ci(repo): add e2e-staging workflow for clerk_go deploy validation #8051
jacekradko merged 8 commits into main from
Conversation
🦋 Changeset detected. Latest commit: 301e259. The changes in this PR will be included in the next version bump. This PR includes changesets to release 0 packages.
Caution: Review failed. Pull request was closed or merged during review.
📝 Walkthrough
Adds a new GitHub Actions workflow at
🚥 Pre-merge checks | ✅ Passed checks (3 passed)
@clerk/agent-toolkit
@clerk/astro
@clerk/backend
@clerk/chrome-extension
@clerk/clerk-js
@clerk/dev-cli
@clerk/expo
@clerk/expo-passkeys
@clerk/express
@clerk/fastify
@clerk/hono
@clerk/localizations
@clerk/nextjs
@clerk/nuxt
@clerk/react
@clerk/react-router
@clerk/shared
@clerk/tanstack-react-start
@clerk/testing
@clerk/ui
@clerk/upgrade
@clerk/vue
commit:
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/e2e-staging.yml:
- Around line 49-61: Duplicate shell normalization logic in the "Normalize inputs" step (id: inputs) — which sets ref, clerk-go-commit-sha and notify-slack via $GITHUB_OUTPUT — should be centralized: extract that logic into a single reusable unit (either a tiny composite action or a dedicated preparatory job that emits outputs) and replace both copies with calls to that unit; ensure the composite/job writes the same outputs (ref, clerk-go-commit-sha, notify-slack) to $GITHUB_OUTPUT and update callers to read the outputs instead of duplicating the shell branch.
- Around line 121-123: Remove the console.log that prints the secret by eliminating the console.log('rootCa', rootCa) call and keep writing the INTEGRATION_ROOT_CA to disk via fs.writeFileSync(path.join(process.env.GITHUB_WORKSPACE, 'integration/certs', 'rootCA.pem'), rootCa); also add a simple guard to avoid writing undefined (check process.env.INTEGRATION_ROOT_CA or rootCa and throw or fail the job with a clear non-secret error) so the secret is never emitted to logs while still creating the file.
- Around line 23-25: The workflow currently passes a caller-controlled ref into actions/checkout while granting actions: write and exposing TURBO_REMOTE_CACHE_SIGNATURE_KEY and TURBO_TOKEN, which lets a malicious ref run local actions with staging creds; fix this by restricting the ref input to a safe allowlist of known branches before checkout (validate github.event.inputs.ref against a whitelist and only call actions/checkout when it matches) and remove/limit the broad actions: write permission (or scope it down) so the checkout cannot run unreviewed code with write-scoped GITHUB_TOKEN; references to update: the actions/checkout usage, the ref input validation, and the permissions block and the secrets TURBO_REMOTE_CACHE_SIGNATURE_KEY/TURBO_TOKEN.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Organization UI (inherited)
Review profile: ASSERTIVE
Plan: Pro
Run ID: c042fe0d-9761-4e5b-accc-9f695e61b9d0
📒 Files selected for processing (1)
.github/workflows/e2e-staging.yml
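The second finding in the review above (the `console.log('rootCa', rootCa)` call beside the `fs.writeFileSync` of `INTEGRATION_ROOT_CA`) asks for two things: never emit the secret to the log, and fail with a clear non-secret error instead of writing `undefined`. The following is an added example, not the PR's own step and not code from the Clerk project; it swaps the github-script block for a plain `run:` step and assumes the secret is mapped into the step environment as `INTEGRATION_ROOT_CA`, keeping the PR's destination path `integration/certs/rootCA.pem` under `GITHUB_WORKSPACE`.

```shell
#!/usr/bin/env sh
# Added example, not the PR's own step: a run: step replacement for the
# github-script block that wrote INTEGRATION_ROOT_CA to disk. Assumes the secret
# is mapped into the step's environment as INTEGRATION_ROOT_CA and keeps the PR's
# destination, integration/certs/rootCA.pem under GITHUB_WORKSPACE.
set -eu

# write_root_ca DEST_DIR
# Returns 0 after writing DEST_DIR/rootCA.pem; returns 1 with an ::error::
# annotation that names the variable but never prints its value.
write_root_ca() {
  dest_dir="$1"
  root_ca="${INTEGRATION_ROOT_CA:-}"

  if [ -z "$root_ca" ]; then
    echo "::error::INTEGRATION_ROOT_CA is empty; refusing to write rootCA.pem"
    return 1
  fi
  # A cheap shape check catches a wrong or truncated secret without logging it.
  case "$root_ca" in
    *"-----BEGIN CERTIFICATE-----"*"-----END CERTIFICATE-----"*) ;;
    *)
      echo "::error::INTEGRATION_ROOT_CA does not look like a PEM certificate"
      return 1
      ;;
  esac

  mkdir -p "$dest_dir"
  # umask 077 makes the file owner-only; printf avoids echo's escape handling.
  ( umask 077; printf '%s\n' "$root_ca" > "$dest_dir/rootCA.pem" )
  # Log the size, never the content.
  echo "wrote $dest_dir/rootCA.pem ($(wc -c < "$dest_dir/rootCA.pem") bytes)"
}

# In the workflow step both variables are set by Actions; stand-alone runs
# without them simply define the function and do nothing.
if [ -n "${INTEGRATION_ROOT_CA:-}" ] && [ -n "${GITHUB_WORKSPACE:-}" ]; then
  write_root_ca "$GITHUB_WORKSPACE/integration/certs"
fi
```

In the workflow this becomes a `run:` step with `env: INTEGRATION_ROOT_CA: ${{ secrets.INTEGRATION_ROOT_CA }}`; the secret is read only through the environment, so nothing in the script text or the job log ever contains it, and a missing or malformed secret stops the job before any test runs against a wrong trust root.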
| - name: Normalize inputs | ||
| id: inputs | ||
| run: | | ||
| if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then | ||
| echo "ref=${{ github.event.inputs.ref || 'main' }}" >> $GITHUB_OUTPUT | ||
| echo "clerk-go-commit-sha=${{ github.event.inputs.clerk-go-commit-sha }}" >> $GITHUB_OUTPUT | ||
| echo "notify-slack=${{ github.event.inputs.notify-slack }}" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "ref=${{ github.event.client_payload.ref || 'main' }}" >> $GITHUB_OUTPUT | ||
| echo "clerk-go-commit-sha=${{ github.event.client_payload.clerk-go-commit-sha || '' }}" >> $GITHUB_OUTPUT | ||
| NOTIFY_SLACK="${{ github.event.client_payload.notify-slack }}" | ||
| echo "notify-slack=${NOTIFY_SLACK:-true}" >> $GITHUB_OUTPUT | ||
| fi |
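Review bot: the `run:` script expands `${{ github.event.inputs.ref }}` and `${{ github.event.client_payload.ref }}` (and the other fields) into the script text before bash sees it, so at that point these caller-supplied values are script, not data; pass each field in through the step's `env:` (for example `INPUT_REF: ${{ github.event.inputs.ref }}`), reference `"$INPUT_REF"` inside the script, and quote `>> "$GITHUB_OUTPUT"`. The `notify-slack` default is also asymmetric between the two branches: the `workflow_dispatch` branch writes the raw input with no fallback while the `client_payload` branch falls back to `true`.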
🧹 Nitpick | 🔵 Trivial
Deduplicate the input normalization block.
The same shell branch appears in both jobs. Any future payload/input change now has two drift points; consider emitting these values once as job outputs or moving the logic into a tiny composite action.
Also applies to: 161-173
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/e2e-staging.yml around lines 49 - 61, Duplicate shell normalization logic in the "Normalize inputs" step (id: inputs) — which sets ref, clerk-go-commit-sha and notify-slack via $GITHUB_OUTPUT — should be centralized: extract that logic into a single reusable unit (either a tiny composite action or a dedicated preparatory job that emits outputs) and replace both copies with calls to that unit; ensure the composite/job writes the same outputs (ref, clerk-go-commit-sha, notify-slack) to $GITHUB_OUTPUT and update callers to read the outputs instead of duplicating the shell branch.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/e2e-staging.yml:
- Around line 57-70: In the "Normalize inputs" step validate the sdk-source value from both workflow_dispatch and repository_dispatch paths before echoing it to $GITHUB_OUTPUT: read the candidate into a local variable (e.g., SDK_SOURCE) from github.event.inputs.sdk-source or github.event.client_payload.sdk-source, then if SDK_SOURCE is not empty and not equal to "latest" or "ref" print an error and exit non-zero (rejecting the run); otherwise echo "sdk-source=${SDK_SOURCE:-latest}" to $GITHUB_OUTPUT — apply this logic in the existing branches so invalid payloads are rejected before writing sdk-source.
- Around line 51-53: The artifact name fails because the matrix key test-name contains colons (values "sessions:staging" and "handshake:staging") which are interpolated into the artifact name used by actions/upload-artifact@v4; update the matrix to include a separate slug-safe field (e.g., test-slug) or transform matrix.test-name to a slug (replace ":" with "-" or remove illegal chars) and use that slug for the artifact name, while keeping matrix.test-name for human-readable display; locate usages of matrix.test-name in the workflow (the artifact upload step) and switch them to the new slug field (or the sanitized value) so the artifact name contains no colons.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Organization UI (inherited)
Review profile: ASSERTIVE
Plan: Pro
Run ID: 7ddc83f9-6aa6-484f-b578-4f13ffddf5d2
📒 Files selected for processing (2)
.changeset/floppy-rabbits-tease.md
.github/workflows/e2e-staging.yml
♻️ Duplicate comments (3)
.github/workflows/e2e-staging.yml (3)
31-33: ⚠️ Potential issue | 🟠 Major
Drop the unused `actions: write` scope.
None of the live steps appear to write to the Actions API, so this staging workflow is granting a write-scoped `GITHUB_TOKEN` without a current need. The commented `clerk_go` callback uses `CLERK_COOKIE_PAT`, not this token.
🔐 Tighten the default token scope
permissions: contents: read - actions: write🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/e2e-staging.yml around lines 31 - 33, The workflow permissions block grants an unnecessary write-scoped GITHUB_TOKEN via the "actions: write" entry; remove the "actions: write" line (leaving "contents: read") so the default token is least-privilege, and verify no job references require Actions write access (ensure callbacks like the commented clerk_go use CLERK_COOKIE_PAT instead of GITHUB_TOKEN).
51-54: ⚠️ Potential issue | 🟠 Major
Use a slug-safe artifact name.
`matrix.test-name` contains `sessions:staging`/`handshake:staging`, and `actions/upload-artifact@v4` rejects `:` in `with.name`. The trace upload will fail exactly when you need it most.
📦 Keep the human-readable test name separate from the artifact slug
strategy: fail-fast: false matrix: - test-name: - - "sessions:staging" - - "handshake:staging" - test-project: ["chrome"] + include: + - test-name: "sessions:staging" + artifact-name: "sessions-staging" + test-project: "chrome" + - test-name: "handshake:staging" + artifact-name: "handshake-staging" + test-project: "chrome" @@ - name: Upload test-results if: ${{ cancelled() || failure() }} uses: actions/upload-artifact@v4 with: - name: playwright-traces-${{ github.run_id }}-${{ github.run_attempt }}-${{ matrix.test-name }} + name: playwright-traces-${{ github.run_id }}-${{ github.run_attempt }}-${{ matrix.artifact-name }} path: integration/test-results retention-days: 1Also applies to: 197-201
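Review bot: the `include:` rewrite drops the top-level `test-name`/`test-project` keys, so every new staging instance now needs a full three-field entry with a hand-written `artifact-name`; add a comment beside the matrix stating that `artifact-name` must stay free of `:` because it feeds `with.name` in the upload step, or derive the slug in a step (for example with `tr ':' '-'`) so the two fields cannot drift apart as the matrix grows.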
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/e2e-staging.yml around lines 51 - 54, matrix.test-name contains colons (e.g., "sessions:staging", "handshake:staging") which are rejected by actions/upload-artifact@v4; fix by adding a slug-safe artifact name (either a new matrix variable like test-slug or sanitize matrix.test-name) and use that sanitized value in the upload step's with.name. Locate references to matrix.test-name in the workflow (the matrix declaration entries "sessions:staging"/"handshake:staging" and the upload-artifact step that uses with.name), replace or map them to a version with forbidden characters replaced (e.g., replace ":" with "-" or use github.actions/hash/format) and ensure the same change is applied where the trace upload occurs (also update the other matrix block referenced).
57-80: ⚠️ Potential issue | 🟠 Major
Reject unexpected `sdk-source` values before exporting them.
`workflow_dispatch` constrains this input, but `repository_dispatch` does not. Any non-empty value other than `latest` or `ref` skips both source-selection branches and turns into a later, harder-to-diagnose failure.
🧪 Validate once before writing `sdk-source`
run: | if [ "$EVENT_NAME" = "workflow_dispatch" ]; then + SDK_SOURCE="${INPUT_SDK_SOURCE:-latest}" echo "ref=${INPUT_REF:-main}" >> $GITHUB_OUTPUT echo "clerk-go-commit-sha=$INPUT_COMMIT_SHA" >> $GITHUB_OUTPUT echo "notify-slack=$INPUT_NOTIFY_SLACK" >> $GITHUB_OUTPUT - echo "sdk-source=${INPUT_SDK_SOURCE:-latest}" >> $GITHUB_OUTPUT else + SDK_SOURCE="${PAYLOAD_SDK_SOURCE:-latest}" echo "ref=${PAYLOAD_REF:-main}" >> $GITHUB_OUTPUT echo "clerk-go-commit-sha=${PAYLOAD_COMMIT_SHA:-}" >> $GITHUB_OUTPUT echo "notify-slack=${PAYLOAD_NOTIFY_SLACK:-true}" >> $GITHUB_OUTPUT - echo "sdk-source=${PAYLOAD_SDK_SOURCE:-latest}" >> $GITHUB_OUTPUT fi + + case "$SDK_SOURCE" in + latest|ref) ;; + *) + echo "::error::Unsupported sdk-source '$SDK_SOURCE'. Expected 'latest' or 'ref'." + exit 1 + ;; + esac + + echo "sdk-source=$SDK_SOURCE" >> "$GITHUB_OUTPUT"Also applies to: 215-238
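Review bot: the added `echo "sdk-source=$SDK_SOURCE" >> "$GITHUB_OUTPUT"` quotes `$GITHUB_OUTPUT` while the surviving `echo ... >> $GITHUB_OUTPUT` lines in the same step do not; make the quoting consistent, and give `notify-slack` the same `case` treatment, since it is exported here with only a `true` fallback and no check that the value is actually `true` or `false` before a later `if:` consumes it.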
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/e2e-staging.yml around lines 57 - 80, In the "Normalize inputs" step, validate INPUT_SDK_SOURCE and PAYLOAD_SDK_SOURCE before echoing "sdk-source": ensure the selected value is empty or one of the allowed values ("latest" or "ref"); if it is any other non-empty string, print a clear error and exit non-zero to fail the job instead of exporting an unexpected value. Update the branch handling that writes "sdk-source=${INPUT_SDK_SOURCE:-latest}" and "sdk-source=${PAYLOAD_SDK_SOURCE:-latest}" to perform this validation first (using the INPUT_SDK_SOURCE / PAYLOAD_SDK_SOURCE variables) and apply the same validation logic to the other identical block referenced (lines 215-238) so both places reject invalid sdk-source values consistently.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Duplicate comments:
In @.github/workflows/e2e-staging.yml:
- Around line 31-33: The workflow permissions block grants an unnecessary write-scoped GITHUB_TOKEN via the "actions: write" entry; remove the "actions: write" line (leaving "contents: read") so the default token is least-privilege, and verify no job references require Actions write access (ensure callbacks like the commented clerk_go use CLERK_COOKIE_PAT instead of GITHUB_TOKEN).
- Around line 51-54: matrix.test-name contains colons (e.g., "sessions:staging", "handshake:staging") which are rejected by actions/upload-artifact@v4; fix by adding a slug-safe artifact name (either a new matrix variable like test-slug or sanitize matrix.test-name) and use that sanitized value in the upload step's with.name. Locate references to matrix.test-name in the workflow (the matrix declaration entries "sessions:staging"/"handshake:staging" and the upload-artifact step that uses with.name), replace or map them to a version with forbidden characters replaced (e.g., replace ":" with "-" or use github.actions/hash/format) and ensure the same change is applied where the trace upload occurs (also update the other matrix block referenced).
- Around line 57-80: In the "Normalize inputs" step, validate INPUT_SDK_SOURCE and PAYLOAD_SDK_SOURCE before echoing "sdk-source": ensure the selected value is empty or one of the allowed values ("latest" or "ref"); if it is any other non-empty string, print a clear error and exit non-zero to fail the job instead of exporting an unexpected value. Update the branch handling that writes "sdk-source=${INPUT_SDK_SOURCE:-latest}" and "sdk-source=${PAYLOAD_SDK_SOURCE:-latest}" to perform this validation first (using the INPUT_SDK_SOURCE / PAYLOAD_SDK_SOURCE variables) and apply the same validation logic to the other identical block referenced (lines 215-238) so both places reject invalid sdk-source values consistently.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Organization UI (inherited)
Review profile: ASSERTIVE
Plan: Pro
Run ID: 73b127eb-649f-4ef3-86e1-8f27e2cf389e
📒 Files selected for processing (1)
.github/workflows/e2e-staging.yml
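Three of the review findings on this PR converge on one point: the "Normalize inputs" step is duplicated across jobs (first review), it lets a caller-controlled ref reach `actions/checkout` with a write-scoped token (first review), and it exports `sdk-source` without checking it (second and third reviews). The following is an added example, not the PR's own step and not CodeRabbit's suggested diff: one POSIX-sh `normalize_inputs` function that both jobs could call. It assumes the step's `env:` block maps the event fields to `EVENT_NAME`, `INPUT_REF`, `INPUT_COMMIT_SHA`, `INPUT_NOTIFY_SLACK`, `INPUT_SDK_SOURCE` (workflow_dispatch) and `PAYLOAD_REF`, `PAYLOAD_COMMIT_SHA`, `PAYLOAD_NOTIFY_SLACK`, `PAYLOAD_SDK_SOURCE` (repository_dispatch), the names the third review's diff uses. It goes beyond the comments by also checking the shape of the commit SHA and of `notify-slack`; the allowlist containing only `main` is an assumption.

```shell
#!/usr/bin/env sh
# Added example, not the PR's own step: a single normalize_inputs function that
# both jobs can call instead of carrying two copies of the shell branch.
# Assumptions: the step's env: block maps the event fields to EVENT_NAME,
# INPUT_* (workflow_dispatch) and PAYLOAD_* (repository_dispatch) variables;
# the ref allowlist and the SHA/notify-slack shape checks are this example's own.
set -eu

# Refs the staging workflow may check out (assumption: only main).
ALLOWED_REFS="main"

# normalize_inputs: validates the event fields and appends ref=,
# clerk-go-commit-sha=, notify-slack= and sdk-source= to the file named by
# GITHUB_OUTPUT. Returns 0 on success and 1 (after an ::error:: annotation that
# contains no secrets) when any value is outside the allowed set.
normalize_inputs() {
  if [ "${EVENT_NAME:-}" = "workflow_dispatch" ]; then
    ref="${INPUT_REF:-main}"
    commit_sha="${INPUT_COMMIT_SHA:-}"
    notify_slack="${INPUT_NOTIFY_SLACK:-true}"
    sdk_source="${INPUT_SDK_SOURCE:-latest}"
  else
    ref="${PAYLOAD_REF:-main}"
    commit_sha="${PAYLOAD_COMMIT_SHA:-}"
    notify_slack="${PAYLOAD_NOTIFY_SLACK:-true}"
    sdk_source="${PAYLOAD_SDK_SOURCE:-latest}"
  fi

  # 1. Only allowlisted refs reach actions/checkout, so the job never runs
  #    unreviewed workflow-local actions with staging credentials.
  allowed=1
  for candidate in $ALLOWED_REFS; do
    if [ "$ref" = "$candidate" ]; then allowed=0; fi
  done
  if [ "$allowed" -ne 0 ]; then
    echo "::error::ref '$ref' is not in the allowlist ($ALLOWED_REFS)"
    return 1
  fi

  # 2. The commit SHA is optional, but when present it must be plain hex.
  case "$commit_sha" in
    "") ;;
    *[!0-9a-f]*)
      echo "::error::clerk-go-commit-sha must be lowercase hex"
      return 1
      ;;
  esac

  # 3. sdk-source selects one of two build paths; anything else is rejected
  #    here rather than silently skipping both paths later in the job.
  case "$sdk_source" in
    latest|ref) ;;
    *)
      echo "::error::Unsupported sdk-source '$sdk_source'. Expected 'latest' or 'ref'."
      return 1
      ;;
  esac

  # 4. notify-slack is consumed as a boolean by a later if:.
  case "$notify_slack" in
    true|false) ;;
    *)
      echo "::error::notify-slack must be 'true' or 'false'"
      return 1
      ;;
  esac

  # Everything has been validated; write the outputs in one go.
  {
    echo "ref=$ref"
    echo "clerk-go-commit-sha=$commit_sha"
    echo "notify-slack=$notify_slack"
    echo "sdk-source=$sdk_source"
  } >> "${GITHUB_OUTPUT:?GITHUB_OUTPUT must be set}"
}
```

Called as `normalize_inputs` from a `run:` step whose `env:` block supplies the variables, this fails the job before any checkout when the ref, SHA, `sdk-source` or `notify-slack` value is unexpected; placed in a composite action or a preparatory job, it is also the single copy the first review asked for.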
Summary
- New workflow (`e2e-staging.yml`) that runs JS SDK e2e tests against the staging environment
- `repository_dispatch` (for clerk_go staging deploy automation) and `workflow_dispatch` (for manual runs/debugging)
- Inputs: ref (default `main`), clerk_go commit SHA for traceability, and Slack failure notifications
- `latest` (default) uses published `@latest` from npm for production-like testing; `ref` builds from the checked-out branch for SDK change validation
- `sessions:staging` and `handshake:staging` test matrix — designed to be easily expanded as more staging instances are provisioned
- `slackapi/slack-github-action` with Block Kit payload (matches "ci(repo): add Slack failure notifications to release workflow #8023" pattern)
Test plan
- `workflow_dispatch` from GitHub Actions UI with default inputs (sdk-source: latest)
- `sdk-source: ref` and verify it builds from the branch
- `workflow_dispatch` with a non-main ref