From c6b3191f3c86d261d40590a51425ebdb443ec64e Mon Sep 17 00:00:00 2001
From: Joseph Ferguson <yosifkit@gmail.com>
Date: Mon, 6 Oct 2025 16:58:56 -0700
Subject: [PATCH 1/4] Fix for rails getting confused by an empty env var

---
 5.1/alpine3.21/docker-entrypoint.sh | 7 ++++++-
 5.1/alpine3.22/docker-entrypoint.sh | 7 ++++++-
 5.1/bookworm/docker-entrypoint.sh   | 7 ++++++-
 5.1/trixie/docker-entrypoint.sh     | 7 ++++++-
 6.0/alpine3.21/docker-entrypoint.sh | 7 ++++++-
 6.0/alpine3.22/docker-entrypoint.sh | 7 ++++++-
 6.0/bookworm/docker-entrypoint.sh   | 7 ++++++-
 6.0/trixie/docker-entrypoint.sh     | 7 ++++++-
 6.1/alpine3.21/docker-entrypoint.sh | 7 ++++++-
 6.1/alpine3.22/docker-entrypoint.sh | 7 ++++++-
 6.1/bookworm/docker-entrypoint.sh   | 7 ++++++-
 6.1/trixie/docker-entrypoint.sh     | 7 ++++++-
 docker-entrypoint.sh                | 7 ++++++-
 13 files changed, 78 insertions(+), 13 deletions(-)

diff --git a/5.1/alpine3.21/docker-entrypoint.sh b/5.1/alpine3.21/docker-entrypoint.sh
index 0bcee63..87b09cf 100755
--- a/5.1/alpine3.21/docker-entrypoint.sh
+++ b/5.1/alpine3.21/docker-entrypoint.sh
@@ -150,7 +150,12 @@ if [ -n "$isLikelyRedmine" ]; then
 		echo >&2
 	fi
 	: "${SECRET_KEY_BASE:=$REDMINE_SECRET_KEY_BASE}"
-	export SECRET_KEY_BASE
+	if [ -n "$SECRET_KEY_BASE" ]; then
+		# https://github.com/docker-library/redmine/issues/397
+		# empty string is truthy in ruby and so masks the generated fallback config
+		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
+		export SECRET_KEY_BASE
+	fi
 	# generate SECRET_KEY_BASE if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
 	if [ -z "$SECRET_KEY_BASE" ] && [ ! -f config/initializers/secret_token.rb ]; then
 		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
diff --git a/5.1/alpine3.22/docker-entrypoint.sh b/5.1/alpine3.22/docker-entrypoint.sh
index 0bcee63..87b09cf 100755
--- a/5.1/alpine3.22/docker-entrypoint.sh
+++ b/5.1/alpine3.22/docker-entrypoint.sh
@@ -150,7 +150,12 @@ if [ -n "$isLikelyRedmine" ]; then
 		echo >&2
 	fi
 	: "${SECRET_KEY_BASE:=$REDMINE_SECRET_KEY_BASE}"
-	export SECRET_KEY_BASE
+	if [ -n "$SECRET_KEY_BASE" ]; then
+		# https://github.com/docker-library/redmine/issues/397
+		# empty string is truthy in ruby and so masks the generated fallback config
+		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
+		export SECRET_KEY_BASE
+	fi
 	# generate SECRET_KEY_BASE if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
 	if [ -z "$SECRET_KEY_BASE" ] && [ ! -f config/initializers/secret_token.rb ]; then
 		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
diff --git a/5.1/bookworm/docker-entrypoint.sh b/5.1/bookworm/docker-entrypoint.sh
index 0bcee63..87b09cf 100755
--- a/5.1/bookworm/docker-entrypoint.sh
+++ b/5.1/bookworm/docker-entrypoint.sh
@@ -150,7 +150,12 @@ if [ -n "$isLikelyRedmine" ]; then
 		echo >&2
 	fi
 	: "${SECRET_KEY_BASE:=$REDMINE_SECRET_KEY_BASE}"
-	export SECRET_KEY_BASE
+	if [ -n "$SECRET_KEY_BASE" ]; then
+		# https://github.com/docker-library/redmine/issues/397
+		# empty string is truthy in ruby and so masks the generated fallback config
+		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
+		export SECRET_KEY_BASE
+	fi
 	# generate SECRET_KEY_BASE if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
 	if [ -z "$SECRET_KEY_BASE" ] && [ ! -f config/initializers/secret_token.rb ]; then
 		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
diff --git a/5.1/trixie/docker-entrypoint.sh b/5.1/trixie/docker-entrypoint.sh
index 0bcee63..87b09cf 100755
--- a/5.1/trixie/docker-entrypoint.sh
+++ b/5.1/trixie/docker-entrypoint.sh
@@ -150,7 +150,12 @@ if [ -n "$isLikelyRedmine" ]; then
 		echo >&2
 	fi
 	: "${SECRET_KEY_BASE:=$REDMINE_SECRET_KEY_BASE}"
-	export SECRET_KEY_BASE
+	if [ -n "$SECRET_KEY_BASE" ]; then
+		# https://github.com/docker-library/redmine/issues/397
+		# empty string is truthy in ruby and so masks the generated fallback config
+		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
+		export SECRET_KEY_BASE
+	fi
 	# generate SECRET_KEY_BASE if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
 	if [ -z "$SECRET_KEY_BASE" ] && [ ! -f config/initializers/secret_token.rb ]; then
 		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
diff --git a/6.0/alpine3.21/docker-entrypoint.sh b/6.0/alpine3.21/docker-entrypoint.sh
index 0bcee63..87b09cf 100755
--- a/6.0/alpine3.21/docker-entrypoint.sh
+++ b/6.0/alpine3.21/docker-entrypoint.sh
@@ -150,7 +150,12 @@ if [ -n "$isLikelyRedmine" ]; then
 		echo >&2
 	fi
 	: "${SECRET_KEY_BASE:=$REDMINE_SECRET_KEY_BASE}"
-	export SECRET_KEY_BASE
+	if [ -n "$SECRET_KEY_BASE" ]; then
+		# https://github.com/docker-library/redmine/issues/397
+		# empty string is truthy in ruby and so masks the generated fallback config
+		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
+		export SECRET_KEY_BASE
+	fi
 	# generate SECRET_KEY_BASE if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
 	if [ -z "$SECRET_KEY_BASE" ] && [ ! -f config/initializers/secret_token.rb ]; then
 		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
diff --git a/6.0/alpine3.22/docker-entrypoint.sh b/6.0/alpine3.22/docker-entrypoint.sh
index 0bcee63..87b09cf 100755
--- a/6.0/alpine3.22/docker-entrypoint.sh
+++ b/6.0/alpine3.22/docker-entrypoint.sh
@@ -150,7 +150,12 @@ if [ -n "$isLikelyRedmine" ]; then
 		echo >&2
 	fi
 	: "${SECRET_KEY_BASE:=$REDMINE_SECRET_KEY_BASE}"
-	export SECRET_KEY_BASE
+	if [ -n "$SECRET_KEY_BASE" ]; then
+		# https://github.com/docker-library/redmine/issues/397
+		# empty string is truthy in ruby and so masks the generated fallback config
+		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
+		export SECRET_KEY_BASE
+	fi
 	# generate SECRET_KEY_BASE if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
 	if [ -z "$SECRET_KEY_BASE" ] && [ ! -f config/initializers/secret_token.rb ]; then
 		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
diff --git a/6.0/bookworm/docker-entrypoint.sh b/6.0/bookworm/docker-entrypoint.sh
index 0bcee63..87b09cf 100755
--- a/6.0/bookworm/docker-entrypoint.sh
+++ b/6.0/bookworm/docker-entrypoint.sh
@@ -150,7 +150,12 @@ if [ -n "$isLikelyRedmine" ]; then
 		echo >&2
 	fi
 	: "${SECRET_KEY_BASE:=$REDMINE_SECRET_KEY_BASE}"
-	export SECRET_KEY_BASE
+	if [ -n "$SECRET_KEY_BASE" ]; then
+		# https://github.com/docker-library/redmine/issues/397
+		# empty string is truthy in ruby and so masks the generated fallback config
+		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
+		export SECRET_KEY_BASE
+	fi
 	# generate SECRET_KEY_BASE if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
 	if [ -z "$SECRET_KEY_BASE" ] && [ ! -f config/initializers/secret_token.rb ]; then
 		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
diff --git a/6.0/trixie/docker-entrypoint.sh b/6.0/trixie/docker-entrypoint.sh
index 0bcee63..87b09cf 100755
--- a/6.0/trixie/docker-entrypoint.sh
+++ b/6.0/trixie/docker-entrypoint.sh
@@ -150,7 +150,12 @@ if [ -n "$isLikelyRedmine" ]; then
 		echo >&2
 	fi
 	: "${SECRET_KEY_BASE:=$REDMINE_SECRET_KEY_BASE}"
-	export SECRET_KEY_BASE
+	if [ -n "$SECRET_KEY_BASE" ]; then
+		# https://github.com/docker-library/redmine/issues/397
+		# empty string is truthy in ruby and so masks the generated fallback config
+		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
+		export SECRET_KEY_BASE
+	fi
 	# generate SECRET_KEY_BASE if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
 	if [ -z "$SECRET_KEY_BASE" ] && [ ! -f config/initializers/secret_token.rb ]; then
 		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
diff --git a/6.1/alpine3.21/docker-entrypoint.sh b/6.1/alpine3.21/docker-entrypoint.sh
index 0bcee63..87b09cf 100755
--- a/6.1/alpine3.21/docker-entrypoint.sh
+++ b/6.1/alpine3.21/docker-entrypoint.sh
@@ -150,7 +150,12 @@ if [ -n "$isLikelyRedmine" ]; then
 		echo >&2
 	fi
 	: "${SECRET_KEY_BASE:=$REDMINE_SECRET_KEY_BASE}"
-	export SECRET_KEY_BASE
+	if [ -n "$SECRET_KEY_BASE" ]; then
+		# https://github.com/docker-library/redmine/issues/397
+		# empty string is truthy in ruby and so masks the generated fallback config
+		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
+		export SECRET_KEY_BASE
+	fi
 	# generate SECRET_KEY_BASE if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
 	if [ -z "$SECRET_KEY_BASE" ] && [ ! -f config/initializers/secret_token.rb ]; then
 		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
diff --git a/6.1/alpine3.22/docker-entrypoint.sh b/6.1/alpine3.22/docker-entrypoint.sh
index 0bcee63..87b09cf 100755
--- a/6.1/alpine3.22/docker-entrypoint.sh
+++ b/6.1/alpine3.22/docker-entrypoint.sh
@@ -150,7 +150,12 @@ if [ -n "$isLikelyRedmine" ]; then
 		echo >&2
 	fi
 	: "${SECRET_KEY_BASE:=$REDMINE_SECRET_KEY_BASE}"
-	export SECRET_KEY_BASE
+	if [ -n "$SECRET_KEY_BASE" ]; then
+		# https://github.com/docker-library/redmine/issues/397
+		# empty string is truthy in ruby and so masks the generated fallback config
+		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
+		export SECRET_KEY_BASE
+	fi
 	# generate SECRET_KEY_BASE if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
 	if [ -z "$SECRET_KEY_BASE" ] && [ ! -f config/initializers/secret_token.rb ]; then
 		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
diff --git a/6.1/bookworm/docker-entrypoint.sh b/6.1/bookworm/docker-entrypoint.sh
index 0bcee63..87b09cf 100755
--- a/6.1/bookworm/docker-entrypoint.sh
+++ b/6.1/bookworm/docker-entrypoint.sh
@@ -150,7 +150,12 @@ if [ -n "$isLikelyRedmine" ]; then
 		echo >&2
 	fi
 	: "${SECRET_KEY_BASE:=$REDMINE_SECRET_KEY_BASE}"
-	export SECRET_KEY_BASE
+	if [ -n "$SECRET_KEY_BASE" ]; then
+		# https://github.com/docker-library/redmine/issues/397
+		# empty string is truthy in ruby and so masks the generated fallback config
+		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
+		export SECRET_KEY_BASE
+	fi
 	# generate SECRET_KEY_BASE if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
 	if [ -z "$SECRET_KEY_BASE" ] && [ ! -f config/initializers/secret_token.rb ]; then
 		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
diff --git a/6.1/trixie/docker-entrypoint.sh b/6.1/trixie/docker-entrypoint.sh
index 0bcee63..87b09cf 100755
--- a/6.1/trixie/docker-entrypoint.sh
+++ b/6.1/trixie/docker-entrypoint.sh
@@ -150,7 +150,12 @@ if [ -n "$isLikelyRedmine" ]; then
 		echo >&2
 	fi
 	: "${SECRET_KEY_BASE:=$REDMINE_SECRET_KEY_BASE}"
-	export SECRET_KEY_BASE
+	if [ -n "$SECRET_KEY_BASE" ]; then
+		# https://github.com/docker-library/redmine/issues/397
+		# empty string is truthy in ruby and so masks the generated fallback config
+		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
+		export SECRET_KEY_BASE
+	fi
 	# generate SECRET_KEY_BASE if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
 	if [ -z "$SECRET_KEY_BASE" ] && [ ! -f config/initializers/secret_token.rb ]; then
 		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index 0bcee63..87b09cf 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -150,7 +150,12 @@ if [ -n "$isLikelyRedmine" ]; then
 		echo >&2
 	fi
 	: "${SECRET_KEY_BASE:=$REDMINE_SECRET_KEY_BASE}"
-	export SECRET_KEY_BASE
+	if [ -n "$SECRET_KEY_BASE" ]; then
+		# https://github.com/docker-library/redmine/issues/397
+		# empty string is truthy in ruby and so masks the generated fallback config
+		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
+		export SECRET_KEY_BASE
+	fi
 	# generate SECRET_KEY_BASE if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
 	if [ -z "$SECRET_KEY_BASE" ] && [ ! -f config/initializers/secret_token.rb ]; then
 		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'

