will-zzz · will-zzz · Apr 10, 2026 · Apr 10, 2026
diff --git a/.env.production.example b/.env.production.example
@@ -20,3 +20,8 @@ SQS_QUEUE_URL=https://sqs.us-east-1.amazonaws.com/123456789012/cardboardforge-pr
 JWT_SECRET=use-a-long-random-string-matching-prod-if-needed
 
 PORT=3001
+
+# Not read by ECS at runtime. Use when building the API image locally so the SPA includes Google sign-in:
+#   docker build -f api/Dockerfile --build-arg VITE_GOOGLE_CLIENT_ID=your-id.apps.googleusercontent.com .
+# CI uses the repository secret `VITE_GOOGLE_CLIENT_ID` for deploy builds (see infra/DEPLOY_CI.md).
+# VITE_GOOGLE_CLIENT_ID=
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -156,7 +156,8 @@ jobs:
           ECR_API: ${{ secrets.ECR_API_REPOSITORY_URL }}
         run: |
           IMG="${ECR_API}:${{ github.sha }}"
-          docker build -f api/Dockerfile -t "$IMG" -t "$ECR_API:latest" .
+          docker build -f api/Dockerfile -t "$IMG" -t "$ECR_API:latest" \
+            --build-arg "VITE_GOOGLE_CLIENT_ID=${{ secrets.VITE_GOOGLE_CLIENT_ID }}" .
           docker run --rm -w /app/api "$IMG" \
             node --input-type=module -e "await import('cors'); console.log('cors ok');"
           docker push "$IMG"

diff --git a/api/Dockerfile b/api/Dockerfile
@@ -14,6 +14,9 @@ WORKDIR /app/api
 ENV DATABASE_URL="postgresql://placeholder:placeholder@localhost:5432/placeholder"
 RUN pnpm exec prisma generate && pnpm run build
 WORKDIR /app
+# Baked into the SPA at build time (OAuth 2.0 Web client ID from Google Cloud Console).
+ARG VITE_GOOGLE_CLIENT_ID=
+ENV VITE_GOOGLE_CLIENT_ID=$VITE_GOOGLE_CLIENT_ID
 RUN pnpm --filter frontend build
 
 FROM node:20-alpine AS production

diff --git a/infra/DEPLOY_CI.md b/infra/DEPLOY_CI.md
@@ -32,6 +32,7 @@ Create these in **Settings → Secrets and variables → Actions** (repository s
 | `ECS_CLUSTER_NAME` | `terraform output -raw ecs_cluster_name` |
 | `ECS_API_SERVICE_NAME` | `terraform output -raw ecs_api_service_name` |
 | `ECS_WORKER_SERVICE_NAME` | `terraform output -raw ecs_worker_service_name` |
+| `VITE_GOOGLE_CLIENT_ID` | OAuth 2.0 **Web** client ID from [Google Cloud Console](https://console.cloud.google.com/apis/credentials) (same value as local `frontend/.env.local`). Baked into the SPA when the API image is built. Add your production site URL under **Authorized JavaScript origins**. |
 
 Use a dedicated IAM user with least privilege: ECR push to both repos, `ecs:UpdateService` / `DescribeServices` on the cluster services.