ci(repo): Use pull_request_target event by triggering actor permissions
#10722
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| workflow_dispatch: | |
| merge_group: | |
| pull_request: | |
| branches: | |
| - main | |
| - release/v4 | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| approve: | |
| runs-on: ubuntu-latest | |
| environment: | |
| name: approve_external_contribution | |
| steps: | |
| - name: Approve external contribution | |
| run: if [[ "${{ github.event.pull_request.head.repo.fork }}" == "true" ]]; then echo "For security reasons, all pull requests from external forks need to be approved first before running any automated CI." && exit 1; else echo 'Skipping' && exit 0; fi | |
| formatting-linting: | |
| needs: [approve] | |
| name: Formatting, linting & changeset checks | |
| runs-on: 'blacksmith-8vcpu-ubuntu-2204' | |
| timeout-minutes: ${{ vars.TIMEOUT_MINUTES_NORMAL && fromJSON(vars.TIMEOUT_MINUTES_NORMAL) || 10 }} | |
| env: | |
| TURBO_SUMMARIZE: false | |
| steps: | |
| - name: Checkout Repo | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| show-progress: false | |
| - name: Setup | |
| id: config | |
| uses: ./.github/actions/init-blacksmith | |
| with: | |
| turbo-signature: ${{ secrets.TURBO_REMOTE_CACHE_SIGNATURE_KEY }} | |
| turbo-summarize: ${{ env.TURBO_SUMMARIZE }} | |
| turbo-team: ${{ vars.TURBO_TEAM }} | |
| turbo-token: ${{ secrets.TURBO_TOKEN }} | |
| - name: Require Changeset | |
| if: ${{ !(github.event_name == 'merge_group') }} | |
| run: if [[ "${{ github.event.pull_request.user.login }}" = "clerk-cookie" || "${{ github.event.pull_request.user.login }}" = "renovate[bot]" ]]; then echo 'Skipping' && exit 0; else pnpm changeset status --since=origin/main; fi | |
| - name: Lint GitHub Actions Workflows | |
| run: pnpm eslint .github | |
| shell: bash | |
| - name: Check Formatting | |
| run: pnpm format:check | |
| - name: Build Packages | |
| run: pnpm turbo build $TURBO_ARGS --only | |
| - name: Check size using bundlewatch | |
| run: pnpm turbo bundlewatch $TURBO_ARGS --only | |
| env: | |
| BUNDLEWATCH_GITHUB_TOKEN: ${{ secrets.BUNDLEWATCH_GITHUB_TOKEN }} | |
| CI_REPO_OWNER: ${{ vars.REPO_OWNER }} | |
| CI_REPO_NAME: ${{ vars.REPO_NAME }} | |
| CI_COMMIT_SHA: ${{ github.event.pull_request.head.sha }} | |
| CI_BRANCH: ${{ github.ref }} | |
| CI_BRANCH_BASE: refs/heads/main | |
| - name: Lint packages using publint | |
| run: pnpm turbo lint:publint $TURBO_ARGS --only | |
| - name: Lint types using attw | |
| run: pnpm turbo lint:attw $TURBO_ARGS --only | |
| - name: Run lint | |
| run: pnpm turbo lint $TURBO_ARGS --only -- --quiet | |
| - name: Upload Turbo Summary | |
| uses: actions/upload-artifact@v3 | |
| if: ${{ env.TURBO_SUMMARIZE == 'true' }} | |
| continue-on-error: true | |
| with: | |
| name: turbo-summary-report-lint-${{ github.run_id }}-${{ github.run_attempt }} | |
| path: .turbo/runs | |
| retention-days: 5 | |
| unit-tests: | |
| needs: [approve] | |
| name: Unit Tests | |
| runs-on: 'blacksmith-8vcpu-ubuntu-2204' | |
| timeout-minutes: ${{ vars.TIMEOUT_MINUTES_NORMAL && fromJSON(vars.TIMEOUT_MINUTES_NORMAL) || 10 }} | |
| env: | |
| TURBO_SUMMARIZE: false | |
| strategy: | |
| matrix: | |
| node-version: [18,22] | |
| steps: | |
| - name: Checkout Repo | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| show-progress: false | |
| - name: Setup | |
| id: config | |
| uses: ./.github/actions/init-blacksmith | |
| with: | |
| # Ensures that all builds are cached appropriately with a consistent run name `Unit Tests (18)`. | |
| node-version: ${{ matrix.node-version }} | |
| turbo-signature: ${{ secrets.TURBO_REMOTE_CACHE_SIGNATURE_KEY }} | |
| turbo-summarize: ${{ env.TURBO_SUMMARIZE }} | |
| turbo-team: ${{ vars.TURBO_TEAM }} | |
| turbo-token: ${{ secrets.TURBO_TOKEN }} | |
| - name: Run tests | |
| run: | | |
| if [ "${{ matrix.node-version }}" == "18" ]; then | |
| echo "Running tests on Node 18 only for packages with LTS support." | |
| pnpm turbo test $TURBO_ARGS --filter="@clerk/astro" --filter="@clerk/backend" --filter="@clerk/express" --filter="@clerk/nextjs" --filter="@clerk/clerk-react" --filter="@clerk/clerk-sdk-node" --filter="@clerk/shared" --filter="@clerk/remix" --filter="@clerk/tanstack-start" --filter="@clerk/elements" --filter="@clerk/vue" --filter="@clerk/nuxt" | |
| else | |
| echo "Running tests for all packages on Node 20." | |
| pnpm turbo test $TURBO_ARGS | |
| fi | |
| env: | |
| NODE_VERSION: ${{ matrix.node-version }} | |
| - name: Upload Turbo Summary | |
| uses: actions/upload-artifact@v4 | |
| if: ${{ env.TURBO_SUMMARIZE == 'true' }} | |
| continue-on-error: true | |
| with: | |
| name: turbo-summary-report-unit-${{ github.run_id }}-${{ github.run_attempt }}-node-${{ matrix.node-version }} | |
| path: .turbo/runs | |
| retention-days: 5 | |
| integration-tests: | |
| needs: [approve] | |
| name: Integration Tests | |
| runs-on: 'blacksmith-8vcpu-ubuntu-2204' | |
| timeout-minutes: ${{ vars.TIMEOUT_MINUTES_LONG && fromJSON(vars.TIMEOUT_MINUTES_LONG) || 15 }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| test-name: [ 'generic', 'express', 'quickstart', 'ap-flows', 'elements', 'sessions', 'astro', 'expo-web', 'tanstack-start', 'tanstack-router', 'vue', 'nuxt'] | |
| test-project: ['chrome'] | |
| include: | |
| - test-name: 'nextjs' | |
| test-project: 'chrome' | |
| next-version: '13' | |
| - test-name: 'nextjs' | |
| test-project: 'chrome' | |
| next-version: '14' | |
| - test-name: 'nextjs' | |
| test-project: 'chrome' | |
| next-version: '15' | |
| steps: | |
| - name: Checkout Repo | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| show-progress: false | |
| - name: Setup | |
| id: config | |
| uses: ./.github/actions/init-blacksmith | |
| with: | |
| turbo-signature: ${{ secrets.TURBO_REMOTE_CACHE_SIGNATURE_KEY }} | |
| turbo-team: ${{ vars.TURBO_TEAM }} | |
| turbo-token: ${{ secrets.TURBO_TOKEN }} | |
| playwright-enabled: true | |
| - name: Task Status | |
| id: task-status | |
| env: | |
| E2E_APP_CLERK_JS_DIR: ${{runner.temp}} | |
| E2E_CLERK_VERSION: 'latest' | |
| E2E_NEXTJS_VERSION: ${{ matrix.next-version }} | |
| E2E_PROJECT: ${{ matrix.test-project }} | |
| INTEGRATION_INSTANCE_KEYS: ${{ secrets.INTEGRATION_INSTANCE_KEYS }} | |
| run: | | |
| AFFECTED=0 | |
| (pnpm turbo-ignore --task=test:integration:${{ matrix.test-name }} --fallback=${{ github.base_ref || 'refs/heads/main' }}) || AFFECTED=1 | |
