Secure Docker build and improve Gunicorn configuration #4

Merged: Aurelien7777 merged 2 commits into master from fix/docker-secret-key (Jun 24, 2026)

Aurelien7777 (Owner) commented Jun 24, 2026

Changes

  • replaced the fixed Docker key used during collectstatic with a temporary key generated at build time;
  • verified that the real SECRET_KEY is still provided only at runtime;
  • configured Gunicorn with gthread, 2 workers and 2 threads;
  • added Gunicorn access logs;
  • fixed the Home buttons on the lettings and profiles pages.

Checks

  • Docker image rebuilt without cache;
  • no SECRET_KEY stored in the image;
  • startup refused without the SECRET_KEY variable;
  • startup succeeds with a key provided at runtime;
  • static files load correctly;
  • navigation between the home page, lettings and profiles validated;
  • no new WORKER TIMEOUT during testing.

Summary by Sourcery

Secure Docker build-time static collection and fix navigation home links.

New Features:

  • Generate a unique temporary SECRET_KEY at Docker build time for Django collectstatic.

Bug Fixes:

  • Correct lettings and profiles Home buttons to link back to the main index page.

sourcery-ai (Bot) commented Jun 24, 2026

Reviewer's Guide

Updates the Docker build to use a per-build temporary Django SECRET_KEY for collectstatic, prepares the container to rely on a runtime SECRET_KEY only, adjusts Gunicorn invocation (likely via external configuration) and fixes Home navigation links in lettings and profiles templates.

Flow diagram for Docker build-time vs runtime SECRET_KEY handling

flowchart LR
    A[Docker_build] --> B[Run collectstatic]
    B --> C[SECRET_KEY generated with python -c secrets.token_urlsafe]
    C --> D[Static files collected]
    D --> E[Docker_image_built_without_SECRET_KEY]

    F[Container_runtime] --> G[SECRET_KEY env variable provided]
    G --> H[Django_wsgi_application_start]
    H --> I[Gunicorn_serves_app]

File-Level Changes

Change: Use a per-build temporary SECRET_KEY during Docker collectstatic without baking a fixed secret into the image.
Details:
  • Replaced hard-coded SECRET_KEY used at build time with a dynamically generated token using Python's secrets.token_urlsafe
  • Kept collectstatic invocation in the Docker build while ensuring the real SECRET_KEY is not stored in the image
Files: Dockerfile

Change: Fix Home buttons in lettings and profiles to link back to the global index view instead of local app indexes.
Details:
  • Updated lettings index template Home button URL from lettings:index to index
  • Updated profiles index template Home button URL from profiles:index to index
Files: lettings/templates/lettings/index.html, profiles/templates/profiles/index.html

sourcery-ai (Bot) left a comment

Hey - I've left some high-level feedback:

  • The PR description mentions configuring Gunicorn with gthread, multiple workers/threads, and access logs, but there are no corresponding changes in the Dockerfile CMD or elsewhere in the diff; either update the code to reflect those settings or trim the description to what’s actually included.
  • When generating the temporary SECRET_KEY in the Dockerfile, consider moving the python -c 'import secrets; ...' command into a small script or make target to keep the Dockerfile line simpler and easier to maintain.

Aurelien7777 merged commit 82323a7 into master on Jun 24, 2026
7 checks passed
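
The "no SECRET_KEY stored in the image" check from the PR description can be automated. The following is an added example, not code from this pull request or the project: it scans the output of `docker image inspect` and `docker history --no-trunc` for a SECRET_KEY baked into the image configuration or into a layer command. The sample outputs, including the `build-only-key` value and the `token_urlsafe(50)` argument, are constructed for illustration.

```python
import json
import re

# SECRET_KEY=<value>: the value is quoted text or a run of non-space characters.
ASSIGN = re.compile(r"""\bSECRET_KEY=("[^"]*"|'[^']*'|\S*)""")


def is_literal(value: str) -> bool:
    """True for fixed text; False for empty values and shell expansions such as $(...)."""
    value = value.strip("\"'")
    return bool(value) and not value.startswith(("$", "`"))


def find_baked_secret_keys(inspect_json: str, history_text: str) -> list[str]:
    """List the places where an image stores a SECRET_KEY, never echoing the value.

    inspect_json: output of `docker image inspect IMAGE`
    history_text: output of `docker history --no-trunc --format '{{.CreatedBy}}' IMAGE`
    """
    findings = []
    config = json.loads(inspect_json)[0].get("Config") or {}
    for entry in config.get("Env") or []:
        name, _, value = entry.partition("=")
        if name == "SECRET_KEY":
            findings.append(f"Config.Env sets SECRET_KEY ({len(value)} chars)")
    for number, created_by in enumerate(history_text.splitlines(), start=1):
        # History keeps the command text, so $(...) is recorded unevaluated.
        if any(is_literal(m.group(1)) for m in ASSIGN.finditer(created_by)):
            findings.append(f"history line {number}: literal SECRET_KEY in layer command")
    return findings


# Constructed sample: image built with a fixed key declared through ENV.
FIXED_INSPECT = '[{"Config": {"Env": ["PATH=/usr/local/bin", "SECRET_KEY=build-only-key"]}}]'
FIXED_HISTORY = (
    "RUN /bin/sh -c python manage.py collectstatic --noinput\n"
    "ENV SECRET_KEY=build-only-key\n"
)
# Constructed sample: key generated inside the RUN step and never declared as ENV.
PER_BUILD_INSPECT = '[{"Config": {"Env": ["PATH=/usr/local/bin"]}}]'
PER_BUILD_HISTORY = (
    "RUN /bin/sh -c SECRET_KEY=\"$(python -c 'import secrets; "
    "print(secrets.token_urlsafe(50))')\" python manage.py collectstatic --noinput\n"
)

if __name__ == "__main__":
    print("fixed key:", find_baked_secret_keys(FIXED_INSPECT, FIXED_HISTORY))
    print("per-build key:", find_baked_secret_keys(PER_BUILD_INSPECT, PER_BUILD_HISTORY))
```

A key passed through `ENV` appears both in the image configuration and in the layer history, whereas a key assigned from a command substitution inside a single `RUN` step leaves only the unevaluated command text behind.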