Use SECRET_KEY_BASE_DUMMY feature as placeholder during asset compilation ()

Matt Jankowski 2024-06-10 16:08:04 -04:00 committed by GitHub
parent 9cc4040308
commit 0e1110c947
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 12 additions and 11 deletions
.github/workflows
Dockerfile
config


@ -28,11 +28,7 @@ jobs:
env: env:
RAILS_ENV: ${{ matrix.mode }} RAILS_ENV: ${{ matrix.mode }}
BUNDLE_WITH: ${{ matrix.mode }} BUNDLE_WITH: ${{ matrix.mode }}
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: precompile_placeholder SECRET_KEY_BASE_DUMMY: 1
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: precompile_placeholder
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: precompile_placeholder
OTP_SECRET: precompile_placeholder
SECRET_KEY_BASE: precompile_placeholder
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
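Review bot: `SECRET_KEY_BASE_DUMMY: 1` sits in the job-level `env:` block, so every step of this job inherits it, not only the asset precompile. If a later step boots the application for anything other than compilation (the steps after checkout are outside this hunk), it would run with throwaway secrets and raise no error. Moving the variable into the `env:` of the precompile step alone would keep the dummy mode as narrow as it is in the Dockerfile, where it is an inline assignment on a single command.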


@ -212,11 +212,7 @@ ARG TARGETPLATFORM
RUN \ RUN \
# Use Ruby on Rails to create Mastodon assets # Use Ruby on Rails to create Mastodon assets
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=precompile_placeholder \ SECRET_KEY_BASE_DUMMY=1 \
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=precompile_placeholder \
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=precompile_placeholder \
OTP_SECRET=precompile_placeholder \
SECRET_KEY_BASE=precompile_placeholder \
bundle exec rails assets:precompile; \ bundle exec rails assets:precompile; \
# Cleanup temporary files # Cleanup temporary files
rm -fr /opt/mastodon/tmp; rm -fr /opt/mastodon/tmp;
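Review bot: The inline `SECRET_KEY_BASE_DUMMY=1 \` prefix on the `rails assets:precompile` command is what keeps the flag out of the final image, and the comment above it does not say so. I would extend that comment to something like `# SECRET_KEY_BASE_DUMMY is build-time only: keep it inline on this command, never ENV or ARG`. A later edit that promotes it to `ENV` would, given the other changes in this commit, make every container start with random OTP and Active Record encryption secrets.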


@ -156,7 +156,11 @@ Rails.application.configure do
} }
# TODO: Remove once devise-two-factor data migration complete # TODO: Remove once devise-two-factor data migration complete
config.x.otp_secret = ENV.fetch('OTP_SECRET') config.x.otp_secret = if ENV['SECRET_KEY_BASE_DUMMY']
SecureRandom.hex(64)
else
ENV.fetch('OTP_SECRET')
end
# Enable DNS rebinding protection and other `Host` header attacks. # Enable DNS rebinding protection and other `Host` header attacks.
# config.hosts = [ # config.hosts = [
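Review bot: With the new `if ENV['SECRET_KEY_BASE_DUMMY']` branch, a server started with that variable present gets a fresh random `config.x.otp_secret` on every boot instead of failing on a missing `OTP_SECRET`. A misconfigured deployment would then surface only later, presumably when stored two-factor data can no longer be read (inferred from the TODO about the devise-two-factor migration). The test is plain truthiness, so `SECRET_KEY_BASE_DUMMY=0` or an empty value enables it as well. I would make the fallback visible, for example `warn 'SECRET_KEY_BASE_DUMMY is set: using a throwaway OTP secret'` inside the branch, and add a comment that this mode is for asset compilation only. The same silent fallback applies to the key loop in the initializer section at the end of this commit.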


@ -5,6 +5,11 @@
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
).each do |key| ).each do |key|
if ENV['SECRET_KEY_BASE_DUMMY']
# Use placeholder value during production env asset compilation
ENV[key] = SecureRandom.hex(64)
end
value = ENV.fetch(key) do value = ENV.fetch(key) do
abort <<~MESSAGE abort <<~MESSAGE
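Review bot: `ENV[key] = SecureRandom.hex(64)` replaces the variable even when a real key is already configured. A process that has both the real Active Record encryption keys and `SECRET_KEY_BASE_DUMMY` set would therefore run with random keys and give no indication. `ENV[key] ||= SecureRandom.hex(64)` would leave configured keys untouched and still satisfy the `ENV.fetch(key)` check that follows during precompilation. The body of the `each` block continues outside this hunk, so any later use of `value` is not visible here.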