.expand_path('README')                  # => "/snap/README"
+ *  File.expand_path('bin')                     # => "/snap/bin"
+ *  File.expand_path('bin/../var')              # => "/snap/var"  # Cleaned.
+ *  # Other dirpath.
+ *  File.expand_path('../zip', '/usr/bin/ruby') # => "/usr/bin/zip"
+ *  Dir.chdir('/usr/bin')
+ *  File.expand_path('../../snap', __FILE__)    # => "/usr/snap"
+ *  ```
  *
- *  A more complex example which also resolves parent directory is as follows.
- *  Suppose we are in bin/mygem and want the absolute path of lib/mygem.rb.
+ *  Evaluates an absolute path without respect to `dirpath`:
  *
- *     File.expand_path("../../lib/mygem.rb", __FILE__)
- *     #=> ".../path/to/project/lib/mygem.rb"
+ *  ```ruby
+ *  File.expand_path('/snap')           # => "/snap"
+ *  File.expand_path('/snap', 'nosuch') # => "/snap"
+ *  File.expand_path('/snap/../snap')   # => "/snap"  # Cleaned.
+ *  ```
+ *
+ *  More examples:
+ *
+ *  ```
+ *  Dir.chdir('/usr/bin')
+ *  File.expand_path('../../snap', __FILE__) # => "/usr/snap"
+ *  File.expand_path('../../snap')           # => "/snap"
+ *  ```
  *
- *  So first it resolves the parent of __FILE__, that is bin/, then go to the
- *  parent, the root of the project and appends +lib/mygem.rb+.
  */
 
 static VALUE
@@ -5318,28 +5330,42 @@ ruby_enc_find_extname(const char *name, long *len, rb_encoding *enc)
 }
 
 /*
+ *  :markup: markdown
+ *
  *  call-seq:
- *     File.extname(path)  ->  string
+ *     File.extname(path) -> extension
+ *
+ *  Returns the filename extension --
+ *  usually the portion of the string `path`
+ *  beginning from the last period:
+ *
+ *  ```ruby
+ *  File.extname('t.rb')         # => ".rb"
+ *  File.extname('foo.bar.t.rb') # => ".rb"
+ *  File.extname('foo/bar/t.rb') # => ".rb"
+ *  File.extname('nosuch.txt')   # => ".txt"  # Path need not exist.
+ *  ```
+ *
+ *  Returns the entire string when there is no period:
  *
- *  Returns the extension (the portion of file name in +path+
- *  starting from the last period).
+ *  ```ruby
+ *  Pathname('foo').extname # => ""
+ *  ```
  *
- *  If +path+ is a dotfile, or starts with a period, then the starting
- *  dot is not dealt with the start of the extension.
+ *  Returns an empty string when the only period is the first character:
  *
- *  An empty string will also be returned when the period is the last character
- *  in +path+.
+ *  ```ruby
+ *  File.extname('.irbrc') # => ""
+ *  ```
  *
- *  On Windows, trailing dots are truncated.
+ *  Returns an empty string or `'.'` when `path` ends with a period:
  *
- *     File.extname("test.rb")         #=> ".rb"
- *     File.extname("a/b/d/test.rb")   #=> ".rb"
- *     File.extname(".a/b/d/test.rb")  #=> ".rb"
- *     File.extname("foo.")            #=> "" on Windows
- *     File.extname("foo.")            #=> "." on non-Windows
- *     File.extname("test")            #=> ""
- *     File.extname(".profile")        #=> ""
- *     File.extname(".profile.sh")     #=> ".sh"
+ *  ```
+ *  File.extname('foo.') # => ""      # On Windows.
+ *  File.extname('foo.') # => "."     # Elsewhere.
+ *  File.extname('foo....') # => ""   # On Windows.
+ *  File.extname('foo....') # => "."  # Elsewhere.
+ *  ```
  *
  */
 

include/ruby/internal/fl_type.h

@@ -205,11 +205,11 @@ ruby_fl_type {
     RUBY_FL_PROMOTED    = (1<<5),
 
     /**
-     * This flag meaning is type dependent, currently only used by T_DATA.
+     * This flag is no longer in use
      *
      * @internal
      */
-    RUBY_FL_USERPRIV0    = (1<<6),
+    RUBY_FL_UNUSED6      = (1<<6),
 
     /**
      * This flag has  something to do with finalisers.  A  ruby object can have