| echo "affected=${AFFECTED}" | |
| echo "affected=${AFFECTED}" >> $GITHUB_OUTPUT | |
| - name: Verdaccio | |
| if: ${{ steps.task-status.outputs.affected == '1' }} | |
| uses: ./.github/actions/verdaccio | |
| with: | |
| publish-cmd: | | |
| if [ "$(pnpm config get registry)" = "https://registry.npmjs.org/" ]; then echo 'Error: Using default registry' && exit 1; else pnpm turbo build $TURBO_ARGS --only && pnpm changeset publish --no-git-tag; fi | |
| - name: Edit .npmrc [link-workspace-packages=false] | |
| run: sed -i -E 's/link-workspace-packages=(deep|true)/link-workspace-packages=false/' .npmrc | |
| - name: Install @clerk/backend in /integration | |
| if: ${{ steps.task-status.outputs.affected == '1' }} | |
| working-directory: ./integration | |
| run: pnpm init && pnpm add @clerk/backend | |
| - name: Install @clerk/clerk-js in os temp | |
| if: ${{ steps.task-status.outputs.affected == '1' }} | |
| working-directory: ${{runner.temp}} | |
| run: mkdir clerk-js && cd clerk-js && pnpm init && pnpm add @clerk/clerk-js | |
| - name: Copy components @clerk/astro | |
| if: ${{ matrix.test-name == 'astro' }} | |
| run: cd packages/astro && pnpm copy:components | |
| - name: Write all ENV certificates to files in integration/certs | |
| if: ${{ steps.task-status.outputs.affected == '1' }} | |
| uses: actions/github-script@v7 | |
| env: | |
| INTEGRATION_CERTS: '${{secrets.INTEGRATION_CERTS}}' | |
| INTEGRATION_ROOT_CA: '${{secrets.INTEGRATION_ROOT_CA}}' | |
| with: | |
| script: | | |
| const fs = require('fs'); | |
| const path = require('path'); | |
| const rootCa = process.env.INTEGRATION_ROOT_CA; | |
| console.log('rootCa', rootCa); | |
| fs.writeFileSync(path.join(process.env.GITHUB_WORKSPACE, 'integration/certs', 'rootCA.pem'), rootCa); | |
| const certs = JSON.parse(process.env.INTEGRATION_CERTS); | |
| for (const [name, cert] of Object.entries(certs)) { | |
| fs.writeFileSync(path.join(process.env.GITHUB_WORKSPACE, 'integration/certs', name), cert); | |
| } | |
| - name: LS certs | |
| if: ${{ steps.task-status.outputs.affected == '1' }} | |
| working-directory: ./integration/certs | |
| run: ls -la && pwd | |
| - name: Run Integration Tests | |
| if: ${{ steps.task-status.outputs.affected == '1' }} | |
| id: integration-tests | |
| run: sudo npm install -g pnpm && sudo --preserve-env pnpm turbo test:integration:${{ matrix.test-name }} $TURBO_ARGS | |
| env: | |
| E2E_APP_CLERK_JS_DIR: ${{runner.temp}} | |
| E2E_CLERK_VERSION: 'latest' | |
| E2E_NEXTJS_VERSION: ${{ matrix.next-version }} | |
| E2E_PROJECT: ${{ matrix.test-project }} | |
| E2E_CLERK_ENCRYPTION_KEY: ${{ matrix.clerk-encryption-key }} | |
| INTEGRATION_INSTANCE_KEYS: ${{ secrets.INTEGRATION_INSTANCE_KEYS }} | |
| MAILSAC_API_KEY: ${{ secrets.MAILSAC_API_KEY }} | |
| NODE_EXTRA_CA_CERTS: ${{ github.workspace }}/integration/certs/rootCA.pem | |
| - name: Upload test-results | |
| if: ${{ cancelled() || failure() }} | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: playwright-traces-${{ github.run_id }}-${{ github.run_attempt }}-${{ matrix.test-name }} | |
| path: integration/test-results | |
| retention-days: 1 |