From 9f2e9afc63b382278ca507ed2d32aeb95239ded2 Mon Sep 17 00:00:00 2001
From: ianshaloom
Date: Sun, 8 Mar 2026 14:45:31 +0300
Subject: [PATCH] fix(admin): pass missing Cloudinary and image-processing env vars
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
NEXT_PUBLIC_CLOUDINARY_API_KEY and NEXT_PUBLIC_IMAGE_PROCESSING_API_URL are NEXT_PUBLIC_* vars that must be baked in at build time — added as ARG/ENV in admin Dockerfile and as --build-arg in the workflow build step. CLOUDINARY_API_SECRET is a server-side secret — added to the deploy step's env block, written to /opt/staging/.env via printf, and exposed to the admin container via compose.yml environment block.
Co-Authored-By: Claude Sonnet 4.6
---
 .gitea/workflows/deploy-staging.yml | 9 +++++++--
 apps/admin/Dockerfile | 4 ++++
 deploy/staging/compose.yml | 1 +
 3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/.gitea/workflows/deploy-staging.yml b/.gitea/workflows/deploy-staging.yml
index 1b5a282..dec22d3 100644
--- a/.gitea/workflows/deploy-staging.yml
+++ b/.gitea/workflows/deploy-staging.yml
@@ -122,6 +122,8 @@ jobs:
 ADMIN_CLERK_KEY: ${{ secrets.STAGING_ADMIN_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY }}
 NEXT_PUBLIC_CONVEX_URL: ${{ secrets.STAGING_NEXT_PUBLIC_CONVEX_URL }}
 NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME: ${{ secrets.STAGING_NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME }}
+ NEXT_PUBLIC_CLOUDINARY_API_KEY: ${{ secrets.STAGING_NEXT_PUBLIC_CLOUDINARY_API_KEY }}
+ NEXT_PUBLIC_IMAGE_PROCESSING_API_URL: ${{ secrets.STAGING_NEXT_PUBLIC_IMAGE_PROCESSING_API_URL }}
 run: |
 SHORT_SHA="${GITHUB_SHA::7}"
 IMAGE="${{ secrets.STAGING_REGISTRY }}/${{ matrix.app }}"
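Review bot: Nothing in the `run:` block that starts in this hunk checks that `NEXT_PUBLIC_CLOUDINARY_API_KEY` and `NEXT_PUBLIC_IMAGE_PROCESSING_API_URL` are non-empty before they are handed to `--build-arg` in the next hunk (`@@ -133,6 +135,8 @@`). An unset or misnamed `STAGING_*` secret would presumably expand to an empty string, so the image would be built with an empty value baked in, which is the symptom this commit fixes, and no build failure would point at it. A guard at the top of the script fails the job instead: `: "${NEXT_PUBLIC_CLOUDINARY_API_KEY:?not set}"` and `: "${NEXT_PUBLIC_IMAGE_PROCESSING_API_URL:?not set}"`. Both values become readable in the client bundle, which is acceptable for an API key and a URL, but a comment on this `env:` list should say that the Cloudinary API secret must never be added to it. The script body continues outside the hunk.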
@@ -133,6 +135,8 @@ jobs:
 --build-arg NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY="$CLERK_KEY" \
 --build-arg NEXT_PUBLIC_CONVEX_URL="$NEXT_PUBLIC_CONVEX_URL" \
 --build-arg NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME="$NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME" \
+ --build-arg NEXT_PUBLIC_CLOUDINARY_API_KEY="$NEXT_PUBLIC_CLOUDINARY_API_KEY" \
+ --build-arg NEXT_PUBLIC_IMAGE_PROCESSING_API_URL="$NEXT_PUBLIC_IMAGE_PROCESSING_API_URL" \
 --load \
 -t "${IMAGE}:staging" \
 ./out
@@ -177,6 +181,7 @@ jobs:
 SSH_PORT: ${{ secrets.STAGING_SSH_PORT }}
 CLERK_SECRET_KEY: ${{ secrets.STAGING_STOREFRONT_CLERK_SECRET_KEY }}
 ADMIN_CLERK_SECRET_KEY: ${{ secrets.STAGING_ADMIN_CLERK_SECRET_KEY }}
+ CLOUDINARY_API_SECRET: ${{ secrets.STAGING_CLOUDINARY_API_SECRET }}
 run: |
 REGISTRY_HOST=$(echo "$REGISTRY" | cut -d'/' -f1)
@@ -211,8 +216,8 @@ jobs:
 # Write runtime secrets to .env — variables expand on the runner before
 # being sent over SSH, so secrets never appear in VPS shell history.
 # printf keeps every line indented (no column-0 content) so YAML stays valid.
- printf 'CLERK_SECRET_KEY=%s\nADMIN_CLERK_SECRET_KEY=%s\n' \
- "${CLERK_SECRET_KEY}" "${ADMIN_CLERK_SECRET_KEY}" \
+ printf 'CLERK_SECRET_KEY=%s\nADMIN_CLERK_SECRET_KEY=%s\nCLOUDINARY_API_SECRET=%s\n' \
+ "${CLERK_SECRET_KEY}" "${ADMIN_CLERK_SECRET_KEY}" "${CLOUDINARY_API_SECRET}" \
 > /opt/staging/.env
 chmod 600 /opt/staging/.env
diff --git a/apps/admin/Dockerfile b/apps/admin/Dockerfile
index b0f1fc4..f024de1 100644
--- a/apps/admin/Dockerfile
+++ b/apps/admin/Dockerfile
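Review bot: In the last workflow hunk (`@@ -211,8 +216,8 @@`), `/opt/staging/.env` now carries a third secret but is still created by the `>` redirection and only tightened by `chmod 600` on the following line. On a first deploy, or after the file has been removed, it therefore exists with whatever mode the remote umask gives it until the `chmod` runs, and keeps that mode if the session drops in between; `umask 077` immediately before the `printf` closes that window. Separately, the comment says the values are expanded on the runner before being sent over SSH; if so, `"${CLOUDINARY_API_SECRET}"` reaches the remote shell as literal text inside double quotes, and a value containing `"`, `$`, a backtick or a backslash would be re-interpreted there. It is worth confirming that the secret's alphabet excludes those characters, or quoting the value on the runner before it is sent. The SSH invocation itself is outside the hunk, so how the script is delivered is not visible here.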
@@ -34,9 +34,13 @@ COPY full/ .
 ARG NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY
 ARG NEXT_PUBLIC_CONVEX_URL
 ARG NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME
+ARG NEXT_PUBLIC_CLOUDINARY_API_KEY
+ARG NEXT_PUBLIC_IMAGE_PROCESSING_API_URL
 ENV NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=$NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY \
 NEXT_PUBLIC_CONVEX_URL=$NEXT_PUBLIC_CONVEX_URL \
 NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME=$NEXT_PUBLIC_CLOUDINARY_CLOUD_NAME \
+ NEXT_PUBLIC_CLOUDINARY_API_KEY=$NEXT_PUBLIC_CLOUDINARY_API_KEY \
+ NEXT_PUBLIC_IMAGE_PROCESSING_API_URL=$NEXT_PUBLIC_IMAGE_PROCESSING_API_URL \
 NEXT_TELEMETRY_DISABLED=1
 RUN npx turbo build --filter=admin
diff --git a/deploy/staging/compose.yml b/deploy/staging/compose.yml
index ce7018a..12f65e3 100644
--- a/deploy/staging/compose.yml
+++ b/deploy/staging/compose.yml
@@ -22,3 +22,4 @@ services:
 required: false
 environment:
 - CLERK_SECRET_KEY=${ADMIN_CLERK_SECRET_KEY}
+ - CLOUDINARY_API_SECRET
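Review bot: The `ARG`/`ENV` block in `apps/admin/Dockerfile` has no comment saying which kind of value may be added to it, and the two new names lengthen it without marking that boundary. Values passed this way are kept in the metadata and build history of this stage's image, and per the commit message the `NEXT_PUBLIC_*` ones are baked into the build output by the `RUN npx turbo build` line, so only values that are safe to publish belong here. I would add above the first `ARG`: `# Browser-visible build-time values only; ARG/ENV are kept in image metadata, so server secrets (e.g. CLOUDINARY_API_SECRET) must never be added here.` The stage this block belongs to starts outside the hunk.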
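Review bot: The bare `- CLOUDINARY_API_SECRET` entry in `deploy/staging/compose.yml` passes the variable through only if Compose can resolve it; when it cannot, the container starts without the secret and nothing is reported. That is more likely to go unnoticed here because of the `required: false` two lines up, which (presumably on an `env_file` entry) tolerates a missing file. The interpolation form with a mandatory check fails the deploy at `up` instead and matches the style of the line above: `- CLOUDINARY_API_SECRET=${CLOUDINARY_API_SECRET:?CLOUDINARY_API_SECRET is not set}`. The service definition starts outside the hunk, so the service this list belongs to is taken from the commit message.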