Skip to content

Comments

Add request signing tests to multi-runtime compatibility CI#645

Merged
tillrohrmann merged 1 commit intorestatedev:mainfrom
tillrohrmann:request-signing
Feb 19, 2026
Merged

Add request signing tests to multi-runtime compatibility CI#645
tillrohrmann merged 1 commit intorestatedev:mainfrom
tillrohrmann:request-signing

Conversation

@tillrohrmann
Copy link
Contributor

I've asked our automation engineer Claude to help me with adding support for testing request signing across the different TS runtimes.

Enable identity verification (request signing) in the 5 runtime compatibility tests (Node, Bun, Deno, Cloudflare Workers, Vercel) to ensure that dependency upgrades in restate-sdk-shared-core won't break JWT signature verification across JS runtimes.

Changes:

  • Add a test-only ED25519 keypair in test/fixtures/request-signing/
  • Modify all 6 example services to optionally enable identity verification via the RESTATE_IDENTITY_KEYS env var
  • Switch 5 CI workflow templates from services: block to docker run so the Restate server's signing private key PEM file can be mounted
  • Lambda template is unchanged (uses same WASM core as Node)

Comment on lines +45 to +48
- name: Create .dev.vars for Cloudflare Worker
working-directory: packages/examples/cloudflare
run: |
echo "RESTATE_IDENTITY_KEYS=${{ env.RESTATE_IDENTITY_KEYS }}" > .dev.vars
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure whether this is really working.

Comment on lines +27 to +28
const identityKeys =
process.env.RESTATE_IDENTITY_KEYS?.split(",").filter(Boolean);
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this ok to add to the public examples? Alternatively, we could add dedicated testing handlers to the repo. Same question for all the other example handlers.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sounds good to me, these are not ready to clone examples anyway, that's something we have in the examples repo.
just make sure it tolerates starting without identity keys.

Enable identity verification (request signing) in the 5 runtime
compatibility tests (Node, Bun, Deno, Cloudflare Workers, Vercel) to
ensure that dependency upgrades in restate-sdk-shared-core won't break
JWT signature verification across JS runtimes.

Changes:
- Add a test-only ED25519 keypair in test/fixtures/request-signing/
- Modify all 6 example services to optionally enable identity
  verification via the RESTATE_IDENTITY_KEYS env var
- Switch 5 CI workflow templates from services: block to docker run
  so the Restate server's signing private key PEM file can be mounted
- Lambda template is unchanged (uses same WASM core as Node)

Fix Cloudflare Worker: enable nodejs_compat_populate_process_env

The Cloudflare Workers runtime does not define `process` by default,
even with nodejs_compat enabled. Add the nodejs_compat_populate_process_env
compatibility flag so that process.env is populated from Worker bindings
(including .dev.vars in local development). This allows the identity key
env var to be read at module scope without restructuring the example.

Bump wrangler to ^4.66.0

Update wrangler minimum version to get a newer workerd runtime that
may properly support nodejs_compat_populate_process_env at module
evaluation time.

Update pnpm-lock.yaml for wrangler ^4.66.0

Fix Cloudflare Worker: use globalThis.process for safe env access

The Cloudflare Workers runtime does not define the process global at
module evaluation time, even with nodejs_compat_populate_process_env.
Use globalThis.process?.env?. with full optional chaining to safely
handle this, matching the pattern used by the SDK itself in
console_logger_transport.ts.
@tillrohrmann
Copy link
Contributor Author

The tests seem to pass now :-) I needed to use thisGlobal to access process. On the way, I also bumped the wrangler dependency in a desperate attempt to solve the problem differently. Kept it as it does not seem to hurt.

Copy link
Contributor

@nikrooz nikrooz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@tillrohrmann tillrohrmann merged commit 754f9d1 into restatedev:main Feb 19, 2026
8 checks passed
@tillrohrmann tillrohrmann deleted the request-signing branch February 19, 2026 09:49
@slinkydeveloper
Copy link
Collaborator

Thanks 🙏

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants