Skip to content
  • Jonathan Hefner's avatar
    772c4627
    Save encrypted config even if YAML is invalid · 772c4627
    Jonathan Hefner authored 
    In #30893, the `credentials:edit` command was changed to prevent saving
invalid YAML:

  ```yaml
  # some_invalid_yaml.yml
  secret_key_base: ...
  - new_key: new value
  ```

  ```console
  $ EDITOR='cp some_invalid_yaml.yml' bin/rails credentials:edit
  ruby-3.1.2/lib/ruby/3.1.0/psych.rb:455:in `parse': (<unknown>): did not find expected key while parsing a block mapping at line 3 column 1 (Psych::SyntaxError)

  $ bin/rails credentials:show
  secret_key_base: ...
  ```

However, throwing away user input is not ideal.  Such behavior can be
particularly troublesome when copying secrets from ephemeral sources.

This commit changes the `credentials:edit` command to always save user
input, and display a helpful warning when saving invalid YAML:

  ```console
  $ EDITOR='cp some_invalid_yaml.yml' bin/rails credentials:edit
  File encrypted and saved.
  WARNING: Invalid YAML in '/path/to/app/config/credentials.yml.enc'.

    (/path/to/app/config/credentials.yml.enc): did not find expected key while parsing a block mapping at line 3 column 1

  Your application will not be able to load 'config/credentials.yml.enc' until the error has been fixed.

  $ bin/rails credentials:show
  # some_invalid_yaml.yml
  secret_key_base: ...
  - new_key: new value
  ```

This commit also applies the same fix to the `encrypted:edit` command.
    772c4627
    Save encrypted config even if YAML is invalid
    Jonathan Hefner authored 
    In #30893, the `credentials:edit` command was changed to prevent saving
invalid YAML:

  ```yaml
  # some_invalid_yaml.yml
  secret_key_base: ...
  - new_key: new value
  ```

  ```console
  $ EDITOR='cp some_invalid_yaml.yml' bin/rails credentials:edit
  ruby-3.1.2/lib/ruby/3.1.0/psych.rb:455:in `parse': (<unknown>): did not find expected key while parsing a block mapping at line 3 column 1 (Psych::SyntaxError)

  $ bin/rails credentials:show
  secret_key_base: ...
  ```

However, throwing away user input is not ideal.  Such behavior can be
particularly troublesome when copying secrets from ephemeral sources.

This commit changes the `credentials:edit` command to always save user
input, and display a helpful warning when saving invalid YAML:

  ```console
  $ EDITOR='cp some_invalid_yaml.yml' bin/rails credentials:edit
  File encrypted and saved.
  WARNING: Invalid YAML in '/path/to/app/config/credentials.yml.enc'.

    (/path/to/app/config/credentials.yml.enc): did not find expected key while parsing a block mapping at line 3 column 1

  Your application will not be able to load 'config/credentials.yml.enc' until the error has been fixed.

  $ bin/rails credentials:show
  # some_invalid_yaml.yml
  secret_key_base: ...
  - new_key: new value
  ```

This commit also applies the same fix to the `encrypted:edit` command.