name: Test on: pull_request: jobs: test: runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 - uses: pnpm/action-setup@v4 - uses: actions/setup-node@v6 with: node-version: "24" cache: "pnpm" - run: pnpm install --frozen-lockfile - run: pnpm typecheck - run: pnpm test agents: runs-on: ubuntu-latest timeout-minutes: 20 permissions: contents: read id-token: write strategy: fail-fast: true matrix: agent: [claude, opencode] test: [ codex-auth, mcpmerge, nobash, restricted, skill-invoke-claude, skill-invoke-opencode, smoke, token-exfil, # vertex-claude, # disabled: 0 anthropic quota on pullfrog GCP vertex vertex-opencode, ] exclude: - agent: claude test: skill-invoke-opencode - agent: claude test: codex-auth - agent: opencode test: skill-invoke-claude env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} GOOGLE_GENERATIVE_AI_API_KEY: ${{ secrets.GOOGLE_GENERATIVE_AI_API_KEY }} GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} XAI_API_KEY: ${{ secrets.XAI_API_KEY }} DEEPSEEK_API_KEY: ${{ secrets.DEEPSEEK_API_KEY }} OPENROUTER_API_KEY: ${{ secrets.OPENROUTER_API_KEY }} MOONSHOT_API_KEY: ${{ secrets.MOONSHOT_API_KEY }} OPENCODE_API_KEY: ${{ secrets.OPENCODE_API_KEY }} AWS_BEARER_TOKEN_BEDROCK: ${{ secrets.AWS_BEARER_TOKEN_BEDROCK }} AWS_REGION: us-east-1 BEDROCK_MODEL_ID: us.anthropic.claude-sonnet-4-6 VERTEX_SERVICE_ACCOUNT_JSON: ${{ secrets.VERTEX_SERVICE_ACCOUNT_JSON }} GOOGLE_CLOUD_PROJECT: pullfrog VERTEX_LOCATION: global VERTEX_MODEL_ID: gemini-2.5-flash PULLFROG_MODEL: ${{ vars.PULLFROG_MODEL }} # CI smoke-testing shortcut only — production stores this in Pullfrog's # per-org secret store (Postgres), set via `pullfrog auth codex`. GH # Actions secrets are immutable at runtime so the post-hook can't write # back the rotated refresh token; CI accepts the staleness and we # manually re-provision when smoke tests start failing. Do not copy this # pattern into user-facing workflows. See wiki/codex-auth.md. CODEX_AUTH_JSON: ${{ secrets.CODEX_AUTH_JSON }} steps: - uses: actions/checkout@v6 - uses: pnpm/action-setup@v4 - uses: actions/setup-node@v6 with: node-version: "24" cache: "pnpm" - run: pnpm install --frozen-lockfile - run: pnpm runtest ${{ matrix.test }} ${{ matrix.agent }} agnostic: runs-on: ubuntu-latest timeout-minutes: 15 permissions: contents: read id-token: write strategy: fail-fast: true matrix: test: [ byok-no-keys-fallback, git-permissions, githooks, pkg-json-scripts, push-disabled, push-enabled, push-restricted, timeout, ] env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} steps: - uses: actions/checkout@v6 - uses: pnpm/action-setup@v4 - uses: actions/setup-node@v6 with: node-version: "24" cache: "pnpm" - run: pnpm install --frozen-lockfile - run: pnpm runtest ${{ matrix.test }}