Validate ANTHROPIC_API_KEY early to fail fast on missing secrets

Previously the API key check happened deep in runPipeline(), after config
loading, diff parsing, trigger evaluation, and even app startup. Users
had to wait through all that work before seeing the error.

- Extract checkApiKey() utility with clear fail/warn/ok semantics
- main action (index.ts): fail immediately after GITHUB_TOKEN check
- check-trigger (check.ts): fail if should-run=true, warn if false
- Keep existing check in pipeline.ts as safety net for CLI/direct usage
- Add unit tests for all three checkApiKey() scenarios

https://claude.ai/code/session_01Ch9jV1EASRYQZRbLwX5ofz

Author: claude

packages/action/dist/check.js

@@ -19706,11 +19706,11 @@ Support boolean input list: \`true | True | TRUE | false | False | FALSE\``);
       (0, command_1.issue)("echo", enabled ? "on" : "off");
     }
     exports2.setCommandEcho = setCommandEcho;
-    function setFailed(message) {
+    function setFailed2(message) {
       process.exitCode = ExitCode.Failure;
       error(message);
     }
-    exports2.setFailed = setFailed;
+    exports2.setFailed = setFailed2;
     function isDebug() {
       return process.env["RUNNER_DEBUG"] === "1";
     }
@@ -53620,6 +53620,22 @@ function evaluateTrigger(opts) {
   };
 }
 
+// src/api-key-check.ts
+var REMEDIATION = "Add it to your workflow: env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}";
+function checkApiKey(apiKey, shouldRun) {
+  if (apiKey) return { action: "ok" };
+  if (shouldRun) {
+    return {
+      action: "fail",
+      message: `ANTHROPIC_API_KEY is required but not set. ${REMEDIATION}`
+    };
+  }
+  return {
+    action: "warn",
+    message: `ANTHROPIC_API_KEY is not set. The pipeline will fail if it runs. ${REMEDIATION}`
+  };
+}
+
 // src/check.ts
 function streamCommand(cmd, args) {
   return new Promise((resolve2, reject) => {
@@ -53722,6 +53738,14 @@ async function check() {
     command
   });
   core.info(`Trigger decision: ${decision.shouldRun ? "RUN" : "SKIP"} \u2014 ${decision.reason}`);
+  const apiKeyCheck = checkApiKey(process.env["ANTHROPIC_API_KEY"], decision.shouldRun);
+  if (apiKeyCheck.action === "fail") {
+    core.setFailed(apiKeyCheck.message);
+    return;
+  }
+  if (apiKeyCheck.action === "warn") {
+    core.warning(apiKeyCheck.message);
+  }
   core.setOutput("should-run", String(decision.shouldRun));
 }
 check().catch((err) => {

packages/action/dist/check.js.map

@@ -70269,6 +70269,47 @@ function evaluateTrigger(opts) {
   };
 }
 
+// src/resolve-base-url.ts
+function resolveBaseUrl(config, previewUrlOverride) {
+  const previewUrl = previewUrlOverride ?? config.app.previewUrl;
+  if (previewUrl) {
+    const resolved = process.env[previewUrl];
+    if (resolved === void 0) {
+      if (previewUrl.startsWith("http")) return { url: previewUrl };
+      return {
+        error: `app.previewUrl is set to "${previewUrl}" but it doesn't look like a URL and no env var with that name was found. Set it to a full URL (e.g. "https://my-preview.vercel.app") or an env var name that is available in this workflow job.`
+      };
+    }
+    if (!resolved.startsWith("http")) {
+      return {
+        error: `Env var "${previewUrl}" was found but its value "${resolved}" is not a valid URL. Expected a value starting with "http".`
+      };
+    }
+    return { url: resolved };
+  }
+  if (config.app.readyWhen?.url) {
+    const u2 = new URL(config.app.readyWhen.url);
+    return { url: u2.origin };
+  }
+  return { url: "http://localhost:3000" };
+}
+
+// src/api-key-check.ts
+var REMEDIATION = "Add it to your workflow: env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}";
+function checkApiKey(apiKey, shouldRun) {
+  if (apiKey) return { action: "ok" };
+  if (shouldRun) {
+    return {
+      action: "fail",
+      message: `ANTHROPIC_API_KEY is required but not set. ${REMEDIATION}`
+    };
+  }
+  return {
+    action: "warn",
+    message: `ANTHROPIC_API_KEY is not set. The pipeline will fail if it runs. ${REMEDIATION}`
+  };
+}
+
 // src/index.ts
 function streamCommand(cmd, args) {
   return new Promise((resolve2, reject) => {
@@ -70290,6 +70331,11 @@ async function run() {
     core.setFailed("GITHUB_TOKEN is required");
     return;
   }
+  const apiKeyCheck = checkApiKey(process.env["ANTHROPIC_API_KEY"], true);
+  if (apiKeyCheck.action === "fail") {
+    core.setFailed(apiKeyCheck.message);
+    return;
+  }
   const eventName = context2.eventName;
   if (eventName !== "pull_request" && eventName !== "issue_comment") {
     core.info(`git-glimpse does not handle '${eventName}' events. Skipping.`);
@@ -70385,13 +70431,12 @@ async function run() {
     core.setOutput("success", "false");
     return;
   }
-  const baseUrl = resolveBaseUrl(config, previewUrlInput);
-  if (!baseUrl) {
-    core.setFailed(
-      "No base URL available. Set app.previewUrl or app.startCommand + app.readyWhen in config."
-    );
+  const baseUrlResult = resolveBaseUrl(config, previewUrlInput);
+  if (!baseUrlResult.url) {
+    core.setFailed(baseUrlResult.error);
     return;
   }
+  const baseUrl = baseUrlResult.url;
   if (config.setup) {
     core.info(`Running setup: ${config.setup}`);
     const parts = config.setup.split(" ");
@@ -70447,18 +70492,6 @@ ${result.errors.join("\n")}`);
     appProcess?.kill();
   }
 }
-function resolveBaseUrl(config, previewUrlOverride) {
-  const previewUrl = previewUrlOverride ?? config.app.previewUrl;
-  if (previewUrl) {
-    const resolved = process.env[previewUrl] ?? previewUrl;
-    return resolved.startsWith("http") ? resolved : null;
-  }
-  if (config.app.readyWhen?.url) {
-    const u2 = new URL(config.app.readyWhen.url);
-    return u2.origin;
-  }
-  return "http://localhost:3000";
-}
 async function startApp(startCommand, readyUrl) {
   const parts = startCommand.split(" ");
   core.info(`Starting app: ${startCommand}`);

packages/action/dist/index.js

@@ -0,0 +1,33 @@
+const REMEDIATION = 'Add it to your workflow: env: ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}';
+
+export type ApiKeyCheckResult =
+  | { action: 'ok' }
+  | { action: 'fail'; message: string }
+  | { action: 'warn'; message: string };
+
+/**
+ * Checks whether ANTHROPIC_API_KEY is present and returns what the caller
+ * should do.
+ *
+ * @param shouldRun - whether the pipeline is about to run
+ *   - true  → missing key is a hard failure (fail fast before expensive work)
+ *   - false → missing key is a warning only (pipeline won't run this time)
+ */
+export function checkApiKey(
+  apiKey: string | undefined,
+  shouldRun: boolean
+): ApiKeyCheckResult {
+  if (apiKey) return { action: 'ok' };
+
+  if (shouldRun) {
+    return {
+      action: 'fail',
+      message: `ANTHROPIC_API_KEY is required but not set. ${REMEDIATION}`,
+    };
+  }
+
+  return {
+    action: 'warn',
+    message: `ANTHROPIC_API_KEY is not set. The pipeline will fail if it runs. ${REMEDIATION}`,
+  };
+}

packages/action/dist/index.js.map

@@ -17,6 +17,7 @@ import {
   parseGlimpseCommand,
   DEFAULT_TRIGGER,
 } from '@git-glimpse/core';
+import { checkApiKey } from './api-key-check.js';
 
 function streamCommand(cmd: string, args: string[]): Promise<string> {
   return new Promise((resolve, reject) => {
@@ -138,6 +139,16 @@ async function check(): Promise<void> {
   });
 
   core.info(`Trigger decision: ${decision.shouldRun ? 'RUN' : 'SKIP'} — ${decision.reason}`);
+
+  const apiKeyCheck = checkApiKey(process.env['ANTHROPIC_API_KEY'], decision.shouldRun);
+  if (apiKeyCheck.action === 'fail') {
+    core.setFailed(apiKeyCheck.message);
+    return;
+  }
+  if (apiKeyCheck.action === 'warn') {
+    core.warning(apiKeyCheck.message);
+  }
+
   core.setOutput('should-run', String(decision.shouldRun));
 }
 

packages/action/src/api-key-check.ts

@@ -14,6 +14,7 @@ import {
   type GitGlimpseConfig,
 } from '@git-glimpse/core';
 import { resolveBaseUrl } from './resolve-base-url.js';
+import { checkApiKey } from './api-key-check.js';
 
 function streamCommand(cmd: string, args: string[]): Promise<string> {
   return new Promise((resolve, reject) => {
@@ -38,6 +39,12 @@ async function run(): Promise<void> {
     return;
   }
 
+  const apiKeyCheck = checkApiKey(process.env['ANTHROPIC_API_KEY'], true);
+  if (apiKeyCheck.action === 'fail') {
+    core.setFailed(apiKeyCheck.message);
+    return;
+  }
+
   const eventName = context.eventName;
   if (eventName !== 'pull_request' && eventName !== 'issue_comment') {
     core.info(`git-glimpse does not handle '${eventName}' events. Skipping.`);

packages/action/src/check.ts

@@ -0,0 +1,22 @@
+import { describe, it, expect } from 'vitest';
+import { checkApiKey } from '../../packages/action/src/api-key-check.js';
+
+describe('checkApiKey', () => {
+  it('returns ok when key is present', () => {
+    expect(checkApiKey('sk-ant-123', true)).toEqual({ action: 'ok' });
+    expect(checkApiKey('sk-ant-123', false)).toEqual({ action: 'ok' });
+  });
+
+  it('returns fail when key is missing and pipeline will run', () => {
+    const result = checkApiKey(undefined, true);
+    expect(result.action).toBe('fail');
+    expect((result as { action: 'fail'; message: string }).message).toMatch(/ANTHROPIC_API_KEY/);
+    expect((result as { action: 'fail'; message: string }).message).toMatch(/secrets\.ANTHROPIC_API_KEY/);
+  });
+
+  it('returns warn when key is missing but pipeline will not run', () => {
+    const result = checkApiKey(undefined, false);
+    expect(result.action).toBe('warn');
+    expect((result as { action: 'warn'; message: string }).message).toMatch(/ANTHROPIC_API_KEY/);
+  });
+});