Suppress deprecation warning about use of Rails secrets

Rails 7.1 deprecates the use of Rails.application.secrets in favour of `Rails.application.credentials`. The credentials system introduces the burden of master encryption key administration at no benefit to us, because we manage our production secrets using environment variables instead of committing them to Git. This commit loads the existing secret values and merges them into the credentials object. This approach was copied from commit 8937b172be530a5d91bd999f4538e5a722dcab19 on the GOV.UK account-api project.
alphagov · Feb 26, 2024 · 8871346 · 8871346
1 parent 0f7f97a
commit 8871346
Showing 1 changed file with 11 additions and 3 deletions.
diff --git a/config/application.rb b/config/application.rb
@@ -25,8 +25,16 @@ class Application < Rails::Application
 
     config.active_record.belongs_to_required_by_default = false
 
-    config.active_record.encryption.key_derivation_salt = Rails.application.secrets.active_record_encryption[:key_derivation_salt]
-    config.active_record.encryption.primary_key = Rails.application.secrets.active_record_encryption[:primary_key]
+    # Rails 7 has begun to deprecate Rails.application.credentials in favour
+    # of Rails.application.credentials, but that adds the burden of master key
+    # administration without giving us any benefit (because our production
+    # secrets are handled as env vars, not committed to our repo. Here we
+    # loads the config/secrets.YML values into Rails.application.credentials,
+    # retaining the existing behaviour while dropping deprecated references.
+    Rails.application.credentials.merge!(Rails.application.config_for(:secrets))
+
+    config.active_record.encryption.key_derivation_salt = Rails.application.credentials.dig(:active_record_encryption, :key_derivation_salt)
+    config.active_record.encryption.primary_key = Rails.application.credentials.dig(:active_record_encryption, :primary_key)
 
     # Please, add to the `ignore` list any other `lib` subdirectories that do
     # not contain `.rb` files, or that should not be reloaded or eager loaded.
@@ -38,7 +46,7 @@ class Application < Rails::Application
     # -- all .rb files in that directory are automatically loaded after loading
 
     config.action_mailer.notify_settings = {
-      api_key: Rails.application.secrets.notify_api_key || "fake-test-api-key",
+      api_key: Rails.application.credentials.notify_api_key || "fake-test-api-key",
     }
 
     # Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.