refactor: improve security by moving Sentry secrets to environment variables

To enhance security, Sentry authentication tokens and project IDs are now passed as environment variables instead of being exposed in the workflow configuration. This change reduces the risk of sensitive information leakage during the build process. Additionally, the example environment file has been updated to comment out the Sentry-related variables, further protecting against accidental exposure.
2026-05-13 23:16:46 +00:00 · 2024-10-15 21:11:47 +08:00
parent a44eeb76eb
commit bf2ecfe7a0
3 changed files with 5 additions and 6 deletions
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -50,9 +50,9 @@ jobs:
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
-          secrets: |
-            SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
-            SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
+        env:
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+          SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}

      # This step generates an artifact attestation for the image, which is an unforgeable statement about where and how it was built. It increases supply chain security for people who consume the image. For more information, see "[AUTOTITLE](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds)."
      - name: Generate artifact attestation