Use SECRET_KEY_BASE_DUMMY
feature as placeholder during asset compilation (#30505)
This commit is contained in:
parent
9cc4040308
commit
0e1110c947
4 changed files with 12 additions and 11 deletions
6
.github/workflows/test-ruby.yml
vendored
6
.github/workflows/test-ruby.yml
vendored
|
@ -28,11 +28,7 @@ jobs:
|
||||||
env:
|
env:
|
||||||
RAILS_ENV: ${{ matrix.mode }}
|
RAILS_ENV: ${{ matrix.mode }}
|
||||||
BUNDLE_WITH: ${{ matrix.mode }}
|
BUNDLE_WITH: ${{ matrix.mode }}
|
||||||
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: precompile_placeholder
|
SECRET_KEY_BASE_DUMMY: 1
|
||||||
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: precompile_placeholder
|
|
||||||
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: precompile_placeholder
|
|
||||||
OTP_SECRET: precompile_placeholder
|
|
||||||
SECRET_KEY_BASE: precompile_placeholder
|
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
|
|
|
@ -212,11 +212,7 @@ ARG TARGETPLATFORM
|
||||||
|
|
||||||
RUN \
|
RUN \
|
||||||
# Use Ruby on Rails to create Mastodon assets
|
# Use Ruby on Rails to create Mastodon assets
|
||||||
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=precompile_placeholder \
|
SECRET_KEY_BASE_DUMMY=1 \
|
||||||
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=precompile_placeholder \
|
|
||||||
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=precompile_placeholder \
|
|
||||||
OTP_SECRET=precompile_placeholder \
|
|
||||||
SECRET_KEY_BASE=precompile_placeholder \
|
|
||||||
bundle exec rails assets:precompile; \
|
bundle exec rails assets:precompile; \
|
||||||
# Cleanup temporary files
|
# Cleanup temporary files
|
||||||
rm -fr /opt/mastodon/tmp;
|
rm -fr /opt/mastodon/tmp;
|
||||||
|
|
|
@ -156,7 +156,11 @@ Rails.application.configure do
|
||||||
}
|
}
|
||||||
|
|
||||||
# TODO: Remove once devise-two-factor data migration complete
|
# TODO: Remove once devise-two-factor data migration complete
|
||||||
config.x.otp_secret = ENV.fetch('OTP_SECRET')
|
config.x.otp_secret = if ENV['SECRET_KEY_BASE_DUMMY']
|
||||||
|
SecureRandom.hex(64)
|
||||||
|
else
|
||||||
|
ENV.fetch('OTP_SECRET')
|
||||||
|
end
|
||||||
|
|
||||||
# Enable DNS rebinding protection and other `Host` header attacks.
|
# Enable DNS rebinding protection and other `Host` header attacks.
|
||||||
# config.hosts = [
|
# config.hosts = [
|
||||||
|
|
|
@ -5,6 +5,11 @@
|
||||||
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
|
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
|
||||||
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
|
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
|
||||||
).each do |key|
|
).each do |key|
|
||||||
|
if ENV['SECRET_KEY_BASE_DUMMY']
|
||||||
|
# Use placeholder value during production env asset compilation
|
||||||
|
ENV[key] = SecureRandom.hex(64)
|
||||||
|
end
|
||||||
|
|
||||||
value = ENV.fetch(key) do
|
value = ENV.fetch(key) do
|
||||||
abort <<~MESSAGE
|
abort <<~MESSAGE
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue