From bf2ecfe7a0fc6661b2b89f767c162de8c82d6cb7 Mon Sep 17 00:00:00 2001 From: ccbikai Date: Tue, 15 Oct 2024 21:11:47 +0800 Subject: [PATCH] refactor: improve security by moving Sentry secrets to environment variables To enhance security, Sentry authentication tokens and project IDs are now passed as environment variables instead of being exposed in the workflow configuration. This change reduces the risk of sensitive information leakage during the build process. Additionally, the example environment file has been updated to comment out the Sentry-related variables, further protecting against accidental exposure. --- .env.example | 4 ++-- .github/workflows/docker.yml | 6 +++--- Dockerfile | 1 - 3 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/.env.example b/.env.example
index 1fb25d0..855fb2a 100644
--- a/.env.example
+++ b/.env.example
@@ -17,9 +17,9 @@ HEADER_INJECT=HEADER_INJECT
 NO_FOLLOW=false
 NO_INDEX=false
-SENTRY_AUTH_TOKEN=
+#SENTRY_AUTH_TOKEN=
 SENTRY_DSN=
-SENTRY_PROJECT=
+#SENTRY_PROJECT=
 TELEGRAM_HOST=telegram.dog
 STATIC_PROXY=""
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 283fc29..f16f6b5 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -50,9 +50,9 @@ jobs:
 push: true
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
- secrets: |
- SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
- SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
+ env:
+ SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+ SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
 # This step generates an artifact attestation for the image, which is an unforgeable statement about where and how it was built. It increases supply chain security for people who consume the image. For more information, see "[AUTOTITLE](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds)."
 - name: Generate artifact attestation
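Review bot: The new `#SENTRY_AUTH_TOKEN=` and `#SENTRY_PROJECT=` lines will break the image build, because the Dockerfile loads this file with `RUN export $(cat .env.example)` and a `#` that comes out of a command substitution is not a comment: the shell hands `export` the literal word `#SENTRY_AUTH_TOKEN=`, which it rejects as an invalid identifier, and the `&&` chain fails. If the intent is to stop the example file from overwriting a real token with an empty value, delete the two lines instead (and mention the variables in the README), or strip comments at the consumer with `export $(grep -v '^#' .env.example)`. Any other tool that sources this file by naive word-splitting rather than a dotenv parser will hit the same problem.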
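Review bot: `env:` on the `docker/build-push-action` step does not reach the Docker build at all — it only sets variables in the action's own process, and BuildKit forwards neither the runner environment nor step `env` into `RUN` — so after this change `pnpm run build` sees no `SENTRY_AUTH_TOKEN`/`SENTRY_PROJECT` and whatever Sentry step it runs will be unauthenticated or skipped. The removed `secrets:` input was the correct mechanism (it becomes `--secret id=…`, which never lands in a layer or in `docker history`), but it takes `KEY=value` lines rather than a YAML mapping, so the old `SENTRY_AUTH_TOKEN: ${{ … }}` form was most likely never parsed as a secret, which would explain why nothing showed up under `/run/secrets`. Restore it as `secrets: |` followed by `SENTRY_AUTH_TOKEN=${{ secrets.SENTRY_AUTH_TOKEN }}` and `SENTRY_PROJECT=${{ secrets.SENTRY_PROJECT }}`, and have the Dockerfile consume them with `RUN --mount=type=secret,id=SENTRY_AUTH_TOKEN …`. Do not move the token to `build-args:` as a shortcut; build args are recorded in the image metadata.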
diff --git a/Dockerfile b/Dockerfile
index 7689ee4..7046c85 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -16,7 +16,6 @@ RUN --mount=type=cache,id=pnpm,target=/pnpm/store pnpm install --frozen-lockfile
 FROM build-deps AS build
 COPY . .
 RUN export $(cat .env.example) && \
- export $(cat /run/secrets) && \
 export DOCKER=true && \
 pnpm run build
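Review bot: Deleting `export $(cat /run/secrets)` leaves `pnpm run build` with no path at all for the Sentry token, and the deleted line never worked as written: BuildKit only exposes a secret inside a `RUN` that declares `--mount=type=secret,id=NAME`, as the file `/run/secrets/NAME`, so `cat /run/secrets` on an unmounted directory was failing the step (that, rather than a leak, is presumably what this commit is really working around). Keep the token as a BuildKit secret and read it inside the mount's scope as below; the file already depends on BuildKit mounts (`--mount=type=cache` on the previous stage), and a secret mount is optional by default, so local builds without `--secret` still succeed with an empty value. The same `RUN` should filter the now-commented `#SENTRY_*` lines out of `.env.example`, since `export` rejects `#SENTRY_AUTH_TOKEN=` as an invalid identifier. I cannot tell from the hunk how `pnpm run build` consumes these variables (a Sentry build plugin, presumably), so confirm the names before wiring them in.
```dockerfile
FROM build-deps AS build
COPY . .
# The token is exposed only for this RUN and is never written to a layer;
# SENTRY_PROJECT is not sensitive but is mounted the same way for symmetry.
RUN --mount=type=secret,id=SENTRY_AUTH_TOKEN \
    --mount=type=secret,id=SENTRY_PROJECT \
    export $(grep -v '^#' .env.example) && \
    export SENTRY_AUTH_TOKEN="$(cat /run/secrets/SENTRY_AUTH_TOKEN 2>/dev/null)" && \
    export SENTRY_PROJECT="$(cat /run/secrets/SENTRY_PROJECT 2>/dev/null)" && \
    export DOCKER=true && \
    pnpm run build
```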