CP-11565 - Update webhook secret to load for new accounts #49
bernardodsanderson merged 7 commits into main
Conversation
@bernardodsanderson:
@ryanarakawa - The actual secret is in AWS, so I think we're safe. What do you think, @mikhael-rakauskas?
Load dotenv in development for environment variable access
Removed default URL for CareerPlug webhook configuration to force explicit setting of the required environment variable.
| export SECURED_STORAGE_BUCKET=$(echo "$SECRET_JSON" | jq -r '.secured_storage_bucket') | ||
| export SECURED_STORAGE_REGION=$(echo "$SECRET_JSON" | jq -r '.secured_storage_region') | ||
| export ENCRYPTION_SECRET=$(echo "$SECRET_JSON" | jq -r '.ENCRYPTION_SECRET // empty') | ||
| export CAREERPLUG_WEBHOOK_SECRET=$(echo "$SECRET_JSON" | jq -r '.CAREERPLUG_WEBHOOK_SECRET // empty') |
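Review bot: the `SECURED_STORAGE_BUCKET` and `SECURED_STORAGE_REGION` exports use plain `jq -r '.key'`, which prints the literal string `null` when the key is absent from `SECRET_JSON`, while the two new lines use `// empty` and export an empty value instead; for consistency with the "only append when provided" handling, add `// empty` to the first two as well so a missing key can never reach the environment as the string `null`.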
add CAREERPLUG_WEBHOOK_URL?
app/models/account.rb (Outdated)
| validates :external_account_id, uniqueness: true, allow_nil: true | ||
| after_create :create_careerplug_webhook |
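Review bot: `after_create :create_careerplug_webhook` runs inside the account's database transaction, so the external webhook call is made before the row is committed and the remote webhook survives if the transaction is later rolled back; `after_commit :create_careerplug_webhook, on: :create`, as suggested in the thread, defers the side effect until the commit has actually happened.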
Should we change this to after_commit? So if there's some error in the account creation we don't have a random webhook hanging around?
after_commit :create_careerplug_webhook, on: :create
Read CAREERPLUG_WEBHOOK_SECRET and CAREERPLUG_WEBHOOK_URL from SECRET_JSON and write them to .env.production and .env.staging across all start scripts; remove old vars with a single regex and only append the new vars when provided
This ensures that CareerPlug webhooks are only created after the account transaction has been successfully committed to the database. This prevents orphaned webhook records if account creation fails or is rolled back. The change improves data consistency and follows Rails best practices for callbacks that create associated records or have external side effects.

Includes tests to verify that:
- Webhooks are created after successful account creation
- Webhooks are not created if account creation fails/rolls back
- Webhooks are not created when CAREERPLUG_WEBHOOK_SECRET is blank
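An idempotent form of the env-file rewrite described in the commit message above (strip every old copy of the webhook vars with one anchored regex, append only when a value was provided), written as an added example rather than the PR's own start script; the function name `sync_webhook_env`, its argument order and the `.tmp` file name are assumptions, and it takes the values already extracted from `SECRET_JSON` with `jq -r '... // empty'`:

```shell
#!/bin/sh
# sync_webhook_env ENV_FILE SECRET URL
# Rewrites ENV_FILE so it holds at most one CAREERPLUG_WEBHOOK_SECRET and one
# CAREERPLUG_WEBHOOK_URL line, no matter how many times the container restarts
# and re-runs the start script.
sync_webhook_env() {
  env_file="$1"; secret="$2"; url="$3"
  if [ -f "$env_file" ]; then
    # One anchored regex removes both vars; the "^" and "=" keep e.g.
    # CAREERPLUG_WEBHOOK_SECRET_OLD or a value containing the name untouched.
    rc=0
    grep -Ev '^CAREERPLUG_WEBHOOK_(SECRET|URL)=' "$env_file" > "$env_file.tmp" || rc=$?
    # grep -v exits 1 when nothing survives the filter (file held only those
    # vars); that is fine. Anything above 1 is a real error: keep the original.
    if [ "$rc" -gt 1 ]; then
      rm -f "$env_file.tmp"
      return "$rc"
    fi
    mv "$env_file.tmp" "$env_file"
  fi
  # Append only when a value was actually provided (mirrors `jq ... // empty`),
  # so a missing key in the secret never produces an empty assignment.
  if [ -n "$secret" ]; then
    printf 'CAREERPLUG_WEBHOOK_SECRET=%s\n' "$secret" >> "$env_file"
  fi
  if [ -n "$url" ]; then
    printf 'CAREERPLUG_WEBHOOK_URL=%s\n' "$url" >> "$env_file"
  fi
  return 0
}
```

Running it twice with the same inputs leaves exactly one line per var, and running it with empty values removes the vars instead of leaving stale ones behind.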
@mikhael-rakauskas left a comment:
One q but otherwise looks good!
| # Remove existing ALLOWED_HOSTS line if it exists | ||
| if [ -f "./.env.production" ]; then | ||
| grep -v "^ALLOWED_HOSTS=" ./.env.production > ./.env.production.tmp || true | ||
| mv ./.env.production.tmp ./.env.production | ||
| fi | ||
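Review bot: the `|| true` after `grep -v "^ALLOWED_HOSTS=" ./.env.production > ./.env.production.tmp` masks every grep failure, not only the exit status 1 grep returns when no line survives the filter (a file holding just the ALLOWED_HOSTS line), so on a genuine read error the empty `.tmp` would still be moved over `.env.production`; if this block is folded into the single-regex removal the commit message describes, keep the `^...=` anchoring and treat only an exit status above 1 as an error rather than ignoring all of them.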
Was there a reason for removing this?
This is needed since Docker containers in ECS restart frequently, and the .env.production file persists across restarts, causing duplicates without this cleanup logic. At least that's my understanding 😅
This update allows future added accounts to have the webhook set up automatically. Currently, all accounts have the secret, but for the future ones we don't want to add it manually.