feat: add FARO_API_KEY build secret for source-map upload #286
Merged
Wires a new optional FARO_API_KEY through the reusable workflow chain so
service repos can upload Grafana Faro source maps during their Docker
build, mirroring the existing SENTRY_AUTH_TOKEN plumbing exactly:
- `deploy-generic-v2.yml`: declare FARO_API_KEY as an optional secret
input and forward it to the build component.
- `component-build.yml`: declare FARO_API_KEY as an optional secret
input and inject it into the `docker/build-push-action` secrets list
so the Dockerfile can mount it as a BuildKit secret.
Each downstream Dockerfile decides whether to consume it via
`--mount=type=secret,id=FARO_API_KEY,required=false` — repos that
haven't onboarded Faro see no behavior change because the secret is
optional and the Docker mount is `required=false`.
Caller-side usage in service repos:
```yaml
secrets:
# ... existing entries ...
FARO_API_KEY: ${{ secrets.FARO_API_KEY }}
```
First consumer is `monorepo-typescript`'s frontend-hub deploy, which
uses `@grafana/faro-rollup-plugin` in its Vite build.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
maoanran
approved these changes
May 15, 2026
Summary
Wires a new optional `FARO_API_KEY` through the reusable workflow chain so service repos can upload Grafana Faro source maps during their Docker build. Mirrors the existing `SENTRY_AUTH_TOKEN` plumbing exactly — no behavior change for callers that don't pass the new secret.
- `deploy-generic-v2.yml` — declare `FARO_API_KEY` as an optional secret input and forward it to the build component (4 lines).
- `component-build.yml` — declare `FARO_API_KEY` as an optional secret input and inject it into the `docker/build-push-action` secrets list (4 lines).
Each downstream Dockerfile decides whether to consume it via `--mount=type=secret,id=FARO_API_KEY,required=false`. Repos that haven't onboarded Faro see no change — the secret is optional and the Docker mount is `required=false`.
Caller-side usage
In a service repo's deploy workflow:
First consumer is `monorepo-typescript`'s `frontend-hub` deploy, which uses `@grafana/faro-rollup-plugin` in its Vite build to upload source maps so Faro errors symbolicate to readable source lines in Grafana Cloud Frontend Observability.
Test plan
- `monorepo-typescript` (e.g. `deploy-hub-staging.yml`) without setting `FARO_API_KEY` → build passes, no behavior change (confirms optional path)
- `FARO_API_KEY` set → Faro source maps appear in Grafana Cloud's Frontend Observability app for the `Hub` app, errors symbolicate to real source lines
🤖 Generated with Claude Code
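One way a downstream build step can consume the optional secret described above, as an added example that is not part of this PR or of any service repo. It assumes the script is called from a `RUN --mount=type=secret,id=FARO_API_KEY,required=false` step, reads the key from BuildKit's default mount path, and treats a missing or empty file as the non-onboarded path; the script name, function names, build command, and the build tool reading `FARO_API_KEY` from its environment are all assumptions.

```shell
#!/bin/sh
# Added example, not code from this PR. Assumed Dockerfile step that calls it:
#   RUN --mount=type=secret,id=FARO_API_KEY,required=false \
#       sh build-with-faro.sh npm run build
# build-with-faro.sh and "npm run build" are hypothetical names.

# BuildKit's default mount path for a secret with id=FARO_API_KEY.
# Overridable so the logic can be exercised outside a Docker build.
SECRET_FILE="${SECRET_FILE:-/run/secrets/FARO_API_KEY}"

# faro_key_state PATH
# Prints "present" if the file exists and is non-empty, otherwise "absent".
# With required=false the mount may be missing entirely, so both cases count
# as "this repo has not onboarded Faro".
faro_key_state() {
    if [ -s "$1" ]; then echo present; else echo absent; fi
}

# run_build PATH CMD...
# Runs CMD with FARO_API_KEY set only in that child's environment. The key is
# never passed on the command line, exported into later build steps, or
# written to ARG/ENV, so it does not end up in image layers or build history.
run_build() {
    faro_secret_file=$1
    shift
    if [ "$(faro_key_state "$faro_secret_file")" = present ]; then
        FARO_API_KEY="$(cat "$faro_secret_file")" "$@"
    else
        echo "FARO_API_KEY not mounted; building without source-map upload" >&2
        # Drop any inherited value so the optional path is truly key-free.
        ( unset FARO_API_KEY; "$@" )
    fi
}

# Entry point: only acts when a build command is given as arguments.
if [ "$#" -gt 0 ]; then
    run_build "$SECRET_FILE" "$@"
fi
```
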