feat: support skew protection token (#7796)

* feat: support skew protection token

* chore: remove claude file

* refactor: move options to `getRunBuildOptions`

Author: eduardoboucas

src/commands/deploy/deploy.ts

@@ -680,29 +680,36 @@ const handleBuild = async ({
   currentDir,
   defaultConfig,
   deployHandler,
+  deployId,
   options,
   packagePath,
+  skewProtectionToken,
 }: {
   cachedConfig: CachedConfig
   currentDir: string
   defaultConfig?: DefaultConfig | undefined
   deployHandler?: PatchedHandlerType<OnPostBuild> | undefined
+  deployId?: string
   options: DeployOptionValues
   packagePath: string | undefined
+  skewProtectionToken?: string
 }) => {
   if (!options.build) {
     return {}
   }
   const [token] = await getToken()
   const resolvedOptions = await getRunBuildOptions({
     cachedConfig,
+    currentDir,
     defaultConfig,
+    deployHandler,
+    deployId,
+    options,
     packagePath,
+    skewProtectionToken,
     token,
-    options,
-    currentDir,
-    deployHandler,
   })
+
   const { configMutations, exitCode, newConfig, logs } = await runBuild(resolvedOptions)
   // Without this, the deploy command fails silently
   if (exitCode !== 0) {
@@ -1112,13 +1119,7 @@ export const deploy = async (options: DeployOptionValues, command: BaseCommand)
       source_zip_filename?: string
     }
     const deployId = deployMetadata.id || ''
-    const deployUrl = deployMetadata.deploy_ssl_url || deployMetadata.deploy_url || ''
-
-    command.netlify.cachedConfig.env.DEPLOY_ID = { sources: ['internal'], value: deployId }
-    command.netlify.cachedConfig.env.DEPLOY_URL = { sources: ['internal'], value: deployUrl }
-
-    process.env.DEPLOY_ID = deployId
-    process.env.DEPLOY_URL = deployUrl
+    const skewProtectionToken = deployMetadata.skew_protection_token
 
     if (
       options.uploadSourceZip &&
@@ -1157,6 +1158,8 @@ export const deploy = async (options: DeployOptionValues, command: BaseCommand)
 
           return {}
         },
+        deployId,
+        skewProtectionToken,
       })
     } catch (error) {
       // The build has failed, so let's cancel the deploy we created.

src/lib/build.ts

@@ -132,16 +132,20 @@ export const getRunBuildOptions = async ({
   currentDir,
   defaultConfig,
   deployHandler,
+  deployId,
   options: { context, cwd, debug, dry, json, offline, silent },
   packagePath,
+  skewProtectionToken,
   token,
 }: {
   cachedConfig: CachedConfig
   currentDir: string
   defaultConfig?: undefined | DefaultConfig
   deployHandler?: PatchedHandlerType<OnPostBuild>
+  deployId?: string
   options: OptionValues
   packagePath?: string
+  skewProtectionToken?: string
   token?: null | string
 }): Promise<RunBuildOptions> => {
   const eventHandlers: { onEnd: EventHandler<OnEnd>; onPostBuild?: EventHandler<OnPostBuild> } = {
@@ -170,6 +174,7 @@ export const getRunBuildOptions = async ({
   return {
     cachedConfig,
     defaultConfig: defaultConfig ?? {},
+    deployId,
     siteId: cachedConfig.siteInfo.id,
     accountId: cachedConfig.siteInfo.account_id,
     packagePath,
@@ -191,6 +196,7 @@ export const getRunBuildOptions = async ({
     // @ts-expect-error(serhalp) -- TODO(serhalp): Upstream the type fixes above into @netlify/build
     eventHandlers,
     edgeFunctionsBootstrapURL: await getBootstrapURL(),
+    skewProtectionToken,
   }
 }
 

tests/integration/commands/deploy/deploy.test.ts

@@ -388,14 +388,16 @@ describe.skipIf(process.env.NETLIFY_TEST_DISABLE_LIVE === 'true').concurrent('co
           name: 'log-env',
           plugin: {
             async onPreBuild() {
-              const { DEPLOY_ID, DEPLOY_URL } = require('process').env
+              const { DEPLOY_ID, DEPLOY_URL, NETLIFY_SKEW_PROTECTION_TOKEN } = require('process').env
               console.log(`DEPLOY_ID_PREBUILD: ${DEPLOY_ID}`)
               console.log(`DEPLOY_URL_PREBUILD: ${DEPLOY_URL}`)
+              console.log(`NETLIFY_SKEW_PROTECTION_TOKEN_PREBUILD: ${NETLIFY_SKEW_PROTECTION_TOKEN}`)
             },
             async onSuccess() {
-              const { DEPLOY_ID, DEPLOY_URL } = require('process').env
+              const { DEPLOY_ID, DEPLOY_URL, NETLIFY_SKEW_PROTECTION_TOKEN } = require('process').env
               console.log(`DEPLOY_ID: ${DEPLOY_ID}`)
               console.log(`DEPLOY_URL: ${DEPLOY_URL}`)
+              console.log(`NETLIFY_SKEW_PROTECTION_TOKEN: ${NETLIFY_SKEW_PROTECTION_TOKEN}`)
             },
           },
         })
@@ -424,15 +426,20 @@ describe.skipIf(process.env.NETLIFY_TEST_DISABLE_LIVE === 'true').concurrent('co
       t.expect(output).toContain('Netlify Build completed in')
       const [, deployIdPreBuild] = output.match(/DEPLOY_ID_PREBUILD: (\w+)/) ?? []
       const [, deployURLPreBuild] = output.match(/DEPLOY_URL_PREBUILD: (.+)/) ?? []
+      const [, skewProtectionTokenPreBuild] = output.match(/NETLIFY_SKEW_PROTECTION_TOKEN_PREBUILD: (.+)/) ?? []
       const [, deployId] = output.match(/DEPLOY_ID: (\w+)/) ?? []
       const [, deployURL] = output.match(/DEPLOY_URL: (.+)/) ?? []
+      const [, skewProtectionToken] = output.match(/NETLIFY_SKEW_PROTECTION_TOKEN: (.+)/) ?? []
 
       t.expect(deployIdPreBuild).toBeTruthy()
       t.expect(deployIdPreBuild).not.toEqual('0')
       t.expect(deployURLPreBuild).toContain(`https://${deployIdPreBuild}--`)
       t.expect(deployId).toEqual(deployIdPreBuild)
       t.expect(deployURL).toEqual(deployURLPreBuild)
 
+      t.expect(skewProtectionTokenPreBuild).toEqual(skewProtectionToken)
+      t.expect(skewProtectionToken).toBeTruthy()
+
       await validateContent({ siteUrl: deployURL, path: '', content: rootContent })
       await validateContent({ siteUrl: deployURL, path: '/edge-function', content: 'Hello from edge function' })
       await validateContent({ siteUrl: deployURL, path: '/function', content: 'Hello from function' })