chore(youtube-auth): load client_id/secret from env at build time#100
Merged
ImpulseB23 merged 5 commits intomainfrom Apr 21, 2026
Merged
chore(youtube-auth): load client_id/secret from env at build time#100ImpulseB23 merged 5 commits intomainfrom
ImpulseB23 merged 5 commits intomainfrom
Conversation
Replaces hard-coded REPLACE_ME placeholders for GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET with option_env! lookups so production credentials are injected via env vars at build time and never committed. Falls back to the same placeholders when the env vars are unset, preserving the existing 'invalid_client' failure mode for unconfigured builds. build.rs now declares rerun-if-env-changed for both vars so cached builds don't bake in stale values.
github-actions
Bot
added
rust
There was a problem hiding this comment.
Pull request overview
Updates the YouTube OAuth configuration flow so production client_id / client_secret are injected via environment variables at Rust compile time (instead of hard-coded placeholders), aligning with the repo’s goal of keeping credentials out of source control while still allowing unconfigured builds to fail with invalid_client.
Changes:
- Load
GOOGLE_CLIENT_ID/GOOGLE_CLIENT_SECRETviaoption_env!with placeholder fallbacks. - Add
cargo:rerun-if-env-changedentries inbuild.rsto avoid stale cached builds. - Wire secrets into the GitHub Actions release workflow and ignore downloaded Google client secret JSON files.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| apps/desktop/src-tauri/src/youtube_auth/mod.rs | Switches OAuth constants to compile-time env lookups with placeholder fallback. |
| apps/desktop/src-tauri/build.rs | Ensures Cargo rebuilds when YouTube OAuth env vars change. |
| .gitignore | Prevents accidental commits of Google OAuth client secret JSON downloads. |
| .github/workflows/release.yml | Injects YouTube OAuth env vars into the release build step. |
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Replaces hard-coded
REPLACE_MEplaceholders forGOOGLE_CLIENT_IDandGOOGLE_CLIENT_SECRETwithoption_env!lookups so production credentials are injected via env vars at build time and never land in the repo. Falls back to the same placeholders when unset, preserving theinvalid_clientfailure mode for unconfigured builds.build.rsdeclaresrerun-if-env-changedfor both vars so cached builds don't bake in stale values.release.ymlunder thetauri-actionstep so release builds get the real credentials.AuthManagerBuilderwith mock values..gitignoreforclient_secret_*.jsondownloads from the GCP console.After merge, a
v*tag cut by release-please will produce binaries that complete the YouTube loopback flow against the real Desktop OAuth client.