Exclude dev and test deps from docker images

.buildkite/scripts/run_ci_step.sh

@@ -8,6 +8,10 @@ JAVA_VERSION="$(cat .java-version)"
 export RUBY_VERSION
 export JAVA_VERSION
 
+# The Docker image excludes dev/test gems for a leaner production build.
+# CI needs them, so clear the 'without' config before installing.
+bundle config unset without
+
 case $1 in
   lint)
     echo "---- running linter"

Dockerfile

@@ -14,6 +14,9 @@ RUN groupadd -g 451 crawlergroup && \
 USER crawleruser
 COPY --chown=crawleruser:crawlergroup --chmod=775 . /home/app
 WORKDIR /home/app
+# Exclude development and test gems from the production image to reduce
+# image size and CVE surface area (e.g. rack, rspec, rubocop, pry, etc.)
+RUN bundle config set --local without 'development test'
 RUN make clean install
 
 # Clean up build dependencies

Dockerfile.wolfi

@@ -48,6 +48,9 @@ WORKDIR /home/app
 # skip jenv/rbenv setup
 ENV IS_DOCKER=1
 
+# Exclude development and test gems from the production image to reduce
+# image size and CVE surface area (e.g. rack, rspec, rubocop, pry, etc.)
+RUN bundle config set --local without 'development test'
 RUN make clean install
 # add more directories and files not to be copied to the runtime image from /home/app
 RUN rm -rf .git .github .idea .devcontainer .buildkite