feat(build): add build-time secret injection for launchdarkly (#157)

* feat(build): add build-time secret injection for launchdarkly

- Add reusable workflow for AWS Secrets Manager integration
- Update Dockerfile with BuildKit secret mounts for secure injection
- Configure Angular define feature for build-time constant replacement
- Implement OpenFeature with LaunchDarkly provider
- Add feature flag service and provider with SSR support
- Update all Docker build workflows to use reusable secret workflow
- Add comprehensive documentation for build-time secrets pattern
- Support local development with fallback values for ng serve

LFXV2-750

Signed-off-by: Asitha de Silva <[email protected]>

* refactor(feature-flags): remove duplicate sdk interfaces and update docs

- Remove duplicate EvaluationContext and LaunchDarklyConfig interfaces from shared package (available from @openfeature/web-sdk)
- Update feature flags documentation to show provideAppInitializer instead of deprecated APP_INITIALIZER pattern
- Replace hardcoded LaunchDarkly client IDs with placeholders in documentation
- Add preferred_username field to User interface for feature flag targeting
- Improve type safety in feature-flag.service.ts by using User type

LFXV2-750

Generated with [Claude Code](https://claude.ai/code)

Signed-off-by: Asitha de Silva <[email protected]>

* fix(build): correct --define syntax for angular cli

- Fix Dockerfile to use --define=KEY=VALUE without -- separator
- Update documentation with verified working syntax
- Remove incorrect -- separator from all examples
- Tested build completes successfully and value is injected

The Angular CLI requires --define=KEY=VALUE format directly on yarn build
commands without the -- separator. String values must be quoted within
quotes: --define=KEY="'value'"

Verified with test build that value is properly injected into bundle.

LFXV2-750

Generated with [Claude Code](https://claude.ai/code)

Signed-off-by: Asitha de Silva <[email protected]>

* refactor(build): separate shared and ui builds to support --define

- Build shared package separately before UI to avoid TypeScript compiler errors
- Use yarn workspace commands for targeted builds
- Update Dockerfile to build @lfx-one/shared then lfx-one-ui
- Update documentation with workspace build approach
- Change --define syntax to use space (matches Angular CLI docs)

This resolves the issue where running build from root would fail because
the shared package's TypeScript compiler doesn't understand --define flags.
Building them separately allows each package to use appropriate build flags.

LFXV2-750

Generated with [Claude Code](https://claude.ai/code)

Signed-off-by: Asitha de Silva <[email protected]>

* refactor(ci): use GITHUB_ENV for secret retrieval

Remove get-launchdarkly-secrets.yml reusable workflow and implement direct
AWS Secrets Manager retrieval in each job using GITHUB_ENV. This resolves
the GitHub Actions issue where masked values cannot be used in workflow
outputs.

Changes:
- Update docker-build-main.yml to retrieve secrets directly in job
- Update docker-build-tag.yml to retrieve secrets directly in job
- Update docker-build-pr.yml to retrieve secrets directly in job
- Delete get-launchdarkly-secrets.yml reusable workflow file
- Update build-time-secrets.md documentation to reflect new approach
- LaunchDarkly client-side IDs are NOT masked (they're public values)

LFXV2-750

Generated with [Claude Code](https://claude.ai/code)

Signed-off-by: Asitha de Silva <[email protected]>

---------

Signed-off-by: Asitha de Silva <[email protected]>

Author: asithade

.github/workflows/docker-build-main.yml

@@ -11,6 +11,8 @@ on:
 
 permissions:
   contents: read
+  id-token: write
+  packages: write
 
 env:
   REGISTRY: ghcr.io
@@ -19,15 +21,33 @@ env:
 jobs:
   build-and-push:
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
 
