bootboot forces bundler to contact gem repos?

[jdelStrother]

We package gems to vendor/cache, and check them into our git repository. On deploying to servers, bundle install can normally just use that cache rather than contacting a gem repository. Some of our gems are in a private repository, and the servers don't have credentials for downloading gems directly from them - they can just rely on offline installs from vendor/cache.

It seems like if bootboot is present in the Gemfile, bundle install always tries to re-resolve the lockfile & contacts all gem sources (which then fails due to not having the credentials for our private gem repo).

Here's a tiny sample Gemfile:

source "https://rubygems.org"
gem "thor"

$ bundle config set --local cache_all true; bundle config set --local path vendor/bundle; bundle config set --local cache_path vendor/cache

$ bundle package
Fetching gem metadata from https://rubygems.org/.
Using bundler 2.4.6
Fetching thor 1.2.1
Installing thor 1.2.1
Bundle complete! 1 Gemfile dependency, 2 gems now installed.
Bundled gems are installed into `./vendor/bundle`
Updating files in vendor/cache
  * thor-1.2.1.gem

$ bundle install --local --verbose
Running `bundle install --local --verbose` with bundler 2.4.6
Found no changes, using resolution from the lockfile
Using bundler 2.4.6
0:  bundler (2.4.6) from /Users/jon/.gem/ruby/3.1.0/gems/bundler-2.4.6/lib/bundler/source
Using thor 1.2.1
0:  thor (1.2.1) from /Users/jon/Developer/bootboot-test/vendor/bundle/ruby/3.1.0/specifications/thor-1.2.1.gemspec
Updating files in vendor/cache
Bundle complete! 1 Gemfile dependency, 2 gems now installed.
Bundled gems are installed into `./vendor/bundle`

The last bundle install mimics what would happen on a deploy, and doesn't make any connection to the internet.

---

Now if we add bootboot to the Gemfile:

source "https://rubygems.org"
plugin "bootboot", "~> 0.2.1"
gem "thor"
Plugin.send(:load_plugin, 'bootboot') if Plugin.installed?('bootboot')

bash-5.1$ bundle config set --local cache_all true; bundle config set --local path vendor/bundle; bundle config set --local cache_path vendor/cache

bash-5.1$ bundle package
Fetching gem metadata from https://rubygems.org/.
Resolving dependencies...
Using bootboot 0.2.2
Using bundler 2.4.6
Installed plugin bootboot
Fetching gem metadata from https://rubygems.org/.
Using bundler 2.4.6
Fetching thor 1.2.1
Installing thor 1.2.1
Bundle complete! 1 Gemfile dependency, 2 gems now installed.
Bundled gems are installed into `./vendor/bundle`
Updating files in vendor/cache
  * thor-1.2.1.gem

bash-5.1$ bundle install --local --verbose
Running `bundle install --local --verbose` with bundler 2.4.6
Found changes from the lockfile, re-resolving dependencies because bundler is unlocking HTTP GET https://index.rubygems.org/versions
HTTP 304 Not Modified https://index.rubygems.org/versions
Fetching gem metadata from https://rubygems.org/
Looking up gems ["bootboot"]
Resolving dependencies...
Using bootboot 0.2.2
Using bundler 2.4.6
Found no changes, using resolution from the lockfile
Using bundler 2.4.6
0:  bundler (2.4.6) from /Users/jon/.gem/ruby/3.1.0/gems/bundler-2.4.6/lib/bundler/source
Using thor 1.2.1
0:  thor (1.2.1) from /Users/jon/Developer/bootboot-test/vendor/bundle/ruby/3.1.0/specifications/thor-1.2.1.gemspec
Updating files in vendor/cache
Bundle complete! 1 Gemfile dependency, 2 gems now installed.
Bundled gems are installed into `./vendor/bundle`

It always reports "Found changes from the lockfile" and tries to contact all gem sources listed in the Gemfile. That's not so bad here where it only needs to contact rubygems.org, but doesn't work so well for us where we're trying to avoid having our private gem repo credentials on the servers.

Is this expected behaviour? Any workarounds I might try, short of just adding our gem credentials to our deployment servers?

[dorner]

Any update here? We're getting hit with the same issue.

EDIT: Actually, scratch that - it fails even installing the plugin.

EDIT EDIT: My bad - on verbose mode it shows the same error.