Skip git source exclusion when lockfile cannot backfill

The git source exclusion in `find_source_requirements` introduced by
#9234 relies on `locked_requirements` to backfill the gap
for sources used only by --without groups. Without a Gemfile.lock —
e.g. an initial `BUNDLE_ONLY=ci bundle install` where a default-group
gem from a git source is shifted into the "excluded" set — that
fallback is absent, and the source's indirect dependencies fall
through to the default rubygems source, causing resolution to fail.

Gate the exclusion on `nothing_changed?` so it only applies when the
lockfile is guaranteed to cover the excluded sources.

Fix #9536

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: yahonda

bundler/lib/bundler/definition.rb

@@ -1210,16 +1210,20 @@ def excluded_git_sources
     def find_source_requirements
       preload_git_sources
 
+      # Only safe to exclude when locked_requirements (merged below) backfills the gap.
+      nothing_changed = nothing_changed?
+      excluded = nothing_changed ? excluded_git_sources : []
+
       # Record the specs available in each gem's source, so that those
       # specs will be available later when the resolver knows where to
       # look for that gemspec (or its dependencies)
       source_requirements = if precompute_source_requirements_for_indirect_dependencies?
-        all_requirements = source_map.all_requirements(excluded_git_sources)
+        all_requirements = source_map.all_requirements(excluded)
         { default: default_source }.merge(all_requirements)
       else
-        { default: Source::RubygemsAggregate.new(sources, source_map, excluded_git_sources) }.merge(source_map.direct_requirements)
+        { default: Source::RubygemsAggregate.new(sources, source_map, excluded) }.merge(source_map.direct_requirements)
       end
-      source_requirements.merge!(source_map.locked_requirements) if nothing_changed?
+      source_requirements.merge!(source_map.locked_requirements) if nothing_changed
       metadata_dependencies.each do |dep|
         source_requirements[dep.name] = sources.metadata_source
       end

spec/install/git_spec.rb

@@ -317,5 +317,53 @@
       expect(the_bundle).to include_gems("production_gem 1.0")
       expect(the_bundle).not_to include_gems("development_gem 1.0")
     end
+
+    it "resolves indirect dependencies from a git source not in the requested groups" do
+      build_lib "activesupport", "1.0", path: lib_path("rails/activesupport")
+      build_git "activerecord", "1.0", path: lib_path("rails") do |s|
+        s.add_dependency "activesupport", "= 1.0"
+      end
+
+      gemfile <<-G
+        source "https://gem.repo1"
+
+        gem "activerecord", :git => "#{lib_path("rails")}"
+
+        group :ci do
+          gem "myrack"
+        end
+      G
+
+      bundle_config "only ci"
+      bundle :install
+
+      expect(the_bundle).to include_gems("myrack 1.0.0")
+      expect(the_bundle).not_to include_gems("activerecord 1.0")
+    end
+
+    it "resolves indirect dependencies from a git source not in the requested groups (without compact_index dependency API)" do
+      build_lib "activesupport", "1.0", path: lib_path("rails/activesupport")
+      build_git "activerecord", "1.0", path: lib_path("rails") do |s|
+        s.add_dependency "activesupport", "= 1.0"
+      end
+
+      gemfile <<-G
+        source "https://gem.repo1"
+
+        gem "activerecord", :git => "#{lib_path("rails")}"
+
+        group :ci do
+          gem "myrack"
+        end
+      G
+
+      # Force the RubygemsAggregate code path in find_source_requirements by
+      # making the dependency API unavailable.
+      bundle_config "only ci"
+      bundle :install, artifice: "endpoint_api_forbidden"
+
+      expect(the_bundle).to include_gems("myrack 1.0.0")
+      expect(the_bundle).not_to include_gems("activerecord 1.0")
+    end
   end
 end