From fc39861bedc69bcfa98641aa78a5058ab71d9b69 Mon Sep 17 00:00:00 2001 From: Brian Love Date: Fri, 19 Jun 2026 16:33:27 -0700 Subject: [PATCH] ci: preview readiness ping uses bypass header only (200, not 307) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Now that VERCEL_AUTOMATION_BYPASS_SECRET is configured, smoke-preview runs in browser mode. The "Wait for preview to respond" readiness curl sent `x-vercel-set-bypass-cookie: true`, which makes Vercel reply 307 + Set-Cookie (seeding the bypass cookie) instead of 200 — a cookieless curl never reaches the `= 200` check, so the step would fail on every PR. Drop that header from the readiness ping; the bypass header alone returns 200 (verified against a live protected preview). Playwright keeps both headers (it persists the cookie across requests) and the chromium smoke passes 4/4 against the protected preview. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/ci.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 111bb98..f146f3e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -253,10 +253,15 @@ jobs: - name: Wait for preview to respond if: steps.preview-access.outputs.mode == 'browser' run: | + # Readiness ping only: send the bypass header alone. Do NOT send + # `x-vercel-set-bypass-cookie: true` here — that makes Vercel answer + # with a 307 + Set-Cookie (to seed the bypass cookie) rather than 200, + # which a cookieless curl can't satisfy. Playwright keeps the cookie + # header (it persists the cookie across requests); this plain curl + # just needs a 200 to know the deployment is live. for i in 1 2 3 4 5 6; do code=$(curl -sS -o /dev/null -w "%{http_code}" \ -H "x-vercel-protection-bypass: $VERCEL_AUTOMATION_BYPASS_SECRET" \ - -H "x-vercel-set-bypass-cookie: true" \ "$PREVIEW_URL" || true) echo "Attempt $i: HTTP $code" if [ "$code" = "200" ]; then exit 0; fi