From d317fae85a4b7562a3f705ad15bc4df407ee1e8c Mon Sep 17 00:00:00 2001
From: Tianon Gravi <admwiggin@gmail.com>
Date: Wed, 8 Oct 2025 14:25:15 -0700
Subject: [PATCH 2/4] Alternate suggestion

---
 5.1/alpine3.21/docker-entrypoint.sh | 14 +++++++-------
 5.1/alpine3.22/docker-entrypoint.sh | 14 +++++++-------
 5.1/bookworm/docker-entrypoint.sh   | 14 +++++++-------
 5.1/trixie/docker-entrypoint.sh     | 14 +++++++-------
 6.0/alpine3.21/docker-entrypoint.sh | 14 +++++++-------
 6.0/alpine3.22/docker-entrypoint.sh | 14 +++++++-------
 6.0/bookworm/docker-entrypoint.sh   | 14 +++++++-------
 6.0/trixie/docker-entrypoint.sh     | 14 +++++++-------
 6.1/alpine3.21/docker-entrypoint.sh | 14 +++++++-------
 6.1/alpine3.22/docker-entrypoint.sh | 14 +++++++-------
 6.1/bookworm/docker-entrypoint.sh   | 14 +++++++-------
 6.1/trixie/docker-entrypoint.sh     | 14 +++++++-------
 docker-entrypoint.sh                | 14 +++++++-------
 13 files changed, 91 insertions(+), 91 deletions(-)

