Add request signing tests to multi-runtime compatibility CI#645
Merged
tillrohrmann merged 1 commit intorestatedev:mainfrom Feb 19, 2026
Merged
Add request signing tests to multi-runtime compatibility CI#645tillrohrmann merged 1 commit intorestatedev:mainfrom
tillrohrmann merged 1 commit intorestatedev:mainfrom
Conversation
tillrohrmann
commented
Feb 18, 2026
Comment on lines
+45
to
+48
| - name: Create .dev.vars for Cloudflare Worker | ||
| working-directory: packages/examples/cloudflare | ||
| run: | | ||
| echo "RESTATE_IDENTITY_KEYS=${{ env.RESTATE_IDENTITY_KEYS }}" > .dev.vars |
Contributor
Author
There was a problem hiding this comment.
Not sure whether this is really working.
tillrohrmann
commented
Feb 18, 2026
Comment on lines
+27
to
+28
| const identityKeys = | ||
| process.env.RESTATE_IDENTITY_KEYS?.split(",").filter(Boolean); |
Contributor
Author
There was a problem hiding this comment.
Is this ok to add to the public examples? Alternatively, we could add dedicated testing handlers to the repo. Same question for all the other example handlers.
Collaborator
There was a problem hiding this comment.
sounds good to me, these are not ready to clone examples anyway, that's something we have in the examples repo.
just make sure it tolerates starting without identity keys.
tillrohrmann
force-pushed
the
request-signing
branch
from
329504e to
5f56ce9
Compare
Enable identity verification (request signing) in the 5 runtime compatibility tests (Node, Bun, Deno, Cloudflare Workers, Vercel) to ensure that dependency upgrades in restate-sdk-shared-core won't break JWT signature verification across JS runtimes. Changes: - Add a test-only ED25519 keypair in test/fixtures/request-signing/ - Modify all 6 example services to optionally enable identity verification via the RESTATE_IDENTITY_KEYS env var - Switch 5 CI workflow templates from services: block to docker run so the Restate server's signing private key PEM file can be mounted - Lambda template is unchanged (uses same WASM core as Node) Fix Cloudflare Worker: enable nodejs_compat_populate_process_env The Cloudflare Workers runtime does not define `process` by default, even with nodejs_compat enabled. Add the nodejs_compat_populate_process_env compatibility flag so that process.env is populated from Worker bindings (including .dev.vars in local development). This allows the identity key env var to be read at module scope without restructuring the example. Bump wrangler to ^4.66.0 Update wrangler minimum version to get a newer workerd runtime that may properly support nodejs_compat_populate_process_env at module evaluation time. Update pnpm-lock.yaml for wrangler ^4.66.0 Fix Cloudflare Worker: use globalThis.process for safe env access The Cloudflare Workers runtime does not define the process global at module evaluation time, even with nodejs_compat_populate_process_env. Use globalThis.process?.env?. with full optional chaining to safely handle this, matching the pattern used by the SDK itself in console_logger_transport.ts.
tillrohrmann
force-pushed
the
request-signing
branch
from
7c36ab9 to
754f9d1
Compare
Contributor
Author
|
The tests seem to pass now :-) I needed to use |
Collaborator
|
Thanks 🙏 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
I've asked our automation engineer Claude to help me with adding support for testing request signing across the different TS runtimes.
Enable identity verification (request signing) in the 5 runtime compatibility tests (Node, Bun, Deno, Cloudflare Workers, Vercel) to ensure that dependency upgrades in restate-sdk-shared-core won't break JWT signature verification across JS runtimes.
Changes: