Migrate from secrets to credentials #3256

Open
lomky opened this issue Aug 15, 2024 · 2 comments

lomky commented Aug 15, 2024

Thanks for creating an issue! Please fill out this form so we can be sure to have all the information we need, and to minimize back and forth.

  • What are we trying to do?

Right now we use the (quite old) style secrets file. Let's move over to using the new-style configs/credentials/ files.

  • What feature or behavior is this required for?

Keeping up with Rails Norms

  • How could we solve this issue? (Not knowing is okay!)

After a bit of research, let's follow the per-env key migration route. That best matches our current setup.

This article has a good step by step.

Development & Test

  • create a development.key & test.key
  • run the rails commands to set up each of their credential files
  • remove the secrets file & update the .gitignore
  • replace any reference to Rails.application.secrets with Rails.application.credentials
  • commit these keys, creds, and code changes to the repo
  • confirm the app still runs successfully locally
    • via docker
    • via bare-metal install
    • in test runs

Production

Either @colinxfleming or @lomky should handle this.

  • generate the production.key
  • run the rails commands to set up its corresponding credential file
  • commit only the credential file to the repo
  • in Heroku, set RAILS_MASTER_KEY to the production key
  • confirm functionality in Sandbox
  • release to production

Final cleanup

  • delete the old secrets file
  • Anything else?

S/o to the work done in #3128 & #3220 for kicking this off!
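
The checklist in the issue body above can be checked mechanically before release. The Ruby audit below is an added example, not code from this project; it assumes Rails' default paths (`config/credentials/<env>.yml.enc`, `config/credentials/<env>.key`, legacy `config/secrets.yml`), and the sample file list and sources are constructed.

```ruby
# Added example: audits a repository state against the checklist in this issue.
# Paths assume Rails' default layout; adjust them if the project differs.
CRED_DIR = "config/credentials"
LEGACY_SECRETS = "config/secrets.yml"        # assumed path of the legacy secrets file
COMMITTED_KEY_ENVS = %w[development test]    # per the issue, these keys are committed
ALL_ENVS = COMMITTED_KEY_ENVS + %w[production]
SECRETS_CALL = /Rails\.application\.secrets\b/

# tracked: array of paths as printed by `git ls-files`
# sources: hash of path => file contents for the Ruby files to scan
# Returns an array of findings; an empty array means the checklist holds.
def audit_credentials_migration(tracked, sources)
  findings = []
  tracked = tracked.map(&:strip)
  ALL_ENVS.each do |env|
    enc = "#{CRED_DIR}/#{env}.yml.enc"
    findings << "missing encrypted credentials: #{enc}" unless tracked.include?(enc)
  end
  COMMITTED_KEY_ENVS.each do |env|
    key = "#{CRED_DIR}/#{env}.key"
    findings << "expected committed key not tracked: #{key}" unless tracked.include?(key)
  end
  prod_key = "#{CRED_DIR}/production.key"
  findings << "production key is tracked by git: #{prod_key}" if tracked.include?(prod_key)
  findings << "legacy secrets file still tracked: #{LEGACY_SECRETS}" if tracked.include?(LEGACY_SECRETS)
  sources.each do |path, body|
    body.each_line.with_index(1) do |line, no|
      next if line.lstrip.start_with?("#") # skip commented-out Ruby
      findings << "#{path}:#{no} still reads Rails.application.secrets" if line.match?(SECRETS_CALL)
    end
  end
  findings
end

# Constructed sample input (not taken from the project's repository).
SAMPLE_TRACKED = %w[
  config/credentials/development.yml.enc config/credentials/development.key
  config/credentials/test.yml.enc config/credentials/test.key
  config/credentials/production.yml.enc config/credentials/production.key
  config/secrets.yml
]
SAMPLE_SOURCES = {
  "config/initializers/devise.rb" => "config.secret_key = Rails.application.secrets.secret_key_base\n",
  "config/initializers/mailer.rb" => "key = Rails.application.credentials.mailer_key\n"
}
puts audit_credentials_migration(SAMPLE_TRACKED, SAMPLE_SOURCES)
```

In CI, `tracked` would come from `git ls-files` and `sources` from the application's Ruby files, with a non-empty result failing the build.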

@colinxfleming

I think there's a second strategic point here, which is to make a new environment for sandbox that duplicates production, so we can have a different key file. I'll commit to dealing with this shortly.

colinxfleming self-assigned this Dec 1, 2024

@colinxfleming

I'm shocked this is the first time I've done this on this project, but I accidentally pushed straight to main instead of a branch, ha. The commit setting up the ability to use a staging environment is in f70d634 and I'll move our actual staging environment to use that later. Should be a noop more generally.