diff --git a/5.1/alpine3.21/docker-entrypoint.sh b/5.1/alpine3.21/docker-entrypoint.sh
index 87b09cf..f227e5f 100755
--- a/5.1/alpine3.21/docker-entrypoint.sh
+++ b/5.1/alpine3.21/docker-entrypoint.sh
@@ -144,22 +144,22 @@ if [ -n "$isLikelyRedmine" ]; then
 	# just use the rails variable rather than trying to put it into a yml file
 	# https://github.com/rails/rails/blob/6-1-stable/railties/lib/rails/application.rb#L438
 	# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L484 (rails 7.1-stable)
-	if [ -n "${SECRET_KEY_BASE}" ] && [ -n "${REDMINE_SECRET_KEY_BASE}" ]; then
+	if [ -n "${SECRET_KEY_BASE:-}" ] && [ -n "${REDMINE_SECRET_KEY_BASE:-}" ]; then
 		echo >&2
 		echo >&2 'warning: both SECRET_KEY_BASE and REDMINE_SECRET_KEY_BASE{_FILE} set, only SECRET_KEY_BASE will apply'
 		echo >&2
 	fi
-	: "${SECRET_KEY_BASE:=$REDMINE_SECRET_KEY_BASE}"
-	if [ -n "$SECRET_KEY_BASE" ]; then
+	: "${SECRET_KEY_BASE:=${REDMINE_SECRET_KEY_BASE:-}}"
+	export SECRET_KEY_BASE
+	if [ -z "$SECRET_KEY_BASE" ]; then
 		# https://github.com/docker-library/redmine/issues/397
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
-		export SECRET_KEY_BASE
+		unset SECRET_KEY_BASE
 	fi
-	# generate SECRET_KEY_BASE if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
-	if [ -z "$SECRET_KEY_BASE" ] && [ ! -f config/initializers/secret_token.rb ]; then
+	# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+	if [ -z "${SECRET_KEY_BASE:-}" ] && [ ! -f config/initializers/secret_token.rb ]; then
 		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
-		unset SECRET_KEY_BASE # just in case
 		rake generate_secret_token
 	fi
 
diff --git a/5.1/alpine3.22/docker-entrypoint.sh b/5.1/alpine3.22/docker-entrypoint.sh
index 87b09cf..f227e5f 100755
--- a/5.1/alpine3.22/docker-entrypoint.sh
+++ b/5.1/alpine3.22/docker-entrypoint.sh
@@ -144,22 +144,22 @@ if [ -n "$isLikelyRedmine" ]; then
 	# just use the rails variable rather than trying to put it into a yml file
 	# https://github.com/rails/rails/blob/6-1-stable/railties/lib/rails/application.rb#L438
 	# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L484 (rails 7.1-stable)
-	if [ -n "${SECRET_KEY_BASE}" ] && [ -n "${REDMINE_SECRET_KEY_BASE}" ]; then
+	if [ -n "${SECRET_KEY_BASE:-}" ] && [ -n "${REDMINE_SECRET_KEY_BASE:-}" ]; then
 		echo >&2
 		echo >&2 'warning: both SECRET_KEY_BASE and REDMINE_SECRET_KEY_BASE{_FILE} set, only SECRET_KEY_BASE will apply'
 		echo >&2
 	fi
-	: "${SECRET_KEY_BASE:=$REDMINE_SECRET_KEY_BASE}"
-	if [ -n "$SECRET_KEY_BASE" ]; then
+	: "${SECRET_KEY_BASE:=${REDMINE_SECRET_KEY_BASE:-}}"
+	export SECRET_KEY_BASE
+	if [ -z "$SECRET_KEY_BASE" ]; then
 		# https://github.com/docker-library/redmine/issues/397
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
-		export SECRET_KEY_BASE
+		unset SECRET_KEY_BASE
 	fi
-	# generate SECRET_KEY_BASE if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
-	if [ -z "$SECRET_KEY_BASE" ] && [ ! -f config/initializers/secret_token.rb ]; then
+	# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+	if [ -z "${SECRET_KEY_BASE:-}" ] && [ ! -f config/initializers/secret_token.rb ]; then
 		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
-		unset SECRET_KEY_BASE # just in case
 		rake generate_secret_token
 	fi
 
diff --git a/5.1/bookworm/docker-entrypoint.sh b/5.1/bookworm/docker-entrypoint.sh
index 87b09cf..f227e5f 100755
--- a/5.1/bookworm/docker-entrypoint.sh
+++ b/5.1/bookworm/docker-entrypoint.sh
@@ -144,22 +144,22 @@ if [ -n "$isLikelyRedmine" ]; then
 	# just use the rails variable rather than trying to put it into a yml file
 	# https://github.com/rails/rails/blob/6-1-stable/railties/lib/rails/application.rb#L438
 	# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L484 (rails 7.1-stable)
-	if [ -n "${SECRET_KEY_BASE}" ] && [ -n "${REDMINE_SECRET_KEY_BASE}" ]; then
+	if [ -n "${SECRET_KEY_BASE:-}" ] && [ -n "${REDMINE_SECRET_KEY_BASE:-}" ]; then
 		echo >&2
 		echo >&2 'warning: both SECRET_KEY_BASE and REDMINE_SECRET_KEY_BASE{_FILE} set, only SECRET_KEY_BASE will apply'
 		echo >&2
 	fi
-	: "${SECRET_KEY_BASE:=$REDMINE_SECRET_KEY_BASE}"
-	if [ -n "$SECRET_KEY_BASE" ]; then
+	: "${SECRET_KEY_BASE:=${REDMINE_SECRET_KEY_BASE:-}}"
+	export SECRET_KEY_BASE
+	if [ -z "$SECRET_KEY_BASE" ]; then
 		# https://github.com/docker-library/redmine/issues/397
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
-		export SECRET_KEY_BASE
+		unset SECRET_KEY_BASE
 	fi
-	# generate SECRET_KEY_BASE if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
-	if [ -z "$SECRET_KEY_BASE" ] && [ ! -f config/initializers/secret_token.rb ]; then
+	# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+	if [ -z "${SECRET_KEY_BASE:-}" ] && [ ! -f config/initializers/secret_token.rb ]; then
 		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
-		unset SECRET_KEY_BASE # just in case
 		rake generate_secret_token
 	fi
 
diff --git a/5.1/trixie/docker-entrypoint.sh b/5.1/trixie/docker-entrypoint.sh
index 87b09cf..f227e5f 100755
--- a/5.1/trixie/docker-entrypoint.sh
+++ b/5.1/trixie/docker-entrypoint.sh
@@ -144,22 +144,22 @@ if [ -n "$isLikelyRedmine" ]; then
 	# just use the rails variable rather than trying to put it into a yml file
 	# https://github.com/rails/rails/blob/6-1-stable/railties/lib/rails/application.rb#L438
 	# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L484 (rails 7.1-stable)
-	if [ -n "${SECRET_KEY_BASE}" ] && [ -n "${REDMINE_SECRET_KEY_BASE}" ]; then
+	if [ -n "${SECRET_KEY_BASE:-}" ] && [ -n "${REDMINE_SECRET_KEY_BASE:-}" ]; then
 		echo >&2
 		echo >&2 'warning: both SECRET_KEY_BASE and REDMINE_SECRET_KEY_BASE{_FILE} set, only SECRET_KEY_BASE will apply'
 		echo >&2
 	fi
-	: "${SECRET_KEY_BASE:=$REDMINE_SECRET_KEY_BASE}"
-	if [ -n "$SECRET_KEY_BASE" ]; then
+	: "${SECRET_KEY_BASE:=${REDMINE_SECRET_KEY_BASE:-}}"
+	export SECRET_KEY_BASE
+	if [ -z "$SECRET_KEY_BASE" ]; then
 		# https://github.com/docker-library/redmine/issues/397
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
-		export SECRET_KEY_BASE
+		unset SECRET_KEY_BASE
 	fi
-	# generate SECRET_KEY_BASE if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
-	if [ -z "$SECRET_KEY_BASE" ] && [ ! -f config/initializers/secret_token.rb ]; then
+	# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+	if [ -z "${SECRET_KEY_BASE:-}" ] && [ ! -f config/initializers/secret_token.rb ]; then
 		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
-		unset SECRET_KEY_BASE # just in case
 		rake generate_secret_token
 	fi
 
