Dependabot PRs fail

[JoeCohen]

Automated Dependabot PRs have been failing for a while with encryption errors. Example: #1427.
The same PRs work fine when I replicate them.
It would be nice if we could fix things so that the automated PRs passed.
This would let us simply merge the automated PRs instead of replicating them.

I Googled the problem with no useful results.
ChatGPT says:

The ActiveSupport::MessageEncryptor::InvalidMessage error can occur in a Rails application when the encrypted message that is being decrypted by the MessageEncryptor is invalid or has been tampered with.
This error can occur when upgrading dependencies using Dependabot if the new version of a dependency changes the way data is encrypted or decrypted, or if it introduces new security requirements.
To resolve this error, you may need to update your Rails application's encryption keys and secrets to match the new requirements. You can generate new encryption keys and secrets using the bin/rails secret command, and then update the corresponding configuration files in your application.
....[blah blahblah]

As of 2024-08-19, we get a different failure message:

You have changed in the Gemfile:
* mo_acts_as_versioned from
`https://github.com/MushroomObserver/acts_as_versioned` to
`https://github.com/MushroomObserver/acts_as_versioned/`

I hope I fixed that #2323, but the fix may not take effect until bundle install changes Gemfile.lock:

You are trying to install in deployment mode after changing
your Gemfile. Run `bundle install` elsewhere and add the
updated Gemfile.lock to version control.

See https://github.com/MushroomObserver/mushroom-observer/actions/runs/10458112849/job/28965873623?pr=2321

[nimmolo]

Thanks Joe - seems like that fixed it?

[JoeCohen]

I don't think so. I replicated (actually superclassed) the Dependabot PR as my own. AFter my PR was merged, Dependabot was smart enough to recognize that it no longer needed to bump rack, so it closed its own PR. But I think we'll see the same issue the next time there's a Dependabot PR. It's not a big problem. And it's probably easier to just keep doing this than to update our encryption and secrets -- which might not work.

…

On Thu, Mar 16, 2023 at 11:59 AM andrew nimmo ***@***.***> wrote: Thanks Joe - seems like that fixed it? — Reply to this email directly, view it on GitHub <#1428 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAALDFA7USZKBQEHQODBP63W4NPIRANCNFSM6AAAAAAV5FK2OE> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[JoeCohen]

Will adding a .github/dependabot.yml file fix the problem?
See https://github.com/rails/rails/pull/50508/files

[nimmolo]

No idea, but it seems like it’s worth a try. If it’s about encryption it probably isn’t finding a master.key, so it sounds like the dependabot.yml needs to have the master.key hardcoded. I just found this, it may help. dependabot/dependabot-core#5464

…

On Jan 5, 2024, at 3:07 PM, Joseph D. Cohen ***@***.***> wrote: Will adding a .github/dependabot.yml file fix the problem? See https://github.com/rails/rails/pull/50508/files <https://github.com/rails/rails/pull/50508/files> — Reply to this email directly, view it on GitHub <#1428 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAO3TP37ST3RQP3OIHERJO3YNCBUFAVCNFSM6AAAAAAV5FK2OGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQNZZGM3DGOBUGU>. You are receiving this because you commented.

[nimmolo]

Re: previous link. It seems GitHub CI has a page for “Dependabot Secrets” That’s where we probably need to add it.

…

On Jan 5, 2024, at 3:52 PM, nimmo ***@***.***> wrote: No idea, but it seems like it’s worth a try. If it’s about encryption it probably isn’t finding a master.key, so it sounds like the dependabot.yml needs to have the master.key hardcoded. I just found this, it may help. dependabot/dependabot-core#5464 <dependabot/dependabot-core#5464> > On Jan 5, 2024, at 3:07 PM, Joseph D. Cohen ***@***.***> wrote: > > > Will adding a .github/dependabot.yml file fix the problem? > See https://github.com/rails/rails/pull/50508/files <https://github.com/rails/rails/pull/50508/files> > — > Reply to this email directly, view it on GitHub <#1428 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAO3TP37ST3RQP3OIHERJO3YNCBUFAVCNFSM6AAAAAAV5FK2OGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQNZZGM3DGOBUGU>. > You are receiving this because you commented. >

[nimmolo]

I just added the master key, using the same name as in Secrets/Actions/"Repository Secrets” — RAILS_MASTER_KEY. This may be all we need, but I didn’t read the whole thread. I don’t know if the name matters. The thread author says "I've adapted all my Actions to call dependabot secrets”, presumably instead of Actions secrets?

