chore: add workflow to run tests against different runtimes

[frederikprijck]

Description

This PR adds CI workflows to verify runtime compatibility across Bun, Deno, and Cloudflare Workers for all three packages (auth0-auth-js, auth0-server-js, auth0-api-js).

New workflows

• runtime-bun.yml — Installs dependencies and runs tests using Bun
• runtime-deno.yml — Runs tests via deno run with Vitest
• runtime-workers.yml — Runs tests in a simulated Cloudflare Workers environment using @cloudflare/vitest-pool-workers

Per-package changes

Each package (auth0-auth-js, auth0-server-js, auth0-api-js) received:

• A test:workers script that runs Vitest with the Workers-specific config
• A vitest.config.workers.ts using the @cloudflare/vitest-pool-workers pool
• A wrangler.toml with nodejs_compat enabled
• A src/index.workers.spec.ts smoke test that verifies the main client can be instantiated in a Workers environment
• @cloudflare/vitest-pool-workers and wrangler added as dev dependencies

Because we need to refactor our tests to properly run on Cloudflare Workers, we are adding just the smoke test in this PR, but I have a follow up with a PR that refactors the tests to run on Cloudflare Workers.

Cross-runtime fixes

• Changed fs imports to node:fs in auth0-auth-js to align with explicit Node.js built-in conventions required by some runtimes.
• Updated the DPoP error message regex in auth0-api-js to handle a different error thrown by jose on Deno and Cloudflare Workers when private key material is present in the jwk header parameter.

References

#148

Checklist

• I have added documentation for new/changed functionality in this PR or in auth0.com/docs
• All active GitHub checks for tests, formatting, and security are passing
• The correct base branch is being used, if not the default branch

Summary by CodeRabbit

• New Features

  • Added runtime compatibility testing for Bun, Deno, and Cloudflare Workers.
  • Improved DPoP validation with an explicit error message for non-public key material.

• Tests

  • Added worker-targeted test suites and configs for multiple packages.
  • Added dedicated worker test commands alongside existing CI test scripts.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: b6c11a34-75c7-4c19-8081-602020f40754

📥 Commits

Reviewing files that changed from the base of the PR and between 1d0d66e and e317a61.

📒 Files selected for processing (4)

• packages/auth0-api-js/package.json
• packages/auth0-auth-js/package.json
• packages/auth0-server-js/package.json
• packages/auth0-server-js/vitest.config.ts

✅ Files skipped from review due to trivial changes (1)

• packages/auth0-server-js/vitest.config.ts

🚧 Files skipped from review as they are similar to previous changes (3)

• packages/auth0-auth-js/package.json
• packages/auth0-server-js/package.json
• packages/auth0-api-js/package.json

---

📝 Walkthrough

Walkthrough

This PR adds multi-runtime test support and CI: Cloudflare Workers worker-test infra and instantiation tests across three packages, Bun and Deno CI workflows, a DPoP error-message constant with broadened test matching, and Node core import specifier fixes.

Changes

Multi-Runtime Compatibility Testing

Layer / File(s)	Summary
Worker Test Framework Setup packages/auth0-api-js/package.json, packages/auth0-api-js/vitest.config.workers.ts, packages/auth0-api-js/wrangler.toml, packages/auth0-auth-js/package.json, packages/auth0-auth-js/vitest.config.workers.ts, packages/auth0-auth-js/wrangler.toml, packages/auth0-server-js/package.json, packages/auth0-server-js/vitest.config.workers.ts, packages/auth0-server-js/wrangler.toml	Adds test:workers scripts, adds @cloudflare/vitest-pool-workers and wrangler devDependencies, creates worker-specific Vitest configs that target src/**/*.workers.spec.ts, and adds wrangler.toml for each package.
Worker Instantiation Tests packages/auth0-api-js/src/index.workers.spec.ts, packages/auth0-auth-js/src/index.workers.spec.ts, packages/auth0-server-js/src/index.workers.spec.ts	New worker-spec tests that instantiate ApiClient and AuthClient; ServerClient test includes in-memory TestStateStore and TestTransactionStore implementations and verifies instantiation.
Runtime CI Workflows .github/workflows/runtime-bun.yml, .github/workflows/runtime-deno.yml, .github/workflows/runtime-workers.yml	Adds CI workflows for Bun, Deno, and Workers. Each workflow runs a test_core job for auth0-auth-js then a matrix job for auth0-server-js and auth0-api-js; workflows trigger on pushes and PRs to main, use concurrency groups, and set read-only repo permissions.
DPoP Error Message Refinement packages/auth0-api-js/src/dpop-api.ts, packages/auth0-api-js/src/dpop-api.spec.ts	Adds DPOP_ERROR_MESSAGES.HEADER_PARAMETER_MUST_BE_PUBLIC_KEY and broadens the test to accept multiple runtime-specific error message substrings when private key material is present.
Node.js Core Module Imports packages/auth0-auth-js/tsup.config.ts, packages/auth0-auth-js/vitest.config.ts, packages/auth0-server-js/vitest.config.ts	Switches readFileSync imports from fs to the explicit node:fs specifier in configuration files.

