feat(sentry): source-map upload + release/commit association #58
Merged
…ation
Make Sentry errors actionable: de-minify production stack traces and populate the Releases view with suspect-commit blaming.
- Add @sentry/vite-plugin (web devDependency) — on each release it creates the Sentry release, associates the commit, and uploads source maps, all driven by SENTRY_AUTH_TOKEN / org syniron / project freightdesk.
- vite.config: build.sourcemap 'hidden' (no sourceMappingURL in shipped JS) and sourcemaps.filesToDeleteAfterUpload so no .map is ever served. Fully gated on SENTRY_AUTH_TOKEN: absent → plugin disabled, no maps emitted, build still passes (PR/fork/local).
- Dockerfile: SENTRY_AUTH_TOKEN as a BuildKit secret mount, never an ARG/ENV — the GHCR image is public, so a token in any layer would leak. SENTRY_RELEASE_COMMIT passed as a (non-secret) build-arg because the Docker context has no .git.
- release.yml: pass the secret + commit SHA to the build step.
- pnpm-workspace: allow @sentry/cli's build script (native binary, musl).
- ADR 0014 records the BuildKit-secret design, the FSL-1.1 build-time-only footprint, and the forker-generic no-op property (per ADR 0001); ADR 0007's deferral note updated.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
What
Makes Sentry errors actionable. Today errors are captured and tagged with the release, but stack traces are minified gibberish (/assets/index-*.js:1:NNN) and the Releases view is empty. This adds, on each release: *.tsx:line traces via @sentry/vite-plugin, driven by SENTRY_AUTH_TOKEN / org syniron / project freightdesk.
The constraint that shapes the design
vite build runs inside the Docker image build, and that image is public on GHCR. So:
- ARG/ENV — a token in any layer of a public image would leak. Mounted only for the build RUN, never persisted.
- hidden (no sourceMappingURL in the JS), uploaded, then deleted via filesToDeleteAfterUpload before the Caddy stage copies dist. Verified: find /srv -name '*.map' is empty.
- image-build (no secret) and local builds disable the plugin entirely and emit no maps, so the build still passes. Keeps the repo forker-generic (ADR 0001).
- .git — the Docker context has no .git, so the commit SHA is passed as a non-secret build-arg (github.sha) into release.setCommits.
Changes
- web/package.json / lockfile / pnpm-workspace.yaml — add @sentry/vite-plugin; allow @sentry/cli's native-binary build script
- web/vite.config.ts — token-gated plugin + build.sourcemap
- Dockerfile — BuildKit secret mount + SENTRY_RELEASE_COMMIT arg
- .github/workflows/release.yml — pass the secret + commit SHA to the build step
- docs/adr/0014-* — records the secret-handling design, the FSL-1.1 build-time-only dependency footprint, and the forker-generic no-op property (per ADR 0001); docs/adr/0007 deferral note updated
Verified locally
- pnpm build (no token) → 0 .map files, no sourceMappingURL in JS, all 208 vitest tests pass
- docker build (no secret, mimics CI image-build) → succeeds; final image /srv has 0 .map files
Create the SENTRY_AUTH_TOKEN repo secret (Settings → Secrets → Actions) — a Sentry token with project:releases + source-map write scopes. It's a repo secret (build-time), not a production Environment secret.
Verify after merge + tag
Cut a tag (e.g. v0.1.3): confirm the release appears in Sentry with its commit, trigger a client error and confirm the trace resolves to real *.tsx:line, and confirm no .map is served from the public site.
🤖 Generated with Claude Code
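A post-build gate for the two properties the description checks by hand (no .map file left in the served directory, no sourceMappingURL comment in the shipped bundles), as an added example that is not part of this PR or the project's code. The function names and the choice of file extensions are assumptions; point it at whatever directory the web server serves (dist locally, /srv in the image).

```shell
#!/bin/sh
# Added example: fail a build when source maps could reach the public site.
# Exit codes: 0 clean, 1 finding, 2 bad input. Findings are written to stderr.

# Every *.map file under the directory (same test as: find /srv -name '*.map').
find_map_files() {
    find "$1" -type f -name '*.map'
}

# Bundles that still carry a sourceMappingURL comment. 'hidden' source maps
# should leave none; a leftover comment advertises where a map would live.
# grep exits 1 when nothing matches, so the status is normalised to 0 and
# callers judge by the output alone.
find_map_references() {
    find "$1" -type f \( -name '*.js' -o -name '*.mjs' -o -name '*.css' \) \
        -exec grep -l 'sourceMappingURL=' {} + || true
}

audit_dist() {
    dir=$1
    findings=0
    if [ ! -d "$dir" ]; then
        echo "audit: not a directory: $dir" >&2
        return 2
    fi
    maps=$(find_map_files "$dir")
    if [ -n "$maps" ]; then
        printf 'audit: source maps still present:\n%s\n' "$maps" >&2
        findings=1
    fi
    refs=$(find_map_references "$dir")
    if [ -n "$refs" ]; then
        printf 'audit: sourceMappingURL comment found in:\n%s\n' "$refs" >&2
        findings=1
    fi
    return "$findings"
}

# Stand-alone use: sh audit.sh dist   (does nothing when no argument is given)
[ "$#" -eq 0 ] || audit_dist "$1"
```

Run it after the upload-and-delete step and before the stage that copies dist into the final image, so a regression in the plugin gating fails the build instead of shipping maps.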