Specify secret file path as env var

Author: MasterKale

.github/workflows/unit_test.yml

@@ -11,7 +11,7 @@ jobs:
 
     runs-on: ubuntu-latest
     env:
-      DJANGO_SECRET_KEY: for-testing-only
+      DJANGO_SECRET_KEY_FILE: ${{ runner.temp }}/django_secret_key
     strategy:
       matrix:
         python-version: ['3.10']
@@ -32,8 +32,7 @@ jobs:
     steps:
     - name: Write Docker-secrets-like file for CI
       run: |
-        mkdir -p /run/secrets && touch /run/secrets/django_secret_key
-        echo "for-testing-only" > /run/secrets/django_secret_key
+        echo "for-testing-only" > $DJANGO_SECRET_KEY_FILE
 
     - uses: actions/checkout@v5
 

Dockerfile

@@ -20,4 +20,5 @@ WORKDIR /usr/src/app
 RUN uv sync --locked
 
 # Collect static files
-RUN --mount=type=secret,id=django_secret_key,required=true uv run python manage.py collectstatic --no-input
+RUN --mount=type=secret,id=django_secret_key,required=true \
+DJANGO_SECRET_KEY_FILE=/run/secrets/django_secret_key uv run python manage.py collectstatic --no-input

_app/webauthnio/settings.py

@@ -4,9 +4,13 @@
 # Build paths inside the project like this: BASE_DIR / 'subdir'.
 BASE_DIR = Path(__file__).resolve().parent.parent
 
-# Read the secret from the file that Docker injects
-# (see https://docs.docker.com/reference/compose-file/build/#secrets)
-_secret_key_file = open("/run/secrets/django_secret_key", "r")
+# Get path to the file containing the secret (this is a Docker-specific method)
+_secret_key_file_path = os.getenv("DJANGO_SECRET_KEY_FILE")
+if not _secret_key_file_path:
+    raise Exception("DJANGO_SECRET_KEY_FILE must be a file path string")
+
+# Read the secret from the file
+_secret_key_file = open(_secret_key_file_path, "r")
 SECRET_KEY = _secret_key_file.read()
 _secret_key_file.close()
 

docker-compose.yml

@@ -46,6 +46,7 @@ services:
       - django_secret_key
     environment:
       - PYTHONUNBUFFERED=0
+      - DJANGO_SECRET_KEY_FILE=/run/secrets/django_secret_key
       - PROD_HOST_NAME
       - PROD_CSRF_ORIGIN
       - RP_ID