Another round of CI fixing

* A few specs depending on environment variables
* CI prod setup smoketest can't decode the encrypted data - fall back to
  environment variables in this case

Author: dutow

.github/workflows/prod-boot.yml

@@ -18,6 +18,12 @@ jobs:
           cp deploy/.env.example deploy/.env
           # Override secrets/SSL for CI boot
           ruby -e "require 'securerandom'; puts \"SECRET_KEY_BASE=#{SecureRandom.hex(64)}\"" >> deploy/.env
+          # AR encryption keys — production.rb normally loads these from
+          # credentials, but CI has no RAILS_MASTER_KEY. Inject random values
+          # via env so db:prepare can boot.
+          ruby -e "require 'securerandom'; puts \"RAILS_AR_ENCRYPTION_PRIMARY_KEY=#{SecureRandom.alphanumeric(32)}\"" >> deploy/.env
+          ruby -e "require 'securerandom'; puts \"RAILS_AR_ENCRYPTION_DETERMINISTIC_KEY=#{SecureRandom.alphanumeric(32)}\"" >> deploy/.env
+          ruby -e "require 'securerandom'; puts \"RAILS_AR_ENCRYPTION_SALT=#{SecureRandom.alphanumeric(32)}\"" >> deploy/.env
           echo "FORCE_SSL=false" >> deploy/.env
           echo "APP_HOST=localhost" >> deploy/.env
           # Copy Postgres config template and shrink memory settings

config/environments/production.rb

@@ -98,6 +98,20 @@
   # Only use :id for inspections in production.
   config.active_record.attributes_for_inspect = [ :id ]
 
+  # Active Record encryption keys. Default to credentials (decrypted with
+  # RAILS_MASTER_KEY); allow RAILS_AR_ENCRYPTION_* env overrides so a smoke-test
+  # boot (e.g. prod-boot CI) can run without baking a master key into the image.
+  ar_enc_env = {
+    primary_key:         ENV["RAILS_AR_ENCRYPTION_PRIMARY_KEY"],
+    deterministic_key:   ENV["RAILS_AR_ENCRYPTION_DETERMINISTIC_KEY"],
+    key_derivation_salt: ENV["RAILS_AR_ENCRYPTION_SALT"]
+  }
+  if ar_enc_env.values.all?(&:present?)
+    config.active_record.encryption.primary_key            = ar_enc_env[:primary_key]
+    config.active_record.encryption.deterministic_key      = ar_enc_env[:deterministic_key]
+    config.active_record.encryption.key_derivation_salt    = ar_enc_env[:key_derivation_salt]
+  end
+
   # Enable DNS rebinding protection and other `Host` header attacks.
   # config.hosts = [
   #   "example.com",     # Allow requests from example.com

deploy/.env.example

@@ -20,6 +20,14 @@ SECRET_KEY_BASE=change-me
 # leaving the previous values present so existing rows stay decryptable.
 RAILS_MASTER_KEY=change-me
 
+# Optional ENV override for Active Record encryption keys. If all three are set,
+# production.rb uses them instead of credentials — handy for smoke-test boots
+# (e.g. prod-boot CI) where a master key is not available. Leave unset in real
+# deployments so credentials remain the single source of truth.
+# RAILS_AR_ENCRYPTION_PRIMARY_KEY=
+# RAILS_AR_ENCRYPTION_DETERMINISTIC_KEY=
+# RAILS_AR_ENCRYPTION_SALT=
+
 # Database (used by DATABASE_URL below)
 POSTGRES_USER=hackorum
 POSTGRES_PASSWORD=hackorum

spec/services/oauth/token_refresher_spec.rb

@@ -1,6 +1,11 @@
 require 'rails_helper'
 
 RSpec.describe OAuth::TokenRefresher do
+  before do
+    ENV['GOOGLE_CLIENT_ID']     ||= 'test-client-id'
+    ENV['GOOGLE_CLIENT_SECRET'] ||= 'test-client-secret'
+  end
+
   let(:identity) {
     create(:identity, refresh_token: 'r1', access_token: nil,
                       access_token_expires_at: nil)