chore(docker): migrate trustlab to bake and make app images env-neutral

.github/workflows/bake-and-push.yml

@@ -8,8 +8,11 @@ permissions:
 # Replaces build-docker-image.yml for apps migrated to docker-bake.hcl.
 #
 # Callers pass app-specific build args via the `set` input using GitHub Variables
-# (vars.*) for NEXT_PUBLIC_* values — these are public by design and belong in
-# vars, not secrets. Sentry secrets are declared explicitly below.
+# i.e. public config that is safe to expose in workflow logs. Secrets that
+# are genuinely needed at build time (e.g. Sentry source map upload credentials,
+# DB access if the framework initialises at build) are declared explicitly below.
+# Everything else (APP_URL, SMTP_PASS, PAYLOAD_CORS, etc.) belongs in runtime
+# config (e.g. Dokku config:set) and should never be passed here.
 
 on:
   workflow_call:
@@ -44,17 +47,19 @@ on:
         description: >
           Extra bake --set overrides (newline-separated target.field=value pairs).
           Use this to inject app-specific build args, e.g.:
-            techlabblog.args.NEXT_PUBLIC_APP_URL=${{ vars.TECHLABBLOG_APP_URL }}
-          Note: GitHub Variables (vars.*) are available here; secrets are not —
-          pass truly secret build args via the declared secrets inputs below.
+            techlabblog.args.SENTRY_DSN=${{ vars.TECHLABBLOG_SENTRY_DSN }}
+          Note: GitHub Variables are available here; secrets are not. Pass
+                truly secret build args via the declared secrets inputs below.
+    # Mark required: false so apps without optional secrets can use this workflow.
     secrets:
+      DATABASE_URL:
+        required: false
       DOCKER_HUB_USERNAME:
         required: true
       DOCKER_HUB_ACCESS_TOKEN:
         required: true
-      # Sentry secrets: sourced from env by BuildKit secret mounts in Dockerfiles
-      # (--mount=type=secret,id=sentry_auth_token,env=SENTRY_AUTH_TOKEN).
-      # Mark required: false so apps without Sentry can use this workflow too.
+      PAYLOAD_SECRET:
+        required: false
       SENTRY_AUTH_TOKEN:
         required: false
       SENTRY_ORG:
@@ -93,9 +98,8 @@ jobs:
           BASE_TAG: ${{ inputs.base_tag }}
           GIT_REVISION: ${{ github.sha }}
           BUILD_DATE: ${{ steps.meta.outputs.date }}
-          # Sentry secrets: exposed to BuildKit as secret mounts (not build args).
-          # See --mount=type=secret,id=sentry_auth_token,env=SENTRY_AUTH_TOKEN
-          # in app Dockerfiles.
+          DATABASE_URL: ${{ secrets.DATABASE_URL }}
+          PAYLOAD_SECRET: ${{ secrets.PAYLOAD_SECRET }}
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
           SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
           SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}

.github/workflows/build-docker-image.yml

@@ -21,7 +21,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        node-version: [20.16]
+        node-version: [24]
         os: [ubuntu-latest]
 
     steps:

.github/workflows/charterafrica-deploy-dev.yml

@@ -25,7 +25,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        node-version: [20.16]
+        node-version: [24]
         os: [ubuntu-latest]
     steps:
       - name: Checkout

.github/workflows/charterafrica-deploy-prod.yml

@@ -23,7 +23,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        node-version: [20.16]
+        node-version: [24]
         os: [ubuntu-latest]
     steps:
       - name: Checkout

.github/workflows/ci.yml

@@ -24,7 +24,7 @@ jobs:
       TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
     strategy:
       matrix:
-        node-version: [20.16]
+        node-version: [24]
         os: [ubuntu-latest]
     steps:
       - name: Checkout

.github/workflows/civicsignalblog-deploy-prod.yml

@@ -24,7 +24,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        node-version: [20.16]
+        node-version: [24]
         os: [ubuntu-latest]
     steps:
       - name: Checkout

.github/workflows/climatemappedafrica-deploy-dev.yml

@@ -26,7 +26,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        node-version: [20.16]
+        node-version: [24]
         os: [ubuntu-latest]
     steps:
       - name: Cloning repo

.github/workflows/codeforafrica-deploy-dev.yml

@@ -27,7 +27,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        node-version: [20.16]
+        node-version: [24]
         os: [ubuntu-latest]
     steps:
       - name: Cloning repo