diff --git a/6.0/alpine3.21/docker-entrypoint.sh b/6.0/alpine3.21/docker-entrypoint.sh
index 87b09cf..f227e5f 100755
--- a/6.0/alpine3.21/docker-entrypoint.sh
+++ b/6.0/alpine3.21/docker-entrypoint.sh
@@ -144,22 +144,22 @@ if [ -n "$isLikelyRedmine" ]; then
 	# just use the rails variable rather than trying to put it into a yml file
 	# https://github.com/rails/rails/blob/6-1-stable/railties/lib/rails/application.rb#L438
 	# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L484 (rails 7.1-stable)
-	if [ -n "${SECRET_KEY_BASE}" ] && [ -n "${REDMINE_SECRET_KEY_BASE}" ]; then
+	if [ -n "${SECRET_KEY_BASE:-}" ] && [ -n "${REDMINE_SECRET_KEY_BASE:-}" ]; then
 		echo >&2
 		echo >&2 'warning: both SECRET_KEY_BASE and REDMINE_SECRET_KEY_BASE{_FILE} set, only SECRET_KEY_BASE will apply'
 		echo >&2
 	fi
-	: "${SECRET_KEY_BASE:=$REDMINE_SECRET_KEY_BASE}"
-	if [ -n "$SECRET_KEY_BASE" ]; then
+	: "${SECRET_KEY_BASE:=${REDMINE_SECRET_KEY_BASE:-}}"
+	export SECRET_KEY_BASE
+	if [ -z "$SECRET_KEY_BASE" ]; then
 		# https://github.com/docker-library/redmine/issues/397
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
-		export SECRET_KEY_BASE
+		unset SECRET_KEY_BASE
 	fi
-	# generate SECRET_KEY_BASE if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
-	if [ -z "$SECRET_KEY_BASE" ] && [ ! -f config/initializers/secret_token.rb ]; then
+	# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+	if [ -z "${SECRET_KEY_BASE:-}" ] && [ ! -f config/initializers/secret_token.rb ]; then
 		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
-		unset SECRET_KEY_BASE # just in case
 		rake generate_secret_token
 	fi
 
diff --git a/6.0/alpine3.22/docker-entrypoint.sh b/6.0/alpine3.22/docker-entrypoint.sh
index 87b09cf..f227e5f 100755
--- a/6.0/alpine3.22/docker-entrypoint.sh
+++ b/6.0/alpine3.22/docker-entrypoint.sh
@@ -144,22 +144,22 @@ if [ -n "$isLikelyRedmine" ]; then
 	# just use the rails variable rather than trying to put it into a yml file
 	# https://github.com/rails/rails/blob/6-1-stable/railties/lib/rails/application.rb#L438
 	# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L484 (rails 7.1-stable)
-	if [ -n "${SECRET_KEY_BASE}" ] && [ -n "${REDMINE_SECRET_KEY_BASE}" ]; then
+	if [ -n "${SECRET_KEY_BASE:-}" ] && [ -n "${REDMINE_SECRET_KEY_BASE:-}" ]; then
 		echo >&2
 		echo >&2 'warning: both SECRET_KEY_BASE and REDMINE_SECRET_KEY_BASE{_FILE} set, only SECRET_KEY_BASE will apply'
 		echo >&2
 	fi
-	: "${SECRET_KEY_BASE:=$REDMINE_SECRET_KEY_BASE}"
-	if [ -n "$SECRET_KEY_BASE" ]; then
+	: "${SECRET_KEY_BASE:=${REDMINE_SECRET_KEY_BASE:-}}"
+	export SECRET_KEY_BASE
+	if [ -z "$SECRET_KEY_BASE" ]; then
 		# https://github.com/docker-library/redmine/issues/397
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
-		export SECRET_KEY_BASE
+		unset SECRET_KEY_BASE
 	fi
-	# generate SECRET_KEY_BASE if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
-	if [ -z "$SECRET_KEY_BASE" ] && [ ! -f config/initializers/secret_token.rb ]; then
+	# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+	if [ -z "${SECRET_KEY_BASE:-}" ] && [ ! -f config/initializers/secret_token.rb ]; then
 		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
-		unset SECRET_KEY_BASE # just in case
 		rake generate_secret_token
 	fi
 
diff --git a/6.0/bookworm/docker-entrypoint.sh b/6.0/bookworm/docker-entrypoint.sh
index 87b09cf..f227e5f 100755
--- a/6.0/bookworm/docker-entrypoint.sh
+++ b/6.0/bookworm/docker-entrypoint.sh
@@ -144,22 +144,22 @@ if [ -n "$isLikelyRedmine" ]; then
 	# just use the rails variable rather than trying to put it into a yml file
 	# https://github.com/rails/rails/blob/6-1-stable/railties/lib/rails/application.rb#L438
 	# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L484 (rails 7.1-stable)
-	if [ -n "${SECRET_KEY_BASE}" ] && [ -n "${REDMINE_SECRET_KEY_BASE}" ]; then
+	if [ -n "${SECRET_KEY_BASE:-}" ] && [ -n "${REDMINE_SECRET_KEY_BASE:-}" ]; then
 		echo >&2
 		echo >&2 'warning: both SECRET_KEY_BASE and REDMINE_SECRET_KEY_BASE{_FILE} set, only SECRET_KEY_BASE will apply'
 		echo >&2
 	fi
-	: "${SECRET_KEY_BASE:=$REDMINE_SECRET_KEY_BASE}"
-	if [ -n "$SECRET_KEY_BASE" ]; then
+	: "${SECRET_KEY_BASE:=${REDMINE_SECRET_KEY_BASE:-}}"
+	export SECRET_KEY_BASE
+	if [ -z "$SECRET_KEY_BASE" ]; then
 		# https://github.com/docker-library/redmine/issues/397
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
-		export SECRET_KEY_BASE
+		unset SECRET_KEY_BASE
 	fi
-	# generate SECRET_KEY_BASE if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
-	if [ -z "$SECRET_KEY_BASE" ] && [ ! -f config/initializers/secret_token.rb ]; then
+	# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+	if [ -z "${SECRET_KEY_BASE:-}" ] && [ ! -f config/initializers/secret_token.rb ]; then
 		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
-		unset SECRET_KEY_BASE # just in case
 		rake generate_secret_token
 	fi
 
diff --git a/6.0/trixie/docker-entrypoint.sh b/6.0/trixie/docker-entrypoint.sh
index 87b09cf..f227e5f 100755
--- a/6.0/trixie/docker-entrypoint.sh
+++ b/6.0/trixie/docker-entrypoint.sh
@@ -144,22 +144,22 @@ if [ -n "$isLikelyRedmine" ]; then
 	# just use the rails variable rather than trying to put it into a yml file
 	# https://github.com/rails/rails/blob/6-1-stable/railties/lib/rails/application.rb#L438
 	# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L484 (rails 7.1-stable)
-	if [ -n "${SECRET_KEY_BASE}" ] && [ -n "${REDMINE_SECRET_KEY_BASE}" ]; then
+	if [ -n "${SECRET_KEY_BASE:-}" ] && [ -n "${REDMINE_SECRET_KEY_BASE:-}" ]; then
 		echo >&2
 		echo >&2 'warning: both SECRET_KEY_BASE and REDMINE_SECRET_KEY_BASE{_FILE} set, only SECRET_KEY_BASE will apply'
 		echo >&2
 	fi
-	: "${SECRET_KEY_BASE:=$REDMINE_SECRET_KEY_BASE}"
-	if [ -n "$SECRET_KEY_BASE" ]; then
+	: "${SECRET_KEY_BASE:=${REDMINE_SECRET_KEY_BASE:-}}"
+	export SECRET_KEY_BASE
+	if [ -z "$SECRET_KEY_BASE" ]; then
 		# https://github.com/docker-library/redmine/issues/397
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
-		export SECRET_KEY_BASE
+		unset SECRET_KEY_BASE
 	fi
-	# generate SECRET_KEY_BASE if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
-	if [ -z "$SECRET_KEY_BASE" ] && [ ! -f config/initializers/secret_token.rb ]; then
+	# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+	if [ -z "${SECRET_KEY_BASE:-}" ] && [ ! -f config/initializers/secret_token.rb ]; then
 		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
-		unset SECRET_KEY_BASE # just in case
 		rake generate_secret_token
 	fi
 
