Skip to content

ci(e2e): add org membership check to e2e-staging workflow#8144

Merged
jacekradko merged 3 commits intomainfrom
jacek/e2e-staging-permissions-check
Mar 21, 2026
Merged

ci(e2e): add org membership check to e2e-staging workflow#8144
jacekradko merged 3 commits intomainfrom
jacek/e2e-staging-permissions-check

Conversation

@jacekradko
Copy link
Member

@jacekradko jacekradko commented Mar 20, 2026
edited by coderabbitai bot
Loading

Summary

  • Adds a permissions-check job to the E2E Staging workflow that verifies the actor is a member of the clerk GitHub org before allowing the workflow to run
  • Both validate-instances and integration-tests jobs now depend on this check, gating all workflow execution behind org membership
  • Uses the same orgs.checkMembershipForUser pattern as major-version-check.yml

Test plan

  • Trigger workflow manually as an org member — should pass permissions check and run normally
  • Verify repository_dispatch from clerk_go (using an org member's PAT) passes the check

Summary by CodeRabbit

  • Chores
    • Added a permissions check to the staging CI pipeline to validate membership before running validation and integration tests.
    • Added a placeholder changeset marker file for release tracking.

@changeset-bot
Copy link

changeset-bot bot commented Mar 20, 2026
edited
Loading

🦋 Changeset detected

Latest commit: 0380e3c

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 0 packages

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@vercel
Copy link

vercel bot commented Mar 20, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
clerk-js-sandbox Ready Ready Preview, Comment Mar 20, 2026 9:21pm

Request Review

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Mar 20, 2026
edited
Loading

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: 68a7b482-5558-4262-90bf-aae8375d2fd2

📥 Commits

Reviewing files that changed from the base of the PR and between f8c6e71 and 0380e3c.

📒 Files selected for processing (1)
  • .github/workflows/e2e-staging.yml
📝 Walkthrough

Walkthrough

A new permissions-check job was added to .github/workflows/e2e-staging.yml. It uses actions/github-script@v7 to call github.rest.orgs.checkMembershipForUser for context.repo.owner and the triggering actor, and the job fails when the membership response is not 204 or when the API returns 404. The validate-instances and integration-tests jobs were updated to need permissions-check. A new Changesets file .changeset/e2e-staging-permissions-check.md containing frontmatter was added.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title directly and clearly describes the main change: adding an organization membership check to the e2e-staging workflow.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Comment @coderabbitai help to get the list of available commands and usage tips.

@pkg-pr-new
Copy link

pkg-pr-new bot commented Mar 20, 2026
edited
Loading

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@8144

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8144

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8144

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8144

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8144

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@8144

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8144

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8144

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8144

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8144

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8144

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8144

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8144

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8144

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8144

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8144

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8144

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8144

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8144

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8144

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8144

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8144

commit: 0380e3c

coderabbitai[bot]
coderabbitai bot reviewed Mar 20, 2026
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/e2e-staging.yml:
- Around line 60-62: The catch always reports "not a member" for
github.rest.orgs.checkMembershipForUser failures; change the handler to inspect
the thrown error (e.g., error.status or error.statusCode) from
github.rests.orgs.checkMembershipForUser and differentiate cases: treat 404 as
"user 'username' is not a member of 'org'", but for 403, 401 or 5xx return a
distinct permission/API failure message that includes the status and
error.message and surface it (via core.setFailed or rethrow) so triage can
distinguish non-membership from auth/permission/API errors; update the catch
around the checkMembershipForUser call (referencing
github.rests.orgs.checkMembershipForUser, core.setFailed, username, org, and
error) to implement this branching behavior.
- Around line 48-50: The current permission check uses context.actor (assigned
to username) which stays as the original actor on reruns; replace that usage
with the runtime triggering actor by reading GITHUB_TRIGGERING_ACTOR (e.g., set
username = process.env.GITHUB_TRIGGERING_ACTOR || context.actor) so permission
enforcement reflects who initiated the current run; keep org derived from
context.repo.owner as before and ensure downstream checks use this updated
username value.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: abe23700-08f4-47c1-bd5e-683137cebf72

📥 Commits

Reviewing files that changed from the base of the PR and between ad782ff and f8c6e71.

📒 Files selected for processing (2)
  • .changeset/e2e-staging-permissions-check.md
  • .github/workflows/e2e-staging.yml

@jacekradko jacekradko merged commit 35d45be into main Mar 21, 2026
44 checks passed
@jacekradko jacekradko deleted the jacek/e2e-staging-permissions-check branch March 21, 2026 01:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@wobsoriano wobsoriano wobsoriano approved these changes

Assignees

No one assigned

Labels

actions

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jacekradko @wobsoriano