fix(ci): write Brev credentials file so CLI authenticates on runner

[cjagwani]

Summary

• Write ~/.brev/credentials.json during the "Install Brev CLI" workflow step
• The Brev CLI v0.6.322 does not read BREV_API_TOKEN from the environment — it requires a credentials file
• The brev login --token call was removed in 374a847 (refactor(installer): unify host preflight and thin deploy compatibility #1470), breaking all E2E runs since

Root Cause

PR #1470 replaced brev("login", "--token", process.env.BREV_API_TOKEN) with a brev("ls") pre-check (hasAuthenticatedBrev), but nothing writes the credentials file on the ephemeral GH Actions runner. Result: brev ls fails silently, hasAuthenticatedBrev returns false, describe.runIf() skips the entire suite, and CI reports success with 0 tests run.

Evidence

• Last working run (Apr 4): 23968693963 — 1 passed, 988s
• Broken runs (Apr 8): 24160260650, 24160572779, 24161141317 — all 1 skipped, <1s

Test plan

• Merge to main, trigger e2e-brev workflow with TEST_SUITE=full — confirm tests actually run (not skip)

Fixes #1638

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Improved CI end-to-end workflow: requires and validates an API token before running, securely writes and protects credential data, and verifies authentication to ensure reliable automated test runs.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 2691f9d2-29ed-4455-acc5-a1539ed65cca

📥 Commits

Reviewing files that changed from the base of the PR and between 7af8b06 and 7079b27.

📒 Files selected for processing (1)

• .github/workflows/e2e-brev.yaml

---

📝 Walkthrough

Walkthrough

The workflow now injects BREV_API_TOKEN into the "Install Brev CLI" step, validates it, writes ~/.brev/credentials.json with {"refresh_token":"$BREV_API_TOKEN"} (secure perms), and runs brev ls to confirm authentication for the CI test harness.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflow .github/workflows/e2e-brev.yaml	Pass BREV_API_TOKEN into the step, validate it's non-empty, create ~/.brev/credentials.json with the refresh token (set restrictive permissions), and run brev ls to verify authentication.

Sequence Diagram(s)

mermaid
sequenceDiagram
participant GH as GH Actions runner
participant Step as "Install Brev CLI" step
participant FS as Filesystem (~/.brev/credentials.json)
participant Brev as Brev CLI
participant Tests as Vitest/CI tests

GH->>Step: start step (env BREV_API_TOKEN)
Step->>Step: validate BREV_API_TOKEN non-empty
Step->>FS: write credentials.json {"refresh_token": token}
Step->>FS: set umask/chmod 600
Step->>Brev: run brev ls
Brev-->>Step: authentication status
Step->>Tests: proceed if authenticated

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰
A token tucked in a tiny file,
I hopped it in with a careful smile,
Now brev can speak and tests can run,
CI sings softly — hop, job done! 🥕

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately reflects the main change: writing the Brev credentials file in CI to enable CLI authentication on runners.
Linked Issues check	✅ Passed	The PR directly addresses all objectives from issue #1638: creates ~/.brev/credentials.json, validates BREV_API_TOKEN, enables brev ls to succeed, and restores full E2E test execution.
Out of Scope Changes check	✅ Passed	All changes are scoped to fixing CI authentication: adding BREV_API_TOKEN handling, credentials file creation, and validation in the GitHub Actions workflow step.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/brev-e2e-auth-credentials

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/e2e-brev.yaml:
- Around line 155-160: The workflow currently writes ~/.brev/credentials.json
from $BREV_API_TOKEN without checking it's present and doesn't verify
authentication, so CI can silently skip tests; update the steps that create the
credentials (the mkdir + printf block) to first fail-fast if $BREV_API_TOKEN is
empty or invalid, write the credentials file with restricted permissions (e.g.,
chmod 600) and immediately run a quick verification command (brev ls) and exit
non-zero on failure so the pipeline fails fast instead of allowing the test
harness's hasAuthenticatedBrev to swallow auth errors.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c8ab42b2-e63d-42ad-b9d8-06d54c156b75

📥 Commits

Reviewing files that changed from the base of the PR and between 8f6995c and 7af8b06.

📒 Files selected for processing (1)

• .github/workflows/e2e-brev.yaml

[cv]

LGTM — security review WARNING (non-blocking).

Minor suggestion: The printf '{"refresh_token":"%s"}' could malform JSON if the token ever contains quotes/backslashes. Since Node.js is already set up on the runner, consider:

node -e "process.stdout.write(JSON.stringify({refresh_token: process.env.BREV_API_TOKEN}))" > ~/.brev/credentials.json

Otherwise clean:

• File permissions correct (umask 077 + chmod 600)
• Secret never echoed to logs (masked by GHA, written to file only)
• Fail-fast guard on empty token
• brev ls >/dev/null verification step
• CI-only, no production impact
• All checks green

No blocking concerns.