ci(e2e): prod LIVE E2E via on-the-fly minted cohort account#174
Merged
Conversation
Add the production E2E CI workflow that mints an ephemeral, cohort-scoped
test account against prod, runs the real-backend live specs with it, and
reaps the account + any spec-created resources.
- .github/workflows/e2e-prod.yml: workflow_dispatch + schedule (every 30m)
+ repository_dispatch(e2e-prod-from-deploy). No-ops cleanly when
secrets.E2E_ACCOUNT_TOKEN is empty. MINT (POST /internal/e2e/account,
X-E2E-Token, {"tier":"pro"}) -> mask+export session_jwt/team_id -> RUN
(E2E_LIVE=1, E2E_API_URL=prod, E2E_SESSION_JWT) -> REAP (always: DELETE
the account + npm run reap:live; reaper exits non-zero on leak).
Prod sibling of e2e-live.yml (staging); that file is kept.
- e2e/cohort.ts: mintedSession() surfaces the workflow-minted account
(E2E_SESSION_JWT + companion identity env) so authed legs use a real
cohort account instead of self-minting from E2E_JWT_SECRET.
assertSafeApiTarget() relaxes the prod-refusal: prod is ALLOWED only for
a sanctioned minted-account run (E2E_ACCOUNT_TOKEN/E2E_SESSION_JWT
present), still REFUSED otherwise so a stray run can't hammer prod.
- live-auth A8/A10 prefer mintedSession() when set (assert minted
email/tier; reap only spec-created resources, account reaped by the
workflow); anon legs unchanged. All four live specs now call
assertSafeApiTarget() at module load.
npm run gate green (build + 1115 vitest pass / 3 skip). Workflow no-ops
until the api mint endpoint deploys + E2E_ACCOUNT_TOKEN secret is set.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
mastermanas805
enabled auto-merge (squash)
June 5, 2026 04:32
size-limit report 📦
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
The production E2E CI workflow that mints an ephemeral, cohort-scoped test account on the fly, runs the real-backend live specs against prod with it, and reaps everything. This is THE deliverable for "integration tests running in CI against prod."
The new workflow —
.github/workflows/e2e-prod.ymlworkflow_dispatch+schedule(*/30 * * * *, every 30 min) +repository_dispatchtypee2e-prod-from-deploy(post-deploy hook the api repo can fire).::notice::, all later steps skipped) whensecrets.E2E_ACCOUNT_TOKENis empty — never reds when unconfigured.POST https://api.instanode.dev/internal/e2e/accountwithX-E2E-Token: $E2E_ACCOUNT_TOKEN+{"tier":"pro"}→ capturessession_jwt+team_id, masks them (::add-mask::), exports to later steps. Non-200 fails the job.E2E_LIVE=1 E2E_API_URL=https://api.instanode.dev E2E_SESSION_JWT=<minted> npx playwright test --config=playwright.live.config.ts(vianpm run test:e2e:live). Authed legs use the minted account; anon legs run as-is.if: always()):DELETE /internal/e2e/account/{team_id}thennpm run reap:live(ledger reaper, exits non-zero on any leak → fails the job loudly, rule 24).Prod sibling of
e2e-live.yml(staging) — that workflow is kept, not deleted.Harness wiring
e2e/cohort.ts—mintedSession()surfaces the workflow-minted account (E2E_SESSION_JWT+E2E_TEAM_ID/E2E_ACCOUNT_EMAIL/E2E_ACCOUNT_TIER). When set, the authed legs use that real cohort account instead of self-minting fromE2E_JWT_SECRET.assertSafeApiTarget()now ALLOWS a prodE2E_API_URLonly for a sanctioned minted-account run (E2E_ACCOUNT_TOKENorE2E_SESSION_JWTpresent); an un-tokened prod target is still REFUSED so a stray run can't hammer prod. Safety reasoning documented in-file. All four live specs call it at module load.live-auth.spec.tsA8/A10 — prefermintedSession()when set (assert minted email/tier; reap only spec-created resources — the account itself is reaped by the workflow). Self-mint path (E2E_JWT_SECRET) retained as fallback; anon legs unchanged.Verification
npm run gate(tsc --noEmit && build && vitest run) green — 80 files, 1115 pass / 3 skip. Workflow YAML validated.🤖 Generated with Claude Code