.github/workflows/codeforafrica-deploy-prod.yml

@@ -25,7 +25,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        node-version: [20.16]
+        node-version: [24]
         os: [ubuntu-latest]
     steps:
       - name: Checkout

.github/workflows/codeforafrica-deploy-review-app.yml

@@ -29,7 +29,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        node-version: [20.16]
+        node-version: [24]
         os: [ubuntu-latest]
 
     # Temporarily disable the deployment of review apps until we've reviewed all apps

.github/workflows/dependabot_lint_format.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        node-version: [20.16]
+        node-version: [24]
         os: [ubuntu-latest]
     if: ${{ github.actor == 'dependabot[bot]' }}
     steps:

.github/workflows/pesayetu-deploy-prod.yml

@@ -27,7 +27,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        node-version: [20.16]
+        node-version: [24]
         os: [ubuntu-latest]
     steps:
       - name: Cloning repo

.github/workflows/push-to-dokku.yml

@@ -11,10 +11,14 @@ on:
         required: true
         type: string
         description: "The name of the image to push"
+    secrets:
+      SSH_PRIVATE_KEY:
+        required: true
 
 jobs:
   push:
     runs-on: ubuntu-latest
+    permissions: {}
 
     steps:
       - name: Push

.github/workflows/release-prod.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        node-version: [20.16]
+        node-version: [24]
         os: [ubuntu-latest]
     steps:
       - name: Checkout

.github/workflows/roboshield-deploy-dev.yml

@@ -28,7 +28,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        node-version: [20.16]
+        node-version: [24]
         os: [ubuntu-latest]
     steps:
       - name: Checkout

.github/workflows/roboshield-deploy-prod.yml

@@ -24,7 +24,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        node-version: [20.16]
+        node-version: [24]
         os: [ubuntu-latest]
     steps:
       - name: Checkout

.github/workflows/techlabblog-deploy-dev.yml

@@ -29,7 +29,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        node-version: [20.16]
+        node-version: [24]
         os: [ubuntu-latest]
     steps:
       - name: Checkout

.github/workflows/techlabblog.yml

@@ -6,7 +6,7 @@ on:
       - main
     paths:
       - "apps/techlabblog/**"
-      - "docker/apps/techlabblog.Dockerfile"
+      - "docker/apps/techlabblog/**"
       - "docker/base.Dockerfile"
       - "docker-bake.hcl"
       - ".github/workflows/techlabblog.yml"
@@ -26,7 +26,11 @@ jobs:
   # The prod deploy is gated on this: every push triggers a build, but only
   # a version bump triggers a prod deploy.
   version-check:
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        node-version: [24]
+        os: [ubuntu-latest]
     permissions:
       contents: read
     outputs:
@@ -41,7 +45,7 @@ jobs:
       # https://github.com/EndBug/version-check#github-workflow
       - uses: actions/setup-node@v4
         with:
-          node-version: lts/*
+          node-version: ${{ matrix.node-version }}
 
       - name: Check if version is bumped
         id: check
@@ -61,13 +65,8 @@ jobs:
   #   codeforafrica/techlabblog:<version>  — version bump only (immutable, for releases)
   #   codeforafrica/techlabblog:latest     — version bump only (mutable, for convenience)
   #
-  # NEXT_PUBLIC_* vars are baked into the JS bundle at build time and cannot
-  # be changed by restarting the container. Configure them as GitHub Variables
-  # (Settings > Variables > Actions) rather than secrets since they are public
-  # by definition (they ship to the browser).
-  #
   # Required GitHub Variables:
-  #   TECHLABBLOG_SENTRY_DSN    — public Sentry DSN (safe to use vars, not secrets)
+  #   TECHLABBLOG_SENTRY_DSN
   #
   # Required GitHub Secrets (for Sentry source map upload during build):
   #   SENTRY_AUTH_TOKEN, SENTRY_ORG, TECHLABBLOG_SENTRY_PROJECT
@@ -85,7 +84,8 @@ jobs:
       tag: ${{ github.sha }}
       # base_tag: v3
       set: |
-        techlabblog.args.NEXT_PUBLIC_SENTRY_DSN=${{ vars.TECHLABBLOG_SENTRY_DSN }}
+        techlabblog.args.SENTRY_DSN=${{ vars.TECHLABBLOG_SENTRY_DSN }}
+        techlabblog.args.SENTRY_ENVIRONMENT=production
         ${{ needs.version-check.outputs.changed == 'true' && format('techlabblog.tags[]=codeforafrica/techlabblog:{0}', needs.version-check.outputs.version) || '' }}
         ${{ needs.version-check.outputs.changed == 'true' && 'techlabblog.tags[]=codeforafrica/techlabblog:latest' || '' }}
     secrets:
@@ -106,7 +106,8 @@ jobs:
     with:
       git_remote_url: "ssh://azureuser@ui-1.dev.codeforafrica.org/techlabblog-ui"
       deploy_docker_image: "codeforafrica/techlabblog:${{ github.sha }}"
-    secrets: inherit
+    secrets:
+      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
 
   # Deploys to production when the package.json version is bumped.
   # Both version-check and build must pass before this job runs.
@@ -118,4 +119,5 @@ jobs:
     with:
       git_remote_url: "ssh://dokku@ui-2.prod.codeforafrica.org/techlabblog-ui"
       deploy_docker_image: "codeforafrica/techlabblog:${{ needs.version-check.outputs.version }}"
-    secrets: inherit
+    secrets:
+      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}

.github/workflows/trustlab-deploy-dev.yml

@@ -26,7 +26,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        node-version: [20.16]
+        node-version: [24]
         os: [ubuntu-latest]
     steps:
       - name: Checkout

.github/workflows/trustlab-deploy-prod.yml

@@ -26,7 +26,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        node-version: [24.11]
+        node-version: [24]
         os: [ubuntu-latest]
     steps:
       - name: Checkout

.github/workflows/trustlab.yml

@@ -0,0 +1,92 @@
+name: TrustLab
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "apps/trustlab/**"
+      - "docker/apps/trustlab/**"
+      - "docker/base.Dockerfile"
+      - "docker-bake.hcl"
+      - "scripts/revalidate.mjs"
+      - ".github/workflows/trustlab.yml"
+      - ".github/workflows/bake-and-push.yml"
+
+permissions:
+  contents: read
+
+concurrency:
+  group: "${{ github.workflow }} @ ${{ github.ref }}"
+  cancel-in-progress: true
+
+jobs:
+  version-check:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        node-version: [24]
+        os: [ubuntu-latest]
+    permissions:
+      contents: read
+    outputs:
+      changed: ${{ steps.check.outputs.changed }}
+      version: ${{ steps.check.outputs.version }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node-version }}
+
+      - name: Check if version is bumped
+        id: check
+        uses: EndBug/version-check@v2
+        with:
+          diff-search: true
+          file-name: apps/trustlab/package.json
+
+  # Build and push image on every push.
+  build:
+    needs: version-check
+    permissions:
+      contents: read
+    uses: ./.github/workflows/bake-and-push.yml
+    with:
+      target: trustlab
+      tag: ${{ github.sha }}
+      set: |
+        ${{ needs.version-check.outputs.changed == 'true' && format('trustlab.tags[]=codeforafrica/trustlab:{0}', needs.version-check.outputs.version) || '' }}
+        ${{ needs.version-check.outputs.changed == 'true' && 'trustlab.tags[]=codeforafrica/trustlab:latest' || '' }}
+    secrets:
+      DOCKER_HUB_USERNAME: ${{ secrets.DOCKER_HUB_USERNAME }}
+      DOCKER_HUB_ACCESS_TOKEN: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+      DATABASE_URL: ${{ secrets.TRUSTLAB_MONGO_URL }}
+      PAYLOAD_SECRET: ${{ secrets.TRUSTLAB_PAYLOAD_SECRET }}
+      # We need these sentry vars at build time to send source maps.
+      SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+      SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
+      SENTRY_PROJECT: ${{ secrets.TRUSTLAB_SENTRY_PROJECT }}
+
+  deploy-dev:
+    needs: build
+    permissions: {}
+    uses: ./.github/workflows/push-to-dokku.yml
+    with:
+      git_remote_url: "ssh://azureuser@ui-1.dev.codeforafrica.org/trustlab-ui"
+      deploy_docker_image: "codeforafrica/trustlab:${{ github.sha }}"
+    secrets:
+      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+
+  deploy-prod:
+    needs: [version-check, build]
+    if: needs.version-check.outputs.changed == 'true'
+    permissions: {}
+    uses: ./.github/workflows/push-to-dokku.yml
+    with:
+      git_remote_url: "ssh://dokku@ui-2.prod.codeforafrica.org/trustlab-ui"
+      deploy_docker_image: "codeforafrica/trustlab:${{ needs.version-check.outputs.version }}"
+    secrets:
+      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}

.github/workflows/twoopstracker-deploy-prod.yml

@@ -29,7 +29,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        node-version: [20.16]
+        node-version: [24]
         os: [ubuntu-latest]
 
     steps: