Resolving merge conflicts in Rails Encrypted Credentials
I wanted to post my current workflow for resolving merge conflicts in Rails Encrypted Credentials. Because these files are encrypted, git has trouble working out merge conflicts in them. Maybe this will be useful to someone, or maybe someone else has an even better way of doing this that they can tell me about.
git checkout master
touch master_credentials.yml
rails credentials:show > master_credentials.yml
git checkout mybranch
touch branch_credentials.yml
rails credentials:show > branch_credentials.yml
cp master_credentials.yml proposed_master_credentials.yml
diff master_credentials.yml branch_credentials.yml
Make edits to proposed_master_credentials.yml, addressing the diffs until you are satisfied with it. Save this file. Copy the content of the file to your clipboard. Now we can rebase our current git branch onto master.
git rebase master
> CONFLICT (content): Merge conflict in config/credentials.yml.enc
Yep, so there’s our merge conflict again. Git has written conflict markers into the encrypted file, which breaks our ability to decrypt it, so we need to restore the file first.
git restore --staged config/credentials.yml.enc
git restore config/credentials.yml.enc
rails credentials:edit
Remove the contents of this file and paste in the contents of your clipboard. Save the file.
git add config/credentials.yml.enc
git rebase --continue
Sanity check to make sure only the lines you’ve added are different and you didn’t accidentally blow away a bunch of secrets.
git diff master config/credentials.yml.enc
Push it back up to your remote.
git push --force origin mybranch
Clean up so you don’t have secrets left in plaintext on your computer.
rm master_credentials.yml
rm branch_credentials.yml
rm proposed_master_credentials.yml
This works, but it is clunky. It is also problematic because you might mess up a conflict resolution and end up deleting some important keys off prod, and there isn’t a good way for a code reviewer to catch this. From a security standpoint, I don’t like copying these secrets to temporary files in plaintext on my computer. But for resolving a complex merge conflict in the encrypted credentials file, this is the best thing I’ve been able to come up with. If anyone out there has a better way to do this, please let me know.
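One way to catch keys dropped during the manual resolution without displaying any secret values, as an added example that is not part of the original post: it compares only the key paths of the three decrypted YAML documents. The helper names `key_paths` and `audit_merge` and the sample data are hypothetical.

```ruby
require "yaml"
require "set"

# Flatten nested credentials into dotted key paths. Values are discarded,
# so no secret is printed or compared by content.
def key_paths(node, prefix = nil)
  return (prefix ? Set[prefix] : Set.new) unless node.is_a?(Hash) && !node.empty?
  node.each_with_object(Set.new) do |(key, value), paths|
    paths.merge(key_paths(value, [prefix, key].compact.join(".")))
  end
end

# Compare the resolved file against both parents (hypothetical helper).
# dropped:    keys on master or the branch that the resolution lost
# unexpected: keys in the resolution that neither parent has (typos)
def audit_merge(master_yaml, branch_yaml, merged_yaml)
  master, branch, merged = [master_yaml, branch_yaml, merged_yaml].map do |text|
    key_paths(YAML.safe_load(text, aliases: true))
  end
  parents = master | branch
  { dropped: (parents - merged).sort, unexpected: (merged - parents).sort }
end

# Constructed sample data; every value is a placeholder, not a real secret.
MASTER = <<~YAML
  aws:
    access_key_id: placeholder-1
    secret_access_key: placeholder-2
  stripe:
    api_key: placeholder-3
YAML
BRANCH = <<~YAML
  aws:
    access_key_id: placeholder-1
    secret_access_key: placeholder-2
  sendgrid:
    api_key: placeholder-4
YAML
# A resolution that kept the new sendgrid key but lost two existing ones.
MERGED = <<~YAML
  aws:
    access_key_id: placeholder-1
  sendgrid:
    api_key: placeholder-4
YAML

p audit_merge(MASTER, BRANCH, MERGED) if __FILE__ == $PROGRAM_NAME
```

In the workflow above, the three inputs would be the contents of master_credentials.yml, branch_credentials.yml and proposed_master_credentials.yml. A key deliberately deleted on the branch also appears under `dropped`, so the list is a prompt for review rather than a verdict.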