lvl0/trove
1
0
Fork 0
Code Issues 11 Pull requests Projects Releases Packages Wiki Activity Actions

Rotate Livewire release_token per deploy for cache-busting #26

New issue
Open
opened 2026-04-26 11:53:40 +02:00 by myrmidex · 0 comments
myrmidex commented 2026-04-26 11:53:40 +02:00
Owner
Copy link

Context

config/livewire.php ships release_token => 'a' (Livewire's upstream default). This token is sent to clients and used to detect stale sessions after a deploy — when the token changes, Livewire prompts users to refresh. With a static token, the prompt never fires, so users on stale tabs hit cryptic Livewire errors after a deploy.

Acceptance

  • Edit config/livewire.php: 'release_token' => env('LIVEWIRE_RELEASE_TOKEN', 'a')
  • In docker/prod/start.sh, set LIVEWIRE_RELEASE_TOKEN from a build-time identifier (git SHA, image tag, or build timestamp). Pick whichever the prod build pipeline already exposes — IMAGE_TAG env var passed by Forgejo Actions is the cheapest if present.
  • Document the env var in the deploy README alongside APP_KEY, DB_*
  • Verify locally: tail Livewire's response headers and confirm the token differs between two builds

Notes

  • Falls back to 'a' in dev (no env var) — that's fine, dev users don't need cache-busting prompts.
  • Tied to deploy pipeline polish; reasonable to ship alongside other v0.2 deploy hardening.
## Context `config/livewire.php` ships `release_token => 'a'` (Livewire's upstream default). This token is sent to clients and used to detect stale sessions after a deploy — when the token changes, Livewire prompts users to refresh. With a static token, the prompt never fires, so users on stale tabs hit cryptic Livewire errors after a deploy. ## Acceptance - [ ] Edit `config/livewire.php`: `'release_token' => env('LIVEWIRE_RELEASE_TOKEN', 'a')` - [ ] In `docker/prod/start.sh`, set `LIVEWIRE_RELEASE_TOKEN` from a build-time identifier (git SHA, image tag, or build timestamp). Pick whichever the prod build pipeline already exposes — `IMAGE_TAG` env var passed by Forgejo Actions is the cheapest if present. - [ ] Document the env var in the deploy README alongside `APP_KEY`, `DB_*` - [ ] Verify locally: tail Livewire's response headers and confirm the token differs between two builds ## Notes - Falls back to `'a'` in dev (no env var) — that's fine, dev users don't need cache-busting prompts. - Tied to deploy pipeline polish; reasonable to ship alongside other v0.2 deploy hardening.
myrmidex added this to the v0.2 milestone 2026-04-26 11:53:40 +02:00
myrmidex self-assigned this 2026-04-26 11:53:40 +02:00
myrmidex modified the milestone from v0.2 to v0.3 2026-04-29 23:55:36 +02:00
myrmidex added the
enhancement
 label 2026-05-01 01:02:00 +02:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
v0.1.0
Labels
Clear labels   
bug

Something is not working

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
invalid

Something is wrong

  
question

More information is needed

  
wontfix

This won't be fixed

No labels
bug
duplicate
enhancement
help wanted
invalid
question
wontfix
Milestone
Clear milestone
No items
No milestone
v0.3
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
myrmidex
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: lvl0/trove#26
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?