Set BUNDLE_FROZEN to true
What does this MR do and why?
See https://github.com/rubygems/rubygems.org/security/advisories/GHSA-hccv-rwq6-vh79:
Using Bundler in --frozen or --deployment mode in CI and during deploys, as the Bundler team has always recommended, will guarantee that your application does not silently switch to versions created using this exploit.
To make the pipeline pass we had to remove `cp Gemfile.lock jh/`. This was breaking our `as-if-jh` jobs, because it was making bundler compare the canonical `Gemfile.lock` with the JiHu `jh/Gemfile` version. Since JiHu uses more gems than the GitLab canonical repo, the build would fail. We had this `cp` for legacy reasons. Right now JiHu doesn't need this anymore. For the full context, please read this very long thread.
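The failure described above comes from frozen mode refusing a Gemfile whose declared gems do not match the Gemfile.lock it is checked against. The following is an added illustration, not GitLab's or Bundler's own code: a simplified model of that consistency check that compares only dependency names (real Bundler also checks versions, sources and platforms), run over constructed sample files where a hypothetical `jh/Gemfile` declares one gem more than the canonical lockfile knows about.

```ruby
# Added example (not GitLab's or Bundler's code): a simplified model of what
# frozen mode enforces, namely that the gems a Gemfile declares match the
# DEPENDENCIES section of the Gemfile.lock it is compared against.

# Names declared with `gem '...'` / `gem "..."` in a Gemfile.
def gemfile_dependencies(gemfile_text)
  gemfile_text.each_line
              .map { |l| l.strip[/\Agem\s+['"]([^'"]+)['"]/, 1] }
              .compact
end

# Names listed under DEPENDENCIES in a Gemfile.lock; version constraints such
# as "(~> 7.0)" and the "!" marking git/path sources are dropped.
def lockfile_dependencies(lockfile_text)
  in_deps = false
  lockfile_text.each_line.each_with_object([]) do |line, deps|
    if line.start_with?('DEPENDENCIES')
      in_deps = true
    elsif in_deps && line.strip.empty?
      in_deps = false
    elsif in_deps
      deps << line.strip.split(' ').first.delete_suffix('!')
    end
  end
end

# Frozen-style verdict: any gem missing from, or stale in, the lockfile fails.
def frozen_check(gemfile_text, lockfile_text)
  declared = gemfile_dependencies(gemfile_text)
  locked   = lockfile_dependencies(lockfile_text)
  missing  = declared - locked
  stale    = locked - declared
  { frozen_ok: missing.empty? && stale.empty?,
    missing_from_lock: missing, stale_in_lock: stale }
end

# Constructed sample inputs mirroring the MR: the canonical lockfile matches
# the canonical Gemfile but not jh/Gemfile, which declares one extra gem.
CANONICAL_GEMFILE = "source 'https://rubygems.org'\ngem 'rails'\ngem 'pg'\n"
JH_GEMFILE        = CANONICAL_GEMFILE + "gem 'example-jh-only-gem' # hypothetical\n"
CANONICAL_LOCK    = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      pg (1.5.4)
      rails (7.0.8)

  DEPENDENCIES
    pg
    rails

  BUNDLED WITH
     2.4.10
LOCK
```

Calling `frozen_check(JH_GEMFILE, CANONICAL_LOCK)` reports `example-jh-only-gem` as missing from the lock, which is the mismatch that made the `as-if-jh` jobs fail once `BUNDLE_FROZEN` was on.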
Related: #361825 (closed)
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.