Skip to content
Latchkey

Rails "Missing `secret_key_base` for 'production' environment" in CI

Rails needs a secret_key_base to boot the production environment (for signing cookies and message verifiers). In CI, a production-mode task fails because neither SECRET_KEY_BASE nor decryptable credentials are available.

What this error means

A production-mode step (assets, a release check) fails with "Missing secret_key_base for 'production' environment, set this string with bin/rails credentials:edit".

Rails
ArgumentError: Missing `secret_key_base` for 'production' environment, set this
string with `bin/rails credentials:edit`

Common causes

No SECRET_KEY_BASE in the environment

Production reads SECRET_KEY_BASE from the environment or credentials; in CI neither is provided, so boot aborts.

Credentials cannot be decrypted without the master key

The value lives in config/credentials.yml.enc, but RAILS_MASTER_KEY is not set in CI, so Rails cannot read it.

How to fix it

Provide SECRET_KEY_BASE for CI production tasks

A throwaway value is fine for tasks like asset precompilation that only need boot to succeed.

.github/workflows/ci.yml
env:
  RAILS_ENV: production
  SECRET_KEY_BASE: ${{ secrets.SECRET_KEY_BASE }}

Or supply the master key for credentials

Set RAILS_MASTER_KEY from a secret so Rails can decrypt the stored secret_key_base.

.github/workflows/ci.yml
env:
  RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}

How to prevent it

  • Store SECRET_KEY_BASE or RAILS_MASTER_KEY as a CI secret.
  • Avoid running unnecessary production-mode tasks in CI.
  • Use SECRET_KEY_BASE_DUMMY where only boot, not real secrets, is needed.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →