diff --git a/.github/workflows/test-ruby.yml b/.github/workflows/test-ruby.yml index 5f2297381a7..8f05dcab3ec 100644 --- a/.github/workflows/test-ruby.yml +++ b/.github/workflows/test-ruby.yml @@ -28,11 +28,7 @@ jobs: env: RAILS_ENV: ${{ matrix.mode }} BUNDLE_WITH: ${{ matrix.mode }} - ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: precompile_placeholder - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: precompile_placeholder - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: precompile_placeholder - OTP_SECRET: precompile_placeholder - SECRET_KEY_BASE: precompile_placeholder + SECRET_KEY_BASE_DUMMY: 1 steps: - uses: actions/checkout@v4 diff --git a/Dockerfile b/Dockerfile index cb5b8720592..2dc7602b2d2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -212,11 +212,7 @@ ARG TARGETPLATFORM RUN \ # Use Ruby on Rails to create Mastodon assets - ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=precompile_placeholder \ - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=precompile_placeholder \ - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=precompile_placeholder \ - OTP_SECRET=precompile_placeholder \ - SECRET_KEY_BASE=precompile_placeholder \ + SECRET_KEY_BASE_DUMMY=1 \ bundle exec rails assets:precompile; \ # Cleanup temporary files rm -fr /opt/mastodon/tmp; diff --git a/config/environments/production.rb b/config/environments/production.rb index a39843e9562..6686a23d60d 100644 --- a/config/environments/production.rb +++ b/config/environments/production.rb @@ -156,7 +156,11 @@ Rails.application.configure do } # TODO: Remove once devise-two-factor data migration complete - config.x.otp_secret = ENV.fetch('OTP_SECRET') + config.x.otp_secret = if ENV['SECRET_KEY_BASE_DUMMY'] + SecureRandom.hex(64) + else + ENV.fetch('OTP_SECRET') + end # Enable DNS rebinding protection and other `Host` header attacks. # config.hosts = [ diff --git a/config/initializers/active_record_encryption.rb b/config/initializers/active_record_encryption.rb index 900f3c68f0d..a83ca807657 100644 --- a/config/initializers/active_record_encryption.rb +++ b/config/initializers/active_record_encryption.rb @@ -5,6 +5,11 @@ ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY ).each do |key| + if ENV['SECRET_KEY_BASE_DUMMY'] + # Use placeholder value during production env asset compilation + ENV[key] = SecureRandom.hex(64) + end + value = ENV.fetch(key) do abort <<~MESSAGE