diff --git a/6.1/alpine3.21/docker-entrypoint.sh b/6.1/alpine3.21/docker-entrypoint.sh
index 87b09cf..f227e5f 100755
--- a/6.1/alpine3.21/docker-entrypoint.sh
+++ b/6.1/alpine3.21/docker-entrypoint.sh
@@ -144,22 +144,22 @@ if [ -n "$isLikelyRedmine" ]; then
 	# just use the rails variable rather than trying to put it into a yml file
 	# https://github.com/rails/rails/blob/6-1-stable/railties/lib/rails/application.rb#L438
 	# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L484 (rails 7.1-stable)
-	if [ -n "${SECRET_KEY_BASE}" ] && [ -n "${REDMINE_SECRET_KEY_BASE}" ]; then
+	if [ -n "${SECRET_KEY_BASE:-}" ] && [ -n "${REDMINE_SECRET_KEY_BASE:-}" ]; then
 		echo >&2
 		echo >&2 'warning: both SECRET_KEY_BASE and REDMINE_SECRET_KEY_BASE{_FILE} set, only SECRET_KEY_BASE will apply'
 		echo >&2
 	fi
-	: "${SECRET_KEY_BASE:=$REDMINE_SECRET_KEY_BASE}"
-	if [ -n "$SECRET_KEY_BASE" ]; then
+	: "${SECRET_KEY_BASE:=${REDMINE_SECRET_KEY_BASE:-}}"
+	export SECRET_KEY_BASE
+	if [ -z "$SECRET_KEY_BASE" ]; then
 		# https://github.com/docker-library/redmine/issues/397
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
-		export SECRET_KEY_BASE
+		unset SECRET_KEY_BASE
 	fi
-	# generate SECRET_KEY_BASE if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
-	if [ -z "$SECRET_KEY_BASE" ] && [ ! -f config/initializers/secret_token.rb ]; then
+	# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+	if [ -z "${SECRET_KEY_BASE:-}" ] && [ ! -f config/initializers/secret_token.rb ]; then
 		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
-		unset SECRET_KEY_BASE # just in case
 		rake generate_secret_token
 	fi
 
diff --git a/6.1/alpine3.22/docker-entrypoint.sh b/6.1/alpine3.22/docker-entrypoint.sh
index 87b09cf..f227e5f 100755
--- a/6.1/alpine3.22/docker-entrypoint.sh
+++ b/6.1/alpine3.22/docker-entrypoint.sh
@@ -144,22 +144,22 @@ if [ -n "$isLikelyRedmine" ]; then
 	# just use the rails variable rather than trying to put it into a yml file
 	# https://github.com/rails/rails/blob/6-1-stable/railties/lib/rails/application.rb#L438
 	# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L484 (rails 7.1-stable)
-	if [ -n "${SECRET_KEY_BASE}" ] && [ -n "${REDMINE_SECRET_KEY_BASE}" ]; then
+	if [ -n "${SECRET_KEY_BASE:-}" ] && [ -n "${REDMINE_SECRET_KEY_BASE:-}" ]; then
 		echo >&2
 		echo >&2 'warning: both SECRET_KEY_BASE and REDMINE_SECRET_KEY_BASE{_FILE} set, only SECRET_KEY_BASE will apply'
 		echo >&2
 	fi
-	: "${SECRET_KEY_BASE:=$REDMINE_SECRET_KEY_BASE}"
-	if [ -n "$SECRET_KEY_BASE" ]; then
+	: "${SECRET_KEY_BASE:=${REDMINE_SECRET_KEY_BASE:-}}"
+	export SECRET_KEY_BASE
+	if [ -z "$SECRET_KEY_BASE" ]; then
 		# https://github.com/docker-library/redmine/issues/397
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
-		export SECRET_KEY_BASE
+		unset SECRET_KEY_BASE
 	fi
-	# generate SECRET_KEY_BASE if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
-	if [ -z "$SECRET_KEY_BASE" ] && [ ! -f config/initializers/secret_token.rb ]; then
+	# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+	if [ -z "${SECRET_KEY_BASE:-}" ] && [ ! -f config/initializers/secret_token.rb ]; then
 		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
-		unset SECRET_KEY_BASE # just in case
 		rake generate_secret_token
 	fi
 
diff --git a/6.1/bookworm/docker-entrypoint.sh b/6.1/bookworm/docker-entrypoint.sh
index 87b09cf..f227e5f 100755
--- a/6.1/bookworm/docker-entrypoint.sh
+++ b/6.1/bookworm/docker-entrypoint.sh
@@ -144,22 +144,22 @@ if [ -n "$isLikelyRedmine" ]; then
 	# just use the rails variable rather than trying to put it into a yml file
 	# https://github.com/rails/rails/blob/6-1-stable/railties/lib/rails/application.rb#L438
 	# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L484 (rails 7.1-stable)
-	if [ -n "${SECRET_KEY_BASE}" ] && [ -n "${REDMINE_SECRET_KEY_BASE}" ]; then
+	if [ -n "${SECRET_KEY_BASE:-}" ] && [ -n "${REDMINE_SECRET_KEY_BASE:-}" ]; then
 		echo >&2
 		echo >&2 'warning: both SECRET_KEY_BASE and REDMINE_SECRET_KEY_BASE{_FILE} set, only SECRET_KEY_BASE will apply'
 		echo >&2
 	fi
-	: "${SECRET_KEY_BASE:=$REDMINE_SECRET_KEY_BASE}"
-	if [ -n "$SECRET_KEY_BASE" ]; then
+	: "${SECRET_KEY_BASE:=${REDMINE_SECRET_KEY_BASE:-}}"
+	export SECRET_KEY_BASE
+	if [ -z "$SECRET_KEY_BASE" ]; then
 		# https://github.com/docker-library/redmine/issues/397
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
-		export SECRET_KEY_BASE
+		unset SECRET_KEY_BASE
 	fi
-	# generate SECRET_KEY_BASE if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
-	if [ -z "$SECRET_KEY_BASE" ] && [ ! -f config/initializers/secret_token.rb ]; then
+	# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+	if [ -z "${SECRET_KEY_BASE:-}" ] && [ ! -f config/initializers/secret_token.rb ]; then
 		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
-		unset SECRET_KEY_BASE # just in case
 		rake generate_secret_token
 	fi
 
diff --git a/6.1/trixie/docker-entrypoint.sh b/6.1/trixie/docker-entrypoint.sh
index 87b09cf..f227e5f 100755
--- a/6.1/trixie/docker-entrypoint.sh
+++ b/6.1/trixie/docker-entrypoint.sh
@@ -144,22 +144,22 @@ if [ -n "$isLikelyRedmine" ]; then
 	# just use the rails variable rather than trying to put it into a yml file
 	# https://github.com/rails/rails/blob/6-1-stable/railties/lib/rails/application.rb#L438
 	# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L484 (rails 7.1-stable)
-	if [ -n "${SECRET_KEY_BASE}" ] && [ -n "${REDMINE_SECRET_KEY_BASE}" ]; then
+	if [ -n "${SECRET_KEY_BASE:-}" ] && [ -n "${REDMINE_SECRET_KEY_BASE:-}" ]; then
 		echo >&2
 		echo >&2 'warning: both SECRET_KEY_BASE and REDMINE_SECRET_KEY_BASE{_FILE} set, only SECRET_KEY_BASE will apply'
 		echo >&2
 	fi
-	: "${SECRET_KEY_BASE:=$REDMINE_SECRET_KEY_BASE}"
-	if [ -n "$SECRET_KEY_BASE" ]; then
+	: "${SECRET_KEY_BASE:=${REDMINE_SECRET_KEY_BASE:-}}"
+	export SECRET_KEY_BASE
+	if [ -z "$SECRET_KEY_BASE" ]; then
 		# https://github.com/docker-library/redmine/issues/397
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
-		export SECRET_KEY_BASE
+		unset SECRET_KEY_BASE
 	fi
-	# generate SECRET_KEY_BASE if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
-	if [ -z "$SECRET_KEY_BASE" ] && [ ! -f config/initializers/secret_token.rb ]; then
+	# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+	if [ -z "${SECRET_KEY_BASE:-}" ] && [ ! -f config/initializers/secret_token.rb ]; then
 		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
-		unset SECRET_KEY_BASE # just in case
 		rake generate_secret_token
 	fi
 
