Makefile: Run bundle install in frozen mode (!4613) · Merge requests · GitLab.org / gitaly

Toon Claes requested to merge toon-freeze-i-ma-bundler into master Jun 10, 2022

Recently security concerns popped up about gems that might get compromised and get replaced with malicious content.

To mitigate this, the Bundler team recommends1 using bundler in --frozen or --deployment mode in CI and during deploys.

We address this by setting the BUNDLE_FROZEN=true environment variable when bundle install is executed by our Makefile. This is in local development and in CI.

For omnibus deployments the fix is applied in omnibus-gitlab@4b18021f (Merge branch 'bundle-frozen' into 'master', 2022-05-24). The CNG changes are being made in gitlab-org/build/CNG!1053 (merged).

Issue: #4225 (closed)

Makefile: Run bundle install in frozen mode

Merge request reports