BLOG-261 Fix Supply Sentry auth token to frontend build to enable log and sourcemap uploads #265

squid · 2026-04-04T17:06:45+08:00

squid commented

2026-04-04 17:06:45 +08:00

Description

Summary

This resolves the issue where Sentry logs and source maps were failing to upload during the deployment pipeline (BLOG-261). The core problem was that the frontend build environment lacked the necessary authentication credentials to communicate with the Sentry API. I've updated the deployment workflow to pass the SENTRY_AUTH_TOKEN from our CI secrets into the Docker build context, and updated the frontend Dockerfile to securely mount and utilize this token during the build phase. A minor descriptive adjustment was also made to our pre-commit config.

Key Changes

.gitea/workflows/deployment.yaml: Injected the SENTRY_AUTH_TOKEN into the build container's secrets configuration.
frontend/Dockerfile: Configured secure secret mounting (--mount=type=secret) to read SENTRY_AUTH_TOKEN and expose it as an environment variable specifically during the pnpm run build execution.
.pre-commit-config.yaml: Renamed the frontend-lint hook from "frontend lint" to "frontend lint & check" to better reflect its underlying script behavior.

Testing/Review Notes

Trigger a deployment build in the CI/CD pipeline to test the workflow changes.
Check the build logs for the frontend container; verify that the Sentry plugin successfully detects the token and uploads the sourcemaps/releases without throwing an authentication error.
Ensure no token leakage occurs in the standard CI output logs or the final compiled Docker image layers.

Package Changes

No response

Screenshots

No response

Reference

Resolves #261.

Checklist

A milestone is set
The related issuse has been linked to this branch

### Description #### Summary This resolves the issue where Sentry logs and source maps were failing to upload during the deployment pipeline (BLOG-261). The core problem was that the frontend build environment lacked the necessary authentication credentials to communicate with the Sentry API. I've updated the deployment workflow to pass the `SENTRY_AUTH_TOKEN` from our CI secrets into the Docker build context, and updated the frontend Dockerfile to securely mount and utilize this token during the build phase. A minor descriptive adjustment was also made to our pre-commit config. #### Key Changes * **`.gitea/workflows/deployment.yaml`**: Injected the `SENTRY_AUTH_TOKEN` into the build container's secrets configuration. * **`frontend/Dockerfile`**: Configured secure secret mounting (`--mount=type=secret`) to read `SENTRY_AUTH_TOKEN` and expose it as an environment variable specifically during the `pnpm run build` execution. * **`.pre-commit-config.yaml`**: Renamed the `frontend-lint` hook from "frontend lint" to "frontend lint & check" to better reflect its underlying script behavior. #### Testing/Review Notes * Trigger a deployment build in the CI/CD pipeline to test the workflow changes. * Check the build logs for the frontend container; verify that the Sentry plugin successfully detects the token and uploads the sourcemaps/releases without throwing an authentication error. * Ensure no token leakage occurs in the standard CI output logs or the final compiled Docker image layers. ### Package Changes _No response_ ### Screenshots _No response_ ### Reference Resolves #261. ### Checklist - [x] A milestone is set - [x] The related issuse has been linked to this branch

squid added this to the 0.7 milestone 2026-04-04 17:06:45 +08:00

squid added 1 commit 2026-04-04 17:06:45 +08:00

BLOG-261 fix: Sentry logs not being sent by adding SENTRY_AUTH_TOKEN to build process

Frontend CI / build (push) Successful in 1m18s

Details

Auto Comment On PR / add_improve_comment (pull_request) Successful in 13s

Details

PR Title Check / pr-title-check (pull_request) Successful in 15s

Details

9cd957d14f

bot commented

2026-04-04 17:06:48 +08:00

/improve

bot commented

2026-04-04 17:06:52 +08:00

PR Code Suggestions ✨

Category	Suggestion	Impact
Possible issue	Conditionally set secret environment variable The current command sets `SENTRY_AUTH_TOKEN` to an empty string if the secret is not available, which can cause Sentry tooling to fail as an empty token is often treated as an invalid value. It is safer to only set the environment variable if the secret file exists, ensuring the build can proceed without Sentry features when the token is not supplied. frontend/Dockerfile [15-17] `RUN --mount=type=secret,id=SENTRY_AUTH_TOKEN \ - SENTRY_AUTH_TOKEN="$(cat /run/secrets/SENTRY_AUTH_TOKEN 2>/dev/null \|\| true)" \ - pnpm run build + /bin/sh -c ' \ + if [ -f /run/secrets/SENTRY_AUTH_TOKEN ]; then \ + export SENTRY_AUTH_TOKEN=$(cat /run/secrets/SENTRY_AUTH_TOKEN); \ + fi; \ + pnpm run build \ + '` Suggestion importance[1-10]: 7 __ Why: The suggestion correctly identifies a potential issue where setting `SENTRY_AUTH_TOKEN` to an empty string could cause the build to fail if Sentry tooling treats it as an invalid token. The proposed change to only set the variable if the secret file exists makes the build process more robust, especially for local builds where the secret might not be present.	Medium

## PR Code Suggestions ✨  <table><thead><tr><td><strong>Category</strong></td><td align=left><strong>Suggestion                                                                                                                                    </strong></td><td align=center><strong>Impact</strong></td></tr><tbody><tr><td rowspan=1>Possible issue</td> <td> <details><summary>Conditionally set secret environment variable</summary> ___ **The current command sets <code>SENTRY_AUTH_TOKEN</code> to an empty string if the secret is not <br>available, which can cause Sentry tooling to fail as an empty token is often treated <br>as an invalid value. It is safer to only set the environment variable if the secret <br>file exists, ensuring the build can proceed without Sentry features when the token <br>is not supplied.** [frontend/Dockerfile [15-17]](https://git.squidspirit.com/squid/blog/src/branch/BLOG-261_fix_sentry_logs_are_not_sent/frontend/Dockerfile#L15-L17) ```diff RUN --mount=type=secret,id=SENTRY_AUTH_TOKEN \ - SENTRY_AUTH_TOKEN="$(cat /run/secrets/SENTRY_AUTH_TOKEN 2>/dev/null || true)" \ - pnpm run build + /bin/sh -c ' \ + if [ -f /run/secrets/SENTRY_AUTH_TOKEN ]; then \ + export SENTRY_AUTH_TOKEN=$(cat /run/secrets/SENTRY_AUTH_TOKEN); \ + fi; \ + pnpm run build \ + ' ``` <details><summary>Suggestion importance[1-10]: 7</summary> __ Why: The suggestion correctly identifies a potential issue where setting `SENTRY_AUTH_TOKEN` to an empty string could cause the build to fail if Sentry tooling treats it as an invalid token. The proposed change to only set the variable if the secret file exists makes the build process more robust, especially for local builds where the secret might not be present. </details></details></td><td align=center>Medium </td></tr></tr></tbody></table>

squid added 1 commit 2026-04-04 17:07:04 +08:00

Merge branch 'main' into BLOG-261_fix_sentry_logs_are_not_sent

PR Title Check / pr-title-check (pull_request) Successful in 13s

Details

Frontend CI / build (push) Successful in 1m19s

Details

a432561b5b

squid merged commit d506254955 into main

2026-04-04 17:11:02 +08:00

squid deleted branch BLOG-261_fix_sentry_logs_are_not_sent

2026-04-04 17:11:02 +08:00

squid referenced this issue from a commit