update to kamal 2

.env.example

@@ -11,8 +11,6 @@ APP_VERSION=dev
 # secrets
 
 KAMAL_REGISTRY_PASSWORD=redacted
-RAILS_MASTER_KEY=redacted
-POSTGRES_PASSWORD=redacted
 
 # pdf generation binary
 WKHTMLTOPDF_PATH=/usr/local/bin/wkhtmltopdf

.github/dependabot.yml

@@ -0,0 +1,12 @@
+version: 2
+updates:
+- package-ecosystem: bundler
+  directory: "/"
+  schedule:
+    interval: daily
+  open-pull-requests-limit: 10
+- package-ecosystem: github-actions
+  directory: "/"
+  schedule:
+    interval: daily
+  open-pull-requests-limit: 10

.github/workflows/ci.yml

@@ -27,7 +27,7 @@ jobs:
       - name: Install Ruby and gems
         uses: ruby/setup-ruby@v1
         with:
-          ruby-version: 3.3.5
+          ruby-version: .ruby-version
           bundler-cache: true
       - name: Set up database schema
         run: bin/rails db:schema:load
@@ -42,16 +42,18 @@ jobs:
       - name: Install Ruby and gems
         uses: ruby/setup-ruby@v1
         with:
-          ruby-version: 3.3.5
+          ruby-version: .ruby-version
           bundler-cache: true
       - name: Security audit dependencies
         run: bundle exec bundler-audit --update
       - name: Security audit
         run: bundle exec bundle audit
       - name: Security audit application code
         run: bin/brakeman -q -w2
+      - name: Scan for security vulnerabilities in JavaScript dependencies
+        run: bin/importmap audit
       - name: Lint Ruby files
-        run: bin/rubocop --parallel
+        run: bin/rubocop --parallel -f github
       - name: Install Hadolint
         run: |
           wget -O ./hadolint https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64
@@ -73,7 +75,7 @@ jobs:
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1
         with:
-          ruby-version: 3.3.5
+          ruby-version: .ruby-version
           bundler-cache: true
       - name: Set up Docker Buildx
         id: buildx
@@ -107,7 +109,6 @@ jobs:
     env:
       RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
       KAMAL_REGISTRY_PASSWORD: ${{ secrets.KAMAL_REGISTRY_PASSWORD }}
-      SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }}
       POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}
       APP_VERSION: ${{ github.ref_name }}
 
@@ -122,7 +123,5 @@ jobs:
       - uses: webfactory/[email protected]
         with:
           ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
-      - name: Env push command
-        run: bundle exec kamal env push
       - name: Deploy command
         run: bundle exec kamal deploy --skip-push --version ${{ github.ref_name }}

.github/workflows/kamal.yml

@@ -14,7 +14,6 @@ jobs:
     env:
       RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
       KAMAL_REGISTRY_PASSWORD: ${{ secrets.KAMAL_REGISTRY_PASSWORD }}
-      SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }}
       POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}
 
     steps:
@@ -26,6 +25,6 @@ jobs:
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1
         with:
-          ruby-version: 3.3.5
+          ruby-version: .ruby-version
       - name: Run KAMAL command
         run: ${{ github.event.inputs.command }}

.kamal/secrets

@@ -0,0 +1,19 @@
+# Secrets defined here are available for reference under registry/password, env/secret, builder/secrets,
+# and accessories/*/env/secret in config/deploy.yml. All secrets should be pulled from either
+# password manager, ENV, or a file. DO NOT ENTER RAW CREDENTIALS HERE! This file needs to be safe for git.
+
+# Example of extracting secrets from 1password (or another compatible pw manager)
+# SECRETS=$(kamal secrets fetch --adapter 1password --account your-account --from Vault/Item KAMAL_REGISTRY_PASSWORD RAILS_MASTER_KEY)
+# KAMAL_REGISTRY_PASSWORD=$(kamal secrets extract KAMAL_REGISTRY_PASSWORD ${SECRETS})
+# RAILS_MASTER_KEY=$(kamal secrets extract RAILS_MASTER_KEY ${SECRETS})
+
+# Use a GITHUB_TOKEN if private repositories are needed for the image
+# GITHUB_TOKEN=$(gh config get -h github.com oauth_token)
+
+# Grab the registry password from ENV
+KAMAL_REGISTRY_PASSWORD=$KAMAL_REGISTRY_PASSWORD
+POSTGRES_PASSWORD=$POSTGRES_PASSWORD
+APP_VERSION=$APP_VERSION
+
+# Improve security by using a password manager. Never check config/master.key into git!
+RAILS_MASTER_KEY=$RAILS_MASTER_KEY

Gemfile

@@ -76,7 +76,7 @@ group :development do
   gem 'brakeman', require: false
   gem 'bundle-audit', require: false
   gem 'htmlbeautifier'
-  gem 'kamal'
+  gem 'kamal', '~> 2.0'
   gem 'web-console'
 end
 

Gemfile.lock

@@ -149,10 +149,10 @@ GEM
     devise-i18n (1.12.1)
       devise (>= 4.9.0)
     docile (1.4.1)
-    dotenv (2.8.1)
-    dotenv-rails (2.8.1)
-      dotenv (= 2.8.1)
-      railties (>= 3.2)
+    dotenv (3.1.4)
+    dotenv-rails (3.1.4)
+      dotenv (= 3.1.4)
+      railties (>= 6.1)
     drb (2.2.1)
     dry-initializer (3.1.1)
     ed25519 (1.3.0)
@@ -175,7 +175,7 @@ GEM
     globalid (1.2.1)
       activesupport (>= 6.1)
     htmlbeautifier (1.4.3)
-    i18n (1.14.5)
+    i18n (1.14.6)
       concurrent-ruby (~> 1.0)
     image_processing (1.12.2)
       mini_magick (>= 4.9.5, < 5)
@@ -185,24 +185,24 @@ GEM
       activesupport (>= 6.0.0)
       railties (>= 6.0.0)
     io-console (0.7.2)
-    irb (1.14.0)
+    irb (1.14.1)
       rdoc (>= 4.0.0)
       reline (>= 0.4.2)
     jbuilder (2.12.0)
       actionview (>= 5.0.0)
       activesupport (>= 5.0.0)
     jmespath (1.6.2)
     json (2.7.2)
-    kamal (1.8.1)
+    kamal (2.0.0)
       activesupport (>= 7.0)
       base64 (~> 0.2)
       bcrypt_pbkdf (~> 1.0)
       concurrent-ruby (~> 1.2)
-      dotenv (~> 2.8)
+      dotenv (~> 3.1)
       ed25519 (~> 1.2)
       net-ssh (~> 7.0)
       sshkit (>= 1.23.0, < 2.0)
-      thor (~> 1.2)
+      thor (~> 1.3)
       zeitwerk (~> 2.5)
     kaminari (1.2.2)
       activesupport (>= 4.1.0)
@@ -220,7 +220,7 @@ GEM
       kaminari
       rails
     language_server-protocol (3.17.0.3)
-    logger (1.6.0)
+    logger (1.6.1)
     logtail (0.1.13)
       msgpack (~> 1.0)
     logtail-rack (0.2.5)
@@ -244,7 +244,7 @@ GEM
     matrix (0.4.2)
     mini_magick (4.13.0)
     mini_mime (1.1.5)
-    minitest (5.24.1)
+    minitest (5.25.1)
     mission_control-jobs (0.3.1)
       importmap-rails
       irb (~> 1.13)
@@ -280,6 +280,7 @@ GEM
     nokogiri (1.16.7-x86_64-linux)
       racc (~> 1.4)
     orm_adapter (0.5.0)
+    ostruct (0.6.0)
     parallel (1.26.3)
     parser (3.3.3.0)
       ast (~> 2.4.1)
@@ -292,7 +293,7 @@ GEM
     psych (5.1.2)
       stringio
     public_suffix (5.0.5)
-    puma (6.4.2)
+    puma (6.4.3)
       nio4r (~> 2.0)
     raabro (1.4.0)
     racc (1.8.1)
@@ -349,7 +350,7 @@ GEM
     redis-client (0.22.2)
       connection_pool
     regexp_parser (2.9.2)
-    reline (0.5.9)
+    reline (0.5.10)
       io-console (~> 0.5)
     responders (3.1.1)
       actionpack (>= 5.2)
@@ -445,16 +446,17 @@ GEM
     sqlite3 (1.7.3-x86-linux)
     sqlite3 (1.7.3-x86_64-darwin)
     sqlite3 (1.7.3-x86_64-linux)
-    sshkit (1.23.0)
+    sshkit (1.23.1)
       base64
       net-scp (>= 1.1.2)
       net-sftp (>= 2.1.2)
       net-ssh (>= 2.8.0)
+      ostruct
     stimulus-rails (1.3.3)
       railties (>= 6.0.0)
     stringio (3.1.1)
     strscan (3.1.0)
-    thor (1.3.1)
+    thor (1.3.2)
     tilt (2.3.0)
     timeout (0.4.1)
     turbo-rails (2.0.5)
@@ -471,7 +473,7 @@ GEM
       activemodel (>= 6.0.0)
       bindex (>= 0.4.0)
       railties (>= 6.0.0)
-    webrick (1.8.1)
+    webrick (1.8.2)
     websocket (1.2.10)
     websocket-driver (0.7.6)
       websocket-extensions (>= 0.1.0)
@@ -495,7 +497,7 @@ GEM
       anyway_config (>= 1.3, < 3)
       railties
       yabeda (~> 0.8)
-    zeitwerk (2.6.17)
+    zeitwerk (2.6.18)
 
 PLATFORMS
   aarch64-linux
@@ -523,7 +525,7 @@ DEPENDENCIES
   image_processing (~> 1.2)
   importmap-rails
   jbuilder
-  kamal
+  kamal (~> 2.0)
   kaminari
   kaminari-i18n
   logtail-rails (~> 0.2.7)

config/application.rb

@@ -29,12 +29,5 @@ class Application < Rails::Application
 
     config.i18n.default_locale = :it
     config.hosts = []
-    if Rails.env.production?
-      config.logger = Logtail::Logger.create_default_logger(
-        Rails.application.credentials.dig(
-          :vector, :rails_logs_token
-        )
-      )
-    end
   end
 end

config/credentials.yml.enc

@@ -1 +1 @@
-/K5V6jf8psjxWALA9phkzER3c/3aszNe6tfG8eCGSGFulMESSC6T3k6gQsGQvvQHzVv1u7KsNoGjd86ZW3shpWR5IaPPGF/HKqxhHgyZZF8dVrMRyOlhI/VaNCIWOIhXgq2uTZiw+4LWBaqKF+ecCpZxAdFZhBx8DMmXGfoPi2yXuF6zsL+zVnxsgsSTe1zhArFsSI119g1nGOa2DgKU1ScMh1o7viVtTOjtfb+zJ/g7RBHs3xXdOAR0Fy4g/JghwcwfeYbHH0PaWzN38bUFTijMpCAqoeD8+71iKIchTF8v6Q0Lg3X6cItOS57258WlvnpIzfW8N7mTZjiXz9MiqRTehW56aLzS1q5L+RqRIw3tNI0rc3NsDpLNIvT6l+SOFEwWhr/9tABWz+Z/+EcgPPl8PJZUwJuSar43kIHch0NEZIkq1ABa25t2W3qiOHJZJui5g0sGFhQA8F8cFfr+/hvjSvmMpnMQLnNZGeML7zpsKkaQZcAauaBqso1oltigY28ax7VCwd+a0lO2MiBXUde82LT4aOK0PavpSsaeM/KINIlfxL/+QL6AleyDYj5sFAKxtz9w1vXymGYwNZp8oC1BtVwQlelrsZq9Orlz/RhomF15J/pNrItkKz1mcvfwaqv4JsXTNxGiFDtNIo4d4aV7rbzdaqKLwZEpz8JwUzI+CbOX--CI1brbTk84ZXJ19+--KSyG1pYUx1cb6+LPcrsX6A==
+0jzAHU8ow9zF8PpcXF9uvHb1G4gMQnqaDND2rEdqpdKJYsWAVXDsvswNgIpHFgtk3Rrh18nLQhASM87NUXoflDuUB+Rie0v1UceAkJk+0Zus2z4r7+QYe/dnkFj6/8ytDk1aOe62P9ZuoX1arffDE5m2Okw3heGl71oD5S159gZCtsDK+uMzcKzF2Sj8cFpr7VsDyIDXYIA/EgNKEzFaryfdtFWEIcAzf3fUzJESmFdr/2wNPckWIHUMyO8FGkinh0kLcjql3YJ8nicnOP2G55545ddrJUhDo9vCFqmiuMrZjhqiDeuzyOjhZp6sK/DczmwUrvn4sF2Cmyl9olpx0sO2urlZJSyKsdNaEsRPhD+HJ2tA4XC551DKorr+uCFunHFZMeRauefKJFcnIKqMuFVPzdUW/Lar1JUncGsjWBLFmAz08BJmKnJEdatinlqdIA+uRQ75PEos3QMWbniF5HHaIyfLNPfnSc46AI2zmFsMCLKcPkBH2WJeTDpE50gqDT1G7CzwKbe3trPkhTXdQqffHLpX362YhZfW8cgfVbQS5PGFn8VKP9b4GyxIHUjKQc/ZzdlN0ZvH2Y+sz8D43QsiHwKKm3HYgOMepO7W2dQKeAc3be9hgbdYvdAJhUKpMcnnhzAif5z+i3fMEqSwOm/bdyqiWEIL60B+54x60J2QfqTdgo0x/mt27ZLx3vmGQbCEtK1/znA9SEVTUrbIpDZCBeQ9JQ5nHw==--GR9yMZHk6YurLTID--V1FXeATVLIMqP47eowGGbA==

config/database.yml

@@ -20,5 +20,4 @@ test:
 production:
   primary:
     <<: *default
-    password: <%= ENV.fetch('POSTGRES_PASSWORD', 'opengas') %>
-
+    password: <%= Rails.application.credentials.dig(:pg, :password) %>