add support of active admin v4

.github/workflows/ci.yml

@@ -9,24 +9,17 @@ permissions:
 
 jobs:
   test:
-    name: Ruby ${{ matrix.ruby }} / Rails ${{ matrix.rails }} / AA ${{ matrix.activeadmin }} / OOIDC ${{ matrix.omniauth_openid_connect }}
+    name: Ruby ${{ matrix.ruby }} / ${{ matrix.gemfile }}
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
         ruby: ['3.2', '3.3', '3.4']
-        rails: ['7.2.0', '8.0.0']
-        activeadmin: ['3.5.0']
-        # 0.6.x → openid_connect 1.x (httpclient, no faraday dep).
-        # 0.7.x / 0.8.x → openid_connect 2.x (faraday 2.x).
-        omniauth_openid_connect: ['0.6.0', '0.7.0', '0.8.0']
-        # AA 3.4.0 is excluded: it pins devise < 5, which is
-        # incompatible with the devise >= 4.9 floor this gem needs.
-        # Support starts at ActiveAdmin 3.5, which lifted that cap.
+        gemfile:
+          - gemfiles/activeadmin_3.5.gemfile
+          - gemfiles/activeadmin_4.0.gemfile
     env:
-      RAILS: ${{ matrix.rails }}
-      AA: ${{ matrix.activeadmin }}
-      OOIDC: ${{ matrix.omniauth_openid_connect }}
+      BUNDLE_GEMFILE: ${{ github.workspace }}/${{ matrix.gemfile }}
     steps:
       - uses: actions/checkout@v4
       - uses: ruby/setup-ruby@v1

.gitignore

@@ -11,11 +11,16 @@
 .DS_Store
 .rspec_status
 /Gemfile.lock
+/gemfiles/*.lock
 /spec/dummy/log/
 /spec/dummy/tmp/
 /spec/dummy/db/*.sqlite3
 /spec/dummy/db/*.sqlite3-journal
 /spec/dummy/storage/
+/spec/dummy_engine/log/
+/spec/dummy_engine/tmp/
+/spec/dummy_isolated/log/
+/spec/dummy_isolated/tmp/
 
 # The dummy app's database.yml is checked in — override a global
 # ignore rule that excludes "database.yml" everywhere by default.

Gemfile

@@ -1,19 +1,11 @@
 # frozen_string_literal: true
 
-source "https://rubygems.org"
-
-gemspec
-
-default_rails_version       = "7.2.0"
-default_activeadmin_version = "3.5.0"
-
-rails_version       = ENV.fetch("RAILS", default_rails_version)
-activeadmin_version = ENV.fetch("AA",    default_activeadmin_version)
-# 0.6.x uses openid_connect 1.x (httpclient, no faraday) — required for
-# host apps still on faraday 1.x. 0.7.x uses openid_connect 2.x (faraday 2.x).
-ooidc_version       = ENV["OOIDC"]
-
-gem "rails",        "~> #{rails_version}"
-gem "activerecord", "~> #{rails_version}"
-gem "activeadmin",  "~> #{activeadmin_version}"
-gem "omniauth_openid_connect", "~> #{ooidc_version}" if ooidc_version
+# Local development and `rake spec:all` (run without BUNDLE_GEMFILE)
+# default to the ActiveAdmin 3.5 stack. CI selects a specific stack via
+# BUNDLE_GEMFILE — see gemfiles/activeadmin_3.5.gemfile (Sprockets/Sassc)
+# and gemfiles/activeadmin_4.0.gemfile (Propshaft/importmap/Tailwind).
+#
+# eval_gemfile keeps a single source of truth: the `gemspec path: ".."`
+# inside the eval'd file resolves relative to gemfiles/, i.e. this repo
+# root, exactly as it does when CI loads the gemfile directly.
+eval_gemfile File.expand_path("gemfiles/activeadmin_3.5.gemfile", __dir__)

activeadmin-oidc.gemspec

@@ -27,7 +27,7 @@ Gem::Specification.new do |spec|
   ]
   spec.require_paths = ["lib"]
 
