fix(sentry): include Rust source bundles, align release tag, add deploy markers

[CodeGhost21]

Summary

• sentry-cli upload-dif now runs with --include-sources, so Rust panics in Sentry render surrounding source lines instead of bare function names — the symptom flagged in [Observability] Configure Sentry release tracking and source maps #405's latest comment.
• Rust DIFs and the canonical release name now match the tag the frontend + core actually emit (openhuman@<version>+<sha>); previously they landed on openhuman@<version>, a different release no event ever referenced.
• release.yml now emits a sentry-cli releases deploys ... new marker per environment, satisfying [Observability] Configure Sentry release tracking and source maps #405's "release page links commits/deploys" criterion.
• scripts/ci-secrets.example.json and docs/sentry.md document the secret + vars the workflow already references and the new troubleshooting paths.

Problem

Issue #405 already had most of the Sentry release wiring in place (frontend Sentry.init with release/environment, @sentry/vite-plugin source-map upload, Rust sentry::init with matching release tag, CI secrets threaded through the Tauri build step). Three small but load-bearing gaps were left in scripts/upload_sentry_symbols.sh + release.yml:

1. Rust source context was missing. sentry-cli upload-dif was called without --include-sources. Sentry had the DIFs to symbolicate frame addresses but no .src.zip bundle to render surrounding code — exactly the "missing source code" symptom called out by @Al629176.
2. Release tag mismatch. The script hard-coded release_name=\"openhuman@\${version}\", but every event the frontend (SENTRY_RELEASE) and core (build_release_tag()) emit is openhuman@<version>+<sha>. DIFs were attaching to a different release than events.
3. No deploy markers. releases new + set-commits + finalize were called, but never releases deploys ... new, so the Sentry release page never showed env-tagged deploys.

Solution

scripts/upload_sentry_symbols.sh

• Honor SENTRY_RELEASE from env (falls back to openhuman@<version> for local invocations so the CLI still works without CI env).
• Add --include-sources to the upload-dif arg array. The CI runs from the workspace checkout, so the source paths embedded in DIFs resolve and .src.zip is bundled correctly.
• After releases finalize, if SENTRY_ENVIRONMENT is set, run sentry-cli releases deploys \"\$release_name\" new -e \"\$SENTRY_ENVIRONMENT\". Skipped silently when unset.

.github/workflows/release.yml (the symbols-upload step at L545–570)

• Pass SENTRY_RELEASE: openhuman@<version>+<sha> (matches the canonical tag the Vite step at L520–522 already uses).
• Pass SENTRY_ENVIRONMENT derived from inputs.build_target (staging / production) so deploy markers land on the right env.

scripts/ci-secrets.example.json — add the Sentry secret + vars the workflow references but the example didn't list (SENTRY_AUTH_TOKEN, SENTRY_ORG, SENTRY_PROJECT, SENTRY_PROJECT_FRONTEND, OPENHUMAN_CORE_SENTRY_DSN, OPENHUMAN_REACT_SENTRY_DSN).

docs/sentry.md — new "Rust debug symbols + source context" section documenting the upload-script lifecycle; refreshed CI configuration tables with the new env vars and SENTRY_PROJECT for Rust DIFs; added verification steps (Rust source context renders, deploy markers visible) and troubleshooting bullets for the failure modes above.

The script is idempotent on re-run: releases new uses || true, set-commits uses --ignore-missing, and releases deploys new deduplicates per (release, env). Re-running CI on the same SHA is safe.

Submission Checklist

• Unit tests — N/A: this PR only touches a bash deploy script, a YAML workflow, a JSON example, and a markdown doc. No application logic changed.
• E2E / integration — Verified locally with a sentry-cli stub that the script (a) resolves release_name from SENTRY_RELEASE when set and falls back to openhuman@<version> otherwise, (b) passes --include-sources to upload-dif, (c) emits the releases deploys ... new -e <env> call when SENTRY_ENVIRONMENT is set and skips it cleanly otherwise. Full end-to-end validation needs a staging release to confirm .src.zip artifacts attach to the canonical release in Sentry — see "Verification runbook" in docs/sentry.md.
• N/A — see above.
• Doc comments — Inline comments added in upload_sentry_symbols.sh for the three changes (release-name fallback, --include-sources, deploy marker), and in release.yml for the new env vars.
• Inline comments — As above; comments cover why, not what.

Impact

• CI: Each per-target Rust upload step now also bundles a .src.zip. Modest extra upload size (Rust source tree is small in practice) and one extra sentry-cli API call per matrix target for the deploy marker.
• Sentry: Going forward, Rust panic events on staging/production releases render full source context instead of function + 0xNNN. Frontend behavior unchanged. Release pages will show deploy markers per env.
• No runtime impact on the shipped app — these are CI-only changes plus a docs refresh.
• Backwards-compatible for local script invocations (SENTRY_RELEASE and SENTRY_ENVIRONMENT are optional).