+      - name: OIDC Auth
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          audience: sts.amazonaws.com
+          role-to-assume: arn:aws:iam::788942260905:role/github-actions-deploy
+          aws-region: us-west-2
+
+      - name: Get LaunchDarkly client ID from AWS Secrets Manager
+        uses: aws-actions/aws-secretsmanager-get-secrets@v2
+        with:
+          secret-ids: |
+            LAUNCHDARKLY, /cloudops/managed-secrets/launchdarkly/lfx_one/ld_client_id
+
+      - name: Set LaunchDarkly client ID environment variable
+        run: |
+          LAUNCHDARKLY_CLIENT_ID=$(echo "$LAUNCHDARKLY" | jq -r '.ld_client_id // empty')
+          if [ -z "$LAUNCHDARKLY_CLIENT_ID" ]; then
+            echo "❌ LaunchDarkly client ID not found in AWS Secrets Manager"
+            exit 1
+          fi
+          echo "LAUNCHDARKLY_CLIENT_ID=$LAUNCHDARKLY_CLIENT_ID" >> $GITHUB_ENV
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
@@ -68,3 +88,5 @@ jobs:
           cache-to: type=gha,mode=max
           build-args: |
             BUILD_ENV=development
+          secret-envs: |
+            LAUNCHDARKLY_CLIENT_ID=LAUNCHDARKLY_CLIENT_ID

.github/workflows/docker-build-pr.yml

@@ -12,6 +12,7 @@ permissions:
   packages: write
   pull-requests: write
   issues: write
+  id-token: write
 
 env:
   REGISTRY: ghcr.io
@@ -27,10 +28,33 @@ jobs:
       github.event.pull_request.head.repo.fork == false &&
       contains(github.event.pull_request.labels.*.name, 'deploy-preview')
     runs-on: ubuntu-latest
+
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
 
+      - name: OIDC Auth
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          audience: sts.amazonaws.com
+          role-to-assume: arn:aws:iam::788942260905:role/github-actions-deploy
+          aws-region: us-west-2
+
+      - name: Get LaunchDarkly client ID from AWS Secrets Manager
+        uses: aws-actions/aws-secretsmanager-get-secrets@v2
+        with:
+          secret-ids: |
+            LAUNCHDARKLY, /cloudops/managed-secrets/launchdarkly/lfx_one/ld_client_id
+
+      - name: Set LaunchDarkly client ID environment variable
+        run: |
+          LAUNCHDARKLY_CLIENT_ID=$(echo "$LAUNCHDARKLY" | jq -r '.ld_client_id // empty')
+          if [ -z "$LAUNCHDARKLY_CLIENT_ID" ]; then
+            echo "❌ LaunchDarkly client ID not found in AWS Secrets Manager"
+            exit 1
+          fi
+          echo "LAUNCHDARKLY_CLIENT_ID=$LAUNCHDARKLY_CLIENT_ID" >> $GITHUB_ENV
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
@@ -72,6 +96,8 @@ jobs:
           cache-to: type=gha,mode=max
           build-args: |
             BUILD_ENV=development
+          secret-envs: |
+            LAUNCHDARKLY_CLIENT_ID=LAUNCHDARKLY_CLIENT_ID
 
       - name: Comment deployment URL on PR
         uses: actions/github-script@v7

.github/workflows/docker-build-tag.yml

@@ -10,6 +10,8 @@ on:
 
 permissions:
   contents: read
+  id-token: write
+  packages: write
 
 env:
   REGISTRY: ghcr.io
@@ -20,10 +22,6 @@ env:
 jobs:
   build-and-push:
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
     outputs:
       app_version: ${{ steps.prepare.outputs.app_version }}
       chart_name: ${{ steps.prepare.outputs.chart_name }}
@@ -33,6 +31,28 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
 
+      - name: OIDC Auth
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          audience: sts.amazonaws.com
+          role-to-assume: arn:aws:iam::788942260905:role/github-actions-deploy
+          aws-region: us-west-2
+
+      - name: Get LaunchDarkly client ID from AWS Secrets Manager
+        uses: aws-actions/aws-secretsmanager-get-secrets@v2
+        with:
+          secret-ids: |
+            LAUNCHDARKLY, /cloudops/managed-secrets/launchdarkly/lfx_one/ld_client_id
+
+      - name: Set LaunchDarkly client ID environment variable
+        run: |
+          LAUNCHDARKLY_CLIENT_ID=$(echo "$LAUNCHDARKLY" | jq -r '.ld_client_id // empty')
+          if [ -z "$LAUNCHDARKLY_CLIENT_ID" ]; then
+            echo "❌ LaunchDarkly client ID not found in AWS Secrets Manager"
+            exit 1
+          fi
+          echo "LAUNCHDARKLY_CLIENT_ID=$LAUNCHDARKLY_CLIENT_ID" >> $GITHUB_ENV
+
       - name: Prepare versions and chart name
         id: prepare
         run: |
@@ -86,6 +106,8 @@ jobs:
           cache-to: type=gha,mode=max
           build-args: |
             BUILD_ENV=production
+          secret-envs: |
+            LAUNCHDARKLY_CLIENT_ID=LAUNCHDARKLY_CLIENT_ID
 
   release-helm-chart:
     needs: build-and-push

Dockerfile

@@ -24,8 +24,13 @@ RUN yarn install --immutable
 # NOW copy source code (changes here won't invalidate the dependency layer)
 COPY . .
 
-# Build the application with specified environment
-RUN yarn build:${BUILD_ENV}
+# Build shared package first (doesn't need --define flag)
+RUN yarn workspace @lfx-one/shared build:${BUILD_ENV}
+
+# Build the Angular application with LaunchDarkly client ID from secret
+RUN --mount=type=secret,id=LAUNCHDARKLY_CLIENT_ID \
+    LAUNCHDARKLY_CLIENT_ID=$(cat /run/secrets/LAUNCHDARKLY_CLIENT_ID) && \
+    yarn workspace lfx-one-ui build:${BUILD_ENV} --define LAUNCHDARKLY_CLIENT_ID="'${LAUNCHDARKLY_CLIENT_ID}'"
 
 # Expose port 4000
 EXPOSE 4000

apps/lfx-one/.env.example

@@ -66,6 +66,12 @@ SNOWFLAKE_ROLE=your-read-role
 AI_PROXY_URL=https://litellm.tools.lfx.dev/chat/completions
 AI_API_KEY=your-litellm-ai-api-key
 
+# LaunchDarkly Feature Flags Configuration
+# Client ID for LaunchDarkly feature flag service
+# This is injected at Docker build time via --build-arg
+# For local development, set this to your LaunchDarkly client-side ID
+LD_CLIENT_ID=your-launchdarkly-client-id
+
 # E2E Test Configuration (Optional)
 # Test user credentials for automated testing
 TEST_USERNAME=your-test-username

apps/lfx-one/angular.json

@@ -53,7 +53,10 @@
               "entry": "src/server/server.ts"
             },
             "allowedCommonJsDependencies": ["@linuxfoundation/lfx-ui-core"],
-            "externalDependencies": ["snowflake-sdk"]
+            "externalDependencies": ["snowflake-sdk"],
+            "define": {
+              "LAUNCHDARKLY_CLIENT_ID": "''"
+            }
           },
           "configurations": {
             "production": {
@@ -75,7 +78,10 @@
                   "replace": "src/environments/environment.ts",
                   "with": "src/environments/environment.prod.ts"
                 }
-              ]
+              ],
+              "define": {
+                "LAUNCHDARKLY_CLIENT_ID": "''"
+              }
             },
             "staging": {
               "budgets": [
@@ -96,7 +102,10 @@
                   "replace": "src/environments/environment.ts",
                   "with": "src/environments/environment.staging.ts"
                 }
-              ]
+              ],
+              "define": {
+                "LAUNCHDARKLY_CLIENT_ID": "''"
+              }
             },
             "development": {
               "optimization": false,
@@ -107,12 +116,18 @@
                   "replace": "src/environments/environment.ts",
                   "with": "src/environments/environment.dev.ts"
                 }
-              ]
+              ],
+              "define": {
+                "LAUNCHDARKLY_CLIENT_ID": "''"
+              }
             },
             "local": {
               "optimization": false,
               "extractLicenses": false,
-              "sourceMap": true
+              "sourceMap": true,
+              "define": {
+                "LAUNCHDARKLY_CLIENT_ID": "''"
+              }
             }
           },
           "defaultConfiguration": "production"

apps/lfx-one/package.json

@@ -40,11 +40,15 @@
     "@fullcalendar/timegrid": "^6.1.19",
     "@lfx-one/shared": "workspace:*",
     "@linuxfoundation/lfx-ui-core": "^0.0.20",
+    "@openfeature/core": "^1.9.1",
+    "@openfeature/launchdarkly-client-provider": "^0.3.3",
+    "@openfeature/web-sdk": "^1.7.1",
     "@primeng/themes": "^19.1.4",
     "compression": "^1.8.1",
     "dotenv": "^17.2.1",
     "express": "^4.18.2",
     "express-openid-connect": "^2.19.2",
+    "launchdarkly-js-client-sdk": "^3.9.0",
     "nats": "^2.29.3",
     "ngx-cookie-service-ssr": "^19.1.2",
     "pino-http": "^10.5.0",

apps/lfx-one/src/app/app.component.ts

@@ -7,6 +7,7 @@ import { RouterOutlet } from '@angular/router';
 import { AuthContext } from '@lfx-one/shared/interfaces';
 import { ToastModule } from 'primeng/toast';
 
+import { FeatureFlagService } from './shared/services/feature-flag.service';
 import { SegmentService } from './shared/services/segment.service';
 import { UserService } from './shared/services/user.service';
 
@@ -19,6 +20,7 @@ import { UserService } from './shared/services/user.service';
 export class AppComponent {
   private readonly userService = inject(UserService);
   private readonly segmentService = inject(SegmentService);
+  private readonly featureFlagService = inject(FeatureFlagService);
 
   public auth: AuthContext | undefined;
   public transferState = inject(TransferState);
@@ -52,6 +54,11 @@ export class AppComponent {
 
       // Identify user with Segment tracking (pass entire Auth0 user object)
       this.segmentService.identifyUser(this.auth.user);
+
+      // Initialize feature flags with user context
+      this.featureFlagService.initialize(this.auth.user).catch((error) => {
+        console.error('Failed to initialize feature flags:', error);
+      });
     }
   }
 }

apps/lfx-one/src/app/app.config.ts

@@ -15,6 +15,7 @@ import { providePrimeNG } from 'primeng/config';
 import { DialogService } from 'primeng/dynamicdialog';
 
 import { routes } from './app.routes';
+import { provideFeatureFlags } from './shared/providers/feature-flag.provider';
 import { CustomPreloadingStrategy } from './shared/strategies/custom-preloading.strategy';
 
 const customPreset = definePreset(Aura, {
@@ -45,6 +46,7 @@ export const appConfig: ApplicationConfig = {
         },
       },
     }),
+    provideFeatureFlags(),
     ConfirmationService,
     DialogService,
     MessageService,

apps/lfx-one/src/app/layouts/main-layout/main-layout.component.html

@@ -4,7 +4,7 @@
 <div class="flex min-h-screen">
   <!-- Sidebar - Desktop -->
   <div class="hidden lg:block w-64 flex-shrink-0 fixed top-0 left-0">
-    <lfx-sidebar [items]="sidebarItems" [footerItems]="sidebarFooterItems" [showProjectSelector]="true"></lfx-sidebar>
+    <lfx-sidebar [items]="sidebarItems()" [footerItems]="sidebarFooterItems" [showProjectSelector]="true"></lfx-sidebar>
   </div>
 
   <!-- Sidebar - Mobile Overlay -->
@@ -23,7 +23,7 @@ <h2 class="text-lg font-semibold text-gray-900">Menu</h2>
           </button>
         </div>
         <div class="overflow-y-auto h-[calc(100vh-4rem)]">
-          <lfx-sidebar [items]="sidebarItems" [footerItems]="sidebarFooterItems" [showProjectSelector]="true"></lfx-sidebar>
+          <lfx-sidebar [items]="sidebarItems()" [footerItems]="sidebarFooterItems" [showProjectSelector]="true"></lfx-sidebar>
         </div>
       </div>
     </div>