dependabot/dependabot-core

`Bundler::GemfileNotFound` thrown during `::Dependabot::Bundler::FileFetcher::fetch_path_gemspec_paths` if not run from the folder that contains the `Gemfile`.

Skenvy opened this issue · 2 comments

Skenvy commented

Code improvement description

Loosely following the File fetchers README, querying the fetcher.files when the fetcher_class is Dependabot::Bundler::FileFetcher, when run on a fetcher_class.new(...) and Dependabot::Source.new(...) that specify a repo_contents_path and directory in which to run the fetch_files, that is not the directory from which the command / script is being run, regardless of the Gemfile that the Gemfile.lock was created from being present in the targeted repo_contents_path and directory, absent other workarounds, then ::Dependabot::Bundler::FileFetcher::fetch_path_gemspec_paths will throw a Bundler::GemfileNotFound.

Not considered a bug because it does not impact the dependabot service, but it is an error being thrown when not ideologically necessary, i.e. the error is thrown when running fetch_files on a source directory that does contain the valid Gemfile, because at the moment, without other workarounds, it is searching for a Gemfile at the location the script is run from.

Possible hacky workarounds involve a blank Gemfile where the script that uses fetch_files is run from, or alternatively, setting ENV["BUNDLE_GEMFILE"] to some non-empty value, whether actually being set to the relative path to the Gemfile or not.

More details exist in this repo, specifically this workflow that demonstrates the steps and conditions to reproduce the error, and the ENV["BUNDLE_GEMFILE"] workaround.

One possible fix might require a change to the Bundler gem to allow dependabot to pass the FileFetcher's repo_contents_path and the Source's directory up to ::Bundler::LockfileParser::initialize such that it can set the custom_path in ::Bundler::app_cache according to the repo_contents_path and directory, but I'm not sure how minimal such a change would be to add in the Bundler gem.
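The lookup behaviour the issue describes can be observed directly with Bundler's own resolution helper, `Bundler::SharedHelpers.default_gemfile`, which is what `Bundler.root` and `Bundler.app_cache` ultimately rely on. The script below is an added example, not code from dependabot-core or from the issue author; the directory names and the one-line Gemfile are constructed for the demonstration. It shows the three situations from the report: running from the repo directory works, running from any other directory raises `Bundler::GemfileNotFound`, and setting `ENV["BUNDLE_GEMFILE"]` short-circuits the search (even a value that points at a file which does not exist is accepted at this step, which is why the issue notes the workaround does not depend on the path being correct).

```ruby
# Added example (not dependabot-core code): how Bundler locates the Gemfile.
# Bundler checks ENV["BUNDLE_GEMFILE"] first and otherwise walks up from
# Dir.pwd, so a script started outside the checkout never finds the Gemfile
# that lives under the fetcher's repo_contents_path/directory.
require "bundler"
require "tmpdir"
require "fileutils"

# Resolve the Gemfile as Bundler would from `cwd`, optionally with
# BUNDLE_GEMFILE set. Returns the resolved path, or the error class name
# when Bundler raises Bundler::GemfileNotFound. The previous value of
# BUNDLE_GEMFILE is restored afterwards so the caller's environment is untouched.
def resolve_gemfile(cwd:, bundle_gemfile: nil)
  saved = ENV["BUNDLE_GEMFILE"]
  if bundle_gemfile.nil?
    ENV.delete("BUNDLE_GEMFILE")
  else
    ENV["BUNDLE_GEMFILE"] = bundle_gemfile
  end
  Dir.chdir(cwd) { Bundler::SharedHelpers.default_gemfile.to_s }
rescue Bundler::GemfileNotFound => e
  e.class.name
ensure
  if saved.nil?
    ENV.delete("BUNDLE_GEMFILE")
  else
    ENV["BUNDLE_GEMFILE"] = saved
  end
end

# Build a throwaway "checkout" containing a Gemfile plus a separate directory
# standing in for wherever the fetch script happens to be started from, then
# run the lookup under each condition from the issue.
def demonstrate
  Dir.mktmpdir("repo-contents") do |repo|
    Dir.mktmpdir("script-cwd") do |cwd|
      # Constructed sample Gemfile; contents are irrelevant to the lookup.
      File.write(File.join(repo, "Gemfile"), "source 'https://rubygems.org'\n")
      {
        from_repo_dir: resolve_gemfile(cwd: repo),
        from_other_dir: resolve_gemfile(cwd: cwd),
        with_env_override: resolve_gemfile(cwd: cwd, bundle_gemfile: File.join(repo, "Gemfile")),
        # Any non-empty value bypasses the directory walk at this stage.
        with_bogus_env: resolve_gemfile(cwd: cwd, bundle_gemfile: "does-not-exist")
      }
    end
  end
end

if $PROGRAM_NAME == __FILE__
  demonstrate.each { |scenario, result| puts "#{scenario}: #{result}" }
end
```

A fetch script run outside the checkout therefore either has to set `BUNDLE_GEMFILE` before calling `fetch_files`, or Bundler itself has to stop requiring a Gemfile for lockfile parsing, which is the upstream direction the issue points at.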

Skenvy commented

The underlying cause in the bundler gem has been patched in rubygems/rubygems#6671, so this can be fixed in dependabot by pinning the minimum version of bundler whenever their next release is.

Yay! I'll make sure to update our Bundler version once the upstream change is released 👍.