Move Browserstack into a seperate workflow

[frederikprijck]

Changes

Opening this PR as draft as a discussion starter to see if what I'm doing here makes sense and would be something we would want.

The PR separates Browserstack into its own workflow, doing that removes the need for using the pull_request_target trigger on the Build and Test workflow, making it easier to make modifications to that workflow file when needed.

It does keep the pull_request_target and authorize step for the Browserstack workflow to guarantee our secrets are protected by the means of a manual approval step.

Why?

Using pull_request_target does not run workflow changes on PRs as it ensures it always runs in the context of the target branch. For example, I opened a PR to update the NODE_VERSION to 20, but you will notice that it still uses node 18 to execute the PR's workflow. This means that we will only know if it works with node20 on GitHub Actions after merging it to master.

However, the only reason we use pull_request_target is for Browserstack. If we separate Browserstack into its own workflow, we no longer need pull_request_target on our main Build and Test workflow, meaning in that case, the PR I opened would run against node 20 on the PR level, and not after merging.

I'm not yet sure if and how this will work for automating our release, as I know it becomes really complicated when u have separate workflows. But we already have the publish in a separate workflow anyway, so adding a 3rd one doesn't necessarily add additional complexity, I think.

Unrelated, but also Drops --include=dev from npm ci, as we don't need that. But same goes for changes like this. We have no way to identify this works before merging this PR, because of the usage of pull_request_target, which (as mentioned above) is not needed to build our SDK and run its tests.

Checklist

• I have read the Auth0 general contribution guidelines
• I have read the Auth0 Code of Conduct
• All code quality tools/guidelines have been run/followed

[evansims]

LGTM! Makes perfect sense to split things up this way. A few thoughts:

1. Be sure to update the checkout event to use the ref property to support pull_request_target (as you correctly reminded me of the other day! 😆)

- uses: actions/checkout@v3
  with:
    ref: ${{ github.event.pull_request.head.sha || github.ref }}

2. I think I made a mistake with the BrowserStack call for pull_request_target, as github.sha may reference the wrong SHA for that event. You may want to change the line to instead read:

npx concurrently --raw --kill-others --success first "npm:dev" "wait-on http://127.0.0.1:3000/ && browserstack-cypress run --build-name ${{ github.event.pull_request.head.sha || github.ref }}"

3. I've also identified a few other improvements I've suggested on the Lock repository you might want to consider merging with this PR. For example, we can streamline Dependabot PRs by running those in the internal environment context automatically under the authorize job:

environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}

[frederikprijck]

Thanks, I made the changes you mentioned @evansims . Please take another look.

[evansims]

Awesome — LGTM!