Use SECRET_KEY_BASE_DUMMY feature as placeholder during asset compilation (#30505)

.github/workflows/test-ruby.yml

@@ -28,11 +28,7 @@ jobs:
     env:
       RAILS_ENV: ${{ matrix.mode }}
       BUNDLE_WITH: ${{ matrix.mode }}
-      ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: precompile_placeholder
+      SECRET_KEY_BASE_DUMMY: 1
-      ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: precompile_placeholder
-      ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: precompile_placeholder
-      OTP_SECRET: precompile_placeholder
-      SECRET_KEY_BASE: precompile_placeholder
 
     steps:
       - uses: actions/checkout@v4

Dockerfile

@@ -212,11 +212,7 @@ ARG TARGETPLATFORM
 
 RUN \
 # Use Ruby on Rails to create Mastodon assets
-  ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=precompile_placeholder \
+  SECRET_KEY_BASE_DUMMY=1 \
-  ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=precompile_placeholder \
-  ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=precompile_placeholder \
-  OTP_SECRET=precompile_placeholder \
-  SECRET_KEY_BASE=precompile_placeholder \
   bundle exec rails assets:precompile; \
 # Cleanup temporary files
   rm -fr /opt/mastodon/tmp;

config/environments/production.rb

@@ -156,7 +156,11 @@ Rails.application.configure do
   }
 
   # TODO: Remove once devise-two-factor data migration complete
-  config.x.otp_secret = ENV.fetch('OTP_SECRET')
+  config.x.otp_secret = if ENV['SECRET_KEY_BASE_DUMMY']
+                          SecureRandom.hex(64)
+                        else
+                          ENV.fetch('OTP_SECRET')
+                        end
 
   # Enable DNS rebinding protection and other `Host` header attacks.
   # config.hosts = [

config/initializers/active_record_encryption.rb

@@ -5,6 +5,11 @@
   ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
   ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
 ).each do |key|
+  if ENV['SECRET_KEY_BASE_DUMMY']
+    # Use placeholder value during production env asset compilation
+    ENV[key] = SecureRandom.hex(64)
+  end
+
   value = ENV.fetch(key) do
     abort <<~MESSAGE