
Why is Bundler ignoring Gemfile.lock in GitHub actions?


I have a GitHub Actions workflow for auditing my gem bundle on every PR. It looks like this:

name: "Audit"
on:
  push:
    branches: '*'
  pull_request_target:
    branches: '*'
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Ruby (without caching)
        uses: ruby/setup-ruby@v1
      - name: Install dependencies
        run: bundle install
      - name: Security audit dependencies
        run: bundle exec bundler-audit --update

When there is a security vulnerability, Dependabot opens a PR to update Gemfile.lock. In this instance it's bumping webrick from 1.8.1 to 1.8.2, so the entire PR is a one-character change. The workflow runs, but for some reason installs version 1.8.1 rather than 1.8.2, so the PR does not pass the audit.

GitHub action log:

...
2024-10-01T00:59:28.9591865Z ##[group]Run ruby/setup-ruby@v1
2024-10-01T00:59:28.9592377Z with:
2024-10-01T00:59:28.9592743Z   ruby-version: default
2024-10-01T00:59:28.9593254Z   bundler-cache: false
2024-10-01T00:59:28.9593628Z ##[endgroup]
2024-10-01T00:59:29.0760513Z Using 3.3.5 as input from file .ruby-version
2024-10-01T00:59:29.0787126Z ##[group]Modifying PATH
2024-10-01T00:59:29.0790131Z Entries added to PATH to use selected Ruby:
2024-10-01T00:59:29.0791152Z   /opt/hostedtoolcache/Ruby/3.3.5/x64/bin
2024-10-01T00:59:29.0792773Z ##[endgroup]
2024-10-01T00:59:29.0819903Z ##[group]Downloading Ruby
2024-10-01T00:59:29.0823359Z https://github.com/ruby/ruby-builder/releases/download/toolcache/ruby-3.3.5-ubuntu-22.04.tar.gz
2024-10-01T00:59:29.6224697Z Took   0.54 seconds
2024-10-01T00:59:29.6228148Z ##[endgroup]
2024-10-01T00:59:29.6229478Z ##[group]Extracting  Ruby
2024-10-01T00:59:29.6243719Z [command]/usr/bin/tar -xz -C /opt/hostedtoolcache/Ruby/3.3.5 -f /home/runner/work/_temp/26406ff3-3dd5-485b-9e35-758e6922680e
2024-10-01T00:59:30.2435419Z Took   0.62 seconds
2024-10-01T00:59:30.2444231Z ##[endgroup]
2024-10-01T00:59:30.2479289Z ##[group]Print Ruby version
2024-10-01T00:59:30.2481883Z [command]/opt/hostedtoolcache/Ruby/3.3.5/x64/bin/ruby --version
2024-10-01T00:59:30.2634323Z ruby 3.3.5 (2024-09-03 revision ef084cc8f4) [x86_64-linux]
2024-10-01T00:59:30.2636732Z Took   0.02 seconds
2024-10-01T00:59:30.2638954Z ##[endgroup]
2024-10-01T00:59:30.2641174Z ##[group]Installing Bundler
2024-10-01T00:59:30.2652619Z Using Bundler 2.5.20 from Gemfile.lock BUNDLED WITH 2.5.20
2024-10-01T00:59:30.2655556Z [command]/opt/hostedtoolcache/Ruby/3.3.5/x64/bin/gem install bundler -v 2.5.20
2024-10-01T00:59:30.7286995Z Successfully installed bundler-2.5.20
2024-10-01T00:59:30.7292217Z 1 gem installed
2024-10-01T00:59:30.7302106Z Took   0.47 seconds
2024-10-01T00:59:30.7305197Z ##[endgroup]
2024-10-01T00:59:30.7482152Z ##[group]Run bundle install
2024-10-01T00:59:30.7482666Z bundle install
2024-10-01T00:59:30.7513415Z shell: /usr/bin/bash -e {0}
2024-10-01T00:59:30.7513950Z ##[endgroup]
2024-10-01T00:59:34.1456667Z Fetching gem metadata from https://rubygems.org/........
2024-10-01T00:59:34.1584587Z Fetching rake 13.2.1
2024-10-01T00:59:34.2019389Z Installing rake 13.2.1
...
2024-10-01T00:59:57.5448072Z Fetching webrick 1.8.1
2024-10-01T00:59:57.5532276Z Installing webrick 1.8.1
...
2024-10-01T01:02:01.7173419Z Fetching devise 4.9.4
2024-10-01T01:02:01.7306074Z Installing devise 4.9.4
2024-10-01T01:02:01.7559926Z Bundle complete! 52 Gemfile dependencies, 187 gems now installed.
2024-10-01T01:02:01.7568098Z Use `bundle info [gemname]` to see where a bundled gem is installed.
2024-10-01T01:02:01.7569309Z Post-install message from devise:
2024-10-01T01:02:01.7569732Z 
