From 3c49b33dad06ddf4ebbf3d803db29973a521323f Mon Sep 17 00:00:00 2001
From: Dhruwang
Date: Thu, 7 May 2026 16:56:55 +0530
Subject: [PATCH] feat: make HUB_API_KEY required and add to Docker build secrets
Hub is mandatory in v5, so HUB_API_KEY should fail fast at startup if not configured.
Co-Authored-By: Claude Opus 4.6
---
 .github/actions/build-and-push-docker/action.yml | 2 ++
 .github/workflows/build-and-push-ecr.yml | 1 +
 .github/workflows/docker-build-validation.yml | 1 +
 .../workflows/release-docker-github-experimental.yml | 1 +
 .github/workflows/release-docker-github.yml | 1 +
 apps/web/Dockerfile | 1 +
 apps/web/lib/env.ts | 2 +-
 apps/web/scripts/docker/read-secrets.sh | 11 +++++++++++
 8 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/.github/actions/build-and-push-docker/action.yml b/.github/actions/build-and-push-docker/action.yml
index a21be706bc..3029221df5 100644
--- a/.github/actions/build-and-push-docker/action.yml
+++ b/.github/actions/build-and-push-docker/action.yml
@@ -285,6 +285,7 @@ runs:
 encryption_key=${{ env.DUMMY_ENCRYPTION_KEY }}
 redis_url=${{ env.DUMMY_REDIS_URL }}
 hub_api_url=${{ env.DUMMY_HUB_API_URL }}
+ hub_api_key=${{ env.DUMMY_HUB_API_KEY }}
 cubejs_api_url=${{ env.DUMMY_CUBEJS_API_URL }}
 cubejs_api_secret=${{ env.DUMMY_CUBEJS_API_SECRET }}
 sentry_auth_token=${{ env.SENTRY_AUTH_TOKEN }}
@@ -295,6 +296,7 @@ runs:
 DUMMY_ENCRYPTION_KEY: ${{ env.DUMMY_ENCRYPTION_KEY }}
 DUMMY_REDIS_URL: ${{ env.DUMMY_REDIS_URL }}
 DUMMY_HUB_API_URL: ${{ env.DUMMY_HUB_API_URL }}
+ DUMMY_HUB_API_KEY: ${{ env.DUMMY_HUB_API_KEY }}
 DUMMY_CUBEJS_API_URL: ${{ env.DUMMY_CUBEJS_API_URL }}
 DUMMY_CUBEJS_API_SECRET: ${{ env.DUMMY_CUBEJS_API_SECRET }}
 SENTRY_AUTH_TOKEN: ${{ env.SENTRY_AUTH_TOKEN }}
diff --git a/.github/workflows/build-and-push-ecr.yml b/.github/workflows/build-and-push-ecr.yml
index 50ebf054fb..492c9e105e 100644
--- a/.github/workflows/build-and-push-ecr.yml
+++ b/.github/workflows/build-and-push-ecr.yml
@@ -92,6 +92,7 @@ jobs:
 DUMMY_ENCRYPTION_KEY: ${{ secrets.DUMMY_ENCRYPTION_KEY }}
 DUMMY_REDIS_URL: ${{ secrets.DUMMY_REDIS_URL }}
 DUMMY_HUB_API_URL: ${{ secrets.DUMMY_HUB_API_URL }}
+ DUMMY_HUB_API_KEY: ${{ secrets.DUMMY_HUB_API_KEY }}
 DUMMY_CUBEJS_API_URL: ${{ secrets.DUMMY_CUBEJS_API_URL }}
 DUMMY_CUBEJS_API_SECRET: ${{ secrets.DUMMY_CUBEJS_API_SECRET }}
 SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
diff --git a/.github/workflows/docker-build-validation.yml b/.github/workflows/docker-build-validation.yml
index 025ca826fc..72a5c23748 100644
--- a/.github/workflows/docker-build-validation.yml
+++ b/.github/workflows/docker-build-validation.yml
@@ -74,6 +74,7 @@ jobs:
 encryption_key=${{ secrets.DUMMY_ENCRYPTION_KEY }}
 redis_url=redis://localhost:6379
 hub_api_url=http://localhost:4000
+ hub_api_key=build-time-placeholder
 cubejs_api_url=http://localhost:4000
 cubejs_api_secret=build-time-placeholder
diff --git a/.github/workflows/release-docker-github-experimental.yml b/.github/workflows/release-docker-github-experimental.yml
index 9166ee39af..3538b892d3 100644
--- a/.github/workflows/release-docker-github-experimental.yml
+++ b/.github/workflows/release-docker-github-experimental.yml
@@ -48,6 +48,7 @@ jobs:
 DUMMY_ENCRYPTION_KEY: ${{ secrets.DUMMY_ENCRYPTION_KEY }}
 DUMMY_REDIS_URL: ${{ secrets.DUMMY_REDIS_URL }}
 DUMMY_HUB_API_URL: ${{ secrets.DUMMY_HUB_API_URL }}
+ DUMMY_HUB_API_KEY: ${{ secrets.DUMMY_HUB_API_KEY }}
 DUMMY_CUBEJS_API_URL: ${{ secrets.DUMMY_CUBEJS_API_URL }}
 DUMMY_CUBEJS_API_SECRET: ${{ secrets.DUMMY_CUBEJS_API_SECRET }}
 SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
diff --git a/.github/workflows/release-docker-github.yml b/.github/workflows/release-docker-github.yml
index dec3007874..f14dec4317 100644
--- a/.github/workflows/release-docker-github.yml
+++ b/.github/workflows/release-docker-github.yml
@@ -106,6 +106,7 @@ jobs:
 DUMMY_ENCRYPTION_KEY: ${{ secrets.DUMMY_ENCRYPTION_KEY }}
 DUMMY_REDIS_URL: ${{ secrets.DUMMY_REDIS_URL }}
 DUMMY_HUB_API_URL: ${{ secrets.DUMMY_HUB_API_URL }}
+ DUMMY_HUB_API_KEY: ${{ secrets.DUMMY_HUB_API_KEY }}
 DUMMY_CUBEJS_API_URL: ${{ secrets.DUMMY_CUBEJS_API_URL }}
 DUMMY_CUBEJS_API_SECRET: ${{ secrets.DUMMY_CUBEJS_API_SECRET }}
 SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
diff --git a/apps/web/Dockerfile b/apps/web/Dockerfile
index bc0da17c74..7c92eecc6f 100644
--- a/apps/web/Dockerfile
+++ b/apps/web/Dockerfile
@@ -67,6 +67,7 @@ RUN --mount=type=secret,id=database_url \
 --mount=type=secret,id=encryption_key \
 --mount=type=secret,id=redis_url \
 --mount=type=secret,id=hub_api_url \
+ --mount=type=secret,id=hub_api_key \
 --mount=type=secret,id=cubejs_api_url \
 --mount=type=secret,id=cubejs_api_secret \
 --mount=type=secret,id=sentry_auth_token \
diff --git a/apps/web/lib/env.ts b/apps/web/lib/env.ts
index 28d337dbbd..739c77d8e8 100644
--- a/apps/web/lib/env.ts
+++ b/apps/web/lib/env.ts
@@ -197,7 +197,7 @@ const parsedEnv = createEnv({
 HTTP_PROXY: z.url().optional(),
 HTTPS_PROXY: z.url().optional(),
 HUB_API_URL: z.url(),
- HUB_API_KEY: z.string().optional(),
+ HUB_API_KEY: z.string().trim().min(1),
 IMPRINT_URL: z
 .url()
 .optional()
diff --git a/apps/web/scripts/docker/read-secrets.sh b/apps/web/scripts/docker/read-secrets.sh
index f16ca8f267..00919f9fc6 100644
--- a/apps/web/scripts/docker/read-secrets.sh
+++ b/apps/web/scripts/docker/read-secrets.sh
@@ -8,6 +8,7 @@ DEFAULT_DATABASE_URL="postgresql://test:test@localhost:5432/formbricks"
 DEFAULT_ENCRYPTION_KEY="0123456789abcdef0123456789abcdef"
 DEFAULT_REDIS_URL="redis://localhost:6379"
 DEFAULT_HUB_API_URL="http://localhost:4000"
+DEFAULT_HUB_API_KEY="build-time-placeholder"
 DEFAULT_CUBEJS_API_URL="http://localhost:4000"
 DEFAULT_CUBEJS_API_SECRET="build-time-placeholder"
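Review bot: In the apps/web/lib/env.ts hunk, `HUB_API_KEY: z.string().trim().min(1)` rejects only a missing or blank key, so the literal `build-time-placeholder` that this commit adds as `DEFAULT_HUB_API_KEY` in read-secrets.sh (and in docker-build-validation.yml) satisfies it. Whether that value can still be present when the container starts is not visible in this diff; if it can, startup succeeds with a publicly known, non-working key instead of failing fast as the commit message intends. A runtime-only check such as `.refine((v) => v !== "build-time-placeholder", "HUB_API_KEY is still the build placeholder")`, skipped during the image build, would close that gap. The `createEnv({ ... })` call begins and ends outside the hunk.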
@@ -47,6 +48,15 @@ if [ -z "${HUB_API_URL:-}" ]; then
 fi
 export HUB_API_URL
+if [ -f "/run/secrets/hub_api_key" ]; then
+ IFS= read -r HUB_API_KEY < /run/secrets/hub_api_key || true
+fi
+if [ -z "${HUB_API_KEY:-}" ]; then
+ HUB_API_KEY="${DEFAULT_HUB_API_KEY}"
+ echo "⚠️ HUB_API_KEY secret not found or empty. Using build-time fallback value."
+fi
+export HUB_API_KEY
+
 if [ -f "/run/secrets/cubejs_api_url" ]; then
 IFS= read -r CUBEJS_API_URL < /run/secrets/cubejs_api_url || true
 fi
@@ -99,6 +109,7 @@ echo " DATABASE_URL: $([ -n "${DATABASE_URL:-}" ] && printf '[SET]' || printf '
 echo " ENCRYPTION_KEY: $([ -n "${ENCRYPTION_KEY:-}" ] && printf '[SET]' || printf '[NOT SET]')"
 echo " REDIS_URL: $([ -n "${REDIS_URL:-}" ] && printf '[SET]' || printf '[NOT SET]')"
 echo " HUB_API_URL: $([ -n "${HUB_API_URL:-}" ] && printf '[SET]' || printf '[NOT SET]')"
+echo " HUB_API_KEY: $([ -n "${HUB_API_KEY:-}" ] && printf '[SET]' || printf '[NOT SET]')"
 echo " CUBEJS_API_URL: $([ -n "${CUBEJS_API_URL:-}" ] && printf '[SET]' || printf '[NOT SET]')"
 echo " CUBEJS_API_SECRET: $([ -n "${CUBEJS_API_SECRET:-}" ] && printf '[SET]' || printf '[NOT SET]')"
 echo " SENTRY_AUTH_TOKEN: $([ -n "${SENTRY_AUTH_TOKEN:-}" ] && printf '[SET]' || printf '[NOT SET]')"
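Review bot: The summary line added in the `@@ -99,6 +109,7 @@` hunk can never print `[NOT SET]` for HUB_API_KEY, because the block added in the `@@ -47,6 +48,15 @@` hunk has already assigned `DEFAULT_HUB_API_KEY` whenever /run/secrets/hub_api_key is missing or empty. The build log therefore reports `[SET]` for a placeholder credential, and the only trace of the fallback is the earlier warning line. Recording where the value came from keeps the summary accurate: set a flag such as `HUB_API_KEY_SOURCE=default` inside the fallback branch and print `[DEFAULT]` in the summary when it is set. The neighbouring variables appear to follow the same read-then-fallback pattern, so the same change would apply to them.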