chore: move dd api key to docker secrets and expose a RELEASE_VERSION env var to correctly map source maps to commits/deployments

Author: geclos

.github/workflows/build-and-push.yml

@@ -228,21 +228,21 @@ jobs:
             NEXT_SERVER_ACTIONS_ENCRYPTION_KEY=${{ secrets.NEXT_SERVER_ACTIONS_ENCRYPTION_KEY }}
             AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_ID }}
             AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_ACCESS_KEY }}
+            DATADOG_API_KEY=${{ secrets.DATADOG_API_KEY }}
           build-args: |
             AWS_REGION=${{ vars.AWS_REGION }}
             BUILD_ID=${{ github.sha }}
+            DD_GIT_COMMIT_SHA=${{ github.sha }}
+            DD_GIT_REPOSITORY_URL=${{ github.server_url }}/${{ github.repository }}
+            NEXT_PUBLIC_DATADOG_APPLICATION_ID=${{ secrets.NEXT_PUBLIC_DATADOG_APPLICATION_ID }}
+            NEXT_PUBLIC_DATADOG_CLIENT_TOKEN=${{ secrets.NEXT_PUBLIC_DATADOG_CLIENT_TOKEN }}
+            NEXT_PUBLIC_DATADOG_SITE=${{ secrets.NEXT_PUBLIC_DATADOG_SITE }}
             NEXT_PUBLIC_DOCS_URL=${{ vars.NEXT_PUBLIC_DOCS_URL }}
             NEXT_PUBLIC_LATITUDE_CLOUD_PAYMENT_URL=${{ vars.NEXT_PUBLIC_LATITUDE_CLOUD_PAYMENT_URL }}
             NEXT_PUBLIC_POSTHOG_HOST=${{ secrets.NEXT_PUBLIC_POSTHOG_HOST }}
             NEXT_PUBLIC_POSTHOG_KEY=${{ secrets.NEXT_PUBLIC_POSTHOG_KEY }}
-            NEXT_PUBLIC_DATADOG_APPLICATION_ID=${{ secrets.NEXT_PUBLIC_DATADOG_APPLICATION_ID }}
-            NEXT_PUBLIC_DATADOG_CLIENT_TOKEN=${{ secrets.NEXT_PUBLIC_DATADOG_CLIENT_TOKEN }}
-            NEXT_PUBLIC_DATADOG_SITE=${{ secrets.NEXT_PUBLIC_DATADOG_SITE }}
-            DATADOG_API_KEY=${{ secrets.DATADOG_API_KEY }}
             S3_BUCKET=${{ vars.STATIC_ASSETS_S3_BUCKET }}
             STATIC_ASSETS_HOST=${{ vars.STATIC_ASSETS_HOST }}
-            DD_GIT_REPOSITORY_URL=${{ github.server_url }}/${{ github.repository }}
-            DD_GIT_COMMIT_SHA=${{ github.sha }}
 
   run-migrations:
     needs: [build-and-push-private]

apps/gateway/docker/Dockerfile

@@ -2,7 +2,6 @@ ARG PROJECT="@latitude-data/gateway"
 ARG PROJECT_PATH="apps/gateway"
 ARG DD_GIT_REPOSITORY_URL
 ARG DD_GIT_COMMIT_SHA
-ARG DATADOG_API_KEY
 
 FROM node:22-alpine AS alpine
 
@@ -48,9 +47,9 @@ FROM base AS builder
 
 ARG PROJECT
 ARG PROJECT_PATH
-ARG DATADOG_API_KEY
+ARG DD_GIT_COMMIT_SHA
 
-ENV DATADOG_API_KEY=$DATADOG_API_KEY
+ENV RELEASE_VERSION=${DD_GIT_COMMIT_SHA:-unknown}
 
 WORKDIR /app
 
@@ -71,13 +70,15 @@ RUN --mount=type=cache,id=pnpm,target=/pnpm/store \
   pnpm turbo build --filter="${PROJECT}..."
 
 # Upload source maps to Datadog
-RUN if [ -n "$DATADOG_API_KEY" ]; then \
-  echo "Uploading gateway source maps to Datadog..."; \
-  cd apps/gateway && \
-  pnpm datadog:sourcemaps; \
-else \
-  echo "Skipping Datadog source map upload for gateway - missing required environment variables (DATADOG_API_KEY)"; \
-fi
+RUN --mount=type=secret,id=DATADOG_API_KEY \
+  if [ -s /run/secrets/DATADOG_API_KEY ]; then \
+    echo "Uploading gateway source maps to Datadog..."; \
+    export DATADOG_API_KEY="$(cat /run/secrets/DATADOG_API_KEY)" && \
+    cd apps/gateway && \
+    pnpm datadog:sourcemaps; \
+  else \
+    echo "Skipping Datadog source map upload for gateway - DATADOG_API_KEY secret not provided"; \
+  fi
 
 # Since `pnpm prune` doesn't handle recursive dependencies effectively,
 # we follow pnpm's recommended approach: remove node_modules entirely
@@ -104,6 +105,7 @@ ENV NODE_ENV=production
 ENV KEEP_ALIVE_TIMEOUT=601000
 ENV DD_GIT_REPOSITORY_URL=${DD_GIT_REPOSITORY_URL:-}
 ENV DD_GIT_COMMIT_SHA=${DD_GIT_COMMIT_SHA:-}
+ENV RELEASE_VERSION=${DD_GIT_COMMIT_SHA:-}
 
 EXPOSE $PORT
 

apps/gateway/package.json

@@ -12,7 +12,7 @@
     "tc": "tsc --noEmit",
     "test": "vitest --run",
     "test:watch": "vitest",
-    "datadog:sourcemaps": "datadog-ci sourcemaps upload dist --service=latitude-gateway --minified-path-prefix=/app/apps/gateway/dist"
+    "datadog:sourcemaps": "datadog-ci sourcemaps upload dist --service=latitude-llm-gateway --minified-path-prefix=/app/apps/gateway/dist --release-version=${RELEASE_VERSION:-unknown}"
   },
   "dependencies": {
     "@hono/node-server": "1.13.2",

apps/web/docker/Dockerfile

@@ -9,7 +9,6 @@ ARG S3_BUCKET
 ARG BUILD_ID
 ARG DD_GIT_REPOSITORY_URL
 ARG DD_GIT_COMMIT_SHA
-ARG DATADOK_API_KEY
 
 
 FROM node:22-alpine AS alpine
@@ -68,11 +67,9 @@ RUN turbo prune "${PROJECT}" --docker
 FROM base AS builder
 
 ARG AWS_REGION
-ARG S3_BUCKET
 
 ARG BUILD_ID
 
-ARG DATADOK_API_KEY
 ARG DD_GIT_COMMIT_SHA
 ARG DD_GIT_REPOSITORY_URL
 
@@ -92,7 +89,6 @@ ENV S3_BUCKET=${S3_BUCKET:-}
 
 ENV BUILD_ID=${BUILD_ID:-}
 
-ENV DATADOG_API_KEY=$DATADOG_API_KEY
 ENV DD_GIT_COMMIT_SHA=${DD_GIT_COMMIT_SHA:-}
 ENV DD_GIT_REPOSITORY_URL=${DD_GIT_REPOSITORY_URL:-}
 
@@ -105,6 +101,7 @@ ENV NEXT_PUBLIC_POSTHOG_HOST=$NEXT_PUBLIC_POSTHOG_HOST
 ENV NEXT_PUBLIC_POSTHOG_KEY=$NEXT_PUBLIC_POSTHOG_KEY
 
 ENV STATIC_ASSETS_HOST=${STATIC_ASSETS_HOST:-}
+ENV RELEASE_VERSION=${DD_GIT_COMMIT_SHA:-unknown}
 
 WORKDIR /app
 
@@ -135,6 +132,7 @@ RUN --mount=type=cache,id=pnpm,target=/pnpm/store \
   AWS_REGION=$AWS_REGION && \
   S3_BUCKET=$S3_BUCKET && \
   BUILD_ID=$BUILD_ID && \
+  RELEASE_VERSION=$RELEASE_VERSION && \
   STATIC_ASSETS_HOST=$STATIC_ASSETS_HOST && \
   if [ -n "$STATIC_ASSETS_HOST" ] && [ -n "$BUILD_ID" ]; then NEXT_PUBLIC_STATIC_ASSETS_URL="https://$STATIC_ASSETS_HOST/static-assets/$BUILD_ID"; fi && \
   NODE_OPTIONS="--max-old-space-size=8192" && \
@@ -161,13 +159,15 @@ else \
 fi
 
 # Upload source maps to Datadog
-RUN if [ -n "$DATADOG_API_KEY" ]; then \
-  echo "Uploading source maps to Datadog..."; \
-  cd apps/web && \
-  pnpm datadog:sourcemaps; \
-else \
-  echo "Skipping Datadog source map upload - missing required environment variables (DATADOG_API_KEY)"; \
-fi
+RUN --mount=type=secret,id=DATADOG_API_KEY \
+  if [ -s /run/secrets/DATADOG_API_KEY ]; then \
+    echo "Uploading source maps to Datadog..."; \
+    export DATADOG_API_KEY="$(cat /run/secrets/DATADOG_API_KEY)" && \
+    cd apps/web && \
+    pnpm datadog:sourcemaps; \
+  else \
+    echo "Skipping Datadog source map upload - DATADOG_API_KEY secret not provided"; \
+  fi
 
 RUN --mount=type=cache,id=pnpm,target=/pnpm/store pnpm prune --prod --no-optional
 
@@ -185,6 +185,7 @@ ENV NODE_ENV=production
 ENV PORT=8080
 ENV DD_GIT_REPOSITORY_URL=${DD_GIT_REPOSITORY_URL:-}
 ENV DD_GIT_COMMIT_SHA=${DD_GIT_COMMIT_SHA:-}
+ENV RELEASE_VERSION=${DD_GIT_COMMIT_SHA:-}
 
 WORKDIR /app
 

apps/web/package.json

@@ -15,7 +15,7 @@
     "tc": "tsc --noEmit",
     "test": "TZ=UTC vitest --run",
     "test:watch": "TZ=UTC vitest",
-    "datadog:sourcemaps": "datadog-ci sourcemaps upload .next/static --service=latitude-web --minified-path-prefix=/_next/static"
+    "datadog:sourcemaps": "datadog-ci sourcemaps upload .next/static --service=latitude-llm-web --minified-path-prefix=/_next/static --release-version=${RELEASE_VERSION:-unknown}"
   },
   "dependencies": {
     "@aws-sdk/client-s3": "3.850.0",

apps/web/src/envClient.ts

@@ -15,6 +15,7 @@ export const envClient = createEnv({
     NEXT_PUBLIC_DATADOG_CLIENT_TOKEN: z.string().optional(),
     NEXT_PUBLIC_DATADOG_SITE: z.string().optional(),
     NEXT_PUBLIC_NODE_ENV: z.string().optional(),
+    NEXT_PUBLIC_RELEASE_VERSION: z.string().optional(),
   },
   runtimeEnv: {
     NEXT_PUBLIC_LATITUDE_CLOUD_PAYMENT_URL:
@@ -32,5 +33,6 @@ export const envClient = createEnv({
     NEXT_PUBLIC_DATADOG_SITE:
       process.env.NEXT_PUBLIC_DATADOG_SITE ?? 'datadoghq.eu',
     NEXT_PUBLIC_NODE_ENV: process.env.NODE_ENV ?? 'development',
+    NEXT_PUBLIC_RELEASE_VERSION: process.env.RELEASE_VERSION ?? '',
   },
 })

apps/web/src/instrumentation-client.ts

@@ -12,7 +12,7 @@ if (
     applicationId: envClient.NEXT_PUBLIC_DATADOG_APPLICATION_ID,
     clientToken: envClient.NEXT_PUBLIC_DATADOG_CLIENT_TOKEN,
     site: (envClient.NEXT_PUBLIC_DATADOG_SITE as Site) || 'datadoghq.com',
-    service: 'latitude-web',
+    service: 'latitude-llm-web',
     env: envClient.NEXT_PUBLIC_NODE_ENV || 'development',
     version: '1.0.0',
     sessionSampleRate: 100,

apps/web/src/instrumentation.ts

@@ -4,7 +4,7 @@ export async function register() {
     const { envClient } = await import('./envClient')
 
     tracer.init({
-      service: 'latitude-web',
+      service: 'latitude-llm-web',
       env: envClient.NEXT_PUBLIC_NODE_ENV || 'development',
       version: process.env.npm_package_version || '1.0.0',
       logInjection: true,

apps/workers/docker/Dockerfile

@@ -1,6 +1,5 @@
 ARG PROJECT="@latitude-data/workers"
 ARG PROJECT_PATH="apps/workers"
-ARG DATADOG_API_KEY
 ARG DD_GIT_REPOSITORY_URL
 ARG DD_GIT_COMMIT_SHA
 
@@ -36,9 +35,9 @@ FROM base AS builder
 
 ARG PROJECT
 ARG PROJECT_PATH
-ARG DATADOG_API_KEY
+ARG DD_GIT_COMMIT_SHA
 
-ENV DATADOG_API_KEY=$DATADOG_API_KEY
+ENV RELEASE_VERSION=${DD_GIT_COMMIT_SHA:-unknown}
 
 WORKDIR /app
 
@@ -59,13 +58,15 @@ RUN --mount=type=cache,id=pnpm,target=/pnpm/store \
   pnpm turbo build --filter="${PROJECT}..."
 
 # Upload source maps to Datadog
-RUN if [ -n "$DATADOG_API_KEY" ]; then \
-  echo "Uploading workers source maps to Datadog..."; \
-  cd apps/workers && \
-  pnpm datadog:sourcemaps; \
-else \
-  echo "Skipping Datadog source map upload for workers - missing required environment variables (DATADOG_API_KEY)"; \
-fi
+RUN --mount=type=secret,id=DATADOG_API_KEY \
+  if [ -s /run/secrets/DATADOG_API_KEY ]; then \
+    echo "Uploading workers source maps to Datadog..."; \
+    export DATADOG_API_KEY="$(cat /run/secrets/DATADOG_API_KEY)" && \
+    cd apps/workers && \
+    pnpm datadog:sourcemaps; \
+  else \
+    echo "Skipping Datadog source map upload for workers - DATADOG_API_KEY secret not provided"; \
+  fi
 
 # Since `pnpm prune` doesn't handle recursive dependencies effectively,
 # we follow pnpm's recommended approach: remove node_modules entirely
@@ -88,6 +89,7 @@ ENV PORT=$PORT
 ENV NODE_ENV=production
 ENV DD_GIT_REPOSITORY_URL=${DD_GIT_REPOSITORY_URL:-}
 ENV DD_GIT_COMMIT_SHA=${DD_GIT_COMMIT_SHA:-}
+ENV RELEASE_VERSION=${DD_GIT_COMMIT_SHA:-}
 
 EXPOSE $PORT
 

apps/workers/package.json

@@ -11,7 +11,7 @@
     "lint": "eslint src/",
     "start": "node -r module-alias/register ./dist --env=production",
     "tc": "tsc --noEmit",
-    "datadog:sourcemaps": "datadog-ci sourcemaps upload dist --service=latitude-workers --minified-path-prefix=/app/apps/workers/dist"
+    "datadog:sourcemaps": "datadog-ci sourcemaps upload dist --service=latitude-llm-workers --minified-path-prefix=/app/apps/workers/dist --release-version=${RELEASE_VERSION:-unknown}"
   },
   "dependencies": {
     "@bull-board/api": "6.10.1",