chore(ci): Add cloud ci#1429
Conversation
|
Caution Review failedThe pull request is closed. ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
WalkthroughAdds reusable and production-triggered cloud image publishing with AWS/ECR, BuildKit Sentry secrets, commit-aligned releases, and updated web/backend Sentry instrumentation. ChangesCloud release and Sentry integration
Estimated code review effort: 4 (Complex) | ~45 minutes Sequence Diagram(s)sequenceDiagram
participant ReleaseWorkflow
participant BuildCloudWorkflow
participant AWS
participant ECR
participant Buildx
ReleaseWorkflow->>BuildCloudWorkflow: call with production inputs and Docker tags
BuildCloudWorkflow->>AWS: assume ECR role through OIDC
BuildCloudWorkflow->>ECR: authenticate
BuildCloudWorkflow->>Buildx: build linux/amd64 image with Sentry secret
Buildx->>ECR: push tagged image
Possibly related PRs
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Adds a reusable cloud image build workflow, parameterized on a GitHub Environment, that bakes the environment's Sentry DSNs into the image, uploads source maps, and pushes linux/amd64 to sourcebot-<env> in ECR via OIDC. Wires it up for prod on pushes to main and v*.*.* tags. Passes the Sentry auth token as a BuildKit secret rather than a build arg, since cache-to: mode=max exports intermediate stage layers (and their metadata) to the repo-scoped Actions cache. Drops sentry-cli login, which writes the token back to a .sentryclirc in the layer and is redundant now that the token is exposed under the name sentry-cli reads natively. Reports the build commit SHA as the backend's Sentry release so events match the release its source maps are uploaded under. Previously the backend reported SOURCEBOT_VERSION, which only coincided with SENTRY_RELEASE on tagged builds. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Renames sentry.client.config.ts to instrumentation-client.ts, which Next.js loads itself. The old file was only wired in by @sentry/nextjs' webpack plugin, which never runs: next build defaults to Turbopack in Next 16, and next.config.mjs defines a turbopack block, so Next's "webpack config with no turbopack config" guard passes silently. Client errors, replays and spans were therefore never reported in production. Exports onRouterTransitionStart so App Router client-side navigations are instrumented as spans; Next only reads that export from instrumentation-client.ts. Sets tracesSampleRate on client, server and edge. Tracing is off unless this option is present at all, since hasSpansEnabled() checks for non-nullish. Sampling every trace for now to get a read on span volume before tuning the rate down. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
@brendan-kellam your pull request is missing a changelog! |
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (2)
packages/web/src/instrumentation-client.ts (1)
16-27: 🚀 Performance & Scalability | 🔵 TrivialConsider lowering
tracesSampleRatefor production traffic.
tracesSampleRate: 1.0is now set across all three runtimes (client, edge, server), meaning 100% of transactions are captured. This is fine for initial rollout and low-traffic environments, but in production with meaningful volume it can significantly increase Sentry ingestion costs and add overhead. Consider making this configurable via env var (e.g.,SENTRY_TRACES_SAMPLE_RATE) with a lower default (e.g.,0.1) once instrumentation is validated.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@packages/web/src/instrumentation-client.ts` around lines 16 - 27, Make traces sampling configurable across the client, edge, and server Sentry initialization paths instead of hardcoding 1.0. Use the SENTRY_TRACES_SAMPLE_RATE environment variable with a production-safe default such as 0.1, parse and validate the value, and apply the shared setting wherever tracesSampleRate is configured..github/workflows/release-cloud-prod.yml (1)
42-51: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winConsider passing only the required secret instead of
secrets: inherit.
_build-cloud.ymlonly consumessecrets.SENTRY_AUTH_TOKEN, butsecrets: inheritexposes every repo/environment secret to the called workflow (zizmorsecrets-inherit). Scoping to just the token reduces blast radius. This requires declaring the secret in the reusable workflow'sworkflow_call.secretsblock.🔒 Proposed change (coordinated across both files)
In
_build-cloud.yml:on: workflow_call: inputs: ... + secrets: + SENTRY_AUTH_TOKEN: + required: trueIn
release-cloud-prod.yml:- secrets: inherit + secrets: + SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/release-cloud-prod.yml around lines 42 - 51, Replace broad secrets inheritance in the release workflow with an explicit SENTRY_AUTH_TOKEN secret mapping, and declare that secret under the reusable _build-cloud.yml workflow_call.secrets block as required or optional according to current usage. Update the called workflow invocation to pass only secrets.SENTRY_AUTH_TOKEN while preserving existing build inputs.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/_build-cloud.yml:
- Around line 90-91: Bind inputs.environment and the resolved SHA to step-level
env variables in the workflow’s validate and Summarize steps, then reference
those variables inside each run script instead of embedding GitHub expressions
directly. Update the affected error message and all SHA/environment usages,
including the symbols ENVIRONMENT and COMMIT_SHA, while preserving existing
behavior.
