This page documents the automated workflows and testing frameworks used to maintain the reliability, security, and data integrity of Stack Auth. The infrastructure is primarily built on GitHub Actions and Vitest, covering everything from unit tests and linting to full end-to-end (E2E) API testing and database migration compatibility.
The CI/CD pipeline is designed to provide rapid feedback while ensuring that no regressions are introduced to the core authentication logic or the multi-tenant database schema.
| Workflow | Purpose | Trigger |
|---|---|---|
lint-and-build.yaml | Validates code style, types, and buildability. | Push (main/dev), PR |
e2e-api-tests.yaml | Runs full suite of API tests against a live environment. | Push (main/dev), PR |
check-prisma-migrations.yaml | Ensures the Prisma schema matches generated migrations. | Push (main/dev), PR |
db-migration-backwards-compatibility.yaml | Verifies new migrations don't break existing code. | Push (non-main), PR |
setup-tests.yaml | Validates the CLI initialization and setup wizard. | Push (main/dev), PR |
all-good.yaml | Aggregate status check for branch protection. | Push (main/dev), PR |
The all-good.yaml workflow acts as a gatekeeper. It polls the GitHub Checks API to ensure all other mandatory workflows have completed successfully before a PR can be merged .github/workflows/all-good.yaml15-51 It specifically ignores non-blocking checks like claude-review .github/workflows/all-good.yaml45 It implements a polling loop that waits for completion and fails if any required check has a non-success conclusion .github/workflows/all-good.yaml53-112
Sources: .github/workflows/all-good.yaml1-113
The E2E suite is the most critical part of the testing infrastructure. It spins up the entire Stack Auth stack, including dependencies like PostgreSQL, ClickHouse, and Svix.
The environment is configured via .env.test.local files, which are cloned from development templates during the CI run .github/workflows/e2e-api-tests.yaml57-96
docker compose for external services .github/workflows/e2e-api-tests.yaml44-52JarvusInnovations/background-action .github/workflows/e2e-api-tests.yaml119-163pnpm exec wait-on to ensure TCP/HTTP ports (e.g., 8128 for Postgres, 8136 for ClickHouse) are ready before proceeding .github/workflows/e2e-api-tests.yaml101-115To ensure the system is robust against port conflicts and environment variations, a dedicated workflow e2e-custom-base-port-api-tests.yaml runs the entire suite using a custom NEXT_PUBLIC_STACK_PORT_PREFIX (e.g., "67") .github/workflows/e2e-custom-base-port-api-tests.yaml21 This shifts all service ports (e.g., Postgres moves from 8128 to 6728, Svix to 6713) .github/workflows/e2e-custom-base-port-api-tests.yaml20-107
This diagram maps the CI workflow steps to the actual service entities started in the background.
Sources: .github/workflows/e2e-api-tests.yaml44-180 .github/workflows/e2e-custom-base-port-api-tests.yaml112-156
Because the E2E tests generate dynamic data (UUIDs, timestamps, API keys), the snapshot-serializer.ts is used to sanitize Vitest snapshots. This ensures that snapshots remain deterministic across test runs.
isApiKey and replaces them with a generic string indicating the key type (e.g., stack_sk_<stripped secret server API key>) apps/e2e/tests/snapshot-serializer.ts156-159<stripped UUID> apps/e2e/tests/snapshot-serializer.ts162-168<$NEXT_PUBLIC_STACK_PORT_PREFIX> apps/e2e/tests/snapshot-serializer.ts123-125set-cookie, authorization, and x-stack-request-id apps/e2e/tests/snapshot-serializer.ts8-32access_token, refresh_token, exp, and various _at_millis timestamps apps/e2e/tests/snapshot-serializer.ts36-88Sources: apps/e2e/tests/snapshot-serializer.ts1-126
Stack Auth implements strict checks for database schema changes to prevent data corruption and ensure zero-downtime deployments.
The check-prisma-migrations.yaml workflow runs prisma migrate diff to compare the current state of the database against the local schema.prisma file .github/workflows/check-prisma-migrations.yaml60-61 If the schema has been modified without a corresponding migration file being generated, the check fails.
The db-migration-backwards-compatibility.yaml workflow performs a "drift test":
dev or main) .github/workflows/db-migration-backwards-compatibility.yaml26-49After tests complete, the verify-data-integrity.ts script is executed .github/workflows/e2e-api-tests.yaml179-180 It performs deep checks:
verifyClickhouseSync apps/backend/scripts/verify-data-integrity/index.ts16createPaymentsSchema and createBulldozerExecutionContext apps/backend/scripts/verify-data-integrity/index.ts174-176verifyStripePayoutIntegrity (unless using mock keys) apps/backend/scripts/verify-data-integrity/index.ts19 apps/backend/scripts/verify-data-integrity/index.ts159-161Sources: .github/workflows/db-migration-backwards-compatibility.yaml1-200 apps/backend/scripts/verify-data-integrity/index.ts1-180 .github/workflows/check-prisma-migrations.yaml1-62
The setup-tests.yaml workflow specifically validates the CLI initialization and the initial onboarding experience.
pnpm run build:packages .github/workflows/setup-tests.yaml38pnpm run codegen to ensure all generated types are up to date .github/workflows/setup-tests.yaml39pnpm run dev to start the local development environment .github/workflows/setup-tests.yaml44setup-wizard.test.ts), ensuring that project initialization works correctly .github/workflows/setup-tests.yaml50-59Sources: .github/workflows/setup-tests.yaml1-59 .github/workflows/e2e-api-tests.yaml24 apps/backend/scripts/verify-data-integrity/index.ts21
Refresh this wiki