fix(docker): allow MARBLE_WORKSPACE_KEY to be passed during build #712

Open
xandyxor wants to merge 1 commit into OpenCut-app:main from xandyxor:main

@xandyxor xandyxor commented Feb 24, 2026

This PR fixes the Docker build failure during the next build stage.
The Problem:
The Dockerfile previously used a hardcoded "build-placeholder" for MARBLE_WORKSPACE_KEY. Since Next.js performs static generation during build time, it attempts to fetch blog data. An invalid key results in a 404 Not Found error, causing the build to fail.
The Solution:

  • Added ARG MARBLE_WORKSPACE_KEY to the Dockerfile.
  • Changed ENV MARBLE_WORKSPACE_KEY to use the passed argument with a working default value.

Summary by CodeRabbit

  • Chores
    • Updated internal build configuration for improved environment variable handling.

Note: This is an infrastructure update with no end-user visible changes.

vercel bot commented Feb 24, 2026

@xandyxor is attempting to deploy a commit to the OpenCut OSS Team on Vercel.

A member of the Team first needs to authorize it.

coderabbitai bot commented Feb 24, 2026

Walkthrough

The Dockerfile was updated to introduce a build-time argument for MARBLE_WORKSPACE_KEY and replace a hardcoded placeholder default with dynamic parameter expansion, allowing the value to be overridden at build or runtime.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Docker Configuration (apps/web/Dockerfile) | Added ARG MARBLE_WORKSPACE_KEY build argument and updated environment variable to use parameter expansion ${MARBLE_WORKSPACE_KEY:-cmd4iw9mm0006l804kwqv0k46} instead of the previous hardcoded "build-placeholder" default. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A key that flows from build to run,
No longer trapped in stone!
Parameter expansion, oh what fun,
Our workspace key has grown!
Dynamic defaults, defaults so keen,
The finest Dockerfile we've seen! 🌟

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | The description is incomplete; it does not follow the repository's required template which asks for issue reference or maintainer approval confirmation for bug fixes. | Add checkboxes confirming an issue was opened and maintainer approval was obtained, as required by the repository's PR template. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately describes the main change: allowing MARBLE_WORKSPACE_KEY to be passed during Docker build, which directly addresses the core problem in the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4d77e3f and 4a4c9b7.

📒 Files selected for processing (1)
  • apps/web/Dockerfile

ENV NEXT_PUBLIC_SITE_URL="http://localhost:3000"
ENV NEXT_PUBLIC_MARBLE_API_URL="https://api.marblecms.com"
ENV MARBLE_WORKSPACE_KEY="build-placeholder"
ENV MARBLE_WORKSPACE_KEY=${MARBLE_WORKSPACE_KEY:-cmd4iw9mm0006l804kwqv0k46}
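
Review bot: The fallback in `ENV MARBLE_WORKSPACE_KEY=${MARBLE_WORKSPACE_KEY:-cmd4iw9mm0006l804kwqv0k46}` commits a literal workspace key to the repository, and because ENV values are recorded in the image metadata for this stage, the value is also visible to anyone who can run `docker history` or `docker inspect` on an image built from it. Drop the literal default so the build fails when no key is supplied, and if the key is only needed while `next build` runs, provide it to that step through a BuildKit secret mount instead of ENV so it is not persisted. The replaced `"build-placeholder"` line had the same persistence behaviour but carried no real value, so the exposure is new with this change.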

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# Search for references to MARBLE_WORKSPACE_KEY in the codebase
rg -i "MARBLE_WORKSPACE_KEY" --context 3

Repository: OpenCut-app/OpenCut

Length of output: 2849


🏁 Script executed:

# Look for any documentation about Marble or this key
find . -type f \( -name "README*" -o -name "*.md" -o -name "*.txt" \) | head -20 | xargs grep -l -i "marble\|workspace" 2>/dev/null

Repository: OpenCut-app/OpenCut

Length of output: 100


🏁 Script executed:

# Check if there are any comments in the Dockerfile itself
cat -n apps/web/Dockerfile

Repository: OpenCut-app/OpenCut

Length of output: 2459


🌐 Web query:

Marble CMS workspace key public or sensitive

💡 Result:

Marble CMS workspace key should be treated as sensitive (a secret), not public.

Marble’s API docs state that requests are authenticated using the workspace key in the URL path, and explicitly warn: “Your workspace key carries many privileges, so be sure to keep it secure! Do not share your workspace key in publicly accessible areas such as GitHub, client-side code…” [1]. If you need a value that can be exposed, use a scoped API key instead (ideally server-side), since even “public/read-only” keys can still be abused (e.g., consuming rate limits) [2].

Sources: [1] [2]


🌐 Web query:

Marble API marblecms.com workspace authentication

💡 Result:

Marble CMS (marblecms.com) authenticates API requests with an API key tied to your workspace:

  • Create/manage the key: In your workspace dashboard go to Settings → API Keys. [1]
  • Send the key on every request (recommended): Put it in the Authorization header. [1]
    curl -H "Authorization: YOUR_API_KEY" \
      https://api.marblecms.com/v1/posts
  • Alternative (less recommended): Pass it as a query parameter ?key=YOUR_API_KEY. [1]
    curl "https://api.marblecms.com/v1/posts?key=YOUR_API_KEY"

If you tell me what you mean by “workspace authentication” (e.g., selecting a workspace in API calls, user login/OAuth, or server-to-server API access), I can point to the exact endpoint/headers for that. [1]


Remove the default MARBLE_WORKSPACE_KEY or move it to secret injection.

Per Marble CMS documentation, workspace keys are sensitive secrets and must not be committed to publicly accessible repositories. The key cmd4iw9mm0006l804kwqv0k46 is now baked into the Docker image layer at build time and also hardcoded in apps/web/src/lib/blog/query.ts as a fallback. Marble explicitly warns: "Your workspace key carries many privileges, so be sure to keep it secure! Do not share your workspace key in publicly accessible areas such as GitHub, client-side code…"

Either:

  1. Remove the default entirely and require --build-arg MARBLE_WORKSPACE_KEY=... at build time, or
  2. Use Docker build secrets: RUN --mount=type=secret,id=marble_key ENV MARBLE_WORKSPACE_KEY=$(cat /run/secrets/marble_key)

Also remove the hardcoded default from apps/web/src/lib/blog/query.ts and require the env var to be set at runtime.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@apps/web/Dockerfile` at line 35, Remove the hardcoded default workspace key:
change the Dockerfile ENV declaration so MARBLE_WORKSPACE_KEY is not set to a
literal default (stop using ENV
MARBLE_WORKSPACE_KEY=${MARBLE_WORKSPACE_KEY:-cmd4iw9mm0006l804kwqv0k46});
instead require a build-arg or use Docker build secrets (e.g., use --build-arg
MARBLE_WORKSPACE_KEY=... at build time or RUN --mount=type=secret,id=marble_key
ENV MARBLE_WORKSPACE_KEY=$(cat /run/secrets/marble_key)). Also remove the
fallback hardcoded key in the client code (the fallback in
apps/web/src/lib/blog/query.ts) and make code that reads
process.env.MARBLE_WORKSPACE_KEY fail loudly or throw a clear error when the env
var is missing so the secret must be injected at runtime.
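
The secret-mount option from the review above, written out as a valid Dockerfile fragment. This is an added example, not the project's apps/web/Dockerfile: the base image, the install and `npx next build` commands are assumptions, and the secret id `marble_key` is taken from the review's suggestion.

```dockerfile
# syntax=docker/dockerfile:1
# Constructed fragment for illustration; not the project's apps/web/Dockerfile.
# Assumptions: base image, COPY layout, and the install/build commands.
FROM node:20-alpine AS builder
WORKDIR /app
COPY . .
RUN npm ci

ENV NEXT_PUBLIC_SITE_URL="http://localhost:3000"
ENV NEXT_PUBLIC_MARBLE_API_URL="https://api.marblecms.com"

# Weak form from the PR: the literal default is committed to the repository
# and recorded in the image metadata.
#   ENV MARBLE_WORKSPACE_KEY=${MARBLE_WORKSPACE_KEY:-<literal key>}

# Hardened form: no ARG and no ENV for the key. ENV cannot evaluate
# $(cat ...), so the secret file is read inside the one RUN step that
# needs it and exists only for the duration of that step.
# required=true makes the build fail when the secret is not supplied,
# instead of silently building with an empty key.
RUN --mount=type=secret,id=marble_key,required=true \
    MARBLE_WORKSPACE_KEY="$(cat /run/secrets/marble_key)" npx next build

# At runtime the container must receive MARBLE_WORKSPACE_KEY from its
# environment (orchestrator secret, env file kept out of the repository);
# nothing in this image carries it.
```

Build with `docker build --secret id=marble_key,env=MARBLE_WORKSPACE_KEY -f apps/web/Dockerfile .` so the value is taken from the builder's environment and never appears as a build argument or in a layer.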