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index 87b09cf..f227e5f 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -144,22 +144,22 @@ if [ -n "$isLikelyRedmine" ]; then
 	# just use the rails variable rather than trying to put it into a yml file
 	# https://github.com/rails/rails/blob/6-1-stable/railties/lib/rails/application.rb#L438
 	# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L484 (rails 7.1-stable)
-	if [ -n "${SECRET_KEY_BASE}" ] && [ -n "${REDMINE_SECRET_KEY_BASE}" ]; then
+	if [ -n "${SECRET_KEY_BASE:-}" ] && [ -n "${REDMINE_SECRET_KEY_BASE:-}" ]; then
 		echo >&2
 		echo >&2 'warning: both SECRET_KEY_BASE and REDMINE_SECRET_KEY_BASE{_FILE} set, only SECRET_KEY_BASE will apply'
 		echo >&2
 	fi
-	: "${SECRET_KEY_BASE:=$REDMINE_SECRET_KEY_BASE}"
-	if [ -n "$SECRET_KEY_BASE" ]; then
+	: "${SECRET_KEY_BASE:=${REDMINE_SECRET_KEY_BASE:-}}"
+	export SECRET_KEY_BASE
+	if [ -z "$SECRET_KEY_BASE" ]; then
 		# https://github.com/docker-library/redmine/issues/397
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
-		export SECRET_KEY_BASE
+		unset SECRET_KEY_BASE
 	fi
-	# generate SECRET_KEY_BASE if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
-	if [ -z "$SECRET_KEY_BASE" ] && [ ! -f config/initializers/secret_token.rb ]; then
+	# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+	if [ -z "${SECRET_KEY_BASE:-}" ] && [ ! -f config/initializers/secret_token.rb ]; then
 		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
-		unset SECRET_KEY_BASE # just in case
 		rake generate_secret_token
 	fi
 

From d0061c1063ebc1e46ec4924ed010aca3e61ef47e Mon Sep 17 00:00:00 2001
From: Tianon Gravi <admwiggin@gmail.com>
Date: Wed, 8 Oct 2025 14:56:15 -0700
Subject: [PATCH 3/4] Moar review

---
 5.1/alpine3.21/docker-entrypoint.sh | 12 +++++++-----
 5.1/alpine3.22/docker-entrypoint.sh | 12 +++++++-----
 5.1/bookworm/docker-entrypoint.sh   | 12 +++++++-----
 5.1/trixie/docker-entrypoint.sh     | 12 +++++++-----
 6.0/alpine3.21/docker-entrypoint.sh | 12 +++++++-----
 6.0/alpine3.22/docker-entrypoint.sh | 12 +++++++-----
 6.0/bookworm/docker-entrypoint.sh   | 12 +++++++-----
 6.0/trixie/docker-entrypoint.sh     | 12 +++++++-----
 6.1/alpine3.21/docker-entrypoint.sh | 12 +++++++-----
 6.1/alpine3.22/docker-entrypoint.sh | 12 +++++++-----
 6.1/bookworm/docker-entrypoint.sh   | 12 +++++++-----
 6.1/trixie/docker-entrypoint.sh     | 12 +++++++-----
 docker-entrypoint.sh                | 12 +++++++-----
 13 files changed, 91 insertions(+), 65 deletions(-)

diff --git a/5.1/alpine3.21/docker-entrypoint.sh b/5.1/alpine3.21/docker-entrypoint.sh
index f227e5f..b5e7597 100755
--- a/5.1/alpine3.21/docker-entrypoint.sh
+++ b/5.1/alpine3.21/docker-entrypoint.sh
@@ -156,11 +156,13 @@ if [ -n "$isLikelyRedmine" ]; then
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
 		unset SECRET_KEY_BASE
-	fi
-	# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
-	if [ -z "${SECRET_KEY_BASE:-}" ] && [ ! -f config/initializers/secret_token.rb ]; then
-		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
-		rake generate_secret_token
+		# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+		if [ ! -f config/initializers/secret_token.rb ]; then
+			echo >&2
+			echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
+			echo >&2
+			rake generate_secret_token
+		fi
 	fi
 
 	if [ "$1" != 'rake' -a -z "$REDMINE_NO_DB_MIGRATE" ]; then
diff --git a/5.1/alpine3.22/docker-entrypoint.sh b/5.1/alpine3.22/docker-entrypoint.sh
index f227e5f..b5e7597 100755
--- a/5.1/alpine3.22/docker-entrypoint.sh
+++ b/5.1/alpine3.22/docker-entrypoint.sh
@@ -156,11 +156,13 @@ if [ -n "$isLikelyRedmine" ]; then
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
 		unset SECRET_KEY_BASE
-	fi
-	# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
-	if [ -z "${SECRET_KEY_BASE:-}" ] && [ ! -f config/initializers/secret_token.rb ]; then
-		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
-		rake generate_secret_token
+		# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+		if [ ! -f config/initializers/secret_token.rb ]; then
+			echo >&2
+			echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
+			echo >&2
+			rake generate_secret_token
+		fi
 	fi
 
 	if [ "$1" != 'rake' -a -z "$REDMINE_NO_DB_MIGRATE" ]; then
diff --git a/5.1/bookworm/docker-entrypoint.sh b/5.1/bookworm/docker-entrypoint.sh
index f227e5f..b5e7597 100755
--- a/5.1/bookworm/docker-entrypoint.sh
+++ b/5.1/bookworm/docker-entrypoint.sh
@@ -156,11 +156,13 @@ if [ -n "$isLikelyRedmine" ]; then
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
 		unset SECRET_KEY_BASE
-	fi
-	# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
-	if [ -z "${SECRET_KEY_BASE:-}" ] && [ ! -f config/initializers/secret_token.rb ]; then
-		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
-		rake generate_secret_token
+		# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+		if [ ! -f config/initializers/secret_token.rb ]; then
+			echo >&2
+			echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
+			echo >&2
+			rake generate_secret_token
+		fi
 	fi
 
 	if [ "$1" != 'rake' -a -z "$REDMINE_NO_DB_MIGRATE" ]; then
diff --git a/5.1/trixie/docker-entrypoint.sh b/5.1/trixie/docker-entrypoint.sh
index f227e5f..b5e7597 100755
--- a/5.1/trixie/docker-entrypoint.sh
+++ b/5.1/trixie/docker-entrypoint.sh
@@ -156,11 +156,13 @@ if [ -n "$isLikelyRedmine" ]; then
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
 		unset SECRET_KEY_BASE
-	fi
-	# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
-	if [ -z "${SECRET_KEY_BASE:-}" ] && [ ! -f config/initializers/secret_token.rb ]; then
-		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
-		rake generate_secret_token
+		# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+		if [ ! -f config/initializers/secret_token.rb ]; then
+			echo >&2
+			echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
+			echo >&2
+			rake generate_secret_token
+		fi
 	fi
 
 	if [ "$1" != 'rake' -a -z "$REDMINE_NO_DB_MIGRATE" ]; then
diff --git a/6.0/alpine3.21/docker-entrypoint.sh b/6.0/alpine3.21/docker-entrypoint.sh
index f227e5f..b5e7597 100755
--- a/6.0/alpine3.21/docker-entrypoint.sh
+++ b/6.0/alpine3.21/docker-entrypoint.sh
@@ -156,11 +156,13 @@ if [ -n "$isLikelyRedmine" ]; then
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
 		unset SECRET_KEY_BASE
-	fi
-	# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
-	if [ -z "${SECRET_KEY_BASE:-}" ] && [ ! -f config/initializers/secret_token.rb ]; then
-		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
-		rake generate_secret_token
+		# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+		if [ ! -f config/initializers/secret_token.rb ]; then
+			echo >&2
+			echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
+			echo >&2
+			rake generate_secret_token
+		fi
 	fi
 
 	if [ "$1" != 'rake' -a -z "$REDMINE_NO_DB_MIGRATE" ]; then
diff --git a/6.0/alpine3.22/docker-entrypoint.sh b/6.0/alpine3.22/docker-entrypoint.sh
index f227e5f..b5e7597 100755
--- a/6.0/alpine3.22/docker-entrypoint.sh
+++ b/6.0/alpine3.22/docker-entrypoint.sh
@@ -156,11 +156,13 @@ if [ -n "$isLikelyRedmine" ]; then
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
 		unset SECRET_KEY_BASE
-	fi
-	# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
-	if [ -z "${SECRET_KEY_BASE:-}" ] && [ ! -f config/initializers/secret_token.rb ]; then
-		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
-		rake generate_secret_token
+		# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+		if [ ! -f config/initializers/secret_token.rb ]; then
+			echo >&2
+			echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
+			echo >&2
+			rake generate_secret_token
+		fi
 	fi
 
