Skip to content

feat: first-class secrets — a forwardable slot with SecretBox (TML-3018) #243

feat: first-class secrets — a forwardable slot with SecretBox (TML-3018)

feat: first-class secrets — a forwardable slot with SecretBox (TML-3018) #243

Workflow file for this run

name: E2E deploy
# Deploys examples/storefront-auth and examples/pn-widgets to real Prisma
# Cloud, verifies each round trip, then destroys them. Requires repo secret
# PRISMA_SERVICE_TOKEN and repo variable PRISMA_WORKSPACE_ID.
on:
push:
branches: [main]
pull_request:
workflow_dispatch:
permissions:
contents: read
# Fixed group (not per-ref): only one real-cloud deploy runs at a time.
# cancel-in-progress stays false so a kill mid-deploy/destroy can't orphan resources.
concurrency:
group: e2e-deploy
cancel-in-progress: false
jobs:
deploy:
name: Deploy, verify, destroy
runs-on: ubuntu-latest
timeout-minutes: 3
# Secrets aren't available on forked-PR runs; skip rather than fail loudly.
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
env:
PRISMA_SERVICE_TOKEN: ${{ secrets.PRISMA_SERVICE_TOKEN }}
PRISMA_WORKSPACE_ID: ${{ vars.PRISMA_WORKSPACE_ID }}
# The root binds the auth module's secret need to AUTH_SIGNING_SECRET (ADR-0029).
# This non-sensitive test marker in the runner env is what deploy preflight
# fill-missing provisions onto the ephemeral per-run stack — the single-step
# CI path (runner env -> direct API POST -> platform). It must match the
# auth service's EXPECTED_SIGNING_SECRET (modules/auth/src/server.ts); the
# value never enters deploy state, only its pointer name does.
AUTH_SIGNING_SECRET: sk_test_ci_storefront_auth
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- uses: ./.github/actions/deploy-verify-destroy
with:
working-directory: examples/storefront-auth
build-filter: '@prisma/example-storefront-auth...'
stack-name: storefront-auth-ci-${{ github.run_id }}
verify-command: bash scripts/e2e-verify.sh
deploy-pn-widgets:
name: Deploy, verify, destroy (pn-widgets)
runs-on: ubuntu-latest
# Not a data dependency — runs after storefront so the two deploys never
# hold projects/databases concurrently (workspace DB-quota headroom).
needs: deploy
timeout-minutes: 3
# Secrets aren't available on forked-PR runs; skip rather than fail loudly.
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
env:
PRISMA_SERVICE_TOKEN: ${{ secrets.PRISMA_SERVICE_TOKEN }}
PRISMA_WORKSPACE_ID: ${{ vars.PRISMA_WORKSPACE_ID }}
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- uses: ./.github/actions/deploy-verify-destroy
with:
working-directory: examples/pn-widgets
build-filter: '@prisma/example-pn-widgets...'
stack-name: pn-widgets-ci-${{ github.run_id }}
verify-command: bun scripts/e2e-verify.ts
destroy-label: 'pn-widgets '
sweep-prefixes: storefront-auth pn-widgets hello canary
cold-connect-canary:
name: Cold-connect canary (FT-5226)
runs-on: ubuntu-latest
# Runs after both deploys so it never holds a database concurrently with
# them (workspace DB-quota headroom). Fails when PPg no longer rejects a
# database's first connection — the signal to remove withConnectionRetry.
needs: deploy-pn-widgets
timeout-minutes: 3
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
env:
PRISMA_SERVICE_TOKEN: ${{ secrets.PRISMA_SERVICE_TOKEN }}
PRISMA_WORKSPACE_ID: ${{ vars.PRISMA_WORKSPACE_ID }}
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- uses: ./.github/actions/setup
- run: pnpm install --frozen-lockfile
- run: bun examples/scripts/cold-connect-canary.ts