Disable bundler cache in fork-facing lint job

kenyonj · kenyonj · commit 49fa48761f5a · 2026-03-30T15:44:59.000-04:00
CodeQL flags cache poisoning risk when pull_request_target checks
out untrusted code with bundler-cache enabled. A malicious fork
could poison the cache via a crafted Gemfile.lock.

Disable caching for the lint job (which runs fork code) and use
a plain bundle install instead. The autocorrect job (same-repo
only) retains bundler-cache.
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -19,7 +19,10 @@ jobs:
       - name: Setup Ruby
         uses: ruby/setup-ruby@v1.299.0
         with:
-          bundler-cache: true
+          bundler-cache: false
+
+      - name: Install dependencies
+        run: bundle install
 
       - name: Run RuboCop
         run: |
