chore(release): 8.0.6 [skip ci]

## [8.0.6](https://github.com/mediacms-io/mediacms/compare/v8.0.5...v8.0.6) (2026-05-11)

### Bug Fixes

* better place secret key settings ([4f11add](https://github.com/mediacms-io/mediacms/commit/4f11addcfd6657e7e63eed0570b1d4d9bca75698))

.gitignore

@@ -37,3 +37,5 @@ frontend-tools/chapters-editor/client/public/videos/sample-video.mp3
 static/chapters_editor/videos/sample-video.mp3
 static/video_editor/videos/sample-video.mp3
 templates/todo-MS4.md
+.secret_key
+.secret_key.lock

CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## [8.0.6](https://github.com/mediacms-io/mediacms/compare/v8.0.5...v8.0.6) (2026-05-11)
+
+### Bug Fixes
+
+* better place secret key settings ([4f11add](https://github.com/mediacms-io/mediacms/commit/4f11addcfd6657e7e63eed0570b1d4d9bca75698))
+
+## [8.0.5](https://github.com/mediacms-io/mediacms/compare/v8.0.4...v8.0.5) (2026-05-11)
+
+### Bug Fixes
+
+* add secret key to gitignore ([b6da9c4](https://github.com/mediacms-io/mediacms/commit/b6da9c4662b3fba234b8dc69700ffa44fced7482))
+
 ## [8.0.4](https://github.com/mediacms-io/mediacms/compare/v8.0.3...v8.0.4) (2026-05-11)
 
 ### Bug Fixes

cms/settings.py

@@ -1,7 +1,6 @@
 import os
 
 from celery.schedules import crontab
-from django.core.management.utils import get_random_secret_key
 from django.utils.translation import gettext_lazy as _
 
 DEBUG = False
@@ -172,30 +171,19 @@ REST_FRAMEWORK = {
 }
 
 
-# Set the SECRET_KEY env var in production. If unset, a fresh random key is
+# In docker, deploy/docker/entrypoint.sh ensures the SECRET_KEY env var is
-# generated or read from a .secret_key file to ensure all workers share the same key.
+# set (generating .secret_key once on first start if needed). Outside docker,
-def get_secret_key():
+# either set SECRET_KEY in the environment or create a .secret_key file at the
-    key = os.getenv('SECRET_KEY')
+# project root, e.g.:
-    if key:
+#   python -c 'from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())' > .secret_key
-        return key
+SECRET_KEY = os.getenv('SECRET_KEY')
-
+if not SECRET_KEY:
-    base_dir = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+    _secret_path = os.path.join(os.path.dirname(os.path.dirname(os.path.abspath(__file__))), '.secret_key')
-    secret_path = os.path.join(base_dir, '.secret_key')
+    if os.path.exists(_secret_path):
-
+        with open(_secret_path) as _f:
-    if os.path.exists(secret_path):
+            SECRET_KEY = _f.read().strip()
-        with open(secret_path) as f:
+if not SECRET_KEY:
-            return f.read().strip()
+    raise RuntimeError("SECRET_KEY is not set. Set the SECRET_KEY env var or create a .secret_key file at the project root.")
-
-    key = get_random_secret_key()
-    try:
-        with open(secret_path, 'w') as f:
-            f.write(key)
-    except Exception:
-        pass
-    return key
-
-
-SECRET_KEY = get_secret_key()
 
 TEMP_DIRECTORY = "/tmp"  # Don't use a temp directory inside BASE_DIR!!!
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))

cms/version.py

@@ -1 +1 @@
-VERSION = "8.0.4"
+VERSION = "8.0.6"

deploy/docker/entrypoint.sh

@@ -35,4 +35,29 @@ find /home/mediacms.io/mediacms ! \( -path "*.git*" -o -name "package-lock.json"
 
 chmod +x /home/mediacms.io/mediacms/deploy/docker/start.sh /home/mediacms.io/mediacms/deploy/docker/prestart.sh
 
+# Generate or read SECRET_KEY once, shared across all containers via the
+# host-mounted project volume. Atomic create-or-read so parallel container
+# starts (web + celery_worker + celery_beat + migrations) can't race.
+# Uses `mkdir` as the lock primitive (POSIX-atomic, no dependency on flock).
+SECRET_KEY_FILE="${SECRET_KEY_FILE:-/home/mediacms.io/mediacms/.secret_key}"
+SECRET_KEY_LOCK="${SECRET_KEY_FILE}.lock"
+
+if [ -z "${SECRET_KEY:-}" ]; then
+    if [ ! -s "$SECRET_KEY_FILE" ]; then
+        # Spin-acquire the lock. mkdir is atomic; first caller wins, others retry.
+        while ! mkdir "$SECRET_KEY_LOCK" 2>/dev/null; do
+            sleep 0.2
+        done
+        # Re-check inside the lock: another container may have just written it.
+        if [ ! -s "$SECRET_KEY_FILE" ]; then
+            python -c 'from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())' > "$SECRET_KEY_FILE"
+            chown www-data:www-data "$SECRET_KEY_FILE"
+            chmod 600 "$SECRET_KEY_FILE"
+            echo "entrypoint.sh: generated new SECRET_KEY at $SECRET_KEY_FILE"
+        fi
+        rmdir "$SECRET_KEY_LOCK"
+    fi
+    export SECRET_KEY="$(cat "$SECRET_KEY_FILE")"
+fi
+
 exec "$@"

package.json

@@ -1,6 +1,6 @@
 {
   "name": "mediacms",
-  "version": "8.0.4",
+  "version": "8.0.6",
   "devDependencies": {
     "@semantic-release/changelog": "^6.0.3",
     "@semantic-release/git": "^10.0.1",