chore: trigger supabase-js tests (#1098)

## What kind of change does this PR introduce?

CI/CD enhancement - Improves the preview release workflow and
cross-repository testing integration.

## What is the current behavior?

- Preview releases are created but there's no automated way to test
compatibility with downstream packages
- No cross-repository testing between `auth-js` and `supabase-js`
- Manual testing required to verify changes don't break integration
points
- Limited feedback loop for developers on cross-package compatibility

## What is the new behavior?

- **Automated Cross-Repo Testing**: Preview releases automatically
trigger compatibility tests in `supabase-js`
- **Smart Triggering**: Only runs on actual source code changes (src/,
package files, tsconfig) to avoid unnecessary builds
- **Enhanced Control**: Manual workflow dispatch with configurable
options for target branch and test triggering
- **Better UX**: PR comments show preview package URLs and test status
updates
- **Secure Integration**: Uses GitHub App authentication for
cross-repository workflow triggering

## Key Features

### 🚀 **Cross-Repository Test Integration**
- Automatically triggers `supabase-js` external tests when `auth-js`
changes are made
- Passes preview package URL and metadata to downstream tests
- Supports both PR and push-based workflows

### ⚡ **Optimized Triggering**
- **Path-based filtering**: Only triggers on meaningful changes
(`src/**`, `package.json`, etc.)
- **Label-based control**: PRs require `trigger: preview` label for
activation
- **Manual override**: Workflow dispatch with configurable target branch

### 💬 **Enhanced Feedback**
- Automated PR comments with preview package links
- Status updates on cross-repo test progress
- Clear visibility into the testing pipeline

### 🔒 **Secure Cross-Repo Access**
- GitHub App-based authentication for repository access
- Scoped permissions to `auth-js` and `supabase-js` repositories only

## Testing

This workflow enables:
- Early detection of breaking changes between `auth-js` and
`supabase-js`
- Automated compatibility verification for all preview releases  
- Faster feedback cycles for developers working on authentication
features
- Reduced risk of integration issues in production releases

## Additional context

This enhancement creates a robust CI/CD pipeline that ensures `auth-js`
changes are automatically validated against its primary consumer
(`supabase-js`), significantly improving the development workflow and
reducing integration risks.

More context: supabase/supabase-js#1532

Author: mandarini

.github/workflows/preview-release.yml

@@ -4,19 +4,46 @@ permissions:
   pull-requests: write
 
 on:
+  # Manual trigger with inputs for control
+  workflow_dispatch:
+    inputs:
+      trigger_supabase_js:
+        description: 'Trigger supabase-js tests'
+        type: boolean
+        default: true
+      target_branch:
+        description: 'Target branch for supabase-js tests'
+        type: string
+        default: 'master'
+
+  # Push to master - only when source code changes
   push:
     branches:
       - master
+    paths:
+      - 'src/**'
+      - 'package.json'
+      - 'package-lock.json'
+      - 'tsconfig.json'
+
+  # PR triggers - only when labeled
   pull_request:
-    types: [opened, synchronize, labeled]
+    types: [labeled, synchronize]
 
 jobs:
   preview:
+    # Run only for PRs with 'trigger: preview' label or pushes to master
     if: >
       github.repository == 'supabase/auth-js' &&
-      (github.event_name == 'push' ||
-      (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'trigger: preview')))
+      (
+        github.event_name == 'workflow_dispatch' ||
+        github.event_name == 'push' ||
+        (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'trigger: preview'))
+      )
     runs-on: ubuntu-latest
+    outputs:
+      preview-url: ${{ steps.preview.outputs.url }}
+      package-name: ${{ steps.preview.outputs.package }}
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -33,4 +60,104 @@ jobs:
       - name: Build
         run: npm run build
 
-      - run: npx pkg-pr-new@latest publish --compact
+      - name: Publish preview
+        id: preview
+        run: |
+          OUTPUT=$(npx pkg-pr-new@latest publish --compact 2>&1)
+          PREVIEW_URL=$(echo "$OUTPUT" | grep -o 'https://pkg\.pr\.new/@supabase/[^[:space:]]*' | head -1)
+          REPO_NAME=$(echo "$GITHUB_REPOSITORY" | cut -d'/' -f2)
+
+          if [ -z "$PREVIEW_URL" ]; then
+            echo "Error: Failed to extract preview URL from pkg-pr-new output"
+            echo "Output was: $OUTPUT"
+            exit 1
+          fi
+
+          echo "Preview Release URL: $PREVIEW_URL"
+          echo "url=$PREVIEW_URL" >> $GITHUB_OUTPUT
+          echo "package=$REPO_NAME" >> $GITHUB_OUTPUT
+
+  trigger-supabase-js-tests:
+    needs: preview
+    # Only run if preview URL exists and either:
+    # - Not workflow_dispatch, OR
+    # - workflow_dispatch with trigger_supabase_js = true
+    if: >
+      needs.preview.outputs.preview-url != '' &&
+      (
+        github.event_name != 'workflow_dispatch' ||
+        github.event.inputs.trigger_supabase_js == 'true'
+      )
+    runs-on: ubuntu-latest
+    steps:
+      - name: Generate GitHub App token
+        id: generate-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.CROSS_REPO_APP_ID }}
+          private-key: ${{ secrets.CROSS_REPO_APP_PRIVATE_KEY }}
+          owner: supabase
+          repositories: auth-js,supabase-js
+
+      - name: Trigger supabase-js CI tests
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ steps.generate-token.outputs.token }}
+          script: |
+            const prNumber = context.issue.number || 'push';
+            const triggeringRepo = context.repo.repo;
+            // Use input target_branch if workflow_dispatch, otherwise default to master
+            const targetBranch = context.eventName === 'workflow_dispatch' && context.payload.inputs?.target_branch
+              ? context.payload.inputs.target_branch
+              : 'master';
+
+            try {
+              const response = await github.rest.actions.createWorkflowDispatch({
+                owner: 'supabase',
+                repo: 'supabase-js',
+                workflow_id: 'external-test.yml',
+                ref: targetBranch,
+                inputs: {
+                  triggering_repo: triggeringRepo,
+                  triggering_pr: prNumber.toString(),
+                  preview_url: '${{ needs.preview.outputs.preview-url }}',
+                  package_name: '${{ needs.preview.outputs.package-name }}',
+                  triggering_sha: context.eventName === 'pull_request' ? context.payload.pull_request.head.sha : context.sha
+                }
+              });
+              
+              console.log('Successfully triggered supabase-js tests');
+              console.log('Response:', response.status);
+            } catch (error) {
+              console.error('Failed to trigger supabase-js tests:', error);
+              throw error;
+            }
+
+      - name: Find existing preview comment
+        if: github.event_name == 'pull_request'
+        uses: peter-evans/find-comment@v3
+        id: find-comment
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          issue-number: ${{ github.event.pull_request.number }}
+          comment-author: 'github-actions[bot]'
+          body-includes: '<!-- auth-js-preview-status -->'
+
+      - name: Create or update preview comment
+        if: github.event_name == 'pull_request'
+        uses: peter-evans/create-or-update-comment@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          comment-id: ${{ steps.find-comment.outputs.comment-id }}
+          issue-number: ${{ github.event.pull_request.number }}
+          body: |
+            <!-- auth-js-preview-status -->
+            🚀 **Preview release created!**
+
+            supabase-js CI tests have been automatically triggered on feature branch to verify compatibility.
+
+            **Preview package:** `${{ needs.preview.outputs.preview-url }}`
+
+            Results will be posted here once testing is complete.
+
+          edit-mode: replace