2024-10-01T01:02:01.7570472Z [DEVISE] Please review the [changelog] and [upgrade guide] for more info on Hotwire / Turbo integration.
2024-10-01T01:02:01.7571638Z 
2024-10-01T01:02:01.7572177Z   [changelog] https://github.com/heartcombo/devise/blob/main/CHANGELOG.md
2024-10-01T01:02:01.7573902Z   [upgrade guide] https://github.com/heartcombo/devise/wiki/How-To:-Upgrade-to-Devise-4.9.0-%5BHotwire-Turbo-integration%5D
2024-10-01T01:02:01.7575328Z   Post-install message from rubyzip:
2024-10-01T01:02:01.7576095Z RubyZip 3.0 is coming!
2024-10-01T01:02:01.7576581Z **********************
2024-10-01T01:02:01.7576909Z 
2024-10-01T01:02:01.7577325Z The public API of some Rubyzip classes has been modernized to use named
2024-10-01T01:02:01.7578410Z parameters for optional arguments. Please check your usage of the
2024-10-01T01:02:01.7579143Z following classes:
2024-10-01T01:02:01.7601797Z   * `Zip::File`
2024-10-01T01:02:01.7602484Z   * `Zip::Entry`
2024-10-01T01:02:01.7603013Z   * `Zip::InputStream`
2024-10-01T01:02:01.7603540Z   * `Zip::OutputStream`
2024-10-01T01:02:01.7603920Z 
2024-10-01T01:02:01.7604394Z Please ensure that your Gemfiles and .gemspecs are suitably restrictive
2024-10-01T01:02:01.7605490Z to avoid an unexpected breakage when 3.0 is released (e.g. ~> 2.3.0).
2024-10-01T01:02:01.7606548Z See https://github.com/rubyzip/rubyzip for details. The Changelog also
2024-10-01T01:02:01.7607868Z lists other enhancements and bugfixes that have been implemented since
2024-10-01T01:02:01.7608746Z version 2.3.0.
2024-10-01T01:02:01.7609371Z 1 installed gem you directly depend on is looking for funding.
2024-10-01T01:02:01.7610269Z   Run `bundle fund` for details
2024-10-01T01:02:01.8222119Z ##[group]Run bundle exec bundler-audit --update
2024-10-01T01:02:01.8222718Z bundle exec bundler-audit --update
2024-10-01T01:02:01.8246474Z shell: /usr/bin/bash -e {0}
2024-10-01T01:02:01.8246866Z ##[endgroup]
2024-10-01T01:02:02.1940480Z Download ruby-advisory-db ...
2024-10-01T01:02:02.1953805Z Cloning into '/home/runner/.local/share/ruby-advisory-db'...
2024-10-01T01:02:02.6284013Z ruby-advisory-db:
2024-10-01T01:02:02.6286968Z   advisories:  932 advisories
2024-10-01T01:02:02.6311507Z   last updated:    2024-09-29 11:09:13 -0700
2024-10-01T01:02:02.7036255Z   commit:  7efe0d95aabfa937dcc858d5c70197cbb35bc0b3
2024-10-01T01:02:02.7037478Z Name: webrick
2024-10-01T01:02:02.7039622Z Version: 1.8.1
2024-10-01T01:02:02.7040736Z CVE: CVE-2024-47220
2024-10-01T01:02:02.7041849Z GHSA: GHSA-6f62-3596-g6w7
2024-10-01T01:02:02.7042838Z Criticality: High
2024-10-01T01:02:02.7046597Z URL: https://github.com/advisories/GHSA-6f62-3596-g6w7
2024-10-01T01:02:02.7047632Z Title: HTTP Request Smuggling in ruby webrick
2024-10-01T01:02:02.7048521Z Solution: upgrade to '>= 1.8.2'
2024-10-01T01:02:02.7048972Z 
2024-10-01T01:02:02.7049177Z Vulnerabilities found!
2024-10-01T01:02:02.7104243Z ##[error]Process completed with exit code 1.

Why does this happen? Why is Bundler not using the new lockfile when installing?


Solution

The problem here is that Dependabot has updated the webrick gem to version 1.8.2, but your GitHub Actions workflow installs the older version (1.8.1). This is probably occurring because Gemfile.lock updates from Dependabot are not included in your workflow, which only examines the PR branch.

The workflow will use the content from the pull request itself, including the updated Gemfile.lock, if pull_request is used instead of pull_request_target.

pull_request:
    branches: '*'

To utilize the precise lock file, update the bundle install: make sure that bundle install honors the Gemfile.lock modifications.

- name: Install dependencies
  run: bundle install --jobs 4 --retry 2