- Around line 56-61: Add persist-credentials: false to the actions/checkout@v4
configuration in the repository checkout step, alongside ref, submodules, and
fetch-depth, so the GITHUB_TOKEN is not stored in the workspace Git
configuration.
---
Nitpick comments:
In @.github/workflows/release-cloud-prod.yml:
- Around line 42-51: Replace broad secrets inheritance in the release workflow
with an explicit SENTRY_AUTH_TOKEN secret mapping, and declare that secret under
the reusable _build-cloud.yml workflow_call.secrets block as required or
optional according to current usage. Update the called workflow invocation to
pass only secrets.SENTRY_AUTH_TOKEN while preserving existing build inputs.
In `@packages/web/src/instrumentation-client.ts`:
- Around line 16-27: Make traces sampling configurable across the client, edge,
and server Sentry initialization paths instead of hardcoding 1.0. Use the
SENTRY_TRACES_SAMPLE_RATE environment variable with a production-safe default
such as 0.1, parse and validate the value, and apply the shared setting wherever
tracesSampleRate is configured.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 383df57e-cd49-4aec-92c4-c7b42b4c42e1
📒 Files selected for processing (9)
.github/workflows/_build-cloud.yml.github/workflows/release-cloud-prod.ymlDockerfilepackages/backend/src/instrument.tspackages/web/next.config.mjspackages/web/src/instrumentation-client.tspackages/web/src/instrumentation.tspackages/web/src/sentry.edge.config.tspackages/web/src/sentry.server.config.ts
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using high effort and found 3 potential issues.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit ca52435. Configure here.
Sets persist-credentials: false on checkout. Nothing after it talks to the remote (only git rev-parse HEAD, which is local), so there is no reason to leave GITHUB_TOKEN in the workspace's .git/config. Binds inputs.environment and the resolved commit SHA to step-level env vars rather than interpolating them into run: scripts, where GitHub substitutes them into the shell source before bash parses it. This workflow is reusable and its environment input is caller-supplied. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
_build.yml runs this check, but that is a separate workflow run triggered by the same push to main — it cannot gate the cloud build. Without it here, a commit whose migrations drift from schema.prisma reddens the OSS build while still publishing an image to ECR, which is what prod actually runs. Placed before the AWS credentials step so a drifted commit never assumes the ECR push role. base-ref is omitted, so the drift check runs unconditionally, the PR-only ordering check is skipped, and the action never reaches for the git remote (compatible with persist-credentials: false). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Note
Medium Risk
Changes production deploy plumbing (ECR push, env-gated builds) and Sentry auth/release wiring; misconfigured secrets or release mismatch could break error reporting or push wrong images, but scope is CI/Docker/observability rather than app auth or data paths.
Overview
Adds cloud production release automation: a reusable
_build-cloudworkflow that validates GitHub Environment Sentry/AWS settings, runs Prisma migration checks, assumes an ECR push role via OIDC, and builds/pusheslinux/amd64images to per-environment ECR with environment-scoped GHA cache.release-cloud-prodtriggers onmain, semver tags, or manual dispatch and tags images (main, SHA, semver/latest).Docker/Sentry build pipeline stops passing the Sentry upload token as build args (
SENTRY_SMUATremoved). Web and backend builds mountSENTRY_AUTH_TOKENas a BuildKit secret so tokens are not baked into cache metadata. Cloud builds setSENTRY_RELEASEandNEXT_PUBLIC_BUILD_COMMIT_SHAto the commit SHA for distinct prod releases.Runtime observability: backend Sentry
releaseusesNEXT_PUBLIC_BUILD_COMMIT_SHAwhen present (aligned with uploaded source maps). Next.js Sentry plugin usesSENTRY_AUTH_TOKENand explicit release name; client/server/edge configs addtracesSampleRate: 1.0;instrumentation-client.tsexportsonRouterTransitionStartfor App Router tracing; Sentry server/edge imports are corrected undersrc/.Reviewed by Cursor Bugbot for commit ec42097. Bugbot is set up for automated code reviews on this repo. Configure here.
Summary by CodeRabbit
New Features
Improvements
Security