Modify ruby CI template to use bundler deployment mode to disallow any changes to Gemfile.lock
This is a corrective action of sirt-2266.
More background
See https://github.com/rubygems/rubygems.org/security/advisories/GHSA-hccv-rwq6-vh79:
Using Bundler in --frozen or --deployment mode in CI and during deploys, as the Bundler team has always recommended, will guarantee that your application does not silently switch to versions created using this exploit.
Note that the `--deployment` option installs gems to `vendor`, which we may not want. So `--frozen` will usually be the smaller change.
Note that:

[DEPRECATED] The `--frozen` flag is deprecated because it relies on being remembered across bundler invocations, which bundler will no longer do in future versions. Instead please use `bundle config set --local frozen 'true'`, and stop using this flag
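The corrected CI configuration this issue asks for, as an added example (a minimal `.gitlab-ci.yml` written for illustration, not GitLab's actual Ruby CI template; the image tag and the rake task are assumed):

```yaml
# Added example, not GitLab's Ruby CI template: one job that installs gems with
# Bundler in frozen mode, so the pipeline fails instead of silently rewriting
# Gemfile.lock when it no longer matches the Gemfile.
image: ruby:3.2   # assumed image tag

# Weak setting, shown for contrast: without frozen mode Bundler may re-resolve
# and update Gemfile.lock during the CI run, which is exactly what the advisory
# warns about.
#
# test_permissive:
#   script:
#     - bundle install
#     - bundle exec rake test

test:
  before_script:
    # Replacement for the deprecated --frozen flag: a project-local setting that
    # is persisted in .bundle/config inside the checkout and applies to every
    # bundler invocation in this job.
    - bundle config set --local frozen 'true'
    # Plain install; not --deployment, which would also move the install path to
    # vendor/bundle. With frozen set, a Gemfile.lock that is out of date with the
    # Gemfile makes this step error out.
    - bundle install
  script:
    - bundle exec rake test   # assumed test task
```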
Edited by Gabriel Mazetto