 	if [ "$1" != 'rake' -a -z "$REDMINE_NO_DB_MIGRATE" ]; then
diff --git a/6.0/bookworm/docker-entrypoint.sh b/6.0/bookworm/docker-entrypoint.sh
index f227e5f..b5e7597 100755
--- a/6.0/bookworm/docker-entrypoint.sh
+++ b/6.0/bookworm/docker-entrypoint.sh
@@ -156,11 +156,13 @@ if [ -n "$isLikelyRedmine" ]; then
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
 		unset SECRET_KEY_BASE
-	fi
-	# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
-	if [ -z "${SECRET_KEY_BASE:-}" ] && [ ! -f config/initializers/secret_token.rb ]; then
-		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
-		rake generate_secret_token
+		# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+		if [ ! -f config/initializers/secret_token.rb ]; then
+			echo >&2
+			echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
+			echo >&2
+			rake generate_secret_token
+		fi
 	fi
 
 	if [ "$1" != 'rake' -a -z "$REDMINE_NO_DB_MIGRATE" ]; then
diff --git a/6.0/trixie/docker-entrypoint.sh b/6.0/trixie/docker-entrypoint.sh
index f227e5f..b5e7597 100755
--- a/6.0/trixie/docker-entrypoint.sh
+++ b/6.0/trixie/docker-entrypoint.sh
@@ -156,11 +156,13 @@ if [ -n "$isLikelyRedmine" ]; then
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
 		unset SECRET_KEY_BASE
-	fi
-	# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
-	if [ -z "${SECRET_KEY_BASE:-}" ] && [ ! -f config/initializers/secret_token.rb ]; then
-		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
-		rake generate_secret_token
+		# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+		if [ ! -f config/initializers/secret_token.rb ]; then
+			echo >&2
+			echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
+			echo >&2
+			rake generate_secret_token
+		fi
 	fi
 
 	if [ "$1" != 'rake' -a -z "$REDMINE_NO_DB_MIGRATE" ]; then
diff --git a/6.1/alpine3.21/docker-entrypoint.sh b/6.1/alpine3.21/docker-entrypoint.sh
index f227e5f..b5e7597 100755
--- a/6.1/alpine3.21/docker-entrypoint.sh
+++ b/6.1/alpine3.21/docker-entrypoint.sh
@@ -156,11 +156,13 @@ if [ -n "$isLikelyRedmine" ]; then
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
 		unset SECRET_KEY_BASE
-	fi
-	# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
-	if [ -z "${SECRET_KEY_BASE:-}" ] && [ ! -f config/initializers/secret_token.rb ]; then
-		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
-		rake generate_secret_token
+		# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+		if [ ! -f config/initializers/secret_token.rb ]; then
+			echo >&2
+			echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
+			echo >&2
+			rake generate_secret_token
+		fi
 	fi
 
 	if [ "$1" != 'rake' -a -z "$REDMINE_NO_DB_MIGRATE" ]; then
diff --git a/6.1/alpine3.22/docker-entrypoint.sh b/6.1/alpine3.22/docker-entrypoint.sh
index f227e5f..b5e7597 100755
--- a/6.1/alpine3.22/docker-entrypoint.sh
+++ b/6.1/alpine3.22/docker-entrypoint.sh
@@ -156,11 +156,13 @@ if [ -n "$isLikelyRedmine" ]; then
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
 		unset SECRET_KEY_BASE
-	fi
-	# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
-	if [ -z "${SECRET_KEY_BASE:-}" ] && [ ! -f config/initializers/secret_token.rb ]; then
-		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
-		rake generate_secret_token
+		# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+		if [ ! -f config/initializers/secret_token.rb ]; then
+			echo >&2
+			echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
+			echo >&2
+			rake generate_secret_token
+		fi
 	fi
 
 	if [ "$1" != 'rake' -a -z "$REDMINE_NO_DB_MIGRATE" ]; then
diff --git a/6.1/bookworm/docker-entrypoint.sh b/6.1/bookworm/docker-entrypoint.sh
index f227e5f..b5e7597 100755
--- a/6.1/bookworm/docker-entrypoint.sh
+++ b/6.1/bookworm/docker-entrypoint.sh
@@ -156,11 +156,13 @@ if [ -n "$isLikelyRedmine" ]; then
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
 		unset SECRET_KEY_BASE
-	fi
-	# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
-	if [ -z "${SECRET_KEY_BASE:-}" ] && [ ! -f config/initializers/secret_token.rb ]; then
-		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
-		rake generate_secret_token
+		# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+		if [ ! -f config/initializers/secret_token.rb ]; then
+			echo >&2
+			echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
+			echo >&2
+			rake generate_secret_token
+		fi
 	fi
 
 	if [ "$1" != 'rake' -a -z "$REDMINE_NO_DB_MIGRATE" ]; then
diff --git a/6.1/trixie/docker-entrypoint.sh b/6.1/trixie/docker-entrypoint.sh
index f227e5f..b5e7597 100755
--- a/6.1/trixie/docker-entrypoint.sh
+++ b/6.1/trixie/docker-entrypoint.sh
@@ -156,11 +156,13 @@ if [ -n "$isLikelyRedmine" ]; then
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
 		unset SECRET_KEY_BASE
-	fi
-	# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
-	if [ -z "${SECRET_KEY_BASE:-}" ] && [ ! -f config/initializers/secret_token.rb ]; then
-		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
-		rake generate_secret_token
+		# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+		if [ ! -f config/initializers/secret_token.rb ]; then
+			echo >&2
+			echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
+			echo >&2
+			rake generate_secret_token
+		fi
 	fi
 
 	if [ "$1" != 'rake' -a -z "$REDMINE_NO_DB_MIGRATE" ]; then
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index f227e5f..b5e7597 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -156,11 +156,13 @@ if [ -n "$isLikelyRedmine" ]; then
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
 		unset SECRET_KEY_BASE
-	fi
-	# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
-	if [ -z "${SECRET_KEY_BASE:-}" ] && [ ! -f config/initializers/secret_token.rb ]; then
-		echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
-		rake generate_secret_token
+		# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+		if [ ! -f config/initializers/secret_token.rb ]; then
+			echo >&2
+			echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
+			echo >&2
+			rake generate_secret_token
+		fi
 	fi
 
 	if [ "$1" != 'rake' -a -z "$REDMINE_NO_DB_MIGRATE" ]; then

From 6c7c2dee6792c7fcb4990b6f29f2f7743682c740 Mon Sep 17 00:00:00 2001
From: Tianon Gravi <admwiggin@gmail.com>
Date: Wed, 8 Oct 2025 15:09:17 -0700
Subject: [PATCH 4/4] ![no more](https://i.ytimg.com/vi/BpfNmY-DFzE/hq720.jpg)

