From 3396a79445f773abd148c25ff4852a9757562824 Mon Sep 17 00:00:00 2001
From: ianshaloom <naimoolsha@gmail.com>
Date: Sun, 8 Mar 2026 15:50:09 +0300
Subject: [PATCH] fix(storefront): pass NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY at
 build time

Stripe publishable key must be baked into the client bundle. Added ARG/ENV
to storefront Dockerfile and --build-arg in the workflow build step, sourced
from STAGING_NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY secret.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .gitea/workflows/deploy-staging.yml | 2 ++
 apps/storefront/Dockerfile          | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/.gitea/workflows/deploy-staging.yml b/.gitea/workflows/deploy-staging.yml
index dec22d3..fd0359e 100644
--- a/.gitea/workflows/deploy-staging.yml
+++ b/.gitea/workflows/deploy-staging.yml
@@ -124,6 +124,7 @@ jobs:
           NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME: ${{ secrets.STAGING_NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME }}
           NEXT_PUBLIC_CLOUDINARY_API_KEY: ${{ secrets.STAGING_NEXT_PUBLIC_CLOUDINARY_API_KEY }}
           NEXT_PUBLIC_IMAGE_PROCESSING_API_URL: ${{ secrets.STAGING_NEXT_PUBLIC_IMAGE_PROCESSING_API_URL }}
+          NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY: ${{ secrets.STAGING_NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY }}
         run: |
           SHORT_SHA="${GITHUB_SHA::7}"
           IMAGE="${{ secrets.STAGING_REGISTRY }}/${{ matrix.app }}"
@@ -146,6 +147,7 @@ jobs:
               -f apps/storefront/Dockerfile \
               --build-arg NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY="$CLERK_KEY" \
               --build-arg NEXT_PUBLIC_CONVEX_URL="$NEXT_PUBLIC_CONVEX_URL" \
+              --build-arg NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY="$NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY" \
               --load \
               -t "${IMAGE}:staging" \
               ./out
diff --git a/apps/storefront/Dockerfile b/apps/storefront/Dockerfile
index ae6359d..9edab12 100644
--- a/apps/storefront/Dockerfile
+++ b/apps/storefront/Dockerfile
@@ -44,8 +44,10 @@ COPY full/ .
 # which is stripped by the workflow before being forwarded here as build args.
 ARG NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY
 ARG NEXT_PUBLIC_CONVEX_URL
+ARG NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY
 ENV NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=$NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY \
     NEXT_PUBLIC_CONVEX_URL=$NEXT_PUBLIC_CONVEX_URL \
+    NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=$NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY \
     NEXT_TELEMETRY_DISABLED=1
 
 RUN npx turbo build --filter=storefront