fix: address review — clear auth env vars in CI, isolate sidecar import

BYK · BYK · commit 9da45e28ea36 · 2026-05-22T21:24:17.000Z
- Add explicit SENTRY_AUTH_TOKEN="" and SENTRY_TOKEN="" env overrides
  to CI smoke test steps to prevent future env leakage on main/release
  branches where production secrets are available.

- Move Ink sidecar import test to a subprocess via spawnCollect to
  avoid polluting the vitest process with React/Ink globals from the
  sidecar's bundled dependencies.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -312,6 +312,9 @@ jobs:
       - name: Smoke test (deep — SQLite, telemetry, auth DB)
         if: matrix.can-test
         shell: bash
+        env:
+          SENTRY_AUTH_TOKEN: ""
+          SENTRY_TOKEN: ""
         run: |
           if [[ "${{ matrix.target }}" == "windows-x64" ]]; then
             BIN=./dist-bin/sentry-windows-x64.exe
@@ -735,6 +738,9 @@ jobs:
         run: node dist/bin.cjs --help
       - name: Smoke test (Node.js — deep)
         shell: bash
+        env:
+          SENTRY_AUTH_TOKEN: ""
+          SENTRY_TOKEN: ""
         run: |
           # auth status without a token exercises SQLite init, schema
           # migrations, telemetry lazy import, and the CJS require chain.
diff --git a/test/e2e/bundle.test.ts b/test/e2e/bundle.test.ts
@@ -9,7 +9,6 @@ import { spawn } from "node:child_process";
 import { existsSync, rmSync } from "node:fs";
 import { readFile } from "node:fs/promises";
 import { join } from "node:path";
-import { pathToFileURL } from "node:url";
 import { afterAll, beforeAll, describe, expect, test } from "vitest";
 
 function noop(): void {
@@ -214,11 +213,27 @@ describe("npm bundle", () => {
     // by Node, and exports mountApp as a function. This catches sidecar
     // bundling/resolution bugs — the exact class of bug where `with { type: "file" }`
     // crashed in tsx dev mode.
+    //
+    // Run in a subprocess to avoid polluting the vitest process with
+    // React/Ink globals from the sidecar's bundled dependencies.
     expect(existsSync(INK_APP_PATH)).toBe(true);
 
-    // Node requires a file:// URL for dynamic import of absolute ESM paths
-    const sidecar = await import(pathToFileURL(INK_APP_PATH).href);
-
-    expect(typeof sidecar.mountApp).toBe("function");
+    const { stdout, stderr, exitCode } = await spawnCollect("node", [
+      "--input-type=module",
+      "-e",
+      `import { mountApp } from ${JSON.stringify(`file://${INK_APP_PATH}`)};\n` +
+        'if (typeof mountApp !== "function") {\n' +
+        '  process.stderr.write("mountApp is " + typeof mountApp + ", expected function");\n' +
+        "  process.exit(1);\n" +
+        "}",
+    ]);
+
+    if (exitCode !== 0) {
+      const output = stdout + stderr;
+      throw new Error(
+        `Ink sidecar import failed (exit ${exitCode}): ${output}`
+      );
+    }
+    expect(exitCode).toBe(0);
   }, 15_000);
 });
