Symfony version(s) affected

6.4.x, 7.x

Description

Secrets are being decrypted even though .env.local.* exists. Same symptom as #52146, but for different reasons.

How to reproduce

Can reproduce it easily by following the same steps, only actually more easily reproducible:

1. composer create-project symfony/skeleton new_project/
2. ./bin/console secrets:generate-keys
3. ./bin/console secrets:set BLACK
4. ./bin/console secrets:decrypt-to-local
5. var_dump or error_log inside of the file config/secrets/dev/dev.decrypt.private.php (this file should not be used because the secrets have been decrypted to local)
6. run ./bin/console and note that the error_log or var_dump is echo to screen. This should not happen.

Possible Solution

It appears related to the introduction of APP_RUNTIME_MODE. If you explicitly define this in .env, you can avoid the secret decrypting. However, if you want the default behavior of APP_RUNTIME_MODE to be null, so that runtime_mode is dynamically calculated, this gets a little confusing on how to accomplish this. Shouldn't be required to understand this parameter just to get secrets to work properly.

Additional Context

Seems like secret decryption is rather "fragile", perhaps it should be made less brittle in that any ENV var not found will force the entire secrets list to be decrypted...