From 3d2717270e6a61fb2b040f6e75c4f7047fce7e0e Mon Sep 17 00:00:00 2001
From: Matt <matthv@gmail.com>
Date: Fri, 6 Feb 2026 12:06:03 +0100
Subject: [PATCH 1/2] fix(ci): use BUNDLE_PATH to avoid insecure install path
 with Ruby 4.0

Bundler 4.0 (shipped with Ruby 4.0) has stricter security checks on
gem installation paths. GitHub Actions runners have world-writable gem
directories which trigger InsecureInstallPathError (exit code 38).

Setting BUNDLE_PATH at the job level redirects all gem installs to a
temp directory with proper permissions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .github/workflows/build.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 739809f7a..01e393d0c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -15,6 +15,8 @@ jobs:
   lint:
     name: Lint
     runs-on: ubuntu-latest
+    env:
+      BUNDLE_PATH: ${{ runner.temp }}/bundle
     strategy:
       matrix:
         ruby-version: ["3.4", "4.0"]
@@ -39,9 +41,7 @@ jobs:
           ruby-version: ${{ matrix.ruby-version }}
 
       - name: Install dependencies on main repo
-        run: |
-          gem install bundler
-          bundle install
+        run: bundle install
 
       - name: Install dependencies on packages
         run: cd packages/${{ matrix.packages }} && bundle install && cd -
@@ -53,6 +53,8 @@ jobs:
     name: Test
     runs-on: ubuntu-latest
     needs: [lint]
+    env:
+      BUNDLE_PATH: ${{ runner.temp }}/bundle
     strategy:
       matrix:
         ruby-version: ["3.4", "4.0"]
@@ -79,9 +81,7 @@ jobs:
           ruby-version: ${{ matrix.ruby-version }}
 
       - name: Install dependencies on main repo
-        run: |
-          gem install bundler
-          bundle install
+        run: bundle install
 
       - name: Wait for MongoDB
         if: ${{ matrix.packages == 'forest_admin_datasource_mongoid' }}

From 461e33a8f7bebe01dddd5e21d44c066aa81d7aee Mon Sep 17 00:00:00 2001
From: Matt <matthv@gmail.com>
Date: Fri, 6 Feb 2026 12:09:33 +0100
Subject: [PATCH 2/2] fix(ci): use /tmp/bundle instead of runner.temp

runner context is not available at job-level env, only within steps.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .github/workflows/build.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 01e393d0c..d971ed472 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -16,7 +16,7 @@ jobs:
     name: Lint
     runs-on: ubuntu-latest
     env:
-      BUNDLE_PATH: ${{ runner.temp }}/bundle
+      BUNDLE_PATH: /tmp/bundle
     strategy:
       matrix:
         ruby-version: ["3.4", "4.0"]
@@ -54,7 +54,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: [lint]
     env:
-      BUNDLE_PATH: ${{ runner.temp }}/bundle
+      BUNDLE_PATH: /tmp/bundle
     strategy:
       matrix:
         ruby-version: ["3.4", "4.0"]