From 13b1d7fd8efe8e5a050aba58e4fca91f011170d9 Mon Sep 17 00:00:00 2001
From: ccbikai
Date: Sat, 23 Nov 2024 18:25:40 +0800
Subject: [PATCH] fix: update Sentry configuration in Docker builds

Improves Sentry integration in Docker builds by:
- Moving Sentry environment variables to build args
- Adding .env to dockerignore for security
- Properly passing Sentry configuration during build process

This change ensures better security practices and more reliable Sentry configuration in containerized environments.
---
 .dockerignore | 1 +
 .github/workflows/docker.yml | 7 ++++---
 Dockerfile | 5 +++++
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/.dockerignore b/.dockerignore
index 9295ed9..beca940 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -4,3 +4,4 @@ dist
 .git
 .gitignore
 *.md
+.env
\ No newline at end of file
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index f16f6b5..5a74990 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -50,9 +50,10 @@ jobs: push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - env: - SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} - SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }} + build-args: | SENTRY_DSN=${{ secrets.SENTRY_DSN }} SENTRY_AUTH_TOKEN=${{ secrets.SENTRY_AUTH_TOKEN }} SENTRY_PROJECT=${{ secrets.SENTRY_PROJECT }} # This step generates an artifact attestation for the image, which is an unforgeable statement about where and how it was built. It increases supply chain security for people who consume the image. For more information, see "[AUTOTITLE](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds)." - name: Generate artifact attestation
diff --git a/Dockerfile b/Dockerfile
index 7046c85..6cede12 100644
--- a/Dockerfile
+++ b/Dockerfile
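Review bot: The new `.env` entry in .dockerignore matches only that exact filename, so sibling files such as `.env.local` or `.env.production` would still be copied into the build context by the Dockerfile's `COPY . .` in the third hunk. A glob closes that gap, but the build's RUN line reads `.env.example`, so that file has to be re-included: replace the line with `.env*` followed by `!.env.example`. The `\ No newline at end of file` marker is cosmetic but worth fixing in the same pass.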
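Review bot: `SENTRY_AUTH_TOKEN` is now handed to the build as a `build-args` entry, which makes it a Dockerfile `ARG`; BuildKit records build args consumed by a `RUN` in that layer's history metadata, so the token can be read back from any image that carries the stage's layers (whether the pushed image does depends on the rest of the Dockerfile, which is not in the diff). `SENTRY_DSN` and `SENTRY_PROJECT` are not credentials and are fine as build args, but the token should go through the action's `secrets:` input instead, `secrets: |` with `SENTRY_AUTH_TOKEN=${{ secrets.SENTRY_AUTH_TOKEN }}`, and be consumed with a `--mount=type=secret` on the Dockerfile side. If the build step also emits BuildKit provenance, it is worth confirming it is not in `mode=max`, which records build args in the attestation as well. The step definition begins before the hunk.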
@@ -15,6 +15,11 @@ RUN --mount=type=cache,id=pnpm,target=/pnpm/store pnpm install --frozen-lockfile
 FROM build-deps AS build
 COPY . .
+
+ARG SENTRY_DSN
+ARG SENTRY_AUTH_TOKEN
+ARG SENTRY_PROJECT
+
 RUN export $(cat .env.example) && \
 export DOCKER=true && \
 pnpm run build
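Review bot: `ARG SENTRY_AUTH_TOKEN` turns the token into a build argument that the `RUN export $(cat .env.example) ...` line consumes, and BuildKit records build args used by a RUN in that layer's history, so the credential is recoverable with `docker history` from any image that carries this stage's layers. This Dockerfile already relies on `--mount=type=cache`, so a BuildKit secret mount is available: drop `ARG SENTRY_AUTH_TOKEN`, keep the two non-credential ARGs, and read the token from `/run/secrets/` inside the RUN as below. Separately, `export $(cat .env.example)` runs after the ARG values are already in the environment, so if `.env.example` contains `SENTRY_DSN=` or `SENTRY_PROJECT=` placeholder lines it will overwrite the values passed in — worth confirming against that file. The `build` stage may continue past the end of the hunk.
```dockerfile
ARG SENTRY_DSN
ARG SENTRY_PROJECT

RUN --mount=type=secret,id=SENTRY_AUTH_TOKEN \
    export $(cat .env.example) && \
    export DOCKER=true && \
    export SENTRY_AUTH_TOKEN="$(cat /run/secrets/SENTRY_AUTH_TOKEN)" && \
    pnpm run build
```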