ci(repo): Use pull_request_target event by triggering actor permissions
#10716
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| workflow_dispatch: | |
| merge_group: | |
| pull_request: | |
| branches: | |
| - main | |
| - release/v4 | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| approve: | |
| runs-on: ubuntu-latest | |
| environment: | |
| name: Run CI for external contribution | |
| steps: | |
| - name: Approve external contribution | |
| run: echo For security reasons, all pull requests need to be approved first before running any automated CI. | |
| if: ${{ github.event.pull_request.head.repo.fork }} | |
| formatting-linting: | |
| needs: [approve] | |
| name: Formatting, linting & changeset checks | |
| runs-on: 'blacksmith-8vcpu-ubuntu-2204' | |
| timeout-minutes: ${{ vars.TIMEOUT_MINUTES_NORMAL && fromJSON(vars.TIMEOUT_MINUTES_NORMAL) || 10 }} | |
| env: | |
| TURBO_SUMMARIZE: false | |
| steps: | |
| - name: Checkout Repo | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| show-progress: false | |
| - name: Setup | |
| id: config | |
| uses: ./.github/actions/init-blacksmith | |
| with: | |
| turbo-signature: ${{ secrets.TURBO_REMOTE_CACHE_SIGNATURE_KEY }} | |
| turbo-summarize: ${{ env.TURBO_SUMMARIZE }} | |
| turbo-team: ${{ vars.TURBO_TEAM }} | |
| turbo-token: ${{ secrets.TURBO_TOKEN }} | |
| - name: Require Changeset | |
| if: ${{ !(github.event_name == 'merge_group') }} | |
| run: if [[ "${{ github.event.pull_request.user.login }}" = "clerk-cookie" || "${{ github.event.pull_request.user.login }}" = "renovate[bot]" ]]; then echo 'Skipping' && exit 0; else pnpm changeset status --since=origin/main; fi | |
| - name: Lint GitHub Actions Workflows | |
| run: pnpm eslint .github | |
| shell: bash | |
| - name: Check Formatting | |
| run: pnpm format:check | |
| - name: Build Packages | |
| run: pnpm turbo build $TURBO_ARGS --only | |
| - name: Check size using bundlewatch | |
| run: pnpm turbo bundlewatch $TURBO_ARGS --only | |
| env: | |
| BUNDLEWATCH_GITHUB_TOKEN: ${{ secrets.BUNDLEWATCH_GITHUB_TOKEN }} | |
| CI_REPO_OWNER: ${{ vars.REPO_OWNER }} | |
| CI_REPO_NAME: ${{ vars.REPO_NAME }} | |
| CI_COMMIT_SHA: ${{ github.event.pull_request.head.sha }} | |
| CI_BRANCH: ${{ github.ref }} | |
| CI_BRANCH_BASE: refs/heads/main | |
| - name: Lint packages using publint | |
| run: pnpm turbo lint:publint $TURBO_ARGS --only | |
| - name: Lint types using attw | |
| run: pnpm turbo lint:attw $TURBO_ARGS --only | |
| - name: Run lint | |
| run: pnpm turbo lint $TURBO_ARGS --only -- --quiet | |
| - name: Upload Turbo Summary | |
| uses: actions/upload-artifact@v3 | |
| if: ${{ env.TURBO_SUMMARIZE == 'true' }} | |
| continue-on-error: true | |
| with: | |
| name: turbo-summary-report-lint-${{ github.run_id }}-${{ github.run_attempt }} | |
| path: .turbo/runs | |
| retention-days: 5 | |
| unit-tests: | |
| needs: [approve] | |
| name: Unit Tests | |
| runs-on: 'blacksmith-8vcpu-ubuntu-2204' | |
| timeout-minutes: ${{ vars.TIMEOUT_MINUTES_NORMAL && fromJSON(vars.TIMEOUT_MINUTES_NORMAL) || 10 }} | |
| env: | |
| TURBO_SUMMARIZE: false | |
| strategy: | |
| matrix: | |
| node-version: [18,22] | |
| steps: | |
| - name: Checkout Repo | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| show-progress: false | |
| - name: Setup | |
| id: config | |
| uses: ./.github/actions/init-blacksmith | |
| with: | |
| # Ensures that all builds are cached appropriately with a consistent run name `Unit Tests (18)`. | |
| node-version: ${{ matrix.node-version }} | |
| turbo-signature: ${{ secrets.TURBO_REMOTE_CACHE_SIGNATURE_KEY }} | |
| turbo-summarize: ${{ env.TURBO_SUMMARIZE }} | |
| turbo-team: ${{ vars.TURBO_TEAM }} | |
| turbo-token: ${{ secrets.TURBO_TOKEN }} | |
| - name: Run tests | |
| run: | | |
| if [ "${{ matrix.node-version }}" == "18" ]; then | |
| echo "Running tests on Node 18 only for packages with LTS support." | |
| pnpm turbo test $TURBO_ARGS --filter="@clerk/astro" --filter="@clerk/backend" --filter="@clerk/express" --filter="@clerk/nextjs" --filter="@clerk/clerk-react" --filter="@clerk/clerk-sdk-node" --filter="@clerk/shared" --filter="@clerk/remix" --filter="@clerk/tanstack-start" --filter="@clerk/elements" --filter="@clerk/vue" --filter="@clerk/nuxt" | |
| else | |
| echo "Running tests for all packages on Node 20." | |
| pnpm turbo test $TURBO_ARGS | |
| fi | |
| env: | |
| NODE_VERSION: ${{ matrix.node-version }} | |
| - name: Upload Turbo Summary | |
| uses: actions/upload-artifact@v4 | |
| if: ${{ env.TURBO_SUMMARIZE == 'true' }} | |
| continue-on-error: true | |
| with: | |
| name: turbo-summary-report-unit-${{ github.run_id }}-${{ github.run_attempt }}-node-${{ matrix.node-version }} | |
| path: .turbo/runs | |
| retention-days: 5 | |
| integration-tests: | |
| needs: [approve] | |
| name: Integration Tests | |
| runs-on: 'blacksmith-8vcpu-ubuntu-2204' | |
| timeout-minutes: ${{ vars.TIMEOUT_MINUTES_LONG && fromJSON(vars.TIMEOUT_MINUTES_LONG) || 15 }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| test-name: [ 'generic', 'express', 'quickstart', 'ap-flows', 'elements', 'sessions', 'astro', 'expo-web', 'tanstack-start', 'tanstack-router', 'vue', 'nuxt'] | |
| test-project: ['chrome'] | |
| include: | |
| - test-name: 'nextjs' | |
| test-project: 'chrome' | |
| next-version: '13' | |
| - test-name: 'nextjs' | |
| test-project: 'chrome' | |
| next-version: '14' | |
| - test-name: 'nextjs' | |
| test-project: 'chrome' | |
| next-version: '15' | |
| steps: | |
| - name: Setup | |
| id: config | |
| uses: ./.github/actions/init-blacksmith | |
| with: | |
| turbo-signature: ${{ secrets.TURBO_REMOTE_CACHE_SIGNATURE_KEY }} | |
| turbo-team: ${{ vars.TURBO_TEAM }} | |
| turbo-token: ${{ secrets.TURBO_TOKEN }} | |
| playwright-enabled: true | |
| - name: Task Status | |
| id: task-status | |
| env: | |
| E2E_APP_CLERK_JS_DIR: ${{runner.temp}} | |
| E2E_CLERK_VERSION: 'latest' | |
| E2E_NEXTJS_VERSION: ${{ matrix.next-version }} | |
| E2E_PROJECT: ${{ matrix.test-project }} | |
| INTEGRATION_INSTANCE_KEYS: ${{ secrets.INTEGRATION_INSTANCE_KEYS }} | |
| run: | | |
| AFFECTED=0 | |
| (pnpm turbo-ignore --task=test:integration:${{ matrix.test-name }} --fallback=${{ github.base_ref || 'refs/heads/main' }}) || AFFECTED=1 | |
