feat(apiSmokeTest): legacy-api-key fallback for stacks past TempApiKey #55
Merged
chrisdicaprio approved these changes Jun 10, 2026
chrisbc added a commit that referenced this pull request Jun 10, 2026
The Setup Yarn2 step hard-coded `yarn set version berry` before
`yarn install --immutable`. This forces the latest 4.x release and
overrides whatever `packageManager` field the consumer has pinned.
When a consumer is on an older yarn (e.g. 4.14.x with yarn.lock
metadata `version: 9`) and `berry` resolves to 4.16.0 (which uses
metadata `version: 10`), `yarn install --immutable` then refuses to
write the metadata bump and the workflow fails:
YN0028: │ - version: 9
YN0028: │ + version: 10
YN0028: │ The lockfile would have been modified by this install,
which is explicitly forbidden.
Causes a self-failure too: the self-tests on this repo use the
`samplePythonProject*` fixtures which pin `yarn@4.14.1` with v9
lockfiles. The PR-test job for #55 was failing for exactly this
reason — has nothing to do with the smoketest changes in the
parent commits.
Fix: drop the `yarn set version berry` line. Corepack already
respects the `packageManager` field in package.json, so consumers
keep their pin. Consumers can use any yarn 4.x (or upgrade to
yarn 5 in future) without needing to wait for a workflow update.
Applies to both `deploy-to-aws-uv.yml` and `deploy-to-aws.yml`.
Stacks that have migrated past `apiGateway.apiKeys` in their serverless config to a Lambda authorizer (which accepts x-api-key via env var) have no `TempApiKey-*` line in deploy.out. The action's key-extraction regex misses, `keyMatch` is null, and the action crashes with:

Could not find key TypeError: Cannot read properties of null (reading '0')

apiSmokeTest action
-------------------
- New optional input `legacy-api-key` — used as the x-api-key value when the TempApiKey regex misses in deploy.out.
- src/index.js: null-safety on keyMatch and urlMatch; falls back to legacy-api-key input when regex misses.
- core.setSecret(key) regardless of source so the value is masked in subsequent log output. "Key: …" info line now prints "Key: <masked>".
- dist/index.js + sourcemap rebuilt via yarn build (rollup).

deploy-to-aws-uv.yml
--------------------
- New optional secret `smoketest-legacy-api-key` — passed through to the action's `legacy-api-key` input. Callers that have moved past TempApiKey can pass their Lambda-authorizer x-api-key value.

Backward-compatible
-------------------
- legacy-api-key defaults to "". Stacks still emitting TempApiKey-* in deploy.out work unchanged.

Downstream
----------
- GNS-Science/nshm-toshi-api/deploy-aws-lambda.yaml will pass smoketest-legacy-api-key after this lands.
…ted secrets
After review feedback (would have required all callers to switch from
`secrets: inherit` to an explicit secret block — a big breaking change),
revise the design so that the shared workflow reads inherited secrets
directly. Caller workflows keep `secrets: inherit` and need no changes.
The smoketest step's `legacy-api-key` input now picks up the first
non-empty value from a fallback chain of standard GNS-Science API-key
secrets:
LEGACY_API_KEY
NZSHM22_TOSHI_API_KEY
NZSHM22_KORORAA_API_KEY
NZSHM22_NSHM_MODEL_API_KEY
NZSHM22_SOLVIS_API_KEY
NZSHM22_HAZARD_API_KEY
Each consumer's serverless.yml wires its own named secret into the
Lambda authorizer's LEGACY_API_KEY env var; the same value flows
through to the smoketest with no extra plumbing.
The `secrets:` block on the workflow_call is dropped — no new caller-
facing API surface.
The non-uv `deploy-to-aws.yml` had the same Smoke Test step shape as `deploy-to-aws-uv.yml` but was missing the legacy-api-key fallback that was added to the uv variant in the previous commit. Adding it here for parity — consumers using the non-uv workflow with a stack that has moved past `apiGateway.apiKeys` will otherwise hit the same "Could not find key" failure.
64e7520 to
d86788d
Summary

Unblocks downstream deploys (`nshm-toshi-api/deploy-test` and any other repo that has migrated past the legacy `apiGateway.apiKeys` config in serverless).

Currently the action extracts the API key from `deploy.out` with:

In stacks that have moved past `apiGateway.apiKeys` to a Lambda authorizer with x-api-key compatibility, `deploy.out` no longer contains a `TempApiKey-…` line. The regex misses, `keyMatch` is null, and the action fails with:

Has been ~~blocking~~ appearing as deployment noise for `nshm-toshi-api/deploy-test` since 2026-05-11.

Changes

`apiSmokeTest` action
- `legacy-api-key` (optional, defaults to `""`). Used as the fallback x-api-key value when the TempApiKey regex misses.
- `keyMatch` and `urlMatch` — don't index `[0]` when the regex didn't match. Failure now reports a clear message via `core.setFailed` instead of throwing.
- `core.setSecret(key)` regardless of source. The "Key: …" info line now prints "Key: <masked>".
- `dist/index.js` rebuilt via `yarn build` (rollup). The dist diff is large because the local rebuild picked up newer transitive deps; the meaningful src change is small and isolated to `src/index.js`.

`deploy-to-aws-uv.yml`
- `smoketest-legacy-api-key`. Passed through to the action's `legacy-api-key` input.

Backward compatibility

`legacy-api-key` defaults to `""`. Stacks still emitting `TempApiKey-…` in deploy output work unchanged — no caller change required.

Downstream

Companion PR in `nshm-toshi-api` will add `secrets.smoketest-legacy-api-key` to the local deploy workflow once this merges.

Test plan

- `yarn install` + `yarn build` in `apiSmokeTest/` — succeed
- `dist/index.js` contains the new fallback logic (grep-verified)
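
The null-safe key extraction, fallback and masking order described in this pull request, as an added example that is not the action's `src/index.js`. The two regexes, the function names `resolveApiKey` and `planSmokeTest`, and the sample deploy output are assumptions, since the real pattern is not shown on this page.

```javascript
// Added example: regexes and deploy output below are constructed assumptions.
const KEY_RE = /TempApiKey-[\w-]+:\s*(\S+)/; // hypothetical pattern
const URL_RE = /https:\/\/\S+/;              // hypothetical pattern

const KEYED_STACK_OUT = [
  "endpoints:",
  "  POST - https://abc123.execute-api.example/dev/graphql",
  "api keys:",
  "  TempApiKey-dev: CONSTRUCTED-KEY-0001",
].join("\n");
// Stack behind a Lambda authorizer: no "api keys" section at all.
const AUTHORIZER_STACK_OUT = KEYED_STACK_OUT.split("\n").slice(0, 2).join("\n");

// Prefer the key from the deploy output; otherwise use the legacy input.
function resolveApiKey(deployOut, legacyApiKey = "") {
  const keyMatch = deployOut.match(KEY_RE); // null when the line is absent
  if (keyMatch) return { key: keyMatch[1], source: "deploy.out" };
  const legacy = legacyApiKey.trim();
  return legacy ? { key: legacy, source: "legacy-api-key" } : { key: null, source: null };
}

// Returns the lines the step would log, or a failure message instead of a TypeError.
function planSmokeTest(deployOut, legacyApiKey = "") {
  const urlMatch = deployOut.match(URL_RE);
  if (!urlMatch) return { ok: false, error: "no endpoint URL in deploy output", log: [] };
  const { key, source } = resolveApiKey(deployOut, legacyApiKey);
  if (!key) {
    return { ok: false, error: "no TempApiKey line and legacy-api-key is empty", log: [] };
  }
  const log = [
    `::add-mask::${key}`, // workflow command that core.setSecret issues; must come first
    `Key: <masked> (source: ${source})`,
    `URL: ${urlMatch[0]}`,
  ];
  return { ok: true, url: urlMatch[0], key, source, log };
}

for (const [name, out, legacy] of [
  ["keyed stack", KEYED_STACK_OUT, ""],
  ["authorizer stack + legacy key", AUTHORIZER_STACK_OUT, "CONSTRUCTED-LEGACY-KEY"],
  ["authorizer stack, no key", AUTHORIZER_STACK_OUT, ""],
]) {
  const r = planSmokeTest(out, legacy);
  console.log(name, "->", r.ok ? r.log.slice(1).join(" | ") : `FAILED: ${r.error}`);
}
```

The mask is registered before any other line is logged, so a key from either source is redacted in everything the step prints afterwards.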