Where to run cookie rotator when upgrading to Rails 7?

The Rails 7 new_framework_defaults_7_0.rb file instructs to add some code for registering a cookie rotator (below). Should this code be executed a single time e.g. in a one-off rake task, or executed in an initializer at each application boot? (And in the latter case should it be enclosed in an after_initialize block as suggested here?)

Rails.application.config.action_dispatch.cookies_rotations.tap do |cookies|
  salt = Rails.application.config.action_dispatch.authenticated_encrypted_cookie_salt
  secret_key_base = Rails.application.secrets.secret_key_base
  key_generator = ActiveSupport::KeyGenerator.new(
    secret_key_base, iterations: 1000, hash_digest_class: OpenSSL::Digest::SHA1
  key_len = ActiveSupport::MessageEncryptor.key_len
  secret = key_generator.generate_key(salt, key_len)
  cookies.rotate :encrypted, secret

Question also posted on StackOverflow.