make clear that config/secrets.yml passes through ERB and therefore supports ENV

railties/lib/rails/generators/rails/app/templates/config/secrets.yml

@@ -16,5 +16,11 @@ development:
 test:
   secret_key_base: <%= app_secret %>
 
+# This YAML file is processed by ERB first (as others). In particular the
+# production environment can set the secret via an environment variable
+# this way:
+#
+#   secret_key_base: <%%= ENV['SECRET_KEY_BASE'] %>
+#
 production:
   secret_key_base: <%= app_secret %>