Thanks for explaining, I understand. My preference in this case is let the user accept that scenario, although I can understand the arguments against it. In my case if bundler cannot install later that's actually fine as the CI will catch that. Since it's a private dependency we can update as appropriate. I suppose the scenario is a bit like optionalDependencies in NPM although not quite the same.
Well that is strange! To briefly explain a bit more, I'm doing this as part of a Docker container build. I thought you were probably right and it had been cached somewhere. Slightly off topic but I cleared out all local Docker volumes, images and containers plus checked any volumes mounted which means I could do an entirely fresh build. The bundler cache is not mounted which means it sits inside the container. I rebuilt from entirely fresh and it works so I'm not sure why yours did not. I went one step further and completely removed the private source from my machine just in case the build had access to it somewhere I haven't spotted, but it still works. I'm using a Gemfile.lock if that makes any difference?
In the logs for the build, I see these logs lines three times each which seems to indicate the mirror config is being acted upon:
No log lines for the private repo.
I also reconfirmed that if I remove the mirror config line from the build, it immediately fails with the standard Authentication is required message.