From 336dcc4d3ad0a72349b8c4092ad5678858d12c4e Mon Sep 17 00:00:00 2001 From: boris Date: Fri, 28 Nov 2025 03:23:52 +0000 Subject: [PATCH] erm --- .gitea/workflows/ci.yml | 2 +- .github/workflows/ci.yml | 2 +- README.md | 1 + config/packages/doctrine.php | 3 ++- docker/php/Dockerfile | 4 ---- docker/prod/entrypoint.sh | 17 +++++++++++++++++ 6 files changed, 22 insertions(+), 7 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 5327314..b4e08ff 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -94,7 +94,7 @@ jobs: docker run --rm --entrypoint sh ${{ env.IMAGE_NAME }}:ci -c 'test -f /var/www/html/bin/console' - name: Smoke-test entrypoint & migrations - run: docker run --rm --entrypoint /entrypoint.sh ${{ env.IMAGE_NAME }}:ci true + run: docker run --rm -e APP_SECRET=test-secret --entrypoint /entrypoint.sh ${{ env.IMAGE_NAME }}:ci true - name: Login to registry if: ${{ env.REGISTRY != '' && env.REGISTRY_USERNAME != '' && env.REGISTRY_PASSWORD != '' }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 75b8e6a..8908d77 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -98,5 +98,5 @@ jobs: docker run --rm --entrypoint sh tonehaus-app:ci -c 'test -f /var/www/html/bin/console' - name: Smoke-test entrypoint & migrations - run: docker run --rm --entrypoint /entrypoint.sh tonehaus-app:ci true + run: docker run --rm -e APP_SECRET=test-secret --entrypoint /entrypoint.sh tonehaus-app:ci true diff --git a/README.md b/README.md index 583c233..d90ad14 100644 --- a/README.md +++ b/README.md 
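Review bot: The "Smoke-test entrypoint & migrations" step in `.gitea/workflows/ci.yml` only exercises the success path with `-e APP_SECRET=test-secret`, so nothing verifies that the entrypoint refuses to start when the variable is missing, which is the behaviour the README hunk documents. I would add a second step with the variable omitted that fails if the container starts, e.g. `run: if docker run --rm --entrypoint /entrypoint.sh ${{ env.IMAGE_NAME }}:ci true; then exit 1; fi`. The same applies to the matching hunk in `.github/workflows/ci.yml`, using `tonehaus-app:ci`. A short comment above the step, such as `# throwaway value for the smoke test only; real deployments must supply their own APP_SECRET`, would stop the literal from being copied into a deployment.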
@@ -69,6 +69,7 @@ docker run -d \ - The runtime defaults to `DATABASE_DRIVER=sqlite` and stores the database file inside the image at `var/data/database.sqlite`. On each boot the entrypoint runs Doctrine migrations (safe to re-run) so the schema stays current while the container filesystem remains immutable from the host's perspective. - To point at Postgres (or any external database), override `DATABASE_DRIVER` and `DATABASE_URL` at `docker run` time and optionally disable auto-migration with `RUN_MIGRATIONS_ON_START=0`. - Health endpoint: `GET /healthz` on the published port (example: `curl http://localhost:8080/healthz`). + - The entrypoint now also performs Symfony cache clear/warmup on startup, which requires `APP_SECRET` to be set; the container exits with an error if it is missing so misconfigured deployments are caught immediately. 3. Rebuild/redeploy by re-running the `docker build` command; no manual steps or bind mounts are involved. diff --git a/config/packages/doctrine.php b/config/packages/doctrine.php index bbdb9d8..02ec6e7 100644 --- a/config/packages/doctrine.php +++ b/config/packages/doctrine.php @@ -4,6 +4,7 @@ declare(strict_types=1); use Symfony\Component\Filesystem\Filesystem; use Symfony\Config\DoctrineConfig; +use function Symfony\Component\DependencyInjection\Loader\Configurator\param; return static function (DoctrineConfig $doctrine): void { $driver = strtolower((string) ($_ENV['DATABASE_DRIVER'] ?? $_SERVER['DATABASE_DRIVER'] ?? 'postgres')); @@ -21,7 +22,7 @@ return static function (DoctrineConfig $doctrine): void { $dbal->defaultConnection('default'); $connection = $dbal->connection('default'); - $connection->profilingCollectBacktrace('%kernel.debug%'); + $connection->profilingCollectBacktrace(param('kernel.debug')); $connection->useSavepoints(true); if ('sqlite' === $driver) { diff --git a/docker/php/Dockerfile b/docker/php/Dockerfile index 66c9b97..8c52769 100644 --- a/docker/php/Dockerfile +++ b/docker/php/Dockerfile 
@@ -90,7 +90,6 @@ CMD ["php-fpm"] # ----------------------------------------------------------------------------- FROM base AS prod ARG APP_ENV=prod -ARG BUILD_APP_SECRET=build-secret ENV APP_ENV=${APP_ENV} ENV APP_DEBUG=0 \ DATABASE_DRIVER=sqlite \ @@ -112,10 +111,7 @@ COPY . /var/www/html # Finalize install & warm cache RUN if [ -f bin/console ]; then \ set -ex; \ - export APP_SECRET="${BUILD_APP_SECRET}"; \ composer dump-autoload --no-dev --optimize; \ - php bin/console cache:clear --no-warmup; \ - php bin/console cache:warmup; \ mkdir -p var var/data public/uploads; \ chown -R www-data:www-data var public/uploads; \ fi diff --git a/docker/prod/entrypoint.sh b/docker/prod/entrypoint.sh index 5637ab3..df5ff22 100755 --- a/docker/prod/entrypoint.sh +++ b/docker/prod/entrypoint.sh @@ -1,6 +1,17 @@ #!/bin/sh set -eu +require_app_secret() { + if [ -z "${APP_SECRET:-}" ]; then + echo "APP_SECRET environment variable is required at runtime" >&2 + exit 1 + fi +} + +if [ -f bin/console ]; then + require_app_secret +fi + if [ "${RUN_MIGRATIONS_ON_START:-1}" = "1" ] && [ -f bin/console ]; then if [ "${DATABASE_DRIVER:-sqlite}" = "sqlite" ]; then SQLITE_PATH="${DATABASE_SQLITE_PATH:-/var/www/html/var/data/database.sqlite}" @@ -15,5 +26,11 @@ if [ "${RUN_MIGRATIONS_ON_START:-1}" = "1" ] && [ -f bin/console ]; then su-exec www-data php bin/console doctrine:migrations:migrate --no-interaction --allow-no-migration fi +if [ -f bin/console ]; then + su-exec www-data php bin/console cache:clear --no-warmup + su-exec www-data php bin/console cache:warmup + chown -R www-data:www-data var +fi + exec "$@"
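Review bot: `require_app_secret` in the first `docker/prod/entrypoint.sh` hunk accepts any non-empty value, so a placeholder such as the CI value `test-secret` or the removed build default `build-secret` would start a production container without complaint. Symfony uses this secret for signed values, so a guessable one weakens the guarantee the check is meant to enforce. A minimum-length test after the empty check would catch the obvious cases, e.g. `if [ "${#APP_SECRET}" -lt 32 ]; then echo "APP_SECRET is too short" >&2; exit 1; fi`. The CI smoke tests would then need a longer throwaway value. The function also deserves a one-line comment saying why the secret is required at boot, e.g. `# cache warmup below needs APP_SECRET`.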
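Review bot: In the second `docker/prod/entrypoint.sh` hunk, `chown -R www-data:www-data var` runs after the two `su-exec www-data php bin/console cache:*` commands, so it repairs ownership too late. If anything under `var` is root-owned at start (a mounted volume, or files created by the migration block, whose middle lines are outside this hunk), `cache:clear` fails and `set -eu` stops the container before the `chown` is reached. Moving the `chown` to the first line of the `if [ -f bin/console ]` block fixes the order. I would also add a comment such as `# cache is built at boot because APP_SECRET is no longer baked into the image`, so the per-start cost and the writable `var/cache` are read as a deliberate choice.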