Inject Koios JWT at build time from a GH Actions secret.

Crypto2099 · Crypto2099 · commit d6c3e834d3c7 · 2026-05-20T15:29:32.000-07:00
The Koios JWT is still public — it ends up in the JS bundle by design — but hard-coding it in `src/plugins/vue-cardano.js` *and* `src/App.vue` meant every rotation was a two-file source edit plus a release. Wire it through a build-time env var so the next rotation is a Settings → Secrets edit and a redeploy.

Updates include:

- Both `koios_key` declarations now read `process.env.VUE_APP_KOIOS_JWT` (the Vue CLI convention — webpack's DefinePlugin inlines `VUE_APP_*` vars into the client bundle at build time), falling back to a hard-coded default so `npm run serve` keeps working with no `.env.local` setup. The fallback has been refreshed to the JWT issued today (the previous embedded token expired in Jan 2026); future rotations only need to update the GitHub secret.
- `.github/workflows/deploy.yaml` and `.github/workflows/ci.yaml` now forward `secrets.KOIOS_JWT` into the `npm run build` step as `VUE_APP_KOIOS_JWT`. CI builds against the same secret so PR builds match production. When the secret isn't set in a fork's CI, the fallback kicks in and the build still passes.
- `.env.example` documents the variable for anyone running locally who wants to point at a different Koios project without touching source.
diff --git a/.env.example b/.env.example
@@ -0,0 +1,7 @@
+# Copy to .env.local and fill in to override build-time defaults.
+# Any var prefixed with VUE_APP_ is inlined into the client bundle.
+
+# Koios API JWT (https://koios.rest/). Bundled into the JS — treated as public.
+# Production builds inject this from the KOIOS_JWT GitHub Actions secret;
+# leave unset to use the fallback embedded in src/plugins/vue-cardano.js.
+VUE_APP_KOIOS_JWT=
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -21,6 +21,7 @@ jobs:
         run: npm run build
         env:
           NODE_OPTIONS: --max-old-space-size=4096
+          VUE_APP_KOIOS_JWT: ${{ secrets.KOIOS_JWT }}
       # Once smoke tests exist (modernization task A4), add:
       # - run: npx playwright install --with-deps
       # - run: npm run test:e2e
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
@@ -20,6 +20,7 @@ jobs:
         run: npm run build
         env:
           NODE_OPTIONS: --max-old-space-size=4096
+          VUE_APP_KOIOS_JWT: ${{ secrets.KOIOS_JWT }}
       - uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
diff --git a/src/App.vue b/src/App.vue
@@ -398,8 +398,11 @@ import axios from "axios";
 import stringify from "fast-safe-stringify";
 import version from "./version.json";
 
+// Injected at build time via VUE_APP_KOIOS_JWT (see deploy.yaml / ci.yaml).
+// Fallback keeps `npm run serve` working without an .env.local override.
 const koios_key =
-  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhZGRyIjoic3Rha2UxdXk1Nm5uN3c1OGRyNWsyOG1mcnhnaHBuZ25uNHo0N2pkcGdwOW1ldXZncDdrNXFtaHljbnAiLCJleHAiOjE3Njk1Mjg1MDAsInRpZXIiOjEsInByb2pJRCI6IlVuRnJhY2tJdCJ9.GrdvIKjkdDDFENR5a7Kypzt79UbuknjFAgq3SRv0oPw";
+  process.env.VUE_APP_KOIOS_JWT ||
+  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhZGRyIjoic3Rha2UxdTlxdDV2dWo3OHdoZm1zMzhjc2Q3NzVraGV0OGd1cWV0M3hsODJsaG1rbXl0cHEya3R6aGMiLCJleHAiOjE4MTA4NDQwMTAsInRpZXIiOjEsInByb2pJRCI6InVuZnJhY2suaXQifQ.rvAHYjwdN8XQVS_JO68QxsHwO8hYj6j6MHLAiNcxtVg";
 
 class Paginate {
   constructor(page, limit) {
diff --git a/src/plugins/vue-cardano.js b/src/plugins/vue-cardano.js
@@ -3,8 +3,11 @@ import { Buffer } from "buffer";
 import * as CSL from "@emurgo/cardano-serialization-lib-asmjs";
 import axios from "axios";
 
+// Injected at build time via VUE_APP_KOIOS_JWT (see deploy.yaml / ci.yaml).
+// Fallback keeps `npm run serve` working without an .env.local override.
 const koios_key =
-  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhZGRyIjoic3Rha2UxdXk1Nm5uN3c1OGRyNWsyOG1mcnhnaHBuZ25uNHo0N2pkcGdwOW1ldXZncDdrNXFtaHljbnAiLCJleHAiOjE3Njk1Mjg1MDAsInRpZXIiOjEsInByb2pJRCI6IlVuRnJhY2tJdCJ9.GrdvIKjkdDDFENR5a7Kypzt79UbuknjFAgq3SRv0oPw";
+  process.env.VUE_APP_KOIOS_JWT ||
+  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhZGRyIjoic3Rha2UxdTlxdDV2dWo3OHdoZm1zMzhjc2Q3NzVraGV0OGd1cWV0M3hsODJsaG1rbXl0cHEya3R6aGMiLCJleHAiOjE4MTA4NDQwMTAsInRpZXIiOjEsInByb2pJRCI6InVuZnJhY2suaXQifQ.rvAHYjwdN8XQVS_JO68QxsHwO8hYj6j6MHLAiNcxtVg";
 
 const defaultOptions = {
   retries: 10,