🎯 3 (Moderate) | ⏱️ ~20 minutes

🐰 Runtime hopping, tests that bloom,
Workers, Deno, Bun fill the room,
Each config set, each test in place,
Multi-runtime with graceful pace! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title 'chore: add workflow to run tests against different runtimes' accurately and concisely describes the main objective—adding CI workflows for runtime compatibility testing across Bun, Deno, and Cloudflare Workers.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/runtimes-ci

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

packages/auth0-api-js/src/dpop-api.ts (1)

54-54: 💤 Low value

String.raw is unnecessary here.

The template literal doesn't contain backslashes or template variables, so String.raw serves no purpose. A regular string literal would be clearer.

✨ Suggested simplification

-  HEADER_PARAMETER_MUST_BE_PUBLIC_KEY: String.raw`"jwk" (JSON Web Key) Header Parameter must be a public key`,
+  HEADER_PARAMETER_MUST_BE_PUBLIC_KEY: '"jwk" (JSON Web Key) Header Parameter must be a public key',

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/auth0-api-js/src/dpop-api.ts` at line 54, The constant
HEADER_PARAMETER_MUST_BE_PUBLIC_KEY currently uses String.raw with a plain
template literal; replace String.raw`"jwk" (JSON Web Key) Header Parameter must
be a public key` with a normal string literal (e.g. "\"jwk\" (JSON Web Key)
Header Parameter must be a public key") to remove the unnecessary String.raw
wrapper in the declaration of HEADER_PARAMETER_MUST_BE_PUBLIC_KEY in
dpop-api.ts.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/runtime-bun.yml:
- Around line 22-25: Update the workflow steps that use actions/checkout and
oven-sh/setup-bun to pin to immutable SHAs and disable credential persistence:
replace usages of "actions/checkout@v4" with the specific
actions/checkout@<commit-SHA> and set the checkout step's input
persist-credentials: false, and replace "oven-sh/setup-bun@v2" with
oven-sh/setup-bun@<commit-SHA>; apply the same changes to both jobs/steps that
reference actions/checkout and oven-sh/setup-bun so all checkout/setup-bun
invocations are SHA-pinned and checkout does not persist credentials.

In @.github/workflows/runtime-deno.yml:
- Around line 23-31: Pin the mutable action tags and disable checkout credential
persistence: replace actions/checkout@v4, denoland/setup-deno@v2, and
actions/setup-node@v5 with their corresponding commit SHAs (use the specific
commit refs for each action) and add with: persist-credentials: false to the
actions/checkout step(s); update the checkout steps in both jobs test_core and
test to include persist-credentials: false so the GITHUB_TOKEN is not stored in
git config.

In @.github/workflows/runtime-workers.yml:
- Around line 23-26: The workflow uses actions/checkout@v4 and
actions/setup-node@v5 without pinning or disabling credential persistence;
update both occurrences of the checkout step to pin to the specific commit SHAs
for actions/checkout and actions/setup-node and add persist-credentials: false
to the actions/checkout steps so the default checkout token is not retained;
ensure you update both job blocks where actions/checkout and actions/setup-node
appear (the checkout step and the setup-node step) and verify the SHA pins
reference the corresponding repository commit SHAs for those actions.

---

Nitpick comments:
In `@packages/auth0-api-js/src/dpop-api.ts`:
- Line 54: The constant HEADER_PARAMETER_MUST_BE_PUBLIC_KEY currently uses
String.raw with a plain template literal; replace String.raw`"jwk" (JSON Web
Key) Header Parameter must be a public key` with a normal string literal (e.g.
"\"jwk\" (JSON Web Key) Header Parameter must be a public key") to remove the
unnecessary String.raw wrapper in the declaration of
HEADER_PARAMETER_MUST_BE_PUBLIC_KEY in dpop-api.ts.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 08443907-dcfb-464d-9a23-8a1f3330a77b

📥 Commits

Reviewing files that changed from the base of the PR and between 1818362 and 1d0d66e.

📒 Files selected for processing (19)

• .github/workflows/runtime-bun.yml
• .github/workflows/runtime-deno.yml
• .github/workflows/runtime-workers.yml
• packages/auth0-api-js/package.json
• packages/auth0-api-js/src/dpop-api.spec.ts
• packages/auth0-api-js/src/dpop-api.ts
• packages/auth0-api-js/src/index.workers.spec.ts
• packages/auth0-api-js/vitest.config.workers.ts
• packages/auth0-api-js/wrangler.toml
• packages/auth0-auth-js/package.json
• packages/auth0-auth-js/src/index.workers.spec.ts
• packages/auth0-auth-js/tsup.config.ts
• packages/auth0-auth-js/vitest.config.ts
• packages/auth0-auth-js/vitest.config.workers.ts
• packages/auth0-auth-js/wrangler.toml
• packages/auth0-server-js/package.json
• packages/auth0-server-js/src/index.workers.spec.ts
• packages/auth0-server-js/vitest.config.workers.ts
• packages/auth0-server-js/wrangler.toml

[Piyush-85]

Can we rename these Build steps to "Build auth0-auth-js" and "Build ${{ matrix.package }}". Would be easy to figure out what failed.

[Piyush-85]

Can be applied here as well https://github.com/auth0/auth0-auth-js/pull/150/changes#r3355535181

[Piyush-85]

Should we consider updating these packages to latest version !!

[Piyush-85]

Should we consider adding exclude: ['src/**/*.workers.spec.ts'], as of today we don't have worker specific apis but later this can fail.