From 50a7b574085f05182e7420e982ba821df086b75b Mon Sep 17 00:00:00 2001 From: Brian Love Date: Thu, 18 Jun 2026 20:32:24 -0700 Subject: [PATCH] =?UTF-8?q?ci:=20fix=20preview=20smoke=20probe=20=E2=80=94?= =?UTF-8?q?=20drop=20broken=20beta=20`vercel=20curl`,=20skip=20gracefully?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The smoke-preview job failed on every PR. The protected preview (401 without a bypass) was probed via the Vercel CLI's beta `curl` subcommand, pinned to `vercel@latest`. A CLI update (54.14.0) dropped the `-- ` passthrough, so `--write-out "%{http_code}"`/`--token` leaked to the inner curl: `curl: option --token=***: is unknown` → "did not return 200" → exit 1. The preview deploy itself succeeded; only the readiness probe broke. The token-based path was always a degraded fallback (readiness ping, no real browser smoke) and the new `vercel curl` exposes no HTTP status, so it can't gate on 200. Replace it with the intended design: - bypass secret present → wait via plain curl + x-vercel-protection-bypass, then run the real Playwright browser smoke (unchanged path) - bypass secret absent → skip gracefully (job stays green) with a step-summary explaining how to add VERCEL_AUTOMATION_BYPASS_SECRET to enable real coverage Removes the `vercel@latest` beta dependency (the root cause of recurring breakage) and the now-dead "Prepare Vercel project settings" step (only the deleted `vercel curl` needed project linking). Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/ci.yml | 35 ++++++++--------------------------- 1 file changed, 8 insertions(+), 27 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 022b6eac..111bb988 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -232,20 +232,20 @@ jobs: node-version: 22 cache: pnpm - run: pnpm install --frozen-lockfile - - name: Prepare Vercel project settings - run: | - mkdir -p .vercel - cat > .vercel/project.json <> "$GITHUB_OUTPUT" else - echo "mode=vercel-curl" >> "$GITHUB_OUTPUT" - echo "No VERCEL_AUTOMATION_BYPASS_SECRET repository secret is configured; verifying protected preview readiness with vercel curl instead of browser smoke." >> "$GITHUB_STEP_SUMMARY" + echo "mode=skip" >> "$GITHUB_OUTPUT" + { + echo "### Preview smoke skipped" + echo + echo "No \`VERCEL_AUTOMATION_BYPASS_SECRET\` repository secret is configured, so the Playwright browser smoke cannot reach the protection-gated preview (it returns 401 without a bypass)." + echo + echo "Add the secret to enable real preview smoke coverage: Vercel → Project → Settings → Deployment Protection → Protection Bypass for Automation, then save it as the \`VERCEL_AUTOMATION_BYPASS_SECRET\` repository secret." + } >> "$GITHUB_STEP_SUMMARY" fi - name: Install Playwright browser if: steps.preview-access.outputs.mode == 'browser' @@ -264,25 +264,6 @@ jobs: done echo "Preview did not return 200" exit 1 - - name: Verify protected preview readiness with Vercel CLI - if: steps.preview-access.outputs.mode == 'vercel-curl' - run: | - for i in 1 2 3 4 5 6; do - code=$(npx --yes vercel@latest curl / \ - --deployment "$PREVIEW_URL" \ - --token=${{ secrets.VERCEL_TOKEN }} \ - --yes \ - -- \ - --silent \ - --show-error \ - --output /dev/null \ - --write-out "%{http_code}" || true) - echo "Attempt $i: HTTP $code" - if [ "$code" = "200" ]; then exit 0; fi - sleep 5 - done - echo "Protected preview did not return 200 through vercel curl" - exit 1 - name: Smoke test preview with Playwright if: steps.preview-access.outputs.mode == 'browser' env: