Update licence public key

[AbanoubGhadban]

Summary

Remove this paragraph and provide a general description of the code changes in your pull
request... were there any bugs you had fixed? If so, mention them. If
these bugs have open GitHub issues, be sure to tag them here as well,
to keep the conversation linked together.

Pull Request checklist

Remove this line after checking all the items here. If the item is not applicable to the PR, both check it out and wrap it by ~.

• Add/update test to cover these changes
• Update documentation
• Update CHANGELOG file

Add the CHANGELOG entry at the top of the file.

Other Information

Remove this paragraph and mention any other important and relevant information such as benchmarks.

---

This change is 

Summary by CodeRabbit

• Chores
  • Updated CI/CD workflows with refreshed security credentials across multiple jobs
  • Enhanced test infrastructure stability by increasing timeout thresholds for E2E tests
  • Rotated license validation keys to maintain security compliance

[coderabbitai]

Walkthrough

License key rotation applied across the React on Rails Pro codebase: updated GitHub Actions workflows to reference REACT_ON_RAILS_PRO_LICENSE_V2 secret, rotated RSA public key constants in Ruby and TypeScript license verification modules, and extended Rails startup timeout from 60 to 300 seconds in E2E test workflows.

Changes

Cohort / File(s)	Summary
GitHub Actions workflow secret updates .github/workflows/pro-integration-tests.yml, pro-lint.yml, pro-package-tests.yml	Updated environment variable references from REACT_ON_RAILS_PRO_LICENSE to REACT_ON_RAILS_PRO_LICENSE_V2 across build, test, and lint jobs; increased Rails server startup timeout from 60s to 300s in E2E test workflow
License public key rotation react_on_rails_pro/lib/react_on_rails_pro/license_public_key.rb, react_on_rails_pro/packages/node-renderer/src/shared/licensePublicKey.ts	Updated RSA public key constants in Ruby and TypeScript modules with new key material; surrounding structure and declarations remain unchanged

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Key areas requiring extra attention:
  • Verify the new RSA public keys in both Ruby and TypeScript files are identical/compatible and legitimately rotate from previous versions
  • Confirm that the new REACT_ON_RAILS_PRO_LICENSE_V2 secrets are correctly provisioned in GitHub repository settings
  • Validate the rationale for increasing Rails startup timeout from 60s to 300s in E2E tests

Possibly related PRs

• Migrate React on Rails Pro CI from CircleCI to GitHub Actions #1872: Introduces the GitHub Actions workflow files (pro-integration-tests.yml, pro-lint.yml, pro-package-tests.yml) that are now being updated with secret references and timeout adjustments in this PR.

Suggested reviewers

• Judahmeek

Poem

🔑 Old keys retire, new keys shine bright,
License rotation keeps the system right,
From Ruby to TypeScript, secrets align,
Workflows updated, more time to unwind,
The rabbit hops forward with keys in hand! 🐰

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Update licence public key' directly aligns with the main changes: rotating RSA public keys in license files, updating secrets references, and extending timeout values.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch update-licence-public-key

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[claude]

PR Review: Update licence public key

Summary

This PR updates the RSA public key used for React on Rails Pro license verification across both the Ruby gem and Node.js package, and updates GitHub Actions workflows to use a new license secret (REACT_ON_RAILS_PRO_LICENSE_V2).

---

Code Quality & Best Practices

Strengths:

• ✅ Consistent updates: The public key is updated in both Ruby (license_public_key.rb) and TypeScript (licensePublicKey.ts) files, maintaining consistency across the stack
• ✅ Automated tooling exists: The react_on_rails_pro:update_public_key rake task appears to have been used correctly for generating these changes
• ✅ Security-conscious: Public key rotation is a good security practice for cryptographic systems
• ✅ Gemfile.lock updates: Dependencies were properly updated (Shakapacker 8.0.0 → 9.3.0, which aligns with the latest configuration)

Areas for Improvement:

• ⚠️ Missing PR description: The template text was not replaced with actual details about WHY the public key needed rotation
• ⚠️ Checklist incomplete: All checklist items are unchecked, including critical ones like tests and CHANGELOG

---

Security Concerns

Critical Questions:

1. Key rotation justification: What prompted this public key update? Was the old private key compromised, or is this routine rotation?
2. Existing licenses compatibility: This change will invalidate all existing licenses signed with the old private key. Have all active license holders been re-issued licenses signed with the new private key?
3. Secret coordination: The GitHub Actions secret REACT_ON_RAILS_PRO_LICENSE_V2 must contain a license signed with the NEW private key. Has this been verified?