-  spec.add_dependency "activeadmin",            ">= 3.5", "< 4"
+  spec.add_dependency "activeadmin",            ">= 3.5", "< 5"
   # Devise 5.0 wraps `Devise.mappings` with `reload_routes_unless_loaded`
   # (heartcombo/devise#5728) so OmniAuth's failure handler works under
   # Rails 8 lazy route loading without an engine-side workaround.
@@ -46,8 +46,11 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "webmock",      ">= 3.19"
   spec.add_development_dependency "jwt",          ">= 2.7"
   spec.add_development_dependency "sqlite3",      ">= 1.7"
-  spec.add_development_dependency "sprockets-rails", ">= 3.4"
-  spec.add_development_dependency "sassc-rails",     ">= 2.1"
+  # The asset pipeline gems live in the per-version gemfiles under
+  # gemfiles/ rather than here: ActiveAdmin 3.5 needs Sprockets + Sassc,
+  # while ActiveAdmin 4.0 needs Propshaft + importmap + cssbundling +
+  # Tailwind. Keeping them out of the gemspec lets each gemfile install
+  # exactly one asset stack instead of both.
   spec.add_development_dependency "rake",         ">= 13.0"
   spec.add_development_dependency "rubocop",      ">= 1.60"
   spec.add_development_dependency "rubocop-rails", ">= 2.20"

app/views/active_admin/devise/sessions/new.html.erb

@@ -1,7 +1,24 @@
-<div id="login">
-  <h2><%= active_admin_application.site_title(self) %></h2>
+<% if ActiveAdmin::Oidc.aa_v4? %>
+  <div class="p-6 sm:p-8 space-y-4 md:space-y-6 w-full sm:max-w-md bg-white sm:rounded-md shadow dark:border dark:bg-gray-800/50 dark:border-gray-800">
+    <h2 class="text-xl font-bold text-gray-900 md:text-2xl dark:text-white flex gap-2 items-center">
+      <%= site_title %> <%= set_page_title t('active_admin.devise.login.title') %>
+    </h2>
 
-  <%= form_tag omniauth_authorize_path(resource_name, :oidc), method: :post, data: { turbo: false } do %>
-    <%= submit_tag ActiveAdmin::Oidc.config.login_button_label %>
-  <% end %>
-</div>
+    <%= button_to ActiveAdmin::Oidc.config.login_button_label,
+                  "/admin/auth/oidc",
+                  method: :post,
+                  class: "activeadmin-oidc-login-button w-full",
+                  form_class: 'formtastic',
+                  data: { turbo: false } %>
+  </div>
+<% else %>
+  <div id="login">
+    <h2><%= active_admin_application.site_title(self) %></h2>
+
+    <%= button_to ActiveAdmin::Oidc.config.login_button_label,
+                  "/admin/auth/oidc",
+                  method: :post,
+                  class: "activeadmin-oidc-login-button",
+                  data: { turbo: false } %>
+  </div>
+<% end %>

gemfiles/activeadmin_3.5.gemfile

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+gemspec path: ".."
+
+# ActiveAdmin 3.5 line: classic Sprockets + Sassc asset pipeline.
+gem "activeadmin", "~> 3.5.0"
+gem "rails",       "~> 7.2.0"
+
+# openid_connect 1.x line (httpclient-based, no faraday dep). Pinning the
+# 0.6.x series here keeps CI exercising the pre-faraday strategy path.
+gem "omniauth_openid_connect", "~> 0.6.0"
+
+gem "sprockets-rails", ">= 3.4"
+gem "sassc-rails",     ">= 2.1"

