From e996f4485f557aaed23220a0f53267b68f6870d0 Mon Sep 17 00:00:00 2001
From: Ethan Swan
Date: Sun, 8 Feb 2026 08:37:10 -0600
Subject: [PATCH] Use GCP Secret Manager for Sentry auth token in Cloud Build

Replace trigger substitution variable with availableSecrets to pull the token directly from Secret Manager at build time.

Co-Authored-By: Claude Opus 4.6
---
 cloudbuild.yaml | 57 +++++++++++++++++++++++++------------------------
 1 file changed, 29 insertions(+), 28 deletions(-)

diff --git a/cloudbuild.yaml b/cloudbuild.yaml
index 1648ad4..419821c 100644
--- a/cloudbuild.yaml
+++ b/cloudbuild.yaml
@@ -7,41 +7,42 @@ substitutions:
 _SENTRY_ORG: 'forecasting'
 _SENTRY_PROJECT: 'forecasting-app'
+availableSecrets:
+ secretManager:
+ - versionName: projects/ethans-services/secrets/forecasting_sentry_auth_token/versions/latest
+ env: 'SENTRY_AUTH_TOKEN'
+
 steps:
 # Build prod image
 - name: 'gcr.io/cloud-builders/docker'
+ entrypoint: 'bash'
 args:
- - 'build'
- - '--build-arg'
- - 'NEXT_PUBLIC_IDP_BASE_URL=${_NEXT_PUBLIC_IDP_BASE_URL_PROD}'
- - '--build-arg'
- - 'SENTRY_ORG=${_SENTRY_ORG}'
- - '--build-arg'
- - 'SENTRY_PROJECT=${_SENTRY_PROJECT}'
- - '--build-arg'
- - 'SENTRY_AUTH_TOKEN=${_SENTRY_AUTH_TOKEN}'
- - '-t'
- - 'us-central1-docker.pkg.dev/ethans-services/containers/forecasting:${SHORT_SHA}-prod'
- - '-t'
- - 'us-central1-docker.pkg.dev/ethans-services/containers/forecasting:prod'
- - '.'
+ - '-c'
+ - |
+ docker build \
+ --build-arg NEXT_PUBLIC_IDP_BASE_URL=${_NEXT_PUBLIC_IDP_BASE_URL_PROD} \
+ --build-arg SENTRY_ORG=${_SENTRY_ORG} \
+ --build-arg SENTRY_PROJECT=${_SENTRY_PROJECT} \
+ --build-arg SENTRY_AUTH_TOKEN=$$SENTRY_AUTH_TOKEN \
+ -t us-central1-docker.pkg.dev/ethans-services/containers/forecasting:${SHORT_SHA}-prod \
+ -t us-central1-docker.pkg.dev/ethans-services/containers/forecasting:prod \
+ .
+ secretEnv: ['SENTRY_AUTH_TOKEN']
 # Build staging image
 - name: 'gcr.io/cloud-builders/docker'
+ entrypoint: 'bash'
 args:
- - 'build'
- - '--build-arg'
- - 'NEXT_PUBLIC_IDP_BASE_URL=${_NEXT_PUBLIC_IDP_BASE_URL_STAGING}'
- - '--build-arg'
- - 'SENTRY_ORG=${_SENTRY_ORG}'
- - '--build-arg'
- - 'SENTRY_PROJECT=${_SENTRY_PROJECT}'
- - '--build-arg'
- - 'SENTRY_AUTH_TOKEN=${_SENTRY_AUTH_TOKEN}'
- - '-t'
- - 'us-central1-docker.pkg.dev/ethans-services/containers/forecasting:${SHORT_SHA}-staging'
- - '-t'
- - 'us-central1-docker.pkg.dev/ethans-services/containers/forecasting:staging'
- - '.'
+ - '-c'
+ - |
+ docker build \
+ --build-arg NEXT_PUBLIC_IDP_BASE_URL=${_NEXT_PUBLIC_IDP_BASE_URL_STAGING} \
+ --build-arg SENTRY_ORG=${_SENTRY_ORG} \
+ --build-arg SENTRY_PROJECT=${_SENTRY_PROJECT} \
+ --build-arg SENTRY_AUTH_TOKEN=$$SENTRY_AUTH_TOKEN \
+ -t us-central1-docker.pkg.dev/ethans-services/containers/forecasting:${SHORT_SHA}-staging \
+ -t us-central1-docker.pkg.dev/ethans-services/containers/forecasting:staging \
+ .
+ secretEnv: ['SENTRY_AUTH_TOKEN']
 # Push all tags
 - name: 'gcr.io/cloud-builders/docker'
 args:
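Review bot: `--build-arg SENTRY_AUTH_TOKEN=$$SENTRY_AUTH_TOKEN` in both new build scripts (prod and staging) still hands the token to the image build as a build argument, so moving the source to Secret Manager changes where the value comes from but not how it is exposed: build-arg values are persisted in the layer metadata of the stage that declares the `ARG` and can be read back with `docker history` from the pushed `forecasting:*` images, and whether that reaches the final stage depends on the Dockerfile, which is not in this patch. A BuildKit secret mount avoids that entirely: replace the line with `--secret id=sentry_auth_token,env=SENTRY_AUTH_TOKEN \` (or `src=` pointing at a file written from the env var on Docker versions whose `--secret` lacks `env=`), have the Dockerfile consume it with `RUN --mount=type=secret,id=sentry_auth_token`, and set `DOCKER_BUILDKIT=1` on the step if the builder image does not enable BuildKit by default. Separately, `versionName: .../versions/latest` means a rotation of the secret silently changes what every later build uses; pinning a numbered version makes rotations an explicit, reviewable change in this file.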