workaround to continue using plaintext config/secrets.yml

app/controllers/playback_controller.rb

@@ -57,7 +57,7 @@ def create_cookie
       'sub' => resource_path,
       'exp' => expires,
     }
-    secret = Rails.application.secret_key_base
+    secret = Rails.configuration.secrets.secret_key_base
     token = JWT.encode(payload, secret, 'HS256')
 
     cookies[cookie_name] = {
@@ -74,7 +74,7 @@ def verify_cookie
     raise RecordingNotFoundError if cookie.blank?
 
     resource_path = "/#{@playback_format.format}/#{@recording.record_id}"
-    secret = Rails.application.secret_key_base
+    secret = Rails.configuration.secrets.secret_key_base
     JWT.decode(
       cookie,
       secret,

config/application.rb

@@ -168,5 +168,8 @@ class Application < Rails::Application
 
     # Restore default serializer from Rails defaults < 7.1
     config.active_record.default_column_serializer = YAML
+
+    # continue using config/secrets.yml for secrets
+    config.secrets = config_for(:secrets)
   end
 end