gemfiles/activeadmin_4.0.gemfile

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+gemspec path: ".."
+
+# ActiveAdmin 4.0 line (currently shipping as 4.0.0.beta*). AA 4 replaces
+# the Sprockets/Sassc pipeline with Propshaft + importmap + cssbundling +
+# Tailwind, so the asset gems differ entirely from the 3.5 gemfile.
+gem "activeadmin", ">= 4.0.0.beta", "< 5"
+gem "rails",       "~> 8.0.0"
+
+# openid_connect 2.x line (faraday 2.x).
+gem "omniauth_openid_connect", "~> 0.8.0"
+
+gem "propshaft"
+gem "importmap-rails"
+gem "cssbundling-rails"
+gem "tailwindcss-rails", "~> 4.0"

lib/activeadmin-oidc.rb

@@ -3,6 +3,7 @@
 require "logger"
 require "active_support/core_ext/object/blank"
 require "activeadmin/oidc/version"
+require "active_admin/version"
 
 # `omniauth-rails_csrf_protection` registers a Railtie that replaces
 # OmniAuth 2.x's Rack-level authenticity check with Rails' own forgery
@@ -53,6 +54,15 @@ def reset!
         @logger = nil
       end
 
+      # True when the installed ActiveAdmin is the 4.x line (including the
+      # 4.0.0 prereleases). AA 4 ships a Tailwind-based admin layout, so
+      # the login view override must emit Tailwind markup instead of the
+      # legacy `#login` structure AA 3.x expects. Mirrors the version probe
+      # ActiveAdmin plugins use (e.g. activeadmin_table_footer's styles.rb).
+      def aa_v4?
+        ::Gem::Version.new(::ActiveAdmin::VERSION) >= ::Gem::Version.new("4.0.0.beta1")
+      end
+
       private
 
       def default_logger

lib/generators/active_admin/oidc/install/install_generator.rb

@@ -2,6 +2,7 @@
 
 require "rails/generators/base"
 require "rails/generators/active_record"
+require "active_admin/version"
 
 module ActiveAdmin
   module Oidc
@@ -74,8 +75,13 @@ def create_migration_file
         end
 
         def create_view_override
-          copy_file "sessions_new.html.erb",
-                    "app/views/active_admin/devise/sessions/new.html.erb"
+          if aa_v4?
+            copy_file "sessions_new_v4.html.erb",
+                      "app/views/active_admin/devise/sessions/new.html.erb"
+          else
+            copy_file "sessions_new.html.erb",
+                      "app/views/active_admin/devise/sessions/new.html.erb"
+          end
         end
 
         # Non-blocking: the generator completed successfully, but the
@@ -142,6 +148,15 @@ def raw_info_column_type
           adapter = (ActiveRecord::Base.connection_db_config.adapter rescue "sqlite3").to_s
           adapter.start_with?("postgres") ? ":jsonb" : ":text"
         end
+
+        # True when the installed ActiveAdmin is the 4.x line (including the
+        # 4.0.0 prereleases). AA 4 ships a Tailwind-based admin layout, so
+        # the login view override must emit Tailwind markup instead of the
+        # legacy `#login` structure AA 3.x expects. Mirrors the version probe
+        # ActiveAdmin plugins use (e.g. activeadmin_table_footer's styles.rb).
+        def aa_v4?
+          ::Gem::Version.new(::ActiveAdmin::VERSION) >= ::Gem::Version.new("4.0.0.beta1")
+        end
       end
     end
   end

lib/generators/active_admin/oidc/install/templates/sessions_new_v4.html.erb

@@ -0,0 +1,12 @@
+<div class="p-6 sm:p-8 space-y-4 md:space-y-6 w-full sm:max-w-md bg-white sm:rounded-md shadow dark:border dark:bg-gray-800/50 dark:border-gray-800">
+  <h2 class="text-xl font-bold text-gray-900 md:text-2xl dark:text-white flex gap-2 items-center">
+    <%%= site_title %> <%%= set_page_title t('active_admin.devise.login.title') %>
+  </h2>
+
+  <%%= button_to ActiveAdmin::Oidc.config.login_button_label,
+       "/admin/auth/oidc",
+       method: :post,
+       class: "activeadmin-oidc-login-button w-full",
+       form_class: 'formtastic',
+       data: { turbo: false } %>
+</div>