Why does Bundler ignore Gemfile.lock in GitHub Actions?

Question (0 votes, 1 answer)

I have a GitHub Actions workflow that audits the gems on every PR. It looks like this:

name: "Audit"
on:
  push:
    branches: '*'
  pull_request_target:
    branches: '*'
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Ruby (without caching)
        uses: ruby/setup-ruby@v1
      - name: Install dependencies
        run: bundle install
      - name: Security audit dependencies
        run: bundle exec bundler-audit --update

When there is a security vulnerability, Dependabot opens a PR that updates Gemfile.lock. In this case webrick goes from 1.8.1 to 1.8.2, so the whole PR is a one-character change. The workflow runs, but for some reason it installs version 1.8.1 instead of 1.8.2, so the PR fails the audit.

GitHub Actions log:

...
2024-10-01T00:59:28.9591865Z ##[group]Run ruby/setup-ruby@v1
2024-10-01T00:59:28.9592377Z with:
2024-10-01T00:59:28.9592743Z   ruby-version: default
2024-10-01T00:59:28.9593254Z   bundler-cache: false
2024-10-01T00:59:28.9593628Z ##[endgroup]
2024-10-01T00:59:29.0760513Z Using 3.3.5 as input from file .ruby-version
2024-10-01T00:59:29.0787126Z ##[group]Modifying PATH
2024-10-01T00:59:29.0790131Z Entries added to PATH to use selected Ruby:
2024-10-01T00:59:29.0791152Z   /opt/hostedtoolcache/Ruby/3.3.5/x64/bin
2024-10-01T00:59:29.0792773Z ##[endgroup]
2024-10-01T00:59:29.0819903Z ##[group]Downloading Ruby
2024-10-01T00:59:29.0823359Z https://github.com/ruby/ruby-builder/releases/download/toolcache/ruby-3.3.5-ubuntu-22.04.tar.gz
2024-10-01T00:59:29.6224697Z Took   0.54 seconds
2024-10-01T00:59:29.6228148Z ##[endgroup]
2024-10-01T00:59:29.6229478Z ##[group]Extracting  Ruby
2024-10-01T00:59:29.6243719Z [command]/usr/bin/tar -xz -C /opt/hostedtoolcache/Ruby/3.3.5 -f /home/runner/work/_temp/26406ff3-3dd5-485b-9e35-758e6922680e
2024-10-01T00:59:30.2435419Z Took   0.62 seconds
2024-10-01T00:59:30.2444231Z ##[endgroup]
2024-10-01T00:59:30.2479289Z ##[group]Print Ruby version
2024-10-01T00:59:30.2481883Z [command]/opt/hostedtoolcache/Ruby/3.3.5/x64/bin/ruby --version
2024-10-01T00:59:30.2634323Z ruby 3.3.5 (2024-09-03 revision ef084cc8f4) [x86_64-linux]
2024-10-01T00:59:30.2636732Z Took   0.02 seconds
2024-10-01T00:59:30.2638954Z ##[endgroup]
2024-10-01T00:59:30.2641174Z ##[group]Installing Bundler
2024-10-01T00:59:30.2652619Z Using Bundler 2.5.20 from Gemfile.lock BUNDLED WITH 2.5.20
2024-10-01T00:59:30.2655556Z [command]/opt/hostedtoolcache/Ruby/3.3.5/x64/bin/gem install bundler -v 2.5.20
2024-10-01T00:59:30.7286995Z Successfully installed bundler-2.5.20
2024-10-01T00:59:30.7292217Z 1 gem installed
2024-10-01T00:59:30.7302106Z Took   0.47 seconds
2024-10-01T00:59:30.7305197Z ##[endgroup]
2024-10-01T00:59:30.7482152Z ##[group]Run bundle install
2024-10-01T00:59:30.7482666Z [36;1mbundle install[0m
2024-10-01T00:59:30.7513415Z shell: /usr/bin/bash -e {0}
2024-10-01T00:59:30.7513950Z ##[endgroup]
2024-10-01T00:59:34.1456667Z Fetching gem metadata from https://rubygems.org/........
2024-10-01T00:59:34.1584587Z Fetching rake 13.2.1
2024-10-01T00:59:34.2019389Z Installing rake 13.2.1
...
2024-10-01T00:59:57.5448072Z Fetching webrick 1.8.1
2024-10-01T00:59:57.5532276Z Installing webrick 1.8.1
...
2024-10-01T01:02:01.7173419Z Fetching devise 4.9.4
2024-10-01T01:02:01.7306074Z Installing devise 4.9.4
2024-10-01T01:02:01.7559926Z Bundle complete! 52 Gemfile dependencies, 187 gems now installed.
2024-10-01T01:02:01.7568098Z Use `bundle info [gemname]` to see where a bundled gem is installed.
2024-10-01T01:02:01.7569309Z Post-install message from devise:
2024-10-01T01:02:01.7569732Z 
2024-10-01T01:02:01.7570472Z [DEVISE] Please review the [changelog] and [upgrade guide] for more info on Hotwire / Turbo integration.
2024-10-01T01:02:01.7571638Z 
2024-10-01T01:02:01.7572177Z   [changelog] https://github.com/heartcombo/devise/blob/main/CHANGELOG.md
2024-10-01T01:02:01.7573902Z   [upgrade guide] https://github.com/heartcombo/devise/wiki/How-To:-Upgrade-to-Devise-4.9.0-%5BHotwire-Turbo-integration%5D
2024-10-01T01:02:01.7575328Z   Post-install message from rubyzip:
2024-10-01T01:02:01.7576095Z RubyZip 3.0 is coming!
2024-10-01T01:02:01.7576581Z **********************
2024-10-01T01:02:01.7576909Z 
2024-10-01T01:02:01.7577325Z The public API of some Rubyzip classes has been modernized to use named
2024-10-01T01:02:01.7578410Z parameters for optional arguments. Please check your usage of the
2024-10-01T01:02:01.7579143Z following classes:
2024-10-01T01:02:01.7601797Z   * `Zip::File`
2024-10-01T01:02:01.7602484Z   * `Zip::Entry`
2024-10-01T01:02:01.7603013Z   * `Zip::InputStream`
2024-10-01T01:02:01.7603540Z   * `Zip::OutputStream`
2024-10-01T01:02:01.7603920Z 
2024-10-01T01:02:01.7604394Z Please ensure that your Gemfiles and .gemspecs are suitably restrictive
2024-10-01T01:02:01.7605490Z to avoid an unexpected breakage when 3.0 is released (e.g. ~> 2.3.0).
2024-10-01T01:02:01.7606548Z See https://github.com/rubyzip/rubyzip for details. The Changelog also
2024-10-01T01:02:01.7607868Z lists other enhancements and bugfixes that have been implemented since
2024-10-01T01:02:01.7608746Z version 2.3.0.
2024-10-01T01:02:01.7609371Z 1 installed gem you directly depend on is looking for funding.
2024-10-01T01:02:01.7610269Z   Run `bundle fund` for details
2024-10-01T01:02:01.8222119Z ##[group]Run bundle exec bundler-audit --update
2024-10-01T01:02:01.8222718Z [36;1mbundle exec bundler-audit --update[0m
2024-10-01T01:02:01.8246474Z shell: /usr/bin/bash -e {0}
2024-10-01T01:02:01.8246866Z ##[endgroup]
2024-10-01T01:02:02.1940480Z Download ruby-advisory-db ...
2024-10-01T01:02:02.1953805Z Cloning into '/home/runner/.local/share/ruby-advisory-db'...
2024-10-01T01:02:02.6284013Z ruby-advisory-db:
2024-10-01T01:02:02.6286968Z   advisories:  932 advisories
2024-10-01T01:02:02.6311507Z   last updated:    2024-09-29 11:09:13 -0700
2024-10-01T01:02:02.7036255Z   commit:  7efe0d95aabfa937dcc858d5c70197cbb35bc0b3
2024-10-01T01:02:02.7037478Z Name: webrick
2024-10-01T01:02:02.7039622Z Version: 1.8.1
2024-10-01T01:02:02.7040736Z CVE: CVE-2024-47220
2024-10-01T01:02:02.7041849Z GHSA: GHSA-6f62-3596-g6w7
2024-10-01T01:02:02.7042838Z Criticality: High
2024-10-01T01:02:02.7046597Z URL: https://github.com/advisories/GHSA-6f62-3596-g6w7
2024-10-01T01:02:02.7047632Z Title: HTTP Request Smuggling in ruby webrick
2024-10-01T01:02:02.7048521Z Solution: upgrade to '>= 1.8.2'
2024-10-01T01:02:02.7048972Z 
2024-10-01T01:02:02.7049177Z Vulnerabilities found!
2024-10-01T01:02:02.7104243Z ##[error]Process completed with exit code 1.

Why does this happen? Why doesn't Bundler use the new lockfile when installing?

Tags: ruby-on-rails github-actions bundler

1 answer

0 votes

The problem here is that Dependabot has updated the webrick gem to version 1.8.2, but your GitHub Actions workflow installs the old version (1.8.1). This probably happens because the Gemfile.lock update from Dependabot is not included in your workflow, which is only checking the PR branch.

If you use pull_request instead of pull_request_target, the workflow will use the contents of the pull request itself, including the updated Gemfile.lock.

pull_request:
    branches: '*'

To use the exact lockfile, update bundle install: make sure bundle install respects the Gemfile.lock changes.

- name: Install dependencies
  run: bundle install --jobs 4 --retry 2
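As an added example (not code from the question or from the answer above), here is a small pre-flight check in Ruby that a workflow step could run before `bundle install` and `bundler-audit`. It parses the Gemfile.lock that is actually present in the checkout and reports which version it pins for one gem, so a run can tell "Bundler ignored the lockfile" apart from "the checkout holds the base branch's lockfile", which is what happens under `pull_request_target`: there `actions/checkout` checks out the base ref, not the PR head, so Dependabot's bump is never seen and Bundler faithfully installs webrick 1.8.1 from the old lockfile. The two sample lockfiles, the script name `check_lock.rb` and the gem/requirement arguments are constructed for the example; the `>= 1.8.2` requirement is the fix version that `bundler-audit` printed in the log above.

```ruby
# Added example (not from the question or the answer): pre-flight check that
# reads the Gemfile.lock present in the checkout and reports what it pins for
# one gem.  Run before `bundle install` / `bundler-audit` to tell
# "Bundler ignored the lockfile" apart from "the checkout is the base branch".
require "rubygems"

# Parse every `specs:` block of a Gemfile.lock into { name => version }.
# Top-level gem entries are indented by exactly four spaces; deeper lines are
# that gem's dependencies and are skipped.
def parse_lockfile_specs(lock_text)
  specs = {}
  in_specs = false
  lock_text.each_line do |raw|
    line = raw.chomp
    if line == "  specs:"
      in_specs = true
      next
    end
    # An unindented, non-empty line (PLATFORMS, DEPENDENCIES, ...) ends the block.
    in_specs = false if in_specs && !line.empty? && line !~ /\A\s/
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      specs[m[1]] = m[2]
    end
  end
  specs
end

# Does the lockfile pin `gem_name` to a version satisfying `requirement`
# (a RubyGems requirement string such as ">= 1.8.2")?  Returns a hash so a
# CI step or a test can inspect it instead of scraping printed output.
def lockfile_status(lock_text, gem_name, requirement)
  pinned = parse_lockfile_specs(lock_text)[gem_name]
  return { gem: gem_name, pinned: nil, ok: false } if pinned.nil?
  # Platform-specific entries look like "1.16.0-x86_64-linux"; compare the
  # version part only.
  version = Gem::Version.new(pinned.split("-").first)
  ok = Gem::Requirement.new(requirement).satisfied_by?(version)
  { gem: gem_name, pinned: pinned, ok: ok }
end

# Constructed sample lockfiles: what actions/checkout gives a
# pull_request_target run (the base branch) versus the PR head carrying
# Dependabot's one-character bump.
BASE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rake (13.2.1)
      webrick (1.8.1)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    rake
    webrick

  BUNDLED WITH
     2.5.20
LOCK
HEAD_LOCK = BASE_LOCK.sub("webrick (1.8.1)", "webrick (1.8.2)")

# CLI use inside a workflow step: ruby check_lock.rb webrick ">= 1.8.2"
if __FILE__ == $PROGRAM_NAME && ARGV.length == 2
  gem_name, requirement = ARGV
  status = lockfile_status(File.read("Gemfile.lock"), gem_name, requirement)
  puts "Gemfile.lock in this checkout pins #{gem_name} to #{status[:pinned] || 'nothing'}"
  unless status[:ok]
    warn "#{gem_name} does not satisfy #{requirement}; on a pull_request_target run " \
         "this usually means the checkout is the base branch, not the PR head"
    exit 1
  end
end
```

On the base-branch checkout the script exits 1 and names the real cause; on the PR head it passes and the audit then sees 1.8.2. One caveat on the fix itself: keeping `pull_request_target` but pointing `actions/checkout` at `github.event.pull_request.head.sha` would run PR-controlled code (`bundle install` executes gemspecs and native extension builds) with the base repository's token and secrets, which is why the answer's switch to the plain `pull_request` trigger is the right change for a job that installs the PR's dependencies.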