…

On Jan 5, 2024, at 4:06 PM, nimmo ***@***.***> wrote: Re: previous link. It seems GitHub CI has a page for “Dependabot Secrets” That’s where we probably need to add it. <185335811-18c9534c-b46b-402c-8b38-0aca9025302c.png> > On Jan 5, 2024, at 3:52 PM, nimmo ***@***.*** ***@***.***>> wrote: > > No idea, but it seems like it’s worth a try. > If it’s about encryption it probably isn’t finding a master.key, so it sounds like the dependabot.yml needs to have the master.key hardcoded. > > I just found this, it may help. > dependabot/dependabot-core#5464 <dependabot/dependabot-core#5464> > >> On Jan 5, 2024, at 3:07 PM, Joseph D. Cohen ***@***.*** ***@***.***>> wrote: >> >> >> Will adding a .github/dependabot.yml file fix the problem? >> See https://github.com/rails/rails/pull/50508/files <https://github.com/rails/rails/pull/50508/files> >> — >> Reply to this email directly, view it on GitHub <#1428 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAO3TP37ST3RQP3OIHERJO3YNCBUFAVCNFSM6AAAAAAV5FK2OGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQNZZGM3DGOBUGU>. >> You are receiving this because you commented. >> >

[nimmolo]

To be clear, I added the key to Secrets/Dependabot/“Repository Secrets” More on the pros and cons of doing this: web-platform-tests/wpt.fyi#2928 https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

…

On Jan 5, 2024, at 4:12 PM, nimmo ***@***.***> wrote: I just added the master key, using the same name as in Secrets/Actions/"Repository Secrets” — RAILS_MASTER_KEY. This may be all we need, but I didn’t read the whole thread. I don’t know if the name matters. The thread author says "I've adapted all my Actions to call dependabot secrets”, presumably instead of Actions secrets? > On Jan 5, 2024, at 4:06 PM, nimmo ***@***.*** ***@***.***>> wrote: > > Re: previous link. It seems GitHub CI has a page for “Dependabot Secrets” > > That’s where we probably need to add it. > > <185335811-18c9534c-b46b-402c-8b38-0aca9025302c.png> > >> On Jan 5, 2024, at 3:52 PM, nimmo ***@***.*** ***@***.***>> wrote: >> >> No idea, but it seems like it’s worth a try. >> If it’s about encryption it probably isn’t finding a master.key, so it sounds like the dependabot.yml needs to have the master.key hardcoded. >> >> I just found this, it may help. >> dependabot/dependabot-core#5464 <dependabot/dependabot-core#5464> >> >>> On Jan 5, 2024, at 3:07 PM, Joseph D. Cohen ***@***.*** ***@***.***>> wrote: >>> >>> >>> Will adding a .github/dependabot.yml file fix the problem? >>> See https://github.com/rails/rails/pull/50508/files <https://github.com/rails/rails/pull/50508/files> >>> — >>> Reply to this email directly, view it on GitHub <#1428 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAO3TP37ST3RQP3OIHERJO3YNCBUFAVCNFSM6AAAAAAV5FK2OGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQNZZGM3DGOBUGU>. >>> You are receiving this because you commented. >>> >> >

[JoeCohen]

Closing this. Dependabot PR #2330 passed in CI.
It appears that the combination of #2323 + a later Gemfile.lock update enables Dependabot PRs to pass CI.