From d86c07aaffaee1dfca92dbabd71a0c37b9aafc6c Mon Sep 17 00:00:00 2001
From: jasonford <jason.ford@sentry.io>
Date: Thu, 15 Jan 2026 09:47:33 -0600
Subject: [PATCH 1/3] feat: Inject runtime configuration for GH_APP in NGINX
 startup script

---
 docker/start-nginx.sh | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/docker/start-nginx.sh b/docker/start-nginx.sh
index fa7cbb86ef..83701e5ba8 100644
--- a/docker/start-nginx.sh
+++ b/docker/start-nginx.sh
@@ -32,6 +32,12 @@ then
     sed -i -r "s/[a-zA-Z]+\.BBS_URL/\"${BBS_SCHEME_BASE}:\/\/${BBS_BASE}\"/g" /var/www/app/gazebo/assets/*.js
   fi
 
+  # Inject runtime config via window.configEnv
+  if [[ -n "${CODECOV_GH_APP}" ]]; then
+    echo "Setting GH_APP to ${CODECOV_GH_APP}"
+    sed -i 's|<head>|<head><script>window.configEnv=window.configEnv||{};window.configEnv.GH_APP="'"${CODECOV_GH_APP}"'";</script>|' /var/www/app/gazebo/index.html
+  fi
+
   export DOLLAR='$'
   if [ "$CODECOV_FRONTEND_IPV6_DISABLED" ]; then
     echo 'Codecov frontend ipv6 disabled'

From 70f590c8c12abba01f4e545d84f209c3b9f83a63 Mon Sep 17 00:00:00 2001
From: jasonford <jason.ford@sentry.io>
Date: Thu, 15 Jan 2026 09:57:13 -0600
Subject: [PATCH 2/3] feat: Base64 encode GH_APP in NGINX startup script for
 safer injection

---
 docker/start-nginx.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/docker/start-nginx.sh b/docker/start-nginx.sh
index 83701e5ba8..267ed6457a 100644
--- a/docker/start-nginx.sh
+++ b/docker/start-nginx.sh
@@ -35,7 +35,9 @@ then
   # Inject runtime config via window.configEnv
   if [[ -n "${CODECOV_GH_APP}" ]]; then
     echo "Setting GH_APP to ${CODECOV_GH_APP}"
-    sed -i 's|<head>|<head><script>window.configEnv=window.configEnv||{};window.configEnv.GH_APP="'"${CODECOV_GH_APP}"'";</script>|' /var/www/app/gazebo/index.html
+    # Base64 encode to safely handle all special characters (sed, JS, HTML)
+    ENCODED_GH_APP=$(printf '%s' "${CODECOV_GH_APP}" | base64 | tr -d '\n')
+    sed -i 's#<head>#<head><script>window.configEnv=window.configEnv||{};window.configEnv.GH_APP=atob("'"${ENCODED_GH_APP}"'");</script>#' /var/www/app/gazebo/index.html
   fi
 
   export DOLLAR='$'

From fb8f75a3d218c9da2d79f0ba7a0ba760a23bf8bd Mon Sep 17 00:00:00 2001
From: jasonford <jason.ford@sentry.io>
Date: Thu, 15 Jan 2026 10:06:08 -0600
Subject: [PATCH 3/3] feat: Make GH_APP injection idempotent in NGINX startup
 script

---
 docker/start-nginx.sh | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/docker/start-nginx.sh b/docker/start-nginx.sh
index 267ed6457a..72d582122f 100644
--- a/docker/start-nginx.sh
+++ b/docker/start-nginx.sh
@@ -34,10 +34,15 @@ then
 
   # Inject runtime config via window.configEnv
   if [[ -n "${CODECOV_GH_APP}" ]]; then
-    echo "Setting GH_APP to ${CODECOV_GH_APP}"
-    # Base64 encode to safely handle all special characters (sed, JS, HTML)
-    ENCODED_GH_APP=$(printf '%s' "${CODECOV_GH_APP}" | base64 | tr -d '\n')
-    sed -i 's#<head>#<head><script>window.configEnv=window.configEnv||{};window.configEnv.GH_APP=atob("'"${ENCODED_GH_APP}"'");</script>#' /var/www/app/gazebo/index.html
+    # Only inject if not already present (makes this idempotent across container restarts)
+    if ! grep -q 'window.configEnv.GH_APP' /var/www/app/gazebo/index.html; then
+      echo "Setting GH_APP to ${CODECOV_GH_APP}"
+      # Base64 encode to safely handle all special characters (sed, JS, HTML)
+      ENCODED_GH_APP=$(printf '%s' "${CODECOV_GH_APP}" | base64 | tr -d '\n')
+      sed -i 's#<head>#<head><script>window.configEnv=window.configEnv||{};window.configEnv.GH_APP=atob("'"${ENCODED_GH_APP}"'");</script>#' /var/www/app/gazebo/index.html
+    else
+      echo "GH_APP already configured, skipping injection"
+    fi
   fi
 
   export DOLLAR='$'