Ruby support

[cretz]

What was changed

• Added sdkbuild/ruby.go — BuildRubyProgram implementing the Program interface, with support for versioned gem installs and local SDK path builds
• Added cmd/run_ruby.go — BuildRubyProgram (version resolution from Gemfile) and RunRubyExternal (CLI arg construction)
• Modified cmd/run.go and cmd/prepare.go — added rb/ruby lang support to normalization, expansion, and dispatch
• Added Ruby harness (harness/ruby/) — harness gem with Feature struct, register_feature, and runner.rb entry point (JSONL summary over TCP)
• Added .rubocop.yml targeting Ruby 4.0
• Added two feature files: activity/basic_no_workflow_timeout/feature.rb and signal/basic/feature.rb
• Added dockerfiles/rb.Dockerfile — multi-stage build with BUNDLE_APP_CONFIG override to keep vendored gems in the prepared dir
• Added features-tests-rb service to dockerfiles/docker-compose.yml
• Added CI workflows: .github/workflows/ruby.yaml (reusable), plus build-ruby, feature-tests-ruby, and build-rb-docker-images jobs in ci.yaml and
  all-docker-images.yaml
• Moved all ${{ github.event.inputs.* }} references in CI to env: blocks (fixes semgrep shell injection findings)
• Updated README.md with Ruby prerequisites and usage

Checklist

1. Closes Support Ruby in this features repo #585

[semgrep-managed-scans]

Semgrep found 1 run-shell-injection finding:

• .github/workflows/ci.yaml
  • L67-116 - Triage

Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".

[Sushisource]

LGTM. I can't remember now what the issue was that we thought would've been caught by having Ruby features, but, if the basic tests added here wouldn't cover it, would be good to add.

[cretz]

if the basic tests added here wouldn't cover it, would be good to add.

It would be caught, it was basically that you couldn't even poll against newer server released to cloud (but didn't have stable OSS tag yet) due to added worker deployment checks. But this does make clear we need to update https://github.com/temporalio/temporal/blob/main/.github/workflows/features-integration.yml.