From 7af8b06ae51ac51976719b511807ea5ad277a27b Mon Sep 17 00:00:00 2001
From: Charan Jagwani <cjagwani@nvidia.com>
Date: Wed, 8 Apr 2026 15:15:46 -0700
Subject: [PATCH 1/2] fix(ci): write Brev credentials file so CLI authenticates
 on runner

The `brev login --token` call was removed in 374a847d (#1470),
replaced with a `brev ls` pre-check that assumes the CLI is already
authenticated. But on ephemeral GH Actions runners there is no
~/.brev/credentials.json, so `brev ls` fails and the entire E2E
suite silently skips (0 tests run, reports success).

Write the credentials file during the "Install Brev CLI" step so
the `hasAuthenticatedBrev` check in brev-e2e.test.js passes.

Fixes #1638

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .github/workflows/e2e-brev.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/workflows/e2e-brev.yaml b/.github/workflows/e2e-brev.yaml
index 046e24e67..143c2a404 100644
--- a/.github/workflows/e2e-brev.yaml
+++ b/.github/workflows/e2e-brev.yaml
@@ -144,12 +144,20 @@ jobs:
           cache: npm
 
       - name: Install Brev CLI
+        env:
+          BREV_API_TOKEN: ${{ inputs.brev_token || secrets.BREV_API_TOKEN }}
         run: |
           # Brev CLI v0.6.322+ — CPU instances use `brev search cpu | brev create`
           # Startup scripts use `brev create --startup-script @file` (not brev start --cpu)
           curl -fsSL -o /tmp/brev.tar.gz "https://github.com/brevdev/brev-cli/releases/download/v0.6.322/brev-cli_0.6.322_linux_amd64.tar.gz"
           tar -xzf /tmp/brev.tar.gz -C /usr/local/bin brev
           chmod +x /usr/local/bin/brev
+          # Brev CLI does not read BREV_API_TOKEN from env — it requires
+          # ~/.brev/credentials.json. The login call was removed in #1470
+          # (374a847d), breaking CI. Write the credentials file so `brev ls`
+          # works in the test harness's hasAuthenticatedBrev check.
+          mkdir -p ~/.brev
+          printf '{"refresh_token":"%s"}' "$BREV_API_TOKEN" > ~/.brev/credentials.json
 
       - name: Install dependencies
         run: npm install --ignore-scripts

From 7079b27636f423969776f7239a6504c8d25ef66b Mon Sep 17 00:00:00 2001
From: Charan Jagwani <cjagwani@nvidia.com>
Date: Wed, 8 Apr 2026 15:31:16 -0700
Subject: [PATCH 2/2] fix(ci): add fail-fast auth validation and file
 permissions

Address CodeRabbit review: guard against empty BREV_API_TOKEN,
restrict credentials file to 600, and verify auth with `brev ls`
immediately so the pipeline fails fast instead of silently skipping.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .github/workflows/e2e-brev.yaml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.github/workflows/e2e-brev.yaml b/.github/workflows/e2e-brev.yaml
index 143c2a404..ff64ced3e 100644
--- a/.github/workflows/e2e-brev.yaml
+++ b/.github/workflows/e2e-brev.yaml
@@ -156,8 +156,15 @@ jobs:
           # ~/.brev/credentials.json. The login call was removed in #1470
           # (374a847d), breaking CI. Write the credentials file so `brev ls`
           # works in the test harness's hasAuthenticatedBrev check.
+          if [ -z "${BREV_API_TOKEN:-}" ]; then
+            echo "::error::BREV_API_TOKEN is empty — cannot authenticate Brev CLI."
+            exit 1
+          fi
           mkdir -p ~/.brev
+          umask 077
           printf '{"refresh_token":"%s"}' "$BREV_API_TOKEN" > ~/.brev/credentials.json
+          chmod 600 ~/.brev/credentials.json
+          brev ls >/dev/null
 
       - name: Install dependencies
         run: npm install --ignore-scripts