Skip to content

chore(ci): Add cloud ci#1429

Merged
brendan-kellam merged 7 commits into
mainfrom
bkellam/upgrade-sentry
Jul 10, 2026
Merged

chore(ci): Add cloud ci#1429
brendan-kellam merged 7 commits into
mainfrom
bkellam/upgrade-sentry

Conversation

@brendan-kellam

@brendan-kellam brendan-kellam commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Note

Medium Risk
Changes production deploy plumbing (ECR push, env-gated builds) and Sentry auth/release wiring; misconfigured secrets or release mismatch could break error reporting or push wrong images, but scope is CI/Docker/observability rather than app auth or data paths.

Overview
Adds cloud production release automation: a reusable _build-cloud workflow that validates GitHub Environment Sentry/AWS settings, runs Prisma migration checks, assumes an ECR push role via OIDC, and builds/pushes linux/amd64 images to per-environment ECR with environment-scoped GHA cache. release-cloud-prod triggers on main, semver tags, or manual dispatch and tags images (main, SHA, semver/latest).

Docker/Sentry build pipeline stops passing the Sentry upload token as build args (SENTRY_SMUAT removed). Web and backend builds mount SENTRY_AUTH_TOKEN as a BuildKit secret so tokens are not baked into cache metadata. Cloud builds set SENTRY_RELEASE and NEXT_PUBLIC_BUILD_COMMIT_SHA to the commit SHA for distinct prod releases.

Runtime observability: backend Sentry release uses NEXT_PUBLIC_BUILD_COMMIT_SHA when present (aligned with uploaded source maps). Next.js Sentry plugin uses SENTRY_AUTH_TOKEN and explicit release name; client/server/edge configs add tracesSampleRate: 1.0; instrumentation-client.ts exports onRouterTransitionStart for App Router tracing; Sentry server/edge imports are corrected under src/.

Reviewed by Cursor Bugbot for commit ec42097. Bugbot is set up for automated code reviews on this repo. Configure here.

Summary by CodeRabbit

  • New Features

    • Added automated production Cloud image releases with environment-scoped configuration (main, version tags, and manual runs).
    • Introduced a reusable “Build Cloud Image” workflow to build and publish Docker images to ECR with consistent, per-environment tagging.
  • Improvements

    • Improved Sentry release/version alignment by using the build commit SHA when available.
    • Standardized Sentry performance tracing (including client navigation instrumentation) across web, server, and edge, with clearer initialization behavior.
  • Security

    • Updated Sentry upload/auth in builds to use BuildKit secret-based tokens instead of passing credentials via build arguments.

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4c269052-e8e9-43a2-96ea-c859e926c8fe

📥 Commits

Reviewing files that changed from the base of the PR and between 9743698 and ec42097.

📒 Files selected for processing (1)
  • .github/workflows/_build-cloud.yml

Walkthrough

Adds reusable and production-triggered cloud image publishing with AWS/ECR, BuildKit Sentry secrets, commit-aligned releases, and updated web/backend Sentry instrumentation.

Changes

Cloud release and Sentry integration

Layer / File(s) Summary
Reusable cloud image build pipeline
.github/workflows/_build-cloud.yml, .github/workflows/release-cloud-prod.yml
Adds environment-aware image building, AWS/ECR authentication, Docker metadata, caching, Sentry configuration validation, and production release triggers.
Sentry build-secret and release alignment
Dockerfile, packages/web/next.config.mjs, packages/backend/src/instrument.ts
Uses SENTRY_AUTH_TOKEN through BuildKit secrets and aligns backend Sentry releases with the resolved build commit.
Web runtime Sentry instrumentation
packages/web/src/instrumentation-client.ts, packages/web/src/instrumentation.ts, packages/web/src/sentry.*.config.ts
Adds full trace sampling, corrected runtime imports, disabled-initialization logging, and App Router transition instrumentation.

Estimated code review effort: 4 (Complex) | ~45 minutes

Sequence Diagram(s)

sequenceDiagram
  participant ReleaseWorkflow
  participant BuildCloudWorkflow
  participant AWS
  participant ECR
  participant Buildx
  ReleaseWorkflow->>BuildCloudWorkflow: call with production inputs and Docker tags
  BuildCloudWorkflow->>AWS: assume ECR role through OIDC
  BuildCloudWorkflow->>ECR: authenticate
  BuildCloudWorkflow->>Buildx: build linux/amd64 image with Sentry secret
  Buildx->>ECR: push tagged image
Loading

Possibly related PRs

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is concise and accurately reflects the main change: adding cloud CI workflows for building and publishing images.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch bkellam/upgrade-sentry

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

brendan-kellam and others added 3 commits July 9, 2026 17:19
Adds a reusable cloud image build workflow, parameterized on a GitHub
Environment, that bakes the environment's Sentry DSNs into the image,
uploads source maps, and pushes linux/amd64 to sourcebot-<env> in ECR
via OIDC. Wires it up for prod on pushes to main and v*.*.* tags.

Passes the Sentry auth token as a BuildKit secret rather than a build
arg, since cache-to: mode=max exports intermediate stage layers (and
their metadata) to the repo-scoped Actions cache. Drops sentry-cli
login, which writes the token back to a .sentryclirc in the layer and
is redundant now that the token is exposed under the name sentry-cli
reads natively.

Reports the build commit SHA as the backend's Sentry release so events
match the release its source maps are uploaded under. Previously the
backend reported SOURCEBOT_VERSION, which only coincided with
SENTRY_RELEASE on tagged builds.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Renames sentry.client.config.ts to instrumentation-client.ts, which
Next.js loads itself. The old file was only wired in by @sentry/nextjs'
webpack plugin, which never runs: next build defaults to Turbopack in
Next 16, and next.config.mjs defines a turbopack block, so Next's
"webpack config with no turbopack config" guard passes silently. Client
errors, replays and spans were therefore never reported in production.

Exports onRouterTransitionStart so App Router client-side navigations
are instrumented as spans; Next only reads that export from
instrumentation-client.ts.

Sets tracesSampleRate on client, server and edge. Tracing is off unless
this option is present at all, since hasSpansEnabled() checks for
non-nullish. Sampling every trace for now to get a read on span volume
before tuning the rate down.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@brendan-kellam brendan-kellam changed the title chore(ci): Upgrade sentry chore(ci): Add cloud ci Jul 10, 2026
@brendan-kellam brendan-kellam marked this pull request as ready for review July 10, 2026 02:18
@github-actions

Copy link
Copy Markdown
Contributor

@brendan-kellam your pull request is missing a changelog!

Comment thread Dockerfile

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (2)
packages/web/src/instrumentation-client.ts (1)

16-27: 🚀 Performance & Scalability | 🔵 Trivial

Consider lowering tracesSampleRate for production traffic.

tracesSampleRate: 1.0 is now set across all three runtimes (client, edge, server), meaning 100% of transactions are captured. This is fine for initial rollout and low-traffic environments, but in production with meaningful volume it can significantly increase Sentry ingestion costs and add overhead. Consider making this configurable via env var (e.g., SENTRY_TRACES_SAMPLE_RATE) with a lower default (e.g., 0.1) once instrumentation is validated.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/web/src/instrumentation-client.ts` around lines 16 - 27, Make traces
sampling configurable across the client, edge, and server Sentry initialization
paths instead of hardcoding 1.0. Use the SENTRY_TRACES_SAMPLE_RATE environment
variable with a production-safe default such as 0.1, parse and validate the
value, and apply the shared setting wherever tracesSampleRate is configured.
.github/workflows/release-cloud-prod.yml (1)

42-51: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Consider passing only the required secret instead of secrets: inherit.

_build-cloud.yml only consumes secrets.SENTRY_AUTH_TOKEN, but secrets: inherit exposes every repo/environment secret to the called workflow (zizmor secrets-inherit). Scoping to just the token reduces blast radius. This requires declaring the secret in the reusable workflow's workflow_call.secrets block.

🔒 Proposed change (coordinated across both files)

In _build-cloud.yml:

 on:
   workflow_call:
     inputs:
       ...
+    secrets:
+      SENTRY_AUTH_TOKEN:
+        required: true

In release-cloud-prod.yml:

-    secrets: inherit
+    secrets:
+      SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release-cloud-prod.yml around lines 42 - 51, Replace broad
secrets inheritance in the release workflow with an explicit SENTRY_AUTH_TOKEN
secret mapping, and declare that secret under the reusable _build-cloud.yml
workflow_call.secrets block as required or optional according to current usage.
Update the called workflow invocation to pass only secrets.SENTRY_AUTH_TOKEN
while preserving existing build inputs.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/_build-cloud.yml:
- Around line 90-91: Bind inputs.environment and the resolved SHA to step-level
env variables in the workflow’s validate and Summarize steps, then reference
those variables inside each run script instead of embedding GitHub expressions
directly. Update the affected error message and all SHA/environment usages,
including the symbols ENVIRONMENT and COMMIT_SHA, while preserving existing
behavior.
- Around line 56-61: Add persist-credentials: false to the actions/checkout@v4
configuration in the repository checkout step, alongside ref, submodules, and
fetch-depth, so the GITHUB_TOKEN is not stored in the workspace Git
configuration.

---

Nitpick comments:
In @.github/workflows/release-cloud-prod.yml:
- Around line 42-51: Replace broad secrets inheritance in the release workflow
with an explicit SENTRY_AUTH_TOKEN secret mapping, and declare that secret under
the reusable _build-cloud.yml workflow_call.secrets block as required or
optional according to current usage. Update the called workflow invocation to
pass only secrets.SENTRY_AUTH_TOKEN while preserving existing build inputs.

In `@packages/web/src/instrumentation-client.ts`:
- Around line 16-27: Make traces sampling configurable across the client, edge,
and server Sentry initialization paths instead of hardcoding 1.0. Use the
SENTRY_TRACES_SAMPLE_RATE environment variable with a production-safe default
such as 0.1, parse and validate the value, and apply the shared setting wherever
tracesSampleRate is configured.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 383df57e-cd49-4aec-92c4-c7b42b4c42e1

📥 Commits

Reviewing files that changed from the base of the PR and between afe17e6 and efade0f.

📒 Files selected for processing (9)
  • .github/workflows/_build-cloud.yml
  • .github/workflows/release-cloud-prod.yml
  • Dockerfile
  • packages/backend/src/instrument.ts
  • packages/web/next.config.mjs
  • packages/web/src/instrumentation-client.ts
  • packages/web/src/instrumentation.ts
  • packages/web/src/sentry.edge.config.ts
  • packages/web/src/sentry.server.config.ts

Comment thread .github/workflows/_build-cloud.yml
Comment thread .github/workflows/_build-cloud.yml Outdated

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes using high effort and found 3 potential issues.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit ca52435. Configure here.

Comment thread .github/workflows/_build-cloud.yml
Comment thread packages/web/src/instrumentation-client.ts
Comment thread .github/workflows/release-cloud-prod.yml
brendan-kellam and others added 2 commits July 9, 2026 19:36
Sets persist-credentials: false on checkout. Nothing after it talks to
the remote (only git rev-parse HEAD, which is local), so there is no
reason to leave GITHUB_TOKEN in the workspace's .git/config.

Binds inputs.environment and the resolved commit SHA to step-level env
vars rather than interpolating them into run: scripts, where GitHub
substitutes them into the shell source before bash parses it. This
workflow is reusable and its environment input is caller-supplied.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
_build.yml runs this check, but that is a separate workflow run triggered
by the same push to main — it cannot gate the cloud build. Without it here,
a commit whose migrations drift from schema.prisma reddens the OSS build
while still publishing an image to ECR, which is what prod actually runs.

Placed before the AWS credentials step so a drifted commit never assumes
the ECR push role. base-ref is omitted, so the drift check runs
unconditionally, the PR-only ordering check is skipped, and the action
never reaches for the git remote (compatible with persist-credentials: false).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@brendan-kellam brendan-kellam merged commit febaf43 into main Jul 10, 2026
8 checks passed
@brendan-kellam brendan-kellam deleted the bkellam/upgrade-sentry branch July 10, 2026 02:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant