This avoids can avoid UID/EUID related issues with Ruby scripts passed
over `stdin` clashing with Ruby security features.
It's also just a bit nicer to have Ruby scripts in files instead.
While we're here:
- refactor some shared logic into a new `setup-gem-home-bundle-gemfile`
function in `ruby.sh`
- do some general cleanup of `lock.sh`
- prioritise `flock` over `python` in `lock.sh`
This caused formulae with uses from macos bounds to not load correctly
because they tried to modify a frozen hash. It wasn't obvious from
the tests because I didn't replicate the real world JSON parsing
conditions closely enough. I also had to modify `Cachable#clear_cache`
so that it can clear frozen hashes.
Error:
```
Error: can't modify frozen Hash: {"since"=>"catalina"}
Warning: Removed Sorbet lines from backtrace!
Rerun with `--verbose` to see the original backtrace
/usr/local/Homebrew/Library/Homebrew/extend/hash/keys.rb:123:in `delete'
/usr/local/Homebrew/Library/Homebrew/extend/hash/keys.rb:123:in `block in _deep_transform_keys_in_object!'
/usr/local/Homebrew/Library/Homebrew/extend/hash/keys.rb:122:in `each'
/usr/local/Homebrew/Library/Homebrew/extend/hash/keys.rb:122:in `_deep_transform_keys_in_object!'
/usr/local/Homebrew/Library/Homebrew/extend/hash/keys.rb:48:in `deep_transform_keys!'
/usr/local/Homebrew/Library/Homebrew/formulary.rb:230:in `block (2 levels) in load_formula_from_api'
/usr/local/Homebrew/Library/Homebrew/formulary.rb:218:in `each'
/usr/local/Homebrew/Library/Homebrew/formulary.rb:218:in `block in load_formula_from_api'
/usr/local/Homebrew/Library/Homebrew/formulary.rb:304:in `instance_exec'
/usr/local/Homebrew/Library/Homebrew/formulary.rb:304:in `block (2 levels) in load_formula_from_api'
/usr/local/Homebrew/Library/Homebrew/formula.rb:3664:in `instance_eval'
/usr/local/Homebrew/Library/Homebrew/formula.rb:3664:in `stable'
/usr/local/Homebrew/Library/Homebrew/formulary.rb:293:in `block in load_formula_from_api'
/usr/local/Homebrew/Library/Homebrew/formulary.rb:283:in `initialize'
/usr/local/Homebrew/Library/Homebrew/formulary.rb:283:in `new'
/usr/local/Homebrew/Library/Homebrew/formulary.rb:283:in `load_formula_from_api'
/usr/local/Homebrew/Library/Homebrew/formulary.rb:962:in `load_from_api'
/usr/local/Homebrew/Library/Homebrew/formulary.rb:955:in `klass'
/usr/local/Homebrew/Library/Homebrew/formulary.rb:569:in `get_formula'
/usr/local/Homebrew/Library/Homebrew/formulary.rb:1009:in `factory'
/usr/local/Homebrew/Library/Homebrew/dependency.rb:41:in `to_formula'
/usr/local/Homebrew/Library/Homebrew/utils/autoremove.rb:46:in `block (2 levels) in formulae_with_no_formula_dependents'
/usr/local/Homebrew/Library/Homebrew/utils/autoremove.rb:45:in `each'
/usr/local/Homebrew/Library/Homebrew/utils/autoremove.rb:45:in `block in formulae_with_no_formula_dependents'
/usr/local/Homebrew/Library/Homebrew/utils/autoremove.rb:39:in `each'
/usr/local/Homebrew/Library/Homebrew/utils/autoremove.rb:39:in `formulae_with_no_formula_dependents'
/usr/local/Homebrew/Library/Homebrew/utils/autoremove.rb:59:in `unused_formulae_with_no_formula_dependents'
/usr/local/Homebrew/Library/Homebrew/utils/autoremove.rb:16:in `removable_formulae'
/usr/local/Homebrew/Library/Homebrew/cleanup.rb:693:in `autoremove'
/usr/local/Homebrew/Library/Homebrew/cleanup.rb:291:in `clean!'
/usr/local/Homebrew/Library/Homebrew/cmd/cleanup.rb:52:in `run'
/usr/local/Homebrew/Library/Homebrew/brew.rb:92:in `<main>'
```
- rename #dependencies_list to #internal_dependencies_hash
- the initial implementation returned an array but now it doesn't
- simplify usage of #tap in #internal_dependencies_hash
- remove safe navigation operator usages in #internal_dependencies_hash
- better document why implicit dependencies are not included in the API JSON
- add new test fixture formula to better test generation of uses from
macos bounds with the new internal json format
Some backfilled bottle signatures were signed from a branch, and others
from main, so the signing workflow is slightly different which causes
some bottles to incorrectly fail when checking their attestation (apr
for example). The simplest way to solve this is just removing the
backfill repo `cert-identity` check and just rely on the repository and
attestation date falling before our cutoff. This shouldn't meaningfully
affect security because if somehow someone could generate false backfill
attestations from a different workflow (the only case this protects
against), we will still catch it because the attestation would have been
generated after our cutoff date.