Security Best Practices:

• ✅ The JWT verification uses verify_signature: true and hardcoded algorithm: "RS256" (per license_validator.rb:141-147), which prevents algorithm substitution attacks
• ✅ RSA-2048 key size is adequate for current security standards
• ⚠️ Deployment coordination required: This change needs careful coordination between:
  • Deploying the new public key to production
  • Ensuring the new private key is active on the license generation server
  • Updating all CI/CD secrets

---

Potential Bugs & Issues

High Priority:

1. CI will fail if secrets aren't updated: The workflow changes reference REACT_ON_RAILS_PRO_LICENSE_V2, but if this secret doesn't exist or contains a license signed with the old key, ALL Pro CI jobs will fail
2. Backwards compatibility: There's no grace period mechanism to accept licenses signed with either old or new keys during transition

Recommendation:

• Verify REACT_ON_RAILS_PRO_LICENSE_V2 secret exists in GitHub repository settings
• Consider a phased approach: temporarily support both keys during transition period

---

Test Coverage

Concerns:

• ❌ No new tests added: While existing tests in license_validator_spec.rb use a dynamically generated test key (line 7-13), there are no tests verifying:
  • The actual public key format is valid
  • The public key successfully decodes a real license
  • Both Ruby and TypeScript keys are identical

Recommended Tests:

# Add to license_validator_spec.rb
describe "public key validation" do
  it "has a valid RSA public key" do
    expect(ReactOnRailsPro::LicensePublicKey::KEY).to be_a(OpenSSL::PKey::RSA)
    expect(ReactOnRailsPro::LicensePublicKey::KEY.public?).to be true
  end
  
  it "has 2048-bit key size" do
    key_size = ReactOnRailsPro::LicensePublicKey::KEY.n.num_bits
    expect(key_size).to eq(2048)
  end
end

---

Performance Considerations

• ✅ No performance impact - public key is loaded once and cached
• ✅ RSA-2048 verification performance is acceptable for license validation

---

CHANGELOG Requirements

According to CLAUDE.md, this change does NOT require a CHANGELOG entry because:

• This is an internal infrastructure/security update
• No user-facing features or bug fixes
• Not a breaking change from the user's perspective (licenses are re-issued server-side)

However, if existing users need to take action (get new licenses), a CHANGELOG entry would be appropriate.

---

Action Items

Before Merging:

1. ✅ Fill out PR description explaining:
   • Why the key rotation was necessary
   • Confirmation that all active licenses have been re-issued
   • Verification that REACT_ON_RAILS_PRO_LICENSE_V2 secret is configured correctly
2. ✅ Verify secrets: Check that REACT_ON_RAILS_PRO_LICENSE_V2 exists and contains a valid license signed with the NEW private key
3. ✅ Add basic validation tests to ensure the public key is properly formatted
4. ✅ Consider CHANGELOG: If users need new licenses, document this
5. ✅ Test CI: Verify at least one CI job runs successfully with the new secret

Post-Merge:

• Monitor CI for any license validation failures
• Have rollback plan ready (revert commit + restore old secret)

---

Overall Assessment

Risk Level: 🟡 Medium-High

This is a straightforward but critical security infrastructure change. The code changes themselves are correct, but the coordination between private key, public key, issued licenses, and CI secrets is complex and error-prone.

Recommendation: Approve with conditions - ensure all action items above are addressed, particularly verification of the GitHub secret and coordination of license re-issuance.

---

Review generated following repository guidelines in CLAUDE.md

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

react_on_rails_pro/lib/react_on_rails_pro/license_public_key.rb (1)

8-8: Consider updating the timestamp comment.

The "Last updated" date (2025-10-09) predates this PR by about a month. If this represents when the key was rotated into the codebase, consider updating it to reflect the actual update date.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ad7c916 and 20ac2c6.

⛔ Files ignored due to path filters (1)

• react_on_rails_pro/spec/dummy/Gemfile.lock is excluded by !**/*.lock

📒 Files selected for processing (5)

• .github/workflows/pro-integration-tests.yml (3 hunks)
• .github/workflows/pro-lint.yml (1 hunks)
• .github/workflows/pro-package-tests.yml (3 hunks)
• react_on_rails_pro/lib/react_on_rails_pro/license_public_key.rb (1 hunks)
• react_on_rails_pro/packages/node-renderer/src/shared/licensePublicKey.ts (1 hunks)

🧰 Additional context used

🧠 Learnings (3)

📓 Common learnings

Learnt from: AbanoubGhadban
Repo: shakacode/react_on_rails PR: 1875
File: lib/react_on_rails/utils.rb:112-124
Timestamp: 2025-10-23T17:22:01.074Z
Learning: In React on Rails, when Pro is installed but not licensed, the intended behavior is to raise an error on boot. The `react_on_rails_pro?` method validates licenses and should raise errors early (including during path resolution in methods like `server_bundle?`) to enforce licensing requirements rather than failing later with obscure errors.

