Skip to content

Add guarded build-time secret probe for Webflow Cloud E2E tests#8

Open
fbaralle wants to merge 1 commit into
mainfrom
CLD-2210-e2e-buildtime-secret-probe
Open

Add guarded build-time secret probe for Webflow Cloud E2E tests#8
fbaralle wants to merge 1 commit into
mainfrom
CLD-2210-e2e-buildtime-secret-probe

Conversation

@fbaralle

@fbaralle fbaralle commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

What

Adds a guarded build-time probe so Webflow Cloud's end-to-end tests can verify that build-time secret values are redacted from build logs.

The E2E test sets a secret environment variable E2E_TEST_SECRET and checks that its value never appears in the build logs. For that check to be meaningful, the app has to actually print the secret during the build — a plain next build prints nothing, so there would be nothing to redact.

Changes

  • scripts/e2e-buildtime-secret-probe.mjs — prints E2E_TEST_SECRET behind a stable marker ([webflow-cloud-e2e] build-time secret probe), one line at a time. No-op unless E2E_TEST_SECRET is set.
  • package.json — adds the e2e:buildtime-secret-probe script.
  • next.config.ts — during the production build (PHASE_PRODUCTION_BUILD, which opennextjs-cloudflare build runs), invokes the probe so its output flows through the build log pipeline. Guarded on E2E_TEST_SECRET, so next dev and normal builds are unaffected.

User impact

None for normal users. The hook only runs during a production build and only when E2E_TEST_SECRET is present, which only the E2E sets. When it does run, the printed value is redacted before build logs are exposed — that redaction is exactly what the E2E verifies.

🤖 Generated with Claude Code

Webflow Cloud's end-to-end tests verify that build-time secret values are
redacted from build logs. That requires the app to print the secret during the
build so there is something to redact.

This adds a build-time probe (scripts/e2e-buildtime-secret-probe.mjs) that prints
E2E_TEST_SECRET behind a stable marker during the production build, invoked from
next.config.ts so it runs under `opennextjs-cloudflare build`. It is a no-op
unless E2E_TEST_SECRET is set, so normal builds and `next dev` are unaffected.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant