ci(e2e): use INTEGRATION_STAGING_INSTANCE_KEYS for mobile-e2e workflow (#8498)

chriscanin · web-flow · commit 888a68c378e7 · 2026-05-07T12:37:01.000-07:00
diff --git a/.github/workflows/mobile-e2e.yml b/.github/workflows/mobile-e2e.yml
@@ -3,10 +3,10 @@
 # and runs Maestro flows on iOS simulator and Android emulator.
 #
 # Secrets:
-#   INTEGRATION_INSTANCE_KEYS — JSON map of named test instances
+#   INTEGRATION_STAGING_INSTANCE_KEYS — JSON map of named staging test instances
 #     ({ "<name>": { "pk": "pk_test_...", "sk": "sk_test_..." } }).
-#     Same secret used by /integration (Playwright). We read the entry named
-#     EXPO_INSTANCE_NAME (set in env: below).
+#     Same secret used by /integration (Playwright) staging jobs. We read the
+#     entry named EXPO_INSTANCE_NAME (set in env: below).
 #
 # Test users are provisioned per-run via Clerk Backend API and deleted at
 # teardown — same pattern as /integration's createBapiUser.
@@ -69,20 +69,8 @@ jobs:
       - name: Resolve Clerk instance keys
         id: keys
         env:
-          INTEGRATION_INSTANCE_KEYS: ${{ secrets.INTEGRATION_INSTANCE_KEYS }}
-        run: |
-          if [ -z "$INTEGRATION_INSTANCE_KEYS" ]; then
-            echo "::error::INTEGRATION_INSTANCE_KEYS secret is not set"
-            exit 1
-          fi
-          pk=$(echo "$INTEGRATION_INSTANCE_KEYS" | jq -er ".[\"$EXPO_INSTANCE_NAME\"].pk") || {
-            echo "::error::No entry '$EXPO_INSTANCE_NAME' found in INTEGRATION_INSTANCE_KEYS"
-            exit 1
-          }
-          sk=$(echo "$INTEGRATION_INSTANCE_KEYS" | jq -er ".[\"$EXPO_INSTANCE_NAME\"].sk")
-          echo "::add-mask::$sk"
-          echo "pk=$pk" >> "$GITHUB_OUTPUT"
-          echo "sk=$sk" >> "$GITHUB_OUTPUT"
+          INTEGRATION_STAGING_INSTANCE_KEYS: ${{ secrets.INTEGRATION_STAGING_INSTANCE_KEYS }}
+        run: node scripts/resolve-instance-keys.mjs INTEGRATION_STAGING_INSTANCE_KEYS "$EXPO_INSTANCE_NAME"
 
       - name: Write quickstart .env
         working-directory: clerk-expo-quickstart/NativeComponentQuickstart
@@ -186,20 +174,8 @@ jobs:
       - name: Resolve Clerk instance keys
         id: keys
         env:
-          INTEGRATION_INSTANCE_KEYS: ${{ secrets.INTEGRATION_INSTANCE_KEYS }}
-        run: |
-          if [ -z "$INTEGRATION_INSTANCE_KEYS" ]; then
-            echo "::error::INTEGRATION_INSTANCE_KEYS secret is not set"
-            exit 1
-          fi
-          pk=$(echo "$INTEGRATION_INSTANCE_KEYS" | jq -er ".[\"$EXPO_INSTANCE_NAME\"].pk") || {
-            echo "::error::No entry '$EXPO_INSTANCE_NAME' found in INTEGRATION_INSTANCE_KEYS"
-            exit 1
-          }
-          sk=$(echo "$INTEGRATION_INSTANCE_KEYS" | jq -er ".[\"$EXPO_INSTANCE_NAME\"].sk")
-          echo "::add-mask::$sk"
-          echo "pk=$pk" >> "$GITHUB_OUTPUT"
-          echo "sk=$sk" >> "$GITHUB_OUTPUT"
+          INTEGRATION_STAGING_INSTANCE_KEYS: ${{ secrets.INTEGRATION_STAGING_INSTANCE_KEYS }}
+        run: node scripts/resolve-instance-keys.mjs INTEGRATION_STAGING_INSTANCE_KEYS "$EXPO_INSTANCE_NAME"
 
       - name: Write quickstart .env
         working-directory: clerk-expo-quickstart/NativeComponentQuickstart
diff --git a/scripts/resolve-instance-keys.mjs b/scripts/resolve-instance-keys.mjs
@@ -0,0 +1,51 @@
+#!/usr/bin/env node
+
+/**
+ * Resolves Clerk pk/sk for a named test instance from a JSON-encoded env var
+ * (e.g. INTEGRATION_INSTANCE_KEYS / INTEGRATION_STAGING_INSTANCE_KEYS).
+ *
+ * Usage:
+ *   node scripts/resolve-instance-keys.mjs <SECRET_ENV_VAR> <INSTANCE_NAME>
+ *
+ * Writes pk and sk as GitHub Actions step outputs to $GITHUB_OUTPUT and masks
+ * sk in the runner logs. Exits non-zero with a ::error:: annotation if the
+ * env var is missing, malformed, or doesn't contain the requested instance.
+ */
+
+import { appendFileSync } from 'node:fs';
+
+const fail = msg => {
+  console.error(`::error::${msg}`);
+  process.exit(1);
+};
+
+const [, , secretVar, instanceName] = process.argv;
+if (!secretVar || !instanceName) {
+  fail('Usage: resolve-instance-keys.mjs <SECRET_ENV_VAR> <INSTANCE_NAME>');
+}
+
+const raw = process.env[secretVar];
+if (!raw) fail(`${secretVar} secret is not set`);
+
+let parsed;
+try {
+  parsed = JSON.parse(raw);
+} catch (err) {
+  fail(`Failed to parse ${secretVar} as JSON: ${err.message}`);
+}
+
+if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) {
+  fail(`Expected ${secretVar} to be a JSON object of instance entries`);
+}
+
+const entry = parsed[instanceName];
+if (!entry) fail(`No entry '${instanceName}' found in ${secretVar}`);
+
+const { pk, sk } = entry;
+if (!pk) fail(`Entry '${instanceName}' in ${secretVar} is missing 'pk'`);
+if (!sk) fail(`Entry '${instanceName}' in ${secretVar} is missing 'sk'`);
+
+console.log(`::add-mask::${sk}`);
+
+const out = process.env.GITHUB_OUTPUT;
+if (out) appendFileSync(out, `pk=${pk}\nsk=${sk}\n`);
