Makefile: Run bundle install in frozen mode
Recently, security concerns popped up about gems that might get compromised and get replaced with malicious content.
To mitigate this, the Bundler team recommends using bundler in --frozen or --deployment mode in CI and during deploys.
We address this by setting the BUNDLE_FROZEN=true environment variable when bundle install is executed by our Makefile. This is in local development and in CI.
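As an added illustration (this is not the project's Makefile, which the page does not show), a minimal GNU make recipe that sets BUNDLE_FROZEN for the bundle install step; the `gems` target name and the prerequisite list are assumptions:

```make
# Added example, not the project's own Makefile.
# With BUNDLE_FROZEN=true, Bundler refuses to modify Gemfile.lock: if the
# Gemfile and the committed lockfile disagree, `bundle install` fails
# instead of silently re-resolving and fetching gem versions that were
# never reviewed. The target name `gems` is an assumption.
.PHONY: gems
gems: Gemfile Gemfile.lock
	BUNDLE_FROZEN=true bundle install
```

Scoping the variable to the recipe line (rather than exporting it globally) keeps interactive `bundle update` runs unaffected while every build that goes through the Makefile, locally or in CI, gets the frozen behaviour.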
For omnibus deployments the fix is applied in omnibus-gitlab@4b18021f (Merge branch 'bundle-frozen' into 'master', 2022-05-24). The CNG changes are being made in gitlab-org/build/CNG!1053 (merged).
Issue: #4225 (closed)