`Bundler::GemfileNotFound` thrown during `::Dependabot::Bundler::FileFetcher::fetch_path_gemspec_paths` if not run from the folder that contains the `Gemfile`.
Skenvy opened this issue · 2 comments
Code improvement description
Loosely following the File fetchers README, querying `fetcher.files` when the `fetcher_class` is `Dependabot::Bundler::FileFetcher`, when run on a `fetcher_class.new(...)` and `Dependabot::Source.new(...)` that specify a `repo_contents_path` and `directory` in which to run the `fetch_files`, that is not the directory from which the command / script is being run, regardless of the `Gemfile` that the `Gemfile.lock` was created from being present in the targeted `repo_contents_path` and `directory`, absent other workarounds, then `::Dependabot::Bundler::FileFetcher::fetch_path_gemspec_paths` will throw a `Bundler::GemfileNotFound`.

Not considered a bug because it does not impact the dependabot service, but it is an error being thrown when not ideologically necessary, i.e. the error is thrown when running `fetch_files` on a source directory that does contain the valid `Gemfile`, because at the moment, without other workarounds, it is searching for a `Gemfile` at the location the script is run from.

Possible hacky workarounds involve a blank `Gemfile` where the script that uses `fetch_files` is run from, or alternatively, setting `ENV["BUNDLE_GEMFILE"]` to some non-empty value, whether actually being set to the relative path to the `Gemfile` or not.

More details exist in this repo, specifically this workflow that demonstrates the steps and conditions to reproduce the error, and the `ENV["BUNDLE_GEMFILE"]` workaround.

One possible fix might require a change to the `Bundler` gem to allow dependabot to pass the `FileFetcher`'s `repo_contents_path` and the `Source`'s `directory` up to `::Bundler::LockfileParser::initialize` such that it can set the `custom_path` in `::Bundler::app_cache` according to the `repo_contents_path` and `directory`, but I'm not sure how minimal such a change would be to add in the `Bundler` gem.
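The following is an added example, not code from the issue above nor from dependabot or Bundler. It reproduces the mechanism the issue describes using only Bundler's own `Bundler.default_gemfile` lookup (the same working-directory search that `::Bundler::app_cache` relies on): run from an empty directory it raises `Bundler::GemfileNotFound`, a blank `Gemfile` in the working directory satisfies it, and a non-empty `BUNDLE_GEMFILE` is accepted without Bundler checking that the file exists. The path `/repo/checkout/Gemfile` is a hypothetical checkout location, not something from the issue.

```ruby
require "bundler"
require "tmpdir"

# Added example (not from the issue or the dependabot code base). Bundler locates
# the Gemfile by walking upward from the process's working directory, not from any
# repo_contents_path/directory handed to dependabot's FileFetcher, so a script
# run outside the checkout hits Bundler::GemfileNotFound.

# Run the block in a fresh, empty temporary directory with BUNDLE_GEMFILE set to
# gemfile_env (unset when nil); the caller's environment is restored afterwards.
def with_empty_cwd(gemfile_env)
  saved = ENV["BUNDLE_GEMFILE"]
  Dir.mktmpdir("no-gemfile-here") do |dir|
    Dir.chdir(dir) do
      if gemfile_env.nil?
        ENV.delete("BUNDLE_GEMFILE")
      else
        ENV["BUNDLE_GEMFILE"] = gemfile_env
      end
      yield dir
    end
  end
ensure
  if saved.nil?
    ENV.delete("BUNDLE_GEMFILE")
  else
    ENV["BUNDLE_GEMFILE"] = saved
  end
end

# Ask Bundler where the Gemfile is. Returns :not_found when it raises
# Bundler::GemfileNotFound, :found_in_cwd when it picked up a blank Gemfile
# written into the working directory (the first workaround in the issue), and
# otherwise the path Bundler accepted from BUNDLE_GEMFILE (the second workaround).
def locate_gemfile(gemfile_env, blank_gemfile: false)
  with_empty_cwd(gemfile_env) do |dir|
    File.write(File.join(dir, "Gemfile"), "") if blank_gemfile
    found = Bundler.default_gemfile.to_s
    if blank_gemfile && File.realpath(found) == File.realpath(File.join(dir, "Gemfile"))
      :found_in_cwd
    else
      found
    end
  end
rescue Bundler::GemfileNotFound
  :not_found
end

if $PROGRAM_NAME == __FILE__
  # /repo/checkout/Gemfile is a hypothetical path; it need not exist for Bundler
  # to accept it, which is why any non-empty BUNDLE_GEMFILE value silences the error.
  p locate_gemfile(nil)                        # => :not_found
  p locate_gemfile("")                         # => :not_found
  p locate_gemfile("/repo/checkout/Gemfile")   # => "/repo/checkout/Gemfile"
  p locate_gemfile(nil, blank_gemfile: true)   # => :found_in_cwd
end
```

The empty-string case shows why the issue says the value must be non-empty: Bundler treats an empty `BUNDLE_GEMFILE` as unset and falls back to searching upward from the working directory.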
The underlying cause in the bundler gem has been patched (rubygems/rubygems#6671), so this can be fixed in dependabot by pinning the minimum version of bundler whenever their next release is out.
Yay! I'll make sure to update our Bundler version once the upstream change is released