Add bundle-audit to CI for Gemfile.lock CVE gating

.github/workflows/ci.yml

@@ -33,3 +33,18 @@ jobs:
 
       - name: Run tests and lint
         run: bundle exec rake
+
+  audit:
+    name: bundle-audit
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.4'
+          bundler-cache: true
+
+      - name: Run bundle-audit
+        run: bundle exec bundle-audit check --update

CHANGELOG.md

@@ -8,6 +8,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 
 ### Added
+- **`bundle-audit` in CI** (`.github/workflows/ci.yml`). New `audit`
+  job runs `bundle exec bundle-audit check --update` on every push
+  and PR, gating merges on known CVEs in `Gemfile.lock`. Advisory
+  DB is refreshed on each run from `rubysec/ruby-advisory-db`. Also
+  available locally as `bundle exec rake audit`.
 - **Dependabot config** (`.github/dependabot.yml`). Weekly bump PRs
   for Bundler and GitHub Actions, with `open-pull-requests-limit: 3`
   per ecosystem. `versioning-strategy: lockfile-only` on bundler, so

Gemfile

@@ -5,10 +5,11 @@ source 'https://rubygems.org'
 gemspec
 
 group :development do
-  gem 'rake',      '>= 13.2'
-  gem 'rspec',     '>= 3.13'
+  gem 'bundler-audit', '>= 0.9'
+  gem 'rake',          '>= 13.2'
+  gem 'rspec',         '>= 3.13'
   gem 'rubocop',       '>= 1.60'
   gem 'rubocop-rake',  '>= 0.6'
   gem 'rubocop-rspec', '>= 2.27'
-  gem 'simplecov', '>= 0.22'
+  gem 'simplecov',     '>= 0.22'
 end

Rakefile

@@ -12,3 +12,8 @@ task default: %i[spec rubocop]
 
 desc 'Alias for spec'
 task test: :spec
+
+desc 'Check Gemfile.lock against the ruby-advisory-db for known CVEs'
+task :audit do
+  sh 'bundle exec bundle-audit check --update'
+end