Related

• Refs: [Observability] Configure Sentry release tracking and source maps #405
• Related: Pass Sentry environment variables into the release GitHub workflow #626 (env vars in release workflow), Sentry: Upload source maps during Tauri build #627 (source maps during Tauri build, already closed)

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Consistent Sentry release naming including a short commit identifier for clearer error grouping
  • Optional environment-aware deploy markers to surface staging/production status

• Documentation

  • Expanded Sentry setup and troubleshooting, including Rust symbol/source uploads and verification steps
  • Updated example CI secrets/vars to reflect Sentry configuration needs

• Chores

  • CI and upload tooling improved to include Rust sources with debug symbols for better symbolication

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d56625af-4dac-43d5-b54b-8e890c9190cc

📥 Commits

Reviewing files that changed from the base of the PR and between bfe7b22 and 141be82.

📒 Files selected for processing (1)

• .github/workflows/release.yml

---

📝 Walkthrough

Walkthrough

CI release workflow now computes a 12-char short_sha, uses it in canonical SENTRY_RELEASE strings for frontend and Rust symbol uploads, sets SENTRY_ENVIRONMENT for Rust uploads, updates the symbol-upload script to include sources and optionally create deploy markers, and documents required Sentry secrets/vars.

Changes

Cohort / File(s)	Summary
Workflow .github/workflows/release.yml	Add short_sha output; propagate needs.prepare-build.outputs.short_sha into SENTRY_RELEASE for Vite and Rust symbol steps; add SENTRY_ENVIRONMENT to Rust debug-symbol upload step.
Upload script scripts/upload_sentry_symbols.sh	Use provided SENTRY_RELEASE as canonical release name when present; add --include-sources to uploads; finalize release and conditionally create deploy marker when SENTRY_ENVIRONMENT is set; log deploy-marker failures as warnings.
Documentation docs/sentry.md	Document Rust debug-symbol and source uploads, sentry-cli workflow (create/set commits/upload DIFs with sources/finalize/deploy), required CI secrets/vars, verification and troubleshooting notes.
CI secrets example scripts/ci-secrets.example.json	Add example Sentry-related secrets/vars: SENTRY_AUTH_TOKEN, SENTRY_ORG, SENTRY_PROJECT, SENTRY_PROJECT_FRONTEND, OPENHUMAN_CORE_SENTRY_DSN, OPENHUMAN_REACT_SENTRY_DSN.

Sequence Diagram(s)

sequenceDiagram
    participant GH as GitHub Actions
    participant Script as upload_sentry_symbols.sh
    participant CLI as sentry-cli
    participant SentryAPI as Sentry API

    GH->>GH: prepare-build -> compute `short_sha`
    GH->>GH: set env `SENTRY_RELEASE = openhuman@<version>+<short_sha>`
    GH->>Script: invoke upload step (env: SENTRY_RELEASE, SENTRY_ENVIRONMENT?)
    Script->>CLI: sentry-cli releases new / set-commits (release = SENTRY_RELEASE)
    Script->>CLI: sentry-cli upload-dif --include-sources
    CLI->>SentryAPI: POST /releases, /releases/{rel}/commits, /projects/.../debug-files
    Script->>CLI: sentry-cli releases finalize
    alt SENTRY_ENVIRONMENT is set
        Script->>CLI: sentry-cli releases deploys new -e SENTRY_ENVIRONMENT
        CLI->>SentryAPI: POST /releases/{rel}/deploys
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• ci: parallelize rust tests, dedupe typecheck/clippy/sentry across workflows #895: Changes the Sentry Rust debug-symbol upload flow and introduced the symbol-upload step this PR augments.
• feat(observability): Sentry release tracking, source maps, and end-to-end DSN plumbing #734: Adjusts release workflow Sentry wiring and release naming; overlaps with short-sha and SENTRY_RELEASE propagation.
• fix(release): sign CEF inner dylibs so macOS notarization passes #951: Edits Sentry environment/release settings in the release workflow; touches the same CI variables.

Suggested reviewers

• senamakel

Poem

🐰
Hop, I compute the tiny SHA,
Packages, symbols find their way.
Sources bundled, deploys marked true,
Sentry sings when panics ensue.
Debugging hops along anew.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and specifically describes the three main changes: including Rust source bundles, aligning release tags, and adding deploy markers—all of which are accurately reflected in the changeset across CI workflows, scripts, and documentation.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release.yml:
- Around line 554-559: The SENTRY_RELEASE environment value currently uses the
full 40-char SHA (needs.prepare-build.outputs.sha) which mismatches truncated
12-char SHAs used elsewhere; update the SENTRY_RELEASE assignment so the SHA is
truncated to 12 characters (e.g., replace uses of
needs.prepare-build.outputs.sha with a 12-char slice/substring like
.substring(0,12) or .slice(0,12)) so SENTRY_RELEASE (the SENTRY_RELEASE
variable) matches the frontend and Rust truncation.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f7c7b872-ebeb-4d89-b384-8ed47d406a96

📥 Commits

Reviewing files that changed from the base of the PR and between 69495d4 and bfe7b22.

📒 Files selected for processing (4)

• .github/workflows/release.yml
• docs/sentry.md
• scripts/ci-secrets.example.json
• scripts/upload_sentry_symbols.sh

[graycyrus]

Three real gaps addressed cleanly — the --include-sources fix and the release-tag alignment are the load-bearing changes and both look correct. A few things worth fixing before merge.