Learnt from: AbanoubGhadban
Repo: shakacode/react_on_rails PR: 1781
File: node_package/src/ClientSideRenderer.ts:82-95
Timestamp: 2025-09-15T21:24:48.207Z
Learning: In React on Rails, the force_load feature includes both explicit `data-force-load="true"` usage and the ability to hydrate components during the page loading state (`document.readyState === 'loading'`). Both capabilities require a Pro license, so the condition `!railsContext.rorPro && (isComponentForceLoaded || document.readyState === 'loading')` correctly gates both scenarios.

📚 Learning: 2025-04-26T21:55:55.874Z

Learnt from: alexeyr-ci2
Repo: shakacode/react_on_rails PR: 1732
File: spec/dummy/client/app-react16/startup/ReduxSharedStoreApp.client.jsx:40-44
Timestamp: 2025-04-26T21:55:55.874Z
Learning: In the react_on_rails project, files under `app-react16` directories are copied/moved to corresponding `/app` directories during the conversion process (removing the `-react16` suffix), which affects their relative import paths at runtime.

Applied to files:

• .github/workflows/pro-integration-tests.yml

📚 Learning: 2025-10-23T17:22:01.074Z

Learnt from: AbanoubGhadban
Repo: shakacode/react_on_rails PR: 1875
File: lib/react_on_rails/utils.rb:112-124
Timestamp: 2025-10-23T17:22:01.074Z
Learning: In React on Rails, when Pro is installed but not licensed, the intended behavior is to raise an error on boot. The `react_on_rails_pro?` method validates licenses and should raise errors early (including during path resolution in methods like `server_bundle?`) to enforce licensing requirements rather than failing later with obscure errors.

Applied to files:

• react_on_rails_pro/lib/react_on_rails_pro/license_public_key.rb

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: build-dummy-app-webpack-test-bundles
• GitHub Check: build
• GitHub Check: lint-js-and-ruby
• GitHub Check: build-dummy-app-webpack-test-bundles
• GitHub Check: claude-review

🔇 Additional comments (6)

.github/workflows/pro-lint.yml (1)

39-39: LGTM! Secret rotation applied consistently.

The update to use REACT_ON_RAILS_PRO_LICENSE_V2 aligns with the license key rotation across the repository.

.github/workflows/pro-package-tests.yml (1)

40-40: LGTM! Consistent secret rotation across all jobs.

All three jobs (build-dummy-app-webpack-test-bundles, package-js-tests, and rspec-package-specs) correctly reference the updated REACT_ON_RAILS_PRO_LICENSE_V2 secret.

Also applies to: 141-141, 214-214

react_on_rails_pro/packages/node-renderer/src/shared/licensePublicKey.ts (1)

12-18: Public key rotation looks correct.

The TypeScript public key has been updated consistently with the Ruby version. The verification script in the previous file will confirm they match exactly.

.github/workflows/pro-integration-tests.yml (2)

40-40: LGTM! Secret rotation applied across all integration test jobs.

All three jobs (build-dummy-app-webpack-test-bundles, rspec-dummy-app-node-renderer, and dummy-app-node-renderer-e2e-tests) correctly reference the updated REACT_ON_RAILS_PRO_LICENSE_V2 secret.

Also applies to: 130-130, 310-310

---

436-436: Clarify the timeout increase rationale.

The Rails server startup timeout has been increased from 60 to 300 seconds (5x increase) in the E2E test job. This seems unrelated to the license key rotation. Can you clarify:

1. Was this change intentional or accidentally bundled?
2. If intentional, what issue does it address?
3. Should the timeout in the rspec-dummy-app-node-renderer job (line 245) also be increased for consistency?

react_on_rails_pro/lib/react_on_rails_pro/license_public_key.rb (1)

20-26: Public key rotation verified and consistent across both implementations.

The new RSA public key is properly formatted and matches between the Ruby and TypeScript versions, confirming the key rotation is complete and synchronized.

[AbanoubGhadban]

I just updated the secret name, I don't need to change the licence and at the old secret and PRs that use it have a failure on CI