---
 5.1/alpine3.21/docker-entrypoint.sh | 2 +-
 5.1/alpine3.22/docker-entrypoint.sh | 2 +-
 5.1/bookworm/docker-entrypoint.sh   | 2 +-
 5.1/trixie/docker-entrypoint.sh     | 2 +-
 6.0/alpine3.21/docker-entrypoint.sh | 2 +-
 6.0/alpine3.22/docker-entrypoint.sh | 2 +-
 6.0/bookworm/docker-entrypoint.sh   | 2 +-
 6.0/trixie/docker-entrypoint.sh     | 2 +-
 6.1/alpine3.21/docker-entrypoint.sh | 2 +-
 6.1/alpine3.22/docker-entrypoint.sh | 2 +-
 6.1/bookworm/docker-entrypoint.sh   | 2 +-
 6.1/trixie/docker-entrypoint.sh     | 2 +-
 docker-entrypoint.sh                | 2 +-
 13 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/5.1/alpine3.21/docker-entrypoint.sh b/5.1/alpine3.21/docker-entrypoint.sh
index b5e7597..f956052 100755
--- a/5.1/alpine3.21/docker-entrypoint.sh
+++ b/5.1/alpine3.21/docker-entrypoint.sh
@@ -156,7 +156,7 @@ if [ -n "$isLikelyRedmine" ]; then
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
 		unset SECRET_KEY_BASE
-		# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+		# generate SECRET_KEY_BASE in-file since it is not set or empty; this is not recommended unless the secret_token.rb is saved when container is recreated
 		if [ ! -f config/initializers/secret_token.rb ]; then
 			echo >&2
 			echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
diff --git a/5.1/alpine3.22/docker-entrypoint.sh b/5.1/alpine3.22/docker-entrypoint.sh
index b5e7597..f956052 100755
--- a/5.1/alpine3.22/docker-entrypoint.sh
+++ b/5.1/alpine3.22/docker-entrypoint.sh
@@ -156,7 +156,7 @@ if [ -n "$isLikelyRedmine" ]; then
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
 		unset SECRET_KEY_BASE
-		# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+		# generate SECRET_KEY_BASE in-file since it is not set or empty; this is not recommended unless the secret_token.rb is saved when container is recreated
 		if [ ! -f config/initializers/secret_token.rb ]; then
 			echo >&2
 			echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
diff --git a/5.1/bookworm/docker-entrypoint.sh b/5.1/bookworm/docker-entrypoint.sh
index b5e7597..f956052 100755
--- a/5.1/bookworm/docker-entrypoint.sh
+++ b/5.1/bookworm/docker-entrypoint.sh
@@ -156,7 +156,7 @@ if [ -n "$isLikelyRedmine" ]; then
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
 		unset SECRET_KEY_BASE
-		# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+		# generate SECRET_KEY_BASE in-file since it is not set or empty; this is not recommended unless the secret_token.rb is saved when container is recreated
 		if [ ! -f config/initializers/secret_token.rb ]; then
 			echo >&2
 			echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
diff --git a/5.1/trixie/docker-entrypoint.sh b/5.1/trixie/docker-entrypoint.sh
index b5e7597..f956052 100755
--- a/5.1/trixie/docker-entrypoint.sh
+++ b/5.1/trixie/docker-entrypoint.sh
@@ -156,7 +156,7 @@ if [ -n "$isLikelyRedmine" ]; then
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
 		unset SECRET_KEY_BASE
-		# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+		# generate SECRET_KEY_BASE in-file since it is not set or empty; this is not recommended unless the secret_token.rb is saved when container is recreated
 		if [ ! -f config/initializers/secret_token.rb ]; then
 			echo >&2
 			echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
diff --git a/6.0/alpine3.21/docker-entrypoint.sh b/6.0/alpine3.21/docker-entrypoint.sh
index b5e7597..f956052 100755
--- a/6.0/alpine3.21/docker-entrypoint.sh
+++ b/6.0/alpine3.21/docker-entrypoint.sh
@@ -156,7 +156,7 @@ if [ -n "$isLikelyRedmine" ]; then
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
 		unset SECRET_KEY_BASE
-		# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+		# generate SECRET_KEY_BASE in-file since it is not set or empty; this is not recommended unless the secret_token.rb is saved when container is recreated
 		if [ ! -f config/initializers/secret_token.rb ]; then
 			echo >&2
 			echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
diff --git a/6.0/alpine3.22/docker-entrypoint.sh b/6.0/alpine3.22/docker-entrypoint.sh
index b5e7597..f956052 100755
--- a/6.0/alpine3.22/docker-entrypoint.sh
+++ b/6.0/alpine3.22/docker-entrypoint.sh
@@ -156,7 +156,7 @@ if [ -n "$isLikelyRedmine" ]; then
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
 		unset SECRET_KEY_BASE
-		# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+		# generate SECRET_KEY_BASE in-file since it is not set or empty; this is not recommended unless the secret_token.rb is saved when container is recreated
 		if [ ! -f config/initializers/secret_token.rb ]; then
 			echo >&2
 			echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
diff --git a/6.0/bookworm/docker-entrypoint.sh b/6.0/bookworm/docker-entrypoint.sh
index b5e7597..f956052 100755
--- a/6.0/bookworm/docker-entrypoint.sh
+++ b/6.0/bookworm/docker-entrypoint.sh
@@ -156,7 +156,7 @@ if [ -n "$isLikelyRedmine" ]; then
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
 		unset SECRET_KEY_BASE
-		# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+		# generate SECRET_KEY_BASE in-file since it is not set or empty; this is not recommended unless the secret_token.rb is saved when container is recreated
 		if [ ! -f config/initializers/secret_token.rb ]; then
 			echo >&2
 			echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
diff --git a/6.0/trixie/docker-entrypoint.sh b/6.0/trixie/docker-entrypoint.sh
index b5e7597..f956052 100755
--- a/6.0/trixie/docker-entrypoint.sh
+++ b/6.0/trixie/docker-entrypoint.sh
@@ -156,7 +156,7 @@ if [ -n "$isLikelyRedmine" ]; then
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
 		unset SECRET_KEY_BASE
-		# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+		# generate SECRET_KEY_BASE in-file since it is not set or empty; this is not recommended unless the secret_token.rb is saved when container is recreated
 		if [ ! -f config/initializers/secret_token.rb ]; then
 			echo >&2
 			echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
diff --git a/6.1/alpine3.21/docker-entrypoint.sh b/6.1/alpine3.21/docker-entrypoint.sh
index b5e7597..f956052 100755
--- a/6.1/alpine3.21/docker-entrypoint.sh
+++ b/6.1/alpine3.21/docker-entrypoint.sh
@@ -156,7 +156,7 @@ if [ -n "$isLikelyRedmine" ]; then
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
 		unset SECRET_KEY_BASE
-		# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+		# generate SECRET_KEY_BASE in-file since it is not set or empty; this is not recommended unless the secret_token.rb is saved when container is recreated
 		if [ ! -f config/initializers/secret_token.rb ]; then
 			echo >&2
 			echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
diff --git a/6.1/alpine3.22/docker-entrypoint.sh b/6.1/alpine3.22/docker-entrypoint.sh
index b5e7597..f956052 100755
--- a/6.1/alpine3.22/docker-entrypoint.sh
+++ b/6.1/alpine3.22/docker-entrypoint.sh
@@ -156,7 +156,7 @@ if [ -n "$isLikelyRedmine" ]; then
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
 		unset SECRET_KEY_BASE
-		# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+		# generate SECRET_KEY_BASE in-file since it is not set or empty; this is not recommended unless the secret_token.rb is saved when container is recreated
 		if [ ! -f config/initializers/secret_token.rb ]; then
 			echo >&2
 			echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
diff --git a/6.1/bookworm/docker-entrypoint.sh b/6.1/bookworm/docker-entrypoint.sh
index b5e7597..f956052 100755
--- a/6.1/bookworm/docker-entrypoint.sh
+++ b/6.1/bookworm/docker-entrypoint.sh
@@ -156,7 +156,7 @@ if [ -n "$isLikelyRedmine" ]; then
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
 		unset SECRET_KEY_BASE
-		# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+		# generate SECRET_KEY_BASE in-file since it is not set or empty; this is not recommended unless the secret_token.rb is saved when container is recreated
 		if [ ! -f config/initializers/secret_token.rb ]; then
 			echo >&2
 			echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
diff --git a/6.1/trixie/docker-entrypoint.sh b/6.1/trixie/docker-entrypoint.sh
index b5e7597..f956052 100755
--- a/6.1/trixie/docker-entrypoint.sh
+++ b/6.1/trixie/docker-entrypoint.sh
@@ -156,7 +156,7 @@ if [ -n "$isLikelyRedmine" ]; then
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
 		unset SECRET_KEY_BASE
-		# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+		# generate SECRET_KEY_BASE in-file since it is not set or empty; this is not recommended unless the secret_token.rb is saved when container is recreated
 		if [ ! -f config/initializers/secret_token.rb ]; then
 			echo >&2
 			echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index b5e7597..f956052 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -156,7 +156,7 @@ if [ -n "$isLikelyRedmine" ]; then
 		# empty string is truthy in ruby and so masks the generated fallback config
 		# https://github.com/rails/rails/blob/1aa9987169213ce5ce43c20b2643bc64c235e792/railties/lib/rails/application.rb#L454
 		unset SECRET_KEY_BASE
-		# generate SECRET_KEY_BASE in-file if not set; this is not recommended unless the secret_token.rb is saved when container is recreated
+		# generate SECRET_KEY_BASE in-file since it is not set or empty; this is not recommended unless the secret_token.rb is saved when container is recreated
 		if [ ! -f config/initializers/secret_token.rb ]; then
 			echo >&2
 			echo >&2 'warning: no *SECRET_KEY_BASE set; running `rake generate_secret_token` to create one in "config/initializers/secret_token.rb"'