| echo "affected=${AFFECTED}" | |
| echo "affected=${AFFECTED}" >> $GITHUB_OUTPUT | |
| - name: Verdaccio | |
| if: ${{ steps.task-status.outputs.affected == '1' }} | |
| uses: ./.github/actions/verdaccio | |
| with: | |
| publish-cmd: | | |
| if [ "$(pnpm config get registry)" = "https://registry.npmjs.org/" ]; then echo 'Error: Using default registry' && exit 1; else pnpm turbo build $TURBO_ARGS --only && pnpm changeset publish --no-git-tag; fi | |
| - name: Edit .npmrc [link-workspace-packages=false] | |
| run: sed -i -E 's/link-workspace-packages=(deep|true)/link-workspace-packages=false/' .npmrc | |
| - name: Install @clerk/backend in /integration | |
| if: ${{ steps.task-status.outputs.affected == '1' }} | |
| working-directory: ./integration | |
| run: pnpm init && pnpm add @clerk/backend | |
| - name: Install @clerk/clerk-js in os temp | |
| if: ${{ steps.task-status.outputs.affected == '1' }} | |
| working-directory: ${{runner.temp}} | |
| run: mkdir clerk-js && cd clerk-js && pnpm init && pnpm add @clerk/clerk-js | |
| - name: Copy components @clerk/astro | |
| if: ${{ matrix.test-name == 'astro' }} | |
| run: cd packages/astro && pnpm copy:components | |
| - name: Write all ENV certificates to files in integration/certs | |
| if: ${{ steps.task-status.outputs.affected == '1' }} | |
| uses: actions/github-script@v7 | |
| env: | |
| INTEGRATION_CERTS: '${{secrets.INTEGRATION_CERTS}}' | |
| INTEGRATION_ROOT_CA: '${{secrets.INTEGRATION_ROOT_CA}}' | |
| with: | |
| script: | | |
| const fs = require('fs'); | |
| const path = require('path'); | |
| const rootCa = process.env.INTEGRATION_ROOT_CA; | |
| console.log('rootCa', rootCa); | |
| fs.writeFileSync(path.join(process.env.GITHUB_WORKSPACE, 'integration/certs', 'rootCA.pem'), rootCa); | |
| const certs = JSON.parse(process.env.INTEGRATION_CERTS); | |
| for (const [name, cert] of Object.entries(certs)) { | |
| fs.writeFileSync(path.join(process.env.GITHUB_WORKSPACE, 'integration/certs', name), cert); | |
| } | |
| - name: LS certs | |
| if: ${{ steps.task-status.outputs.affected == '1' }} | |
| working-directory: ./integration/certs | |
| run: ls -la && pwd | |
| - name: Run Integration Tests | |
| if: ${{ steps.task-status.outputs.affected == '1' }} | |
| id: integration-tests | |
| run: sudo npm install -g pnpm && sudo --preserve-env pnpm turbo test:integration:${{ matrix.test-name }} $TURBO_ARGS | |
| env: | |
| E2E_APP_CLERK_JS_DIR: ${{runner.temp}} | |
| E2E_CLERK_VERSION: 'latest' | |
| E2E_NEXTJS_VERSION: ${{ matrix.next-version }} | |
| E2E_PROJECT: ${{ matrix.test-project }} | |
| E2E_CLERK_ENCRYPTION_KEY: ${{ matrix.clerk-encryption-key }} | |
| INTEGRATION_INSTANCE_KEYS: ${{ secrets.INTEGRATION_INSTANCE_KEYS }} | |
| MAILSAC_API_KEY: ${{ secrets.MAILSAC_API_KEY }} | |
| NODE_EXTRA_CA_CERTS: ${{ github.workspace }}/integration/certs/rootCA.pem | |
| - name: Upload test-results | |
| if: ${{ cancelled() || failure() }} | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: playwright-traces-${{ github.run_id }}-${{ github.run_attempt }}-${{ matrix.test-name }} | |
| path: integration/test-results | |
| retention-days: 1 |