From 0085cb35cba7676040d82d6b74793cb68e2f3723 Mon Sep 17 00:00:00 2001
From: Declan McMullen
Date: Wed, 10 Jun 2026 13:34:53 +0100
Subject: [PATCH] Route CI gem installs through Socket Firewall registry
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Mirrors rubygems.org through the Socket Firewall registry so CI gem installs are scanned for supply-chain risk before fetch. Auth is injected at runtime via the socket-firewall CircleCI context — no credential committed.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .circleci/config.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 1bd1adc..a0d9e51 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -17,6 +17,17 @@ jobs:
 - macos-dependencies-{{ checksum "Gemfile.lock" }}-{{ checksum ".circleci/config.yml" }}
 - macos-dependencies-{{ checksum "Gemfile.lock" }}
 - macos-dependencies-
+ - run:
+ name: Configure Bundler to use Socket Firewall registry
+ command: |
+ bundle config set --global mirror.https://rubygems.org https://socket-firewall-registry.corporate.intercom.io/rubygems
+ bundle config set --global https://socket-firewall-registry.corporate.intercom.io/rubygems "intercom-socket:${SOCKET_REGISTRY_TOKEN}"
+ - run:
+ name: Verify Socket Firewall mirror is active
+ command: |
+ MIRROR=$(bundle config mirror.https://rubygems.org | grep -o 'https://.*')
+ echo "Bundler mirror: $MIRROR"
+ echo "$MIRROR" | grep -q socket-firewall-registry || { echo "FAIL: Socket mirror not configured"; exit 1; }
 - run:
 name: install dependencies
 command: |
@@ -35,3 +46,11 @@ jobs:
 spec/
 - store_test_results:
 path: /tmp/test-results
+
+workflows:
+ version: 2
+ build:
+ jobs:
+ - build:
+ context:
+ - socket-firewall
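Review bot: The second `bundle config set --global` line in the "Configure Bundler" step stores `intercom-socket:${SOCKET_REGISTRY_TOKEN}` in the user-level Bundler config file on the executor, and nothing checks that the variable is set, so a job started without the context would presumably write an empty password and fail later with an opaque authentication error. I would put `: "${SOCKET_REGISTRY_TOKEN:?SOCKET_REGISTRY_TOKEN is not set}"` as the first line of that command so the job stops there with a clear message. The verify step only greps the configured mirror string, so it passes in that case too; it confirms the configuration, not that the registry accepted the credential. The save_cache step for the `macos-dependencies-` keys is outside the hunk, so it is worth confirming that the cached paths do not include Bundler's user config directory, since otherwise the token would be persisted in the cache.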
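Review bot: The `context:` entry attaches `socket-firewall` to the whole `build` job, so whatever the context holds is in the environment of every step, including dependency installation and the test run, not only the Bundler configuration step. Nothing in the file says which variable the context is expected to supply; a comment above `context:` such as `# socket-firewall context supplies SOCKET_REGISTRY_TOKEN for the Bundler mirror step` would tie it to the step that consumes it. Whether the token is limited to read-only registry access is not visible here and is worth confirming, as is restricting the context to the intended project or security group.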