[Feature Proposal] Add --internalise-conflicts option to the rails credentials edit

SixiS · June 17, 2025, 2:13pm

Hey Rails community!
Just a quick proposal/sanity check on a feature to help with git conflicts in credential files.
Thanks so much for reading and for any insight / feedback.

Background

Handling merge conflicts in the encrypted credentials files feels manual and difficult.

We do have the ability to make git diff work with the encrypted files via rails credentials:diff --enroll but that doesn’t seem to help with merge or rebase conflicts.

Resolving the conflict is a manual process, pulling the conflicted filed apart, diff’ing them and then putting them back together.
We have the encrypted files in the diff, and we have the key, so we have everything we need to resolve the issue in an automated way.

Googling the issue also doesn’t bring up much. But there are few complaints that users expect the flow to be easier.

https://stackoverflow.com/questions/58980566/how-to-deal-with-merge-conflicts-in-rails-encrypted-credential-files

github.com/rails/rails

Rails Credentials Merge Conflitcts Proposal

opened 10:32AM - 16 Mar 22 UTC

closed 04:21PM - 16 Mar 22 UTC

itay-grudev

Rails Credentials are great for a lot of purposes, but merge conflicts are reall…y annoying to resolve even with the included tools. But if we were to restructure how they work we could enable git to auto-resolve conflicts. To that end I propose we convert the file from one big encrypted chunk to lots of small encrypted keypairs. There are two approaches we could take: 1. Keeps keys encrypted as well 2. Maintain keys in plain text Note that we don't actually have to encrypt keys. Key names could be inferred from the code base of an application. Therefore keys are not secret - values are. This means that if we were to parse the file and only encrypt values In both cases git would be able to match individual lines and apply diffs automatically as the lines around our changes would remain the same. But if keys were kept in plain text (PR/MR) reviews would be easier as developer could infer what was changes just by looking at the diff. This presents a small problem, where someone with access to the code-base could be able to tamper credentials without having access to the key, but we can add an HMAC checksum at the end of the file or each keypair to validate contents and mitigate that. I don't believe such an approach decreases security even in the case of plain text keys since as I mentioned before - we already know the keys, we even have clues about the content of values from the code base. The only thing we are doing is making it possible for git to auto resolve changes. This could potentially add two improvements: 1. Git would be able to auto-resolve conflicts 2. PR diffs would be able to show what key was changed (the value would be unintelligible). 3. The credential file would be tamper-evident. I would like us to start a discussion about the next iteration of credential management so we could improve it for future versions. Related to: #28038

There are a few references to git doing the correct thing with conflicts withe the rails credentials:diff --enroll, but it’s not working for me.

git -v
#=> git version 2.49.0

Using git merge other_branch cases the regular merge conflicts over the whole set of binary data.

Auto-merging config/credentials/development.yml.enc
CONFLICT (content): Merge conflict in config/credentials/development.yml.enc

Detail

The Pull Request add an --internalise-conflicts option to the rails credentials edit command.

If there is a merge conflict, this option decrypts both versions of the file in the conflict, uses git to combine them so the merge conflict is resolved or added to the unencrypted text, writes it to the encrypted file and then continues with the normal edit command flow.

PR

I have an initial PR ready with the feature.
The PR is just to the forked repo so people can check the changes.
I would like to see if it’s just a me problem, and merge with the credentials diff enrolling is supposed to fix it?.
Or if anyone else thinks the PR is a good idea.

github.com/SixiS/rails

Feature / Add option to internalise git conflicts when editing credentials

main ← feature/edit_conflicted_credentials

opened 04:36PM - 13 Jun 25 UTC

SixiS

+226 -3

### Motivation / Background This Pull Request has been created because handli…ng merge conflicts in the encrypted credentials files feels manual and difficult. We do have the ability to make git diff work with the encrypted files via `rails credentials:diff --enroll` but that doesn't seem to help with merge or rebase conflicts. Resolving the conflict is a manual process, pulling the conflicted filed apart, diff'ing them and then putting them back together. We have the encrypted files in the diff, and we have the key, so we have everything we need to resolve the issue in an automated way. Googling the issue also doesn't bring up much. But there are few complaints that users expect the flow to be easier. https://discuss.rubyonrails.org/t/editing-rails-credentials-when-theres-a-git-merge-conflict/81487 https://stackoverflow.com/questions/58980566/how-to-deal-with-merge-conflicts-in-rails-encrypted-credential-files https://github.com/rails/rails/issues/44701 ### Detail This Pull Request add an `--internalise-conflicts` option to the `rails credentials edit` command. This option decrypts both versions of the file in the conflict, uses git to combine them so the merge conflict is resolved or added to the unencrypted text, writes it to the encrypted file and then continues with the normal edit command flow. ### Additional information - ### Checklist Before submitting the PR make sure the following are checked: * [✓] This Pull Request is related to one change. Unrelated changes should be opened in separate PRs. * [✓] Commit message has a detailed description of what changed and why. If this PR fixes a related issue include it in the commit message. Ex: `[Fix #issue-number]` * [✓] Tests are added or updated if you fix a bug or add a feature. * [✓] CHANGELOG files are updated for the changed libraries if there is a behavior change or additional feature. Minor bug fixes and documentation changes should not be included.

I first implemented the resolution at the encrypted file level in active support, which didn’t need writing the encrypted file before editing, but refactored it to be an option on the credential edit command itself to limit the potential impacts.

Thanks!
SixiS

SixiS · July 1, 2025, 7:47pm

Just an update.
Still wasn’t sure something this specific really needed to be a part of Rails.
Decided to turn it into a gem instead for now.

Topic		Replies	Views
Rails Credentials Merge Conflitcts Proposal rubyonrails-core	1	878	March 19, 2024
Editing Rails credentials when there's a git merge conflict rubyonrails-talk	1	1975	September 30, 2022
Rails credentials diff helper only decrypting the "local" state rubyonrails-talk credentials	0	421	June 18, 2024
Looking for the feedback on suggested feature for rails credentials rubyonrails-core	0	196	October 17, 2018
Viewing changes to credentials.yml.enc in Git A May Of WTFs	3	2597	May 23, 2020

[Feature Proposal] Add --internalise-conflicts option to the rails credentials edit

Background

Detail

PR

Related topics

More Resources