cli/.github/workflows/ci.yml at main · clerk/cli · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
name: CI

on:
  pull_request:
    branches: [main]
  workflow_call:
    inputs:
      ref:
        type: string
        default: ""
        description: Git ref to checkout. Leave empty for default checkout behavior.
      run-e2e:
        type: boolean
        default: true
        description: Whether to run E2E tests

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

permissions:
  contents: read

jobs:
  build:
    name: Build
    runs-on: blacksmith-2vcpu-ubuntu-2404
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v6
        with:
          ref: ${{ inputs.ref }}
      - uses: oven-sh/setup-bun@v2
      # Skip cache restore when invoked via workflow_call from release.yml's
      # snapshot path (issue_comment trigger). That path checks out
      # PR-author-controlled code in the default branch's privileged context;
      # consuming a cached install in that context is a poisoning surface.
      - if: github.event_name != 'issue_comment'
        uses: actions/cache/restore@v5
        with:
          path: ~/.bun/install/cache
          key: bun-${{ runner.os }}-${{ hashFiles('bun.lock') }}
          restore-keys: bun-${{ runner.os }}-
      - run: bun install --frozen-lockfile
      - run: bun run build

  lint:
    name: Lint
    needs: [build]
    runs-on: blacksmith-2vcpu-ubuntu-2404
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v6
        with:
          ref: ${{ inputs.ref }}
      - uses: oven-sh/setup-bun@v2
      - if: github.event_name != 'issue_comment'
        uses: actions/cache/restore@v5
        with:
          path: ~/.bun/install/cache
          key: bun-${{ runner.os }}-${{ hashFiles('bun.lock') }}
          restore-keys: bun-${{ runner.os }}-
      - run: bun install --frozen-lockfile
      - run: bun run format:check
      - run: bun run lint
      - run: bun run typecheck

  test:
    name: Test
    needs: [build]
    runs-on: blacksmith-2vcpu-ubuntu-2404
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v6
        with:
          ref: ${{ inputs.ref }}
      - uses: oven-sh/setup-bun@v2
      - if: github.event_name != 'issue_comment'
        uses: actions/cache/restore@v5
        with:
          path: ~/.bun/install/cache
          key: bun-${{ runner.os }}-${{ hashFiles('bun.lock') }}
          restore-keys: bun-${{ runner.os }}-
      - run: bun install --frozen-lockfile
      - run: bun run check:patches
      - run: bun run test

  test-e2e:
    name: E2E Test
    needs: [build]
    # For workflow_call: respect the run-e2e input.
    # For pull_request: skip fork PRs (no access to secrets) and Dependabot PRs
    # (cannot access Actions secrets, so CLERK_CLI_TEST_APP_ID would be empty).
    if: >-
      (github.event_name == 'pull_request' &&
       github.event.pull_request.head.repo.full_name == github.repository &&
       github.actor != 'dependabot[bot]') ||
      (github.event_name != 'pull_request' && inputs.run-e2e)
    runs-on: blacksmith-8vcpu-ubuntu-2404
    container:
      image: mcr.microsoft.com/playwright:v1.59.1-noble
    timeout-minutes: 30
    steps:
      - name: Install unzip (required by setup-bun)
        run: apt-get update && apt-get install -y unzip
      - name: Pin localhost to IPv4 in /etc/hosts
        # The playwright image resolves `localhost` to `::1` first, which
        # breaks Next.js dev: Next's internal proxy connects to `localhost`
        # regardless of the -H flag, so if localhost is IPv6-only the
        # proxy gets ECONNRESET. Drop the `::1 localhost` entry so every
        # consumer (Next dev proxy, Bun fetch, Chromium) reaches 127.0.0.1.
        run: |
          grep -v '::1.*localhost' /etc/hosts > /tmp/hosts.new
          cat /tmp/hosts.new > /etc/hosts
      - uses: actions/checkout@v6
        with:
          ref: ${{ inputs.ref }}
      - uses: actions/setup-node@v6
        with:
          node-version: 22
      - name: Mark workspace as safe for git
        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
      - uses: oven-sh/setup-bun@v2
      - if: github.event_name != 'issue_comment'
        uses: actions/cache/restore@v5
        with:
          path: ~/.bun/install/cache
          key: bun-${{ runner.os }}-${{ hashFiles('bun.lock') }}
          restore-keys: bun-${{ runner.os }}-
      - run: bun install --frozen-lockfile

      - name: Cleanup stale test users
        run: bun scripts/cleanup-test-users.ts
        env:
          CLERK_CLI_TEST_APP_ID: ${{ secrets.CLERK_CLI_TEST_APP_ID }}
          CLERK_PLATFORM_API_KEY: ${{ secrets.CLERK_PLATFORM_API_KEY }}

      - name: Run E2E tests
        run: bun run test:e2e
        env:
          CLERK_CLI_TEST_APP_ID: ${{ secrets.CLERK_CLI_TEST_APP_ID }}
          CLERK_PLATFORM_API_KEY: ${{ secrets.CLERK_PLATFORM_API_KEY }}
          CLERK_E2E_DEBUG: "1"