Skip to content

ci(e2e): prod LIVE E2E via on-the-fly minted cohort account#174

Merged
mastermanas805 merged 1 commit into
mainfrom
e2e-prod-minted-account
Jun 5, 2026
Merged

ci(e2e): prod LIVE E2E via on-the-fly minted cohort account#174
mastermanas805 merged 1 commit into
mainfrom
e2e-prod-minted-account

Conversation

@mastermanas805

Copy link
Copy Markdown
Member

What

The production E2E CI workflow that mints an ephemeral, cohort-scoped test account on the fly, runs the real-backend live specs against prod with it, and reaps everything. This is THE deliverable for "integration tests running in CI against prod."

The new workflow — .github/workflows/e2e-prod.yml

  • Triggers: workflow_dispatch + schedule (*/30 * * * *, every 30 min) + repository_dispatch type e2e-prod-from-deploy (post-deploy hook the api repo can fire).
  • Guard: no-ops cleanly (::notice::, all later steps skipped) when secrets.E2E_ACCOUNT_TOKEN is empty — never reds when unconfigured.
  • MINT: POST https://api.instanode.dev/internal/e2e/account with X-E2E-Token: $E2E_ACCOUNT_TOKEN + {"tier":"pro"} → captures session_jwt + team_id, masks them (::add-mask::), exports to later steps. Non-200 fails the job.
  • RUN: E2E_LIVE=1 E2E_API_URL=https://api.instanode.dev E2E_SESSION_JWT=<minted> npx playwright test --config=playwright.live.config.ts (via npm run test:e2e:live). Authed legs use the minted account; anon legs run as-is.
  • REAP (if: always()): DELETE /internal/e2e/account/{team_id} then npm run reap:live (ledger reaper, exits non-zero on any leak → fails the job loudly, rule 24).

Prod sibling of e2e-live.yml (staging) — that workflow is kept, not deleted.

Harness wiring

  • e2e/cohort.tsmintedSession() surfaces the workflow-minted account (E2E_SESSION_JWT + E2E_TEAM_ID/E2E_ACCOUNT_EMAIL/E2E_ACCOUNT_TIER). When set, the authed legs use that real cohort account instead of self-minting from E2E_JWT_SECRET.
  • Prod-allow relaxationassertSafeApiTarget() now ALLOWS a prod E2E_API_URL only for a sanctioned minted-account run (E2E_ACCOUNT_TOKEN or E2E_SESSION_JWT present); an un-tokened prod target is still REFUSED so a stray run can't hammer prod. Safety reasoning documented in-file. All four live specs call it at module load.
  • live-auth.spec.ts A8/A10 — prefer mintedSession() when set (assert minted email/tier; reap only spec-created resources — the account itself is reaped by the workflow). Self-mint path (E2E_JWT_SECRET) retained as fallback; anon legs unchanged.

Verification

npm run gate (tsc --noEmit && build && vitest run) green — 80 files, 1115 pass / 3 skip. Workflow YAML validated.

The workflow goes green only once the api mint endpoint (api PR #260) is deployed and the E2E_ACCOUNT_TOKEN GH secret is set (orchestrator-handled). It no-ops safely until then.

🤖 Generated with Claude Code

Add the production E2E CI workflow that mints an ephemeral, cohort-scoped
test account against prod, runs the real-backend live specs with it, and
reaps the account + any spec-created resources.

- .github/workflows/e2e-prod.yml: workflow_dispatch + schedule (every 30m)
  + repository_dispatch(e2e-prod-from-deploy). No-ops cleanly when
  secrets.E2E_ACCOUNT_TOKEN is empty. MINT (POST /internal/e2e/account,
  X-E2E-Token, {"tier":"pro"}) -> mask+export session_jwt/team_id -> RUN
  (E2E_LIVE=1, E2E_API_URL=prod, E2E_SESSION_JWT) -> REAP (always: DELETE
  the account + npm run reap:live; reaper exits non-zero on leak).
  Prod sibling of e2e-live.yml (staging); that file is kept.

- e2e/cohort.ts: mintedSession() surfaces the workflow-minted account
  (E2E_SESSION_JWT + companion identity env) so authed legs use a real
  cohort account instead of self-minting from E2E_JWT_SECRET.
  assertSafeApiTarget() relaxes the prod-refusal: prod is ALLOWED only for
  a sanctioned minted-account run (E2E_ACCOUNT_TOKEN/E2E_SESSION_JWT
  present), still REFUSED otherwise so a stray run can't hammer prod.

- live-auth A8/A10 prefer mintedSession() when set (assert minted
  email/tier; reap only spec-created resources, account reaped by the
  workflow); anon legs unchanged. All four live specs now call
  assertSafeApiTarget() at module load.

npm run gate green (build + 1115 vitest pass / 3 skip). Workflow no-ops
until the api mint endpoint deploys + E2E_ACCOUNT_TOKEN secret is set.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@mastermanas805
mastermanas805 enabled auto-merge (squash) June 5, 2026 04:32
@github-actions

github-actions Bot commented Jun 5, 2026

Copy link
Copy Markdown

size-limit report 📦

Path Size
dist/assets/index-902QtfQT.js 161.98 KB (0%)
dist/assets/index-BsJUZYRr.css 6.13 KB (0%)

@mastermanas805
mastermanas805 merged commit 295900e into main Jun 5, 2026
18 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant