From 7cd3372c7ec184947d96a935d002f92470f5858c Mon Sep 17 00:00:00 2001
From: Julian Tabel <juliantabel.jt@gmail.com>
Date: Sat, 21 Mar 2026 12:07:53 +0100
Subject: [PATCH] feat: add Supabase auth config to production Docker setup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Pass SUPABASE_JWT_SECRET to backend in docker-compose.prod.yml
- Add build args (VITE_API_URL, VITE_SUPABASE_URL, VITE_SUPABASE_ANON_KEY)
  to Dockerfile.prod so Vite inlines them at build time
- Pass build args from secrets in deploy workflow
- Add build section to frontend service in docker-compose.prod.yml

No GoTrue container needed in prod — Supabase Cloud hosts the auth
service. The backend only needs the JWT secret to verify tokens.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .github/workflows/deploy.yml | 3 +++
 docker-compose.prod.yml      | 8 ++++++++
 frontend/Dockerfile.prod     | 5 +++++
 3 files changed, 16 insertions(+)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 8896cad..415d5f1 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -28,6 +28,9 @@ jobs:
       - name: Build and push frontend image
         run: |
           docker build --platform linux/amd64 \
+            --build-arg VITE_API_URL=${{ secrets.VITE_API_URL }} \
+            --build-arg VITE_SUPABASE_URL=${{ secrets.VITE_SUPABASE_URL }} \
+            --build-arg VITE_SUPABASE_ANON_KEY=${{ secrets.VITE_SUPABASE_ANON_KEY }} \
             -t gitea.nerdboden.de/thefurya/nuzlocke-tracker-frontend:latest \
             -f frontend/Dockerfile.prod ./frontend
           docker push gitea.nerdboden.de/thefurya/nuzlocke-tracker-frontend:latest
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 17cdbe2..87a51b7 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -6,6 +6,7 @@ services:
     environment:
       - DEBUG=false
       - DATABASE_URL=postgresql://postgres:${POSTGRES_PASSWORD}@db:5432/nuzlocke
+      - SUPABASE_JWT_SECRET=${SUPABASE_JWT_SECRET}
     depends_on:
       db:
         condition: service_healthy
@@ -13,6 +14,13 @@ services:
 
   frontend:
     image: gitea.nerdboden.de/thefurya/nuzlocke-tracker-frontend:latest
+    build:
+      context: ./frontend
+      dockerfile: Dockerfile.prod
+      args:
+        - VITE_API_URL=${VITE_API_URL}
+        - VITE_SUPABASE_URL=${VITE_SUPABASE_URL}
+        - VITE_SUPABASE_ANON_KEY=${VITE_SUPABASE_ANON_KEY}
     ports:
       - "9080:80"
     depends_on:
diff --git a/frontend/Dockerfile.prod b/frontend/Dockerfile.prod
index 20ac482..7b27c3d 100644
--- a/frontend/Dockerfile.prod
+++ b/frontend/Dockerfile.prod
@@ -8,6 +8,11 @@ COPY package*.json ./
 RUN npm ci
 
 COPY . .
+
+ARG VITE_API_URL
+ARG VITE_SUPABASE_URL
+ARG VITE_SUPABASE_ANON_KEY
+
 RUN npm run build
 
 # Stage 2: Serve