fix: update Sentry configuration in Docker builds

Improves Sentry integration in Docker builds by:
- Moving Sentry environment variables to build args
- Adding .env to dockerignore for security
- Properly passing Sentry configuration during build process

This change ensures better security practices and more reliable Sentry configuration in containerized environments.

Author: ccbikai

.dockerignore

@@ -4,3 +4,4 @@ dist
 .git
 .gitignore
 *.md
+.env

.github/workflows/docker.yml

@@ -50,9 +50,10 @@ jobs:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-        env:
-          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
-          SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
+          build-args: |
+            SENTRY_DSN=${{ secrets.SENTRY_DSN }}
+            SENTRY_AUTH_TOKEN=${{ secrets.SENTRY_AUTH_TOKEN }}
+            SENTRY_PROJECT=${{ secrets.SENTRY_PROJECT }}
 
       # This step generates an artifact attestation for the image, which is an unforgeable statement about where and how it was built. It increases supply chain security for people who consume the image. For more information, see "[AUTOTITLE](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds)."
       - name: Generate artifact attestation

Dockerfile

@@ -15,6 +15,11 @@ RUN --mount=type=cache,id=pnpm,target=/pnpm/store pnpm install --frozen-lockfile
 
 FROM build-deps AS build
 COPY . .
+
+ARG SENTRY_DSN
+ARG SENTRY_AUTH_TOKEN
+ARG SENTRY_PROJECT
+
 RUN export $(cat .env.example) && \
     export DOCKER=true && \
     pnpm run build