Auto-skip dependency installation for production_platform repos

[DudeRandom21]

Summary

• When a repo has production_platform configured in its shipit.yml and all explicitly configured deploy/rollback/task steps match a known-safe command allowlist (production-platform-next, kubernetes-deploy, kubernetes-restart), skip dependency installation automatically
• Logs a warning when deps are skipped so it's visible in deploy output and Rails logs
• Explicit dependencies.override config is always respected — this only affects auto-discovery

Refs Shopify/continuous-deployment#2454

Motivation

Repos deploying via production-platform-next don't need local Ruby/Node dependencies installed on the shipit worker — the app runs in pre-built Docker containers. But shipit's auto-discovery detects Gemfile/package.json and runs bundle install anyway. When the worker's Ruby version doesn't match the repo's required version, the install fails and blocks deploys entirely, preventing Ruby version upgrades.

Design decisions

• Allowlist approach: Only skip when ALL steps match known-safe commands. Unknown commands fall through to normal dependency installation.
• Explicit config only: We only inspect deploy.override, deploy.pre/post, rollback.override, rollback.pre/post, and tasks from config. Auto-discovered steps (e.g., from KubernetesDiscovery) are not inspected — if no overrides exist, we conservatively install deps.
• Empty steps guard: If no explicit steps are configured at all, we don't skip (avoids [].all? vacuous truth).

Future consideration: extending to auto-discovered steps

Currently this only triggers for repos with production_platform config AND explicit step overrides. There's an opportunity to also skip deps for repos that rely on auto-discovered steps from KubernetesDiscovery (which produces kubernetes-deploy and kubernetes-restart commands — both already on the safe allowlist). This would cover repos with a kubernetes config key but no production_platform key.

More broadly, several auto-discovery modules are for non-Ruby platforms (PyPI/Python, npm/yarn for package publishing, Lerna) — repos that trigger these are unlikely to have meaningful Ruby dependencies to install in the first place. Since the motivation for this change is unblocking Ruby version upgrades (where bundle install fails due to gem incompatibilities with the new version), these non-Ruby stacks are lower priority — they're unlikely to hit the version mismatch problem even without this change. That said, skipping unnecessary installs for them would still be a correctness improvement worth considering in a follow-up.

Test plan

• production_platform + safe steps → deps skipped
• production_platform + unsafe deploy steps → deps NOT skipped
• production_platform + unsafe task steps → deps NOT skipped
• production_platform + unsafe deploy.pre → deps NOT skipped
• production_platform + unsafe rollback → deps NOT skipped
• production_platform absent → normal behavior
• Explicit dependencies.override → respected regardless
• Pre/post dependency steps preserved when core install skipped
• kubernetes-deploy prefix → skipped
• Unknown command → falls through to discovery
• No overrides configured at all → conservative, does not skip
• Full test suite passes (1243 tests, 0 failures)

🤖 Generated with Claude Code