Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .env.example
Original file line number Diff line number Diff line change
Expand Up @@ -8,4 +8,5 @@ TEMPLATE_URL=https://templating.api.zesty.io/
ALGOLIA_APPID=
ALGOLIA_APIKEY=
ALGOLIA_INDEX=
SENTRY_AUTH_TOKEN=

2 changes: 2 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,8 @@ jobs:
node-version: [20]
runs-on: ${{ matrix.os }}
needs: install-dependencies
env:
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
Comment thread
finnar-bin marked this conversation as resolved.
Comment thread
finnar-bin marked this conversation as resolved.
Comment thread
finnar-bin marked this conversation as resolved.

steps:
- name: ✅ Checkout code
Expand Down
3 changes: 3 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -38,3 +38,6 @@ cypress.json
cypress/integration/__image_snapshots__
.vercel
.idea

# Sentry Config File
.env.sentry-build-plugin
5 changes: 4 additions & 1 deletion Dockerfile
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM node:18.18.2-alpine3.17
FROM node:18.20.4-alpine3.20
Comment thread
finnar-bin marked this conversation as resolved.

WORKDIR /usr/src/app

Expand All @@ -14,6 +14,9 @@ ENV HOST=0.0.0.0
ENV PORT=8080
ENV NEXT_TELEMETRY_DISABLED=1

ARG SENTRY_AUTH_TOKEN
ENV SENTRY_AUTH_TOKEN=$SENTRY_AUTH_TOKEN
Comment on lines +17 to +18

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Secret persists in the runtime image.

ENV SENTRY_AUTH_TOKEN=… writes the token into the image's environment layer, so it remains:

  1. Visible via docker inspect / docker history on anyone who can pull the image
  2. Set as process.env.SENTRY_AUTH_TOKEN inside the running container at npm start

The token only needs to exist for the npm run build step. Either inline it on the RUN line, or (better) use a BuildKit secret mount so it never lands in any layer:

Suggested change
ARG SENTRY_AUTH_TOKEN
ENV SENTRY_AUTH_TOKEN=$SENTRY_AUTH_TOKEN
ARG SENTRY_AUTH_TOKEN
RUN --mount=type=secret,id=sentry_auth_token,env=SENTRY_AUTH_TOKEN npm run build

(cloudbuild.yaml would then mount the secret via --secret id=sentry_auth_token,env=SENTRY_AUTH_TOKEN instead of --build-arg.)

Lower-effort alternative if you'd rather not touch the cloudbuild files:

ARG SENTRY_AUTH_TOKEN
RUN SENTRY_AUTH_TOKEN=$SENTRY_AUTH_TOKEN npm run build

This keeps the token scoped to that single RUN, so it isn't baked into the image config.


RUN npm run build

CMD [ "npm", "start" ]
9 changes: 9 additions & 0 deletions cloudbuild.yaml
Original file line number Diff line number Diff line change
@@ -1,11 +1,20 @@
availableSecrets:
secretManager:
- versionName: projects/$PROJECT_ID/secrets/sentry-auth-token/versions/latest
env: SENTRY_AUTH_TOKEN

steps:
- name: gcr.io/cloud-builders/docker
secretEnv:
- SENTRY_AUTH_TOKEN
args:
- build
- '--cache-from'
- '$_GCR_HOSTNAME/$PROJECT_ID/$REPO_NAME/$_SERVICE_NAME:latest'
- '-t'
- '$_GCR_HOSTNAME/$PROJECT_ID/$REPO_NAME/$_SERVICE_NAME:$COMMIT_SHA'
- '--build-arg'
- 'SENTRY_AUTH_TOKEN=$$SENTRY_AUTH_TOKEN'
- .
- '-f'
- Dockerfile
Expand Down
9 changes: 9 additions & 0 deletions cloudbuildProduction.yaml
Original file line number Diff line number Diff line change
@@ -1,10 +1,19 @@
availableSecrets:
secretManager:
- versionName: projects/$PROJECT_ID/secrets/sentry-auth-token/versions/latest
env: SENTRY_AUTH_TOKEN

steps:
- name: gcr.io/cloud-builders/docker
secretEnv:
- SENTRY_AUTH_TOKEN
args:
- build
- '--no-cache'
- '-t'
- '$_GCR_HOSTNAME/$PROJECT_ID/$REPO_NAME/$_SERVICE_NAME:$COMMIT_SHA'
- '--build-arg'
- 'SENTRY_AUTH_TOKEN=$$SENTRY_AUTH_TOKEN'
- .
- '-f'
- Dockerfile
Expand Down
35 changes: 34 additions & 1 deletion next.config.js
Original file line number Diff line number Diff line change
@@ -1,7 +1,8 @@
const zestyConfig = require('./zesty.config.json');
const { docsRedirects } = require('./src/config/redirects');
const { withSentryConfig } = require('@sentry/nextjs');

module.exports = {
const nextConfig = {
trailingSlash: true,
env: {
zesty: zestyConfig,
Expand All @@ -20,3 +21,35 @@ module.exports = {
return [...docsRedirects];
},
};

module.exports = withSentryConfig(nextConfig, {
// For all available options, see:
// https://www.npmjs.com/package/@sentry/webpack-plugin#options

org: 'zestyio',
project: 'website-accounts',

// Only print logs for uploading source maps in CI
silent: !process.env.CI,

// For all available options, see:
// https://docs.sentry.io/platforms/javascript/guides/nextjs/manual-setup/

// Upload a larger set of source maps for prettier stack traces (increases build time)
widenClientFileUpload: true,

// Uncomment to route browser requests to Sentry through a Next.js rewrite to circumvent ad-blockers.
// This can increase your server load as well as your hosting bill.
// Note: Check that the configured route will not match with your Next.js middleware, otherwise reporting of client-
// side errors will fail.
// tunnelRoute: "/monitoring",

// Automatically tree-shake Sentry logger statements to reduce bundle size
disableLogger: true,

// Enables automatic instrumentation of Vercel Cron Monitors. (Does not yet work with App Router route handlers.)
// See the following for more information:
// https://docs.sentry.io/product/crons/
// https://vercel.com/docs/cron-jobs
automaticVercelMonitors: true,
Comment thread
finnar-bin marked this conversation as resolved.
Comment thread
finnar-bin marked this conversation as resolved.
Comment thread
finnar-bin marked this conversation as resolved.
Comment thread
finnar-bin marked this conversation as resolved.
});
Loading
Loading