From 254bed18d020bada77f865116d3d7aacdae08b9b Mon Sep 17 00:00:00 2001
From: Eric Gullickson <16152721+ericgullickson@users.noreply.github.com>
Date: Sun, 18 Jan 2026 19:20:29 -0600
Subject: [PATCH] fix: add Stripe secrets to CI/CD and build configuration (refs #55)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add VITE_STRIPE_PUBLISHABLE_KEY to frontend Dockerfile build args
- Add VITE_STRIPE_PUBLISHABLE_KEY to docker-compose.yml build args
- Add :ro flag to backend Stripe secret volume mounts for consistency
- Update inject-secrets.sh with STRIPE_SECRET_KEY and STRIPE_WEBHOOK_SECRET
- Add Stripe secrets to staging.yaml workflow (build arg + inject step)
- Add Stripe secrets to production.yaml workflow (inject step)

Requires STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET secrets and VITE_STRIPE_PUBLISHABLE_KEY variable to be configured in Gitea.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5
---
 .gitea/workflows/production.yaml | 2 ++
 .gitea/workflows/staging.yaml | 3 +++
 docker-compose.yml | 5 +++--
 frontend/Dockerfile | 4 +++-
 scripts/inject-secrets.sh | 6 ++++++
 5 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/.gitea/workflows/production.yaml b/.gitea/workflows/production.yaml
index 56f2334..76dc966 100644
--- a/.gitea/workflows/production.yaml
+++ b/.gitea/workflows/production.yaml
@@ -119,6 +119,8 @@ jobs:
 GOOGLE_MAPS_MAP_ID: ${{ secrets.GOOGLE_MAPS_MAP_ID }}
 CF_DNS_API_TOKEN: ${{ secrets.CF_DNS_API_TOKEN }}
 RESEND_API_KEY: ${{ secrets.RESEND_API_KEY }}
+ STRIPE_SECRET_KEY: ${{ secrets.STRIPE_SECRET_KEY }}
+ STRIPE_WEBHOOK_SECRET: ${{ secrets.STRIPE_WEBHOOK_SECRET }}
 
 - name: Initialize data directories
 run: |
diff --git a/.gitea/workflows/staging.yaml b/.gitea/workflows/staging.yaml
index fec55b3..c66c04f 100644
--- a/.gitea/workflows/staging.yaml
+++ b/.gitea/workflows/staging.yaml
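Review bot: No `--build-arg VITE_STRIPE_PUBLISHABLE_KEY=…` is added to production.yaml, only the two inject-step secrets at the end of this hunk, whereas staging.yaml's build step (its hunk @@ -67) does pass the publishable key. If production.yaml builds the frontend image itself, the key is baked into the bundle as an empty string and the Stripe client only fails once a user reaches checkout, rather than at build time; if production instead promotes the staging-built image, that is fine but deserves a comment near the build/deploy step, e.g. `# Frontend image is promoted from staging; VITE_* build args are applied there.`. The step whose `env:` block this is starts above the hunk, so which case applies cannot be confirmed from here.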
@@ -67,6 +67,7 @@ jobs:
 --build-arg VITE_AUTH0_CLIENT_ID=${{ vars.VITE_AUTH0_CLIENT_ID }} \
 --build-arg VITE_AUTH0_AUDIENCE=${{ vars.VITE_AUTH0_AUDIENCE }} \
 --build-arg VITE_API_BASE_URL=/api \
+ --build-arg VITE_STRIPE_PUBLISHABLE_KEY=${{ vars.VITE_STRIPE_PUBLISHABLE_KEY }} \
 --cache-from $REGISTRY/egullickson/frontend:latest \
 -t ${{ steps.tags.outputs.frontend_image }} \
 -t $REGISTRY/egullickson/frontend:latest \
@@ -112,6 +113,8 @@ jobs:
 GOOGLE_MAPS_MAP_ID: ${{ secrets.GOOGLE_MAPS_MAP_ID }}
 CF_DNS_API_TOKEN: ${{ secrets.CF_DNS_API_TOKEN }}
 RESEND_API_KEY: ${{ secrets.RESEND_API_KEY }}
+ STRIPE_SECRET_KEY: ${{ secrets.STRIPE_SECRET_KEY }}
+ STRIPE_WEBHOOK_SECRET: ${{ secrets.STRIPE_WEBHOOK_SECRET }}
 
 - name: Initialize data directories
 run: |
diff --git a/docker-compose.yml b/docker-compose.yml
index e16608c..7c021ee 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -53,6 +53,7 @@ services:
 VITE_AUTH0_CLIENT_ID: ${VITE_AUTH0_CLIENT_ID:-yspR8zdnSxmV8wFIghHynQ08iXAPoQJ3}
 VITE_AUTH0_AUDIENCE: ${VITE_AUTH0_AUDIENCE:-https://api.motovaultpro.com}
 VITE_API_BASE_URL: ${VITE_API_BASE_URL:-/api}
+ VITE_STRIPE_PUBLISHABLE_KEY: ${VITE_STRIPE_PUBLISHABLE_KEY:-}
 container_name: mvp-frontend
 restart: unless-stopped
 environment:
@@ -121,8 +122,8 @@ services:
 - ./secrets/app/resend-api-key.txt:/run/secrets/resend-api-key:ro
 - ./secrets/app/auth0-management-client-id.txt:/run/secrets/auth0-management-client-id:ro
 - ./secrets/app/auth0-management-client-secret.txt:/run/secrets/auth0-management-client-secret:ro
- - ./secrets/app/stripe-secret-key.txt:/run/secrets/stripe-secret-key
- - ./secrets/app/stripe-webhook-secret.txt:/run/secrets/stripe-webhook-secret
+ - ./secrets/app/stripe-secret-key.txt:/run/secrets/stripe-secret-key:ro
+ - ./secrets/app/stripe-webhook-secret.txt:/run/secrets/stripe-webhook-secret:ro
 # Filesystem storage for documents
 - ./data/documents:/app/data/documents
 # Filesystem storage for backups
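Review bot: `${VITE_STRIPE_PUBLISHABLE_KEY:-}` in the docker-compose.yml hunk @@ -53 silently builds the frontend with an empty publishable key when the variable is unset, unlike the three neighbouring build args, which each carry a usable default. If a local build without Stripe is not a supported configuration, failing fast at `docker compose build` is clearer than a broken checkout page later: `VITE_STRIPE_PUBLISHABLE_KEY: ${VITE_STRIPE_PUBLISHABLE_KEY:?VITE_STRIPE_PUBLISHABLE_KEY must be set}`. If an empty key is intentional for local development, a one-line comment above it saying so, and that Stripe features are expected to be non-functional in that case, would stop the next reader from "fixing" it. The `build.args` mapping this sits in starts above the hunk.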
diff --git a/frontend/Dockerfile b/frontend/Dockerfile
index 1a401cc..622d081 100644
--- a/frontend/Dockerfile
+++ b/frontend/Dockerfile
@@ -19,15 +19,17 @@ FROM deps AS build
 
 # Accept build arguments for environment variables
 ARG VITE_AUTH0_DOMAIN
-ARG VITE_AUTH0_CLIENT_ID
+ARG VITE_AUTH0_CLIENT_ID
 ARG VITE_AUTH0_AUDIENCE
 ARG VITE_API_BASE_URL
+ARG VITE_STRIPE_PUBLISHABLE_KEY
 
 # Set environment variables from build args
 ENV VITE_AUTH0_DOMAIN=$VITE_AUTH0_DOMAIN
 ENV VITE_AUTH0_CLIENT_ID=$VITE_AUTH0_CLIENT_ID
 ENV VITE_AUTH0_AUDIENCE=$VITE_AUTH0_AUDIENCE
 ENV VITE_API_BASE_URL=$VITE_API_BASE_URL
+ENV VITE_STRIPE_PUBLISHABLE_KEY=$VITE_STRIPE_PUBLISHABLE_KEY
 
 COPY . .
 RUN npm run build
diff --git a/scripts/inject-secrets.sh b/scripts/inject-secrets.sh
index 410fdf1..9081b4b 100755
--- a/scripts/inject-secrets.sh
+++ b/scripts/inject-secrets.sh
@@ -15,6 +15,8 @@
 # - GOOGLE_MAPS_MAP_ID
 # - CF_DNS_API_TOKEN
 # - RESEND_API_KEY
+# - STRIPE_SECRET_KEY
+# - STRIPE_WEBHOOK_SECRET
 
 set -euo pipefail
 
@@ -32,6 +34,8 @@ SECRET_FILES=(
 "google-maps-map-id.txt"
 "cloudflare-dns-token.txt"
 "resend-api-key.txt"
+ "stripe-secret-key.txt"
+ "stripe-webhook-secret.txt"
 )
 
 echo "Injecting secrets..."
@@ -99,6 +103,8 @@ inject_secret "GOOGLE_MAPS_API_KEY" "google-maps-api-key.txt" || FAILED=1
 inject_secret "GOOGLE_MAPS_MAP_ID" "google-maps-map-id.txt" || FAILED=1
 inject_secret "CF_DNS_API_TOKEN" "cloudflare-dns-token.txt" || FAILED=1
 inject_secret "RESEND_API_KEY" "resend-api-key.txt" || FAILED=1
+inject_secret "STRIPE_SECRET_KEY" "stripe-secret-key.txt" || FAILED=1
+inject_secret "STRIPE_WEBHOOK_SECRET" "stripe-webhook-secret.txt" || FAILED=1
 
 if [ $FAILED -eq 1 ]; then
 echo ""
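Review bot: The `ARG`/`ENV` list in the frontend/Dockerfile hunk needs a comment pinning what may go in it, because Vite inlines every `VITE_*` variable into the shipped client bundle and `ARG`/`ENV` values are also recorded in the image layers and `docker history`. The publishable key is designed to be public, so it belongs here; `STRIPE_SECRET_KEY` and `STRIPE_WEBHOOK_SECRET` must never be added to this stage (the inject-secrets.sh path in this same commit is the right place), and a guard line above the ARGs makes that explicit: `# Client-safe values only: Vite bakes VITE_* into the bundle and ARG/ENV values land in docker history.`. As a minor style point, an `ARG` declared in a stage is already visible as an environment variable to that stage's `RUN` steps, so the `ENV` mirror lines, including the new one, are only needed if a later stage must inherit the value. The `build` stage may continue past `RUN npm run build`, outside this hunk.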
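Review bot: Each new secret has to be added in three places in scripts/inject-secrets.sh — the header comment here, `SECRET_FILES` (hunk @@ -32) and the `inject_secret` call list (hunk @@ -99) — and nothing checks that the three agree, so a future addition to one list but not another goes unnoticed until deploy. Deriving the call list from the array, by carrying the environment-variable name alongside each filename and running a single loop, would remove that drift; that touches code outside these hunks, so it is only described here. At minimum a comment on the array, `# Keep in sync with the inject_secret calls below and the header list above.`, would flag the coupling. Whether `inject_secret` writes the target files with restrictive permissions is outside these hunks; the Stripe secret key and webhook secret are the most sensitive values the script now handles, so that is worth confirming in the function body.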