feat(e2e): add encrypted secrets loading for E2E tests#3414
Merged
fredericoo (Contributor) requested changes, Jan 28, 2026:
lgtm but needs a rebase
Add infrastructure for securely loading test secrets from secrets.ejson
using EJSON encryption. This enables E2E tests to use real gift card codes
without hardcoding them in test files.
Example usage in an E2E test file:
```typescript
import {getRequiredSecret} from '../../fixtures/test-secrets';
const GIFT_CARD_CODE_1 = getRequiredSecret('gift_card_code_1');
const GIFT_CARD_CODE_2 = getRequiredSecret('gift_card_code_2');
```
How it works:
- Secrets stored encrypted in secrets.ejson under `e2e-testing` section
- Local dev: Uses ejson keydir at /opt/ejson/keys (standard convention)
- CI: Uses EJSON_PRIVATE_KEY env var passed via --key-from-stdin
- Single code path for both environments
Security considerations:
- Uses execFileSync (not execSync) to prevent shell injection
- Private key passed via stdin, never on command line or disk
- Secrets decrypted in-memory, never written to files

WHY are these changes introduced?

E2E tests need access to real gift card codes, but hardcoding them in test files is a security risk. This PR adds infrastructure to load test secrets from the encrypted `secrets.ejson` file at runtime.

WHAT is this pull request doing?

Adds a `test-secrets.ts` module that decrypts and loads secrets from the `e2e-testing` section of `secrets.ejson`. Uses a single code path for both local development and CI:
- `/opt/ejson/keys` (standard convention)
- `EJSON_PRIVATE_KEY` env var passed via `--key-from-stdin`

Example usage in E2E tests:

Security considerations:
- `execFileSync` (not `execSync`) to prevent shell injection

HOW to test your changes?
- `/opt/ejson/keys/{public_key}` contains private key
- `getRequiredSecret('gift_card_code_1')` from a test file

Post-merge steps
- `EJSON_PRIVATE_KEY` to GitHub repository secrets (Settings → Secrets → Actions)
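The loading scheme described in the commit message ("How it works" and "Security considerations") and again in the PR description, as an added example; this is not the PR's own `test-secrets.ts`, and the helper names `buildDecryptInvocation`, `parseE2eSecrets` and `loadE2eSecrets` are assumed. It relies on the `ejson decrypt --key-from-stdin` invocation the page names and on the `e2e-testing` section layout it describes.

```typescript
import {execFileSync} from 'child_process';

type SecretMap = Record<string, string>;

// argv for `ejson decrypt`. execFileSync takes an array, so no shell parses it
// and a crafted file name cannot inject commands. With a private key present
// (CI: EJSON_PRIVATE_KEY) the key is fed on stdin via --key-from-stdin; without
// one, ejson falls back to its keydir under /opt/ejson/keys (local dev).
function buildDecryptInvocation(file: string, privateKey?: string) {
  const args = privateKey ? ['decrypt', '--key-from-stdin', file] : ['decrypt', file];
  return {args, input: privateKey};
}

// Keep only the `e2e-testing` section of the decrypted document; `_public_key`
// and unrelated sections are dropped, and non-string values are rejected.
function parseE2eSecrets(decryptedJson: string): SecretMap {
  const doc = JSON.parse(decryptedJson) as Record<string, unknown>;
  const section = doc['e2e-testing'];
  if (typeof section !== 'object' || section === null) {
    throw new Error('secrets.ejson has no "e2e-testing" section');
  }
  const out: SecretMap = {};
  for (const [name, value] of Object.entries(section)) {
    if (typeof value !== 'string') throw new Error(`secret "${name}" is not a string`);
    out[name] = value;
  }
  return out;
}

function getRequiredSecret(name: string, secrets: SecretMap): string {
  const value = secrets[name];
  if (!value) throw new Error(`missing required E2E secret "${name}"`);
  return value;
}

// Plaintext stays in memory: ejson prints to stdout and nothing is written to disk.
function loadE2eSecrets(file = 'secrets.ejson'): SecretMap {
  const {args, input} = buildDecryptInvocation(file, process.env.EJSON_PRIVATE_KEY);
  return parseE2eSecrets(execFileSync('ejson', args, {input, encoding: 'utf8'}));
}

// Constructed sample of what `ejson decrypt` prints (all values are placeholders).
const SAMPLE_DECRYPTED = JSON.stringify({
  _public_key: 'PLACEHOLDER_PUBLIC_KEY',
  'e2e-testing': {gift_card_code_1: 'CONSTRUCTED-CODE-1', gift_card_code_2: 'CONSTRUCTED-CODE-2'},
  other: {not_for_tests: 'ignored'},
});
```

`loadE2eSecrets()` needs the `ejson` binary and a key; the other functions run against `SAMPLE_DECRYPTED` without it.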