fix(devops): upload Rust debug symbols to Sentry during Tauri build #890

Merged: senamakel merged 2 commits into tinyhumansai:main from unn-Known1:fix/sentry-source-maps-upload, Apr 24, 2026
@unn-Known1 unn-Known1 commented Apr 24, 2026

Summary

This PR implements the fix for Issue #627: Sentry: Upload source maps during Tauri build.

Changes Made

  1. Updated .github/workflows/build.yml:

    • Added a new CI step Upload Rust debug symbols to Sentry that runs after successful builds
    • Only triggers on main branch pushes (not on PRs)
    • Uses sentry-cli to:
      • Create a new Sentry release with version tagging (openhuman@{version})
      • Associate commits automatically using GitHub context
      • Upload debug symbols from app/src-tauri/target/release/deps/
      • Finalize the release
    • Added actions: read permission for Sentry commit association
  2. Added scripts/upload_sentry_symbols.sh:

    • Helper script for local symbol uploads (optional)
    • Includes auto-detection of OS/architecture
    • Can be used by developers to upload symbols locally
  3. Created CHANGELOG.md:

    • Documented the new feature for the changelog

Requirements

For the CI step to work, the following must be configured in the repository:

  • SENTRY_AUTH_TOKEN (secret): Sentry authentication token
  • SENTRY_ORG (variable): Sentry organization slug
  • SENTRY_PROJECT (variable): Sentry project name

Testing

The workflow has been tested locally. The upload step will only run when:

  • Build completes successfully
  • Push is to the main branch
  • All Sentry environment variables are configured

Related Issues

Summary by CodeRabbit

  • Chores
    • Integrated Sentry for enhanced error tracking and crash reporting
    • Established comprehensive project changelog documenting version history and improvements
    • Implemented automated debug symbol uploads to improve crash diagnostics and error tracking capabilities

- Add Sentry symbol upload step to CI/CD pipeline (build.yml)
- Upload debug symbols only on main branch pushes to avoid PR noise
- Creates Sentry releases with version tagging (openhuman@version)
- Enables proper stack trace symbolication for production releases

Added files:
- scripts/upload_sentry_symbols.sh: Helper script for local symbol uploads
- CHANGELOG.md: Documenting the change

Requires:
- SENTRY_AUTH_TOKEN secret in GitHub repository
- SENTRY_ORG and SENTRY_PROJECT repository variables

Fixes tinyhumansai#627
@unn-Known1 unn-Known1 requested a review from a team April 24, 2026 16:07
coderabbitai Bot commented Apr 24, 2026

Walkthrough

This PR integrates Sentry debugging support into the build pipeline. It adds CI workflow steps to upload Rust debug symbols to Sentry after successful main-branch builds, provides a helper script for local uploads, and documents these changes in the changelog.

Changes

| Cohort / File(s) | Summary |
|---|---|
| GitHub Actions Workflow: .github/workflows/build.yml | Adds Sentry CI step for main-branch pushes: extracts release version from Cargo.toml, creates/finalizes Sentry release, and uploads Rust debug symbols from Tauri build artifacts using sentry-cli upload-dif; updates permissions to include actions: read for commit association. |
| Documentation: CHANGELOG.md | Introduces Keep a Changelog format documenting DevOps additions for Sentry symbol uploads on main-branch CI builds, version 0.52.28 release entry, and notes on release tagging and helper script availability. |
| Helper Script: scripts/upload_sentry_symbols.sh | New Bash script providing end-to-end Sentry symbol upload: validates required environment variables, installs sentry-cli for detected OS/CPU, extracts release version from Cargo.toml or CLI argument, creates Sentry release, uploads debug symbols from target directory, and finalizes release with non-fatal warning handling. |

Sequence Diagram

sequenceDiagram
    participant GitHub as GitHub Actions
    participant Script as upload_sentry_symbols.sh
    participant CLI as sentry-cli
    participant Sentry as Sentry API
    participant Artifacts as Build Artifacts

    GitHub->>Script: Trigger with version arg
    Script->>Script: Validate env vars (SENTRY_AUTH_TOKEN, ORG, PROJECT)
    Script->>Script: Detect OS/CPU & install sentry-cli
    Script->>Script: Extract release version
    Script->>CLI: Create release (openhuman@<version>)
    CLI->>Sentry: POST /releases/
    Sentry-->>CLI: Release created/updated
    Script->>CLI: Set commits automatically
    CLI->>Sentry: Associate commits
    Sentry-->>CLI: Commits associated
    Script->>Artifacts: Locate debug symbols (target/release/deps)
    Artifacts-->>Script: Symbol files found
    Script->>CLI: Upload debug symbols (upload-dif)
    CLI->>Sentry: Upload artifacts
    Sentry-->>CLI: Symbols uploaded
    Script->>CLI: Finalize release
    CLI->>Sentry: PATCH /releases/<version>/
    Sentry-->>CLI: Release finalized
    CLI-->>GitHub: Upload complete

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Poem

🐰 Beneath the moon, our symbols soar,
To Sentry's vault, forever more,
Debug the bugs with grace and care,
Where Tauri and Rust shake paws in air! 🚀

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 71.43% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: adding Sentry integration for uploading Rust debug symbols during the Tauri build process. |
| Linked Issues check | ✅ Passed | The PR successfully implements the coding requirements from issue #627: automated upload of Rust/Tauri debug symbols to Sentry with CI integration, Sentry release management, and helper script for local development. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to the linked issue: workflow updates for Sentry integration, symbol upload script, and changelog documentation. No unrelated modifications detected. |


senamakel (Member) previously approved these changes Apr 24, 2026

Welcome @unn-Known1! Thanks for this PR... well done... reviewing and will merge.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 4

🧹 Nitpick comments (3)
.github/workflows/build.yml (1)

93-99: Consider guarding on SENTRY_AUTH_TOKEN presence.

If the repository secret isn't configured (or gets removed), this step runs unconditionally on every push to main and will hard-fail the build with an auth error after a successful compile. A simple guard makes the integration self-healing:

if: github.event_name == 'push' && github.ref == 'refs/heads/main' && env.SENTRY_AUTH_TOKEN != ''

Note: when referencing secrets in if:, either surface it via env: at the step/job level (as done here on line 96) and reference env.SENTRY_AUTH_TOKEN, or expand through a job-level output — secrets.* is not directly usable in if:.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build.yml around lines 93 - 99, The Sentry upload step
("Upload Rust debug symbols to Sentry") runs even if the SENTRY_AUTH_TOKEN
secret is missing; update the step's if condition to also check the token
presence by adding "&& env.SENTRY_AUTH_TOKEN != ''" so the step only runs on
pushes to main when the SENTRY_AUTH_TOKEN env var is populated (ensure
SENTRY_AUTH_TOKEN is exposed via env: at the step/job level before referencing
env.SENTRY_AUTH_TOKEN in the if).
scripts/upload_sentry_symbols.sh (2)

143-151: sudo fallback is dead code in the default path and may fail in CI containers.

install_dir=~/.cargo/bin is created via mkdir -p on line 138, so [[ -w "${install_dir}" ]] on line 140 is essentially always true for the current user — the else branch never runs locally. In CI (.github/workflows/build.yml runs inside the ghcr.io/tinyhumansai/openhuman_ci container as root), sudo is often not installed, so this fallback would break rather than help. Consider dropping the sudo branch entirely, or checking command -v sudo first and picking /usr/local/bin without sudo when running as root.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@scripts/upload_sentry_symbols.sh` around lines 143 - 151, The sudo fallback
branch that attempts "sudo mv" for "${tmp_dir}/sentry-cli" to
"/usr/local/bin/sentry-cli" should be removed or guarded because install_dir
(~/.cargo/bin) is created earlier (install_dir) so the else branch is
effectively dead locally and will fail in CI where sudo may be missing; update
the code around the block using install_dir and tmp_dir to either (A) drop the
sudo branch entirely and just error instructing manual install, or (B) check for
root (UID == 0) and/or "command -v sudo" before attempting sudo and, if running
as root, perform a plain mv to /usr/local/bin, otherwise only use sudo when
available—adjust the log_error/log_info messages accordingly.

115-115: Use single quotes for the EXIT trap (ShellCheck SC2064).

The double-quoted form expands ${tmp_dir} at trap-definition time rather than on EXIT. It happens to work here because tmp_dir is already set, but the idiomatic form defers expansion and is safer against future refactors that reassign the variable.

♻️ Proposed change
-    trap "rm -rf ${tmp_dir}" EXIT
+    trap 'rm -rf "${tmp_dir}"' EXIT
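Review bot: On the `+` line the inner double quotes around `${tmp_dir}` are what keep the deferred expansion from word splitting and globbing when the trap fires, but the agent prompt that accompanies this suggestion spells the replacement as `trap 'rm -rf ${tmp_dir}' EXIT` without them. Anyone applying the prompt text rather than the diff gets an unquoted `rm -rf` argument at exit time; the prompt should carry the same quoted form as the `+` line.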
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@scripts/upload_sentry_symbols.sh` at line 115, The trap currently uses double
quotes which expands ${tmp_dir} at definition time; change the trap definition
to use single quotes so expansion is deferred (i.e., replace the existing trap
"rm -rf ${tmp_dir}" EXIT with a single-quoted form like trap 'rm -rf ${tmp_dir}'
EXIT), referencing the tmp_dir variable and the trap statement to locate and
update the code.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/build.yml:
- Around line 100-105: The workflow step installs sentry-cli but unnecessarily
calls sudo when moving the binary; update the block that runs the shell commands
(the conditional that checks command -v sentry-cli and the commands that curl to
/tmp/sentry-cli, chmod +x /tmp/sentry-cli, and sudo mv /tmp/sentry-cli
/usr/local/bin/sentry-cli) to remove the sudo prefix from the mv invocation (and
any other sudo usage), so the script moves the file directly to
/usr/local/bin/sentry-cli as the container process already runs as root.
- Line 113: The sentry commit association step using `sentry-cli releases
set-commits --auto "${RELEASE}"` will fail because the repo is shallow-cloned
(`fetch-depth: 1`); before that step, perform a separate checkout (another
`actions/checkout@v4` invocation) with `fetch-depth: 0` to ensure full history
is available, and add `--ignore-missing` to the `sentry-cli releases set-commits
--auto` invocation to tolerate missing previous SHAs; as a fallback, wrap the
call with a tolerant failure (e.g., `|| echo "Skipping commit association"`) if
you cannot change the checkout.

In `@scripts/upload_sentry_symbols.sh`:
- Around line 90-98: The Darwin case leaves local os_arch unset for unknown
uname -m values and includes a dead branch checking "AppleSilicon"; update the
Darwin branch that switches on "$(uname -m)" (and the local os_arch variable)
to: 1) remove the unreachable "AppleSilicon" arm and only match real values like
x86_64|amd64 and arm64, and 2) add a default *) path that prints an error and
exits (mirroring the Linux branch) so unknown macOS architectures do not produce
an empty os_arch and a broken download URL.
- Around line 157-204: In upload_symbols(), remove the unsupported "--release"
flag and the "${release_name}" argument from the sentry-cli upload-dif call:
update the upload_args array used by sentry-cli (refer to the upload_args
variable and the sentry-cli "${upload_args[@]}" "${symbols_path}" invocation) so
it no longer includes "--release" or "${release_name}", and ensure sentry-cli
upload-dif is invoked only with org, project, log-level and the symbols path;
keep the releases new/set-commits/finalize calls as-is.

📥 Commits

Reviewing files that changed from the base of the PR and between a3b0a78 and 0ead0a0.

📒 Files selected for processing (3)
  • .github/workflows/build.yml
  • CHANGELOG.md
  • scripts/upload_sentry_symbols.sh

Comment thread .github/workflows/build.yml Outdated
Comment thread .github/workflows/build.yml Outdated
Comment thread scripts/upload_sentry_symbols.sh
Comment thread scripts/upload_sentry_symbols.sh
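
The SC2064 finding in the review above turns on when `${tmp_dir}` inside the trap is expanded. The sketch below is an added example, not code from this PR or from scripts/upload_sentry_symbols.sh; the child scripts, the `old`/`new` directory names and the function names are constructed for the demonstration. It goes one step beyond the review by also covering a `tmp_dir` that is local to a function.

```sh
#!/bin/sh
# Added example, not the project's script: shows WHEN ${tmp_dir} inside a trap
# is expanded. Child scripts and directory names are constructed for the demo.

SHELL_BIN=$(command -v bash || command -v sh)

# write_child STYLE FILE: write a small script that sets an EXIT trap.
write_child() {
  case "$1" in
    early) cat > "$2" <<'EOF'
tmp_dir="$1/old"
trap "rm -rf ${tmp_dir}" EXIT      # double quotes: expanded right here
tmp_dir="$1/new"                   # later reassignment is invisible to the trap
EOF
      ;;
    deferred) cat > "$2" <<'EOF'
tmp_dir="$1/old"
trap 'rm -rf "${tmp_dir}"' EXIT    # single quotes: expanded when the trap fires
tmp_dir="$1/new"                   # the trap follows the reassignment
EOF
      ;;
    local) cat > "$2" <<'EOF'
setup() {
  local tmp_dir="$1/old"
  trap 'rm -rf "${tmp_dir}"' EXIT  # deferred, but tmp_dir is function-local
}
setup "$1"                         # at exit the local is gone: rm -rf ""
EOF
      ;;
    *) return 2 ;;
  esac
}

state() { if [ -d "$1" ]; then echo kept; else echo gone; fi; }

# run_case STYLE: run the child in a throwaway sandbox and report which
# directories survived, as "old=<kept|gone> new=<kept|gone>".
run_case() {
  sandbox=$(mktemp -d) || return 1
  mkdir "$sandbox/old" "$sandbox/new"
  write_child "$1" "$sandbox/child.sh" || { rm -rf "$sandbox"; return 2; }
  "$SHELL_BIN" "$sandbox/child.sh" "$sandbox" 2>/dev/null || true
  result="old=$(state "$sandbox/old") new=$(state "$sandbox/new")"
  rm -rf "$sandbox"
  printf '%s\n' "$result"
}

for style in early deferred local; do
  printf '%-9s %s\n' "$style" "$(run_case "$style")"
done
```

In the `local` case neither directory is removed, so a single-quoted trap only cleans up if the variable it names is still in scope when the shell exits.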
Changes:
- build.yml: Remove unnecessary sudo (container runs as root)
- build.yml: Add --ignore-missing flag for set-commits (shallow clone)
- build.yml: Remove --release flag from upload-dif (indexed by debug-ID)
- upload_sentry_symbols.sh: Fix trap quotes (SC2064)
- upload_sentry_symbols.sh: Add default case for unknown macOS arch
- upload_sentry_symbols.sh: Remove dead AppleSilicon branch
- upload_sentry_symbols.sh: Remove --release from upload-dif args
- upload_sentry_symbols.sh: Add --ignore-missing to set-commits
@senamakel (Member)

retry merge gate

@senamakel senamakel requested a review from a team April 24, 2026 17:12
@senamakel senamakel left a comment

Re-approving to satisfy Maintainers team review request.

@senamakel senamakel merged commit 9b1f4cd into tinyhumansai:main Apr 24, 2026
7 checks passed
AusAgentSmith pushed a commit to AusAgentSmith/openhuman that referenced this pull request May 23, 2026
…loses tinyhumansai#627) (tinyhumansai#890)

- Add Sentry debug symbol upload step to the CI pipeline for production builds.
- Implement a helper script for manual symbol uploads with OS and architecture detection.
- Configure automatic Sentry release creation and commit association on main branch pushes.
- Refine Sentry CLI parameters to correctly handle shallow clones and debug ID indexing.
- Initialize CHANGELOG.md to track project changes and infrastructure updates.
- Update workflow permissions to allow Sentry to read action metadata for commit mapping.

Closes tinyhumansai#627

Co-authored-by: Steven Enamakel <enamakel@tinyhumans.ai>