Open lucas-zimerman opened 3 months ago
Good catch! I agree that whatever file we create that contains a secret should be .gitignore'd. This is in line with our SDK wizard specification.
Are you interested in opening a PR for this? cc @krystofwoldrich thoughts?
Sure thing, I could open a PR for it.
Also for more context, when pushing a project with sentry.properties on github an application emailed me with the following message
Let's do it, thanks!
I've just tried the new Sentry integration with "@sentry/react-native": "5.26.0"
and the integration wizard.
if I .gitignore
sentry.properties
then the build will fail on CI with:
Sentry Source Maps upload will include the release name and dist.
Sentry-CLI arguments: [/bitrise/src/packages/mobile/node_modules/@sentry/cli/bin/sentry-cli, react-native, gradle, --bundle, /bitrise/src/packages/mobile/android/app/build/generated/assets/createBundleP4hStagingReleaseJsAndAssets/index.android.bundle, --sourcemap, /bitrise/src/packages/mobile/android/app/build/generated/sourcemaps/react/p4hStagingRelease/index.android.bundle.map, --release, uk.co.pets4homes.staging@3.67.0+574175233, --dist, 574175233]
WARN 2024-08-01 15:27:53.022331510 +00:00 Failed to find file referenced by SENTRY_PROPERTIES (/bitrise/src/packages/mobile/android/sentry.properties)
error: A project slug is required (provide with --project)
so far I've removed the auth token from the file and checked it in Git. I think this is not a good strategy to keep both the auth token (security sensitive but optional info) and some Sentry project identifiers (not so sensitive, but required) in the same file, then the file cannot be ignored that easily and then some other developer can accidentally Git push the auth token if they login on their machine and don't check their Git diff.
@zubko I'm lacking a bit of context in ReactNative land but I agree that having all paramers in one file isn't ideal. IIRC we discussed this before @krystofwoldrich do you remember specifics?
Generally, the Sentry CLI also works with the SENTRY_AUTH_TOKEN
environment variable so depending on your setup you can declare this env variable, for example in a .env
file. Again, I'm not an RN expert, so Krystof knows more here.
Thank you @zubko for the message, as @Lms24 mentioned we are aware of this, and will improve the experience in the future.
The best is to set SENTRY_AUTH_TOKEN
env, but we can't do that automatically in the wizard due to security. Sadly the .env
files behave differently across the RN build environments Xcode, Gradle, Expo...
Environment
What version are you running 3.23.1
Steps to Reproduce
I have opened this issue to discuss if it's ideal or not to add sentry.properties to git ignore since it contains an authentication token.
After running the wizard and building the app, I noticed that sentry.property was created under both iOS/Android and that no git ignore rule was applied for it, so users could commit it without noticing it.
This file contains the user auth token:
Expected Result
This file should be included on gitignore and sentry.properties not tracked by git.
What you thought would happen.
Actual Result
sentry.properties is tracked by git.