From 9916d6e5623ad09f713fabebdc1ab5edd2b84dc2 Mon Sep 17 00:00:00 2001
From: Brett
Date: Fri, 15 May 2026 02:26:58 -0500
Subject: [PATCH] fix(ci): pass CLOUDFLARE_API_TOKEN to deep-check wrangler dev steps

Both jobs in deep-check.yml (e2e + lhci) start the test web server via `wrangler dev --local`. In wrangler 4.x, dev mode authenticates to the Cloudflare managed registry to read the container image manifest from `registry.cloudflare.com//anc-sandbox:` even under `--local`. Without CLOUDFLARE_API_TOKEN in env, wrangler exits with "Not logged in" before Playwright can connect, and the deep-check nightly fails 100% of the time. The regression landed silently in PR #84 (U3-followup), which migrated the sandbox container image off Docker Hub. Docker Hub is anonymous pullable; the CF managed registry isn't. ci.yml didn't surface this because its tests don't invoke `wrangler dev` (only `bun test` and `wrangler --dry-run`, both of which work without dev-mode auth or already have the token plumbed). Fix: pass the same CF_API_TOKEN + CF_ACCOUNT_ID secrets that deploy.yml uses, on both the e2e step and the lhci step. No new secret provisioning needed; the secrets exist in the repo already. Header comment updated to reflect the new dependency and explain why. Verification path: post-merge, manually dispatch deep-check via `gh workflow run deep-check.yml` against the merge commit to confirm the auth fix lands. Cannot fully verify pre-merge because the failure mode only surfaces in the GHA runner environment (local dev has CLOUDFLARE_API_TOKEN in shell env, so local `bun run test:e2e` works fine). Related: cloudflare/workers-sdk#13925 (today's other CF Workers gotcha), but mechanically unrelated.
---
 .github/workflows/deep-check.yml | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/deep-check.yml b/.github/workflows/deep-check.yml
index c957d86..4f6c336 100644
--- a/.github/workflows/deep-check.yml
+++ b/.github/workflows/deep-check.yml
@@ -34,8 +34,17 @@
 # Not a PR gate — PR merge is governed by ci.yml. Failures here show up
 # in the Actions tab and (for dispatch-with-ref runs) as a commit status.
 #
-# Secrets: none required. The LHCI step uses the default GITHUB_TOKEN so
-# it can post a commit status (requires statuses:write, granted below).
+# Secrets:
+# CLOUDFLARE_API_TOKEN / CLOUDFLARE_ACCOUNT_ID — passed to `wrangler dev`
+# (used by both Playwright's webServer and lighthouse-ci). wrangler 4.x
+# authenticates to the Cloudflare managed registry to read the
+# container image manifest even under `--local`, so without these the
+# dev server fails with "Not logged in". The same secrets that
+# `deploy.yml` already passes — no new provisioning. Introduced after
+# the container image moved off Docker Hub to the CF managed
+# registry in PR #84 (U3-followup); the LHCI step uses the default
+# GITHUB_TOKEN to post a commit status (requires statuses:write,
+# granted below).
 
 name: deep-check
 
@@ -171,6 +180,14 @@ jobs:
 run: bun run build
 
 - name: End-to-end tests (all projects)
+# CLOUDFLARE_API_TOKEN + CLOUDFLARE_ACCOUNT_ID let `wrangler dev`
+# (spun up by playwright.config.ts's webServer) read the
+# container image manifest from the CF managed registry. Without
+# them, wrangler 4.x errors with "Not logged in" before Playwright
+# can connect.
+env:
+CLOUDFLARE_API_TOKEN: ${{ secrets.CF_API_TOKEN }}
+CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CF_ACCOUNT_ID }}
 run: bun run test:e2e
 
 - name: Upload Playwright artifacts on failure
@@ -218,3 +235,8 @@ jobs:
 env:
 LHCI_GITHUB_APP_TOKEN: ${{ secrets.LHCI_GITHUB_APP_TOKEN }}
 LHCI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+# `wrangler dev` (started by lighthouserc as the local server)
+# needs CF auth to read the container image manifest from the
+# CF managed registry, same as the e2e job above.
+CLOUDFLARE_API_TOKEN: ${{ secrets.CF_API_TOKEN }}
+CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CF_ACCOUNT_ID }}
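Review bot: The rewritten `Secrets:` header names the env vars CLOUDFLARE_API_TOKEN / CLOUDFLARE_ACCOUNT_ID but not the repository secrets they are read from, which the two step hunks show are `secrets.CF_API_TOKEN` and `secrets.CF_ACCOUNT_ID`; whoever provisions a fork or rotates the token will search the repo settings for the wrong names. Suggest making the first entry line `#   CLOUDFLARE_API_TOKEN / CLOUDFLARE_ACCOUNT_ID (repo secrets CF_API_TOKEN / CF_ACCOUNT_ID) — passed to `wrangler dev``. The pre-existing note that the LHCI step uses the default GITHUB_TOKEN and needs statuses:write is now the tail of the Cloudflare paragraph; it reads better as its own entry under `Secrets:` so the two requirements are listed separately.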
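Review bot: The e2e step (and the lhci `env:` block in the third hunk) now receives the same CF_API_TOKEN that deploy.yml uses, while the only capability `wrangler dev` needs here is reading the container image manifest; if that token carries Workers deploy permissions, as its reuse from deploy.yml suggests, the nightly run and every dispatch-with-ref run now hold write-capable Cloudflare credentials for the whole duration of `bun run test:e2e` and the lighthouse run, including any code on the dispatched ref. A separate token scoped to registry/image read would keep both test jobs at least privilege; the env-var names stay as they are and only the secret reference changes, e.g. `CLOUDFLARE_API_TOKEN: ${{ secrets.CF_DEV_READ_TOKEN }}` (placeholder name for a read-scoped secret). If a read-only token is not available, a one-line comment on each step stating that the token is deploy-scoped would at least make the exposure visible to the next maintainer. Keeping the `env:` step-scoped rather than lifting it to the job is the right call and should be preserved.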