Conversation
awilfox
requested review from
anarchivist,
danschmidt5189,
davezuckerman,
jason-raitz and
yzhoubk
danschmidt5189
left a comment
danschmidt5189
left a comment
There was a problem hiding this comment.
A few minor questions but definitely not blockers.
|
|
||
| # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies. | ||
| # config.force_ssl = true | ||
| config.force_ssl = true |
There was a problem hiding this comment.
Do you know how this behaves behind a proxy that terminates SSL? X-Forwarded-Proto would be https, but the actual connection to the proxy is http.
There was a problem hiding this comment.
AVPlayer and Lost-and-Found both have config.force_ssl enabled, so it should be fine here AFAIK.
docker-compose.ci.yml
Outdated
| - selenium | ||
| volumes: !override | ||
| - artifacts:/opt/app/artifacts | ||
| - /tmp/secret_key_base:/run/secrets/SECRET_KEY_BASE |
There was a problem hiding this comment.
This works. Alternatively you might consider using an actual Docker secret (with file: /tmp/... in the top-level definition).
danschmidt5189
requested review from
Copilot
and removed request for
anarchivist,
davezuckerman,
jason-raitz and
yzhoubk
There was a problem hiding this comment.
Pull request overview
Updates the application to Rails 7.2, aligning configuration defaults and dependency versions while addressing deprecations (notably Rails.application.secrets removal and Ruby 3.4 warnings).
Changes:
- Upgrade Rails from 7.1 to 7.2 (and update Gemfile/Gemfile.lock accordingly, including adding
mutex_m). - Update environment and framework configuration defaults (e.g.,
load_defaults 7.2, SSL enforcement in production, test/development config tweaks). - Adjust CI and tooling scripts (GitHub Actions build workflow, docker-compose CI overrides, simplified binstubs).
Reviewed changes
Copilot reviewed 11 out of 15 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| public/robots.txt | Updates documentation URL to HTTPS. |
| docker-compose.ci.yml | Adds a CI mount intended to provide SECRET_KEY_BASE. |
| config/puma.rb | Replaces Puma config comments and adds pidfile support. |
| config/environments/test.rb | Enables deprecation logging to stderr; comment updates. |
| config/environments/production.rb | Enables force_ssl and adds Rails 7.2 production defaults. |
| config/environments/development.rb | Comment/style tweaks; adds Action Mailer template caching setting. |
| config/boot.rb | Removes explicit require 'logger'. |
| config/application.rb | Switches load_defaults to 7.2 and adds autoload_lib ignore list. |
| bin/rubocop | Replaces Bundler-generated binstub with a simplified wrapper and forces explicit config path. |
| bin/brakeman | Replaces Bundler-generated binstub with a simplified wrapper and adds --ensure-latest. |
| app/models/efees_invoice.rb | Migrates from Rails.application.secrets to Rails.application.secret_key_base. |
| Gemfile.lock | Locks Rails 7.2.3 and related dependency updates (including mutex_m). |
| Gemfile | Bumps Rails requirement to 7.2.3 and adds mutex_m. |
| .idea/altmedia.iml | Updates IDE module metadata for new gem versions. |
| .github/workflows/build.yml | Generates a secret key base file during CI stack setup. |
Files not reviewed (1)
- .idea/altmedia.iml: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
config/puma.rb
Outdated
| # Specifies the `environment` that Puma will run in. | ||
| # The ideal number of threads per worker depends both on how much time the | ||
| # application spends waiting for IO operations and on how much you wish to | ||
| # to prioritize throughput over latency. |
There was a problem hiding this comment.
Typo in comment: duplicated word “to” in “how much you wish to to prioritize…”.
| # to prioritize throughput over latency. | |
| # prioritize throughput over latency. |
There was a problem hiding this comment.
This was part of the Rails default config; I'll fix it, but it's not my typo.
config/puma.rb
Outdated
| # The default is set to 3 threads as it's deemed a decent compromise between | ||
| # throughput and latency for the average Rails application. | ||
| # | ||
| # preload_app! | ||
| # Any libraries that use a connection pool or another resource pool should | ||
| # be configured to provide at least as many connections as the number of | ||
| # threads. This includes Active Record's `pool` parameter in `database.yml`. | ||
| threads_count = ENV.fetch('RAILS_MAX_THREADS', 5) | ||
| threads threads_count, threads_count |
There was a problem hiding this comment.
The comment says “The default is set to 3 threads” but ENV.fetch('RAILS_MAX_THREADS', 5) defaults to 5. Update the comment or the default value so they match to avoid misleading operators tuning concurrency.
There was a problem hiding this comment.
Fair enough; I kept the thread count we already used for Framework and didn't notice the comment.
docker-compose.ci.yml
Outdated
| volumes: !override | ||
| - artifacts:/opt/app/artifacts | ||
| - /tmp/secret_key_base:/run/secrets/SECRET_KEY_BASE |
There was a problem hiding this comment.
Mounting /tmp/secret_key_base at /run/secrets/SECRET_KEY_BASE won’t affect Rails unless something reads that file and sets ENV["SECRET_KEY_BASE"] (no such logic exists in this repo). If the intent is to satisfy Rails 7.2’s secret_key_base requirement in CI, pass SECRET_KEY_BASE as an environment variable to the container (and/or add boot-time code to read /run/secrets/SECRET_KEY_BASE).
There was a problem hiding this comment.
Wrong -- the berkeley_library-docker gem automatically loads secrets from /run/secrets into ENV when the application boots.
.github/workflows/build.yml
Outdated
|
|
||
| - name: Setup the stack | ||
| run: | | ||
| docker run "${DOCKER_APP_IMAGE}" rails secret > /tmp/secret_key_base |
There was a problem hiding this comment.
docker run "${DOCKER_APP_IMAGE}" rails secret should use --rm to avoid leaving stopped containers on the runner. Also, the generated secret is written to /tmp/secret_key_base but isn’t exported as SECRET_KEY_BASE for the compose services (mounting the file alone won’t be used by Rails unless you explicitly read it).
| docker run "${DOCKER_APP_IMAGE}" rails secret > /tmp/secret_key_base | |
| SECRET_KEY_BASE="$(docker run --rm "${DOCKER_APP_IMAGE}" rails secret)" | |
| export SECRET_KEY_BASE | |
| printf '%s' "${SECRET_KEY_BASE}" > /tmp/secret_key_base |
There was a problem hiding this comment.
--rm is fair, but not going to set an env var in favour of the secrets testing.
* `Rails.application.secrets` is removed; the `secret_key_base` accessor in `Rails.application` has been present since 6.x, so just use that. * Minor configuration updates for 7.2 defaults. * Add `mutex_m` to avoid deprecation warnings for Ruby 3.4. Ref: AP-270
awilfox
force-pushed
the
awilfox/AP-270-rails-7-2
branch
from
e66223e to
0decf6b
Compare
|
v2: Addressed feedback. |
2 participants
Rails.application.secretsis removed; thesecret_key_baseaccessor inRails.applicationhas been present since 6.x, so just use that.Minor configuration updates for 7.2 defaults.
Add
mutex_mto avoid deprecation warnings for Ruby 3.4.Ref: AP-270
This includes the
SECRET_KEY_BASEsetting inbuild.ymlthat @danschmidt5189 suggested in Slack, so cc'ing him.Only other thing of note is that Rails 7.2 enforces HTTPS (HSTS / redirects) in prod, but this shouldn't be an issue since AFAIK all Library endpoints are HTTPS anyway.