Rails memoizes `@app_env_config`, so running push subscriptions test
after join codes test will result in running with `show_exceptions:
:none`, causing RecordInvalid to raise instead of returning 422 status.
References #1996
When ActiveStorage::Record uses `connects_to` for read replica support,
it creates a separate connection pool from ApplicationRecord. This causes
`after_commit` callbacks to fire in non-deterministic order - the
Attachment's `create_variants` callback can fire before the User model's
upload callback completes, resulting in FileNotFoundError.
The fix removes replica connection configuration from ActiveStorage::Record
so it shares the same connection pool as application models, ensuring
proper callback ordering.
Also reverts test workarounds that were added to work around this issue,
since the root cause is now fixed.
See: https://github.com/rails/rails/issues/53694
As suggested by @flavorjones, and explained in:
https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
This applies:
- 7 days as default: from the article, a 7-day
cooldown would have prevented 8 out of 10 recent
supply chain attacks. It seems reasonably long
but not crazy long.
- 14 days for major versions, to give some time
to the community to find problems.
Register a middleware with Rails.error that adds identity_id and
account_id from Current attributes. Only evaluated when an error
is actually reported, avoiding the cost on successful requests.
Move thousands of info-level Sentry events to logs. Query Loki rather
than downsampling events: `event.action = "run.ruby-script",
script.name = "autotuner"`
I find it helpful (especially when going through a long list of
results) to know how far back in time I'm looking.
A note on the timestamp being used: it's the search index
timestamp. Using the card or comment `updated_at` is fraught because
we do so much touching of records (e.g., comment is touched when a
reaction is added; card is touched when a comment is added). Let's
display the search record's `created_at`, which is the ordering used
for the overall results.
Avoid Sentry exceptions when attackers try to stuff invalid emails. The
browser performs form field validation that should normally prevent this
from occurring, so we just return 422 without validation error messages.
See similar change in #1996 for sign-in and sign-up
Avoid Sentry exceptions when attackers try to stuff invalid emails. The
browser performs form field validation that should normally prevent this
from occurring, so we just return 422 without validation error messages.
Also:
- extract redirect_to_session_magic_link helper
- some controller refactoring and cleanup