The deploy marker fires once per invocation of upload_sentry_symbols.sh, but the loop in release.yml calls the script twice per matrix target (once for the core deps dir, once for the tauri deps dir). On a 3-platform matrix that's up to 6 deploy records for one release. The idempotency claim in the script comment and doc is also wrong: sentry-cli releases deploys new creates a new entry every call — it does not deduplicate by (release, env). Separately, ci-secrets.example.json now has both the old key (OPENHUMAN_SENTRY_DSN) and the new replacement (OPENHUMAN_CORE_SENTRY_DSN) without any annotation, which will confuse whoever provisions the secrets next.

[graycyrus]

[major] The comment says this is idempotent for the same (release, env) pair, but sentry-cli releases deploys new creates a new deploy record on every call — the Sentry API assigns a unique deploy ID each time and does not skip existing entries for the same env name. More importantly, the calling loop in release.yml runs this script twice per matrix target (once for target/${MATRIX_TARGET}/release/deps, once for app/src-tauri/target/${MATRIX_TARGET}/release/deps), so a 3-platform matrix produces up to 6 deploy entries for one release from a single CI run.

The deploy marker should fire exactly once per release, not once per deps directory. Simplest fix: remove the deploy block from upload_symbols() and move it into the workflow after the loop finishes:

# In the 'run' block of the upload step, after the for-loop:
if [[ -n "${SENTRY_ENVIRONMENT:-}" ]]; then
  echo "==> Recording deploy marker for ${SENTRY_ENVIRONMENT}"
  sentry-cli releases deploys "${SENTRY_RELEASE}" new \
    -e "${SENTRY_ENVIRONMENT}" || echo "[WARN] deploy marker failed (non-fatal)"
fi

And drop the deploy block from upload_symbols() entirely.

[graycyrus]

[major] The file now has both OPENHUMAN_SENTRY_DSN (the old key, kept from before this PR) and the new OPENHUMAN_CORE_SENTRY_DSN added below. These refer to the same underlying secret — release.yml at line 479 reads vars.OPENHUMAN_CORE_SENTRY_DSN and passes it as the env var OPENHUMAN_SENTRY_DSN into the cargo build. Having both in the example will cause a fresh provisioner to set both, only one of which matters.

The stale OPENHUMAN_SENTRY_DSN and VITE_SENTRY_DSN entries should be removed (superseded by OPENHUMAN_CORE_SENTRY_DSN and OPENHUMAN_REACT_SENTRY_DSN respectively), or at least annotated with a comment explaining the alias so the duplication is intentional.

[senamakel]

@CodeGhost21 bro pls reolsve these comments

[senamakel]

@CodeGhost21 pls resolve the git conflicts

[CodeGhost21]

Superseded by #1067 — opening a fresh PR straight off current main rather than untangling the merge noise on this branch.

This branch was originally forked from an older main. Mid-review I tried to bring it up to date by merging feat/sentry-per-project-dsns, but that branch was itself stale relative to current main, so the result ended up missing ~25 PRs of newer work (battery throttle, scheduler gate, in-process core change, etc.). The diff against current main showed legitimate Sentry additions tangled with unrelated rollbacks of starship-battery, iana-time-zone, etc. — not the right shape to merge.

#1067 is built directly on current main and contains only the surgical Sentry changes:

• debug-images feature on the sentry crate (the missing-source-context fix from your latest comment, @Al629176)
• [profile.release] DWARF emission so symbol upload has something to ship
• short_sha (12 chars) used everywhere SENTRY_RELEASE is constructed (your finding, @coderabbitai)
• Dedicated Record Sentry deploy marker step instead of inside the upload script (your finding, @graycyrus — the script can run multiple times in a release lifecycle and sentry-cli releases deploys new doesn't dedupe by release+env)
• scripts/ci-secrets.example.json updated to the per-surface vars release.yml actually reads now (your finding, @graycyrus)
• --log-level=warn (sentry-cli 3.x compat)
• docs/sentry.md rewritten

Closing this in favor of #1067.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@CodeGhost21 — understood, thanks for the clear write-up. Glad the short_sha (12-char) finding and the other review items were useful and are all folded into #1067. The rationale for a clean branch off current main (avoiding the tangled rollbacks of unrelated crates) makes complete sense — that's exactly the right call.

I'll go ahead and resolve my open comments on this PR since the work is continuing in #1067.

[resolve]

---

🧠 Learnings used

Learnt from: sanil-23
Repo: tinyhumansai/openhuman PR: 276
File: Cargo.toml:130-131
Timestamp: 2026-04-02T14:48:16.390Z
Learning: In `Cargo.toml` of tinyhumansai/openhuman, the `[patch.crates-io]` entry for `whisper-rs-sys` intentionally uses `branch = "main"` (pointing to `https://github.com/tinyhumansai/whisper-rs-sys.git`) rather than a pinned `rev`. The maintainer (sanil-23) owns the fork and considers the risk acceptable. Do not flag this as an issue in future reviews.