chore(cli): limit CI env injection to NEXT_PUBLIC

brandonkachen · brandonkachen · commit 2d4372d3954b · 2025-10-17T10:56:08.000-07:00
diff --git a/.github/workflows/cli-release-build.yml b/.github/workflows/cli-release-build.yml
@@ -89,10 +89,14 @@ jobs:
           SECRETS_CONTEXT: ${{ toJSON(secrets) }}
         shell: bash
         run: |
-          VAR_NAMES=$(node scripts/generate-ci-env.js)
-          echo "$SECRETS_CONTEXT" | jq -r --argjson vars "$VAR_NAMES" '
-            to_entries | .[] | select(.key as $k | $vars | index($k)) | .key + "=" + .value
-          ' >> $GITHUB_ENV
+          VAR_NAMES=$(node scripts/generate-ci-env.js | jq '[.[] | select(startswith("NEXT_PUBLIC_"))]')
+          if [ "$VAR_NAMES" = "[]" ]; then
+            echo "No NEXT_PUBLIC_ variables detected from generate-ci-env.js"
+          else
+            echo "$SECRETS_CONTEXT" | jq -r --argjson vars "$VAR_NAMES" '
+              to_entries | .[] | select(.key as $k | $vars | index($k)) | .key + "=" + .value
+            ' >> $GITHUB_ENV
+          fi
           echo "CODEBUFF_GITHUB_ACTIONS=true" >> $GITHUB_ENV
           echo "CODEBUFF_GITHUB_TOKEN=${{ secrets.CODEBUFF_GITHUB_TOKEN }}" >> $GITHUB_ENV
 
