test: WORKFLOW TEST: DO NOT MERGE (Delete after ENG-2146) Dashboard code only change

[mcstepp]

What does this PR do?

Fixes # (issue)

If there is not an issue for this, please create one first. This is used to tracking purposes and also helps use understand why this PR exists

Type of change

• Bug fix (non-breaking change which fixes an issue)
• Chore (refactoring code, technical debt, workflow improvements)
• Enhancement (small improvements)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How should this be tested?

• Test A
• Test B

Checklist

Required

• Filled out the "How to test" section in this PR
• Read Contributing Guide
• Self-reviewed my own code
• Commented on my code in hard-to-understand areas
• Ran pnpm build
• Ran pnpm fmt
• Checked for warnings, there are none
• Removed all console.logs
• Merged the latest changes from main onto my branch with git pull origin main
• My changes don't cause any responsiveness issues

Appreciated

• If a UI change was made: Added a screen recording or screenshots to this PR
• Updated the Unkey Docs if changes were necessary

[linear]

ENG-2146 [APPS] [P1] Dashboard Workflow

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Preview	Comments	Updated (UTC)
dashboard	Ignored	Preview		Oct 30, 2025 3:49pm
engineering	Ignored	Preview		Oct 30, 2025 3:49pm

[changeset-bot]

⚠️ No Changeset found

Latest commit: 9aa744b

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

📝 Walkthrough

Walkthrough

Refines detect_changes globs (dashboard and Go paths), adjusts job condition grouping in the PR workflow, and adds a new Test Dashboard workflow invoked when detect_changes reports dashboard changes.

Changes

Cohort / File(s)	Summary
Change detection filters .github/workflows/job_detect_changes.yaml	Replaces broad dashboard/internal globs with granular include/exclude patterns (excludes markdown/text under dashboards); expands internal/* and packages/* dashboard-related paths; consolidates Go exclusions into a single negated glob (`go/!(benchmarks
PR pipeline gating .github/workflows/pr.yaml	Adjusts conditional grouping to require ((A
Dashboard test workflow .github/workflows/job_test_dashboard.yaml	Adds workflow Test Dashboard callable via workflow_call; defines test job on depot-ubuntu-24.04-4 with checkout, local Node setup action, and test/build steps for @unkey/dashboard with CI env and many service/config env vars.

Sequence Diagram(s)

sequenceDiagram
    participant PR as Pull Request
    participant Detect as detect_changes job
    participant PRwf as pr.yaml jobs
    participant DashboardWF as Test Dashboard (workflow_call)

    PR->>Detect: push PR triggers change detection
    Detect-->>PRwf: outputs (api, packages, dashboard, ...)
    alt dashboard == true
        PRwf->>DashboardWF: invoke test_dashboard (needs.detect_changes)
        DashboardWF->>DashboardWF: checkout -> setup-node -> test -> build
        DashboardWF-->>PRwf: result (success/failure)
    end
    alt api/packages == true
        PRwf->>PRwf: run build/test_api jobs (conditioned on grouped logic)
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Inspect glob semantics in job_detect_changes.yaml to ensure exclusions/inclusions match intended files (shell/CI glob behavior).
• Verify conditional parentheses in .github/workflows/pr.yaml produce the desired evaluation order and job gating.
• Review job_test_dashboard.yaml environment variables for leakage, secrets usage, and correctness of the local setup-node action invocation.

Possibly related PRs

• chore: CI improvements part 1. #3176 — Modifies the same detect_changes workflow and PR gating logic; likely overlaps in filter/outputs changes.
• chore: more CI improvements #3755 — Also updates job_detect_changes filters for dashboard and Go paths; closely related to the path-pattern edits.
• fix: broken dashboard tests #3078 — Adds/adjusts dashboard CI and tests; related to introducing the dashboard test workflow and invoking dashboard-specific test steps.

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description Check	⚠️ Warning	The PR description consists entirely of the template structure with no meaningful content provided by the author. Critical sections remain unfilled: the "What does this PR do?" section shows only placeholder text "Fixes # (issue)" with no actual issue reference or explanation, "Type of change" has no checkboxes selected, "How should this be tested?" contains only placeholder entries ("Test A" and "Test B"), and all checklist items remain unchecked. This represents a largely incomplete submission that fails to communicate the PR's purpose, rationale, or testing approach.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The PR title clearly indicates this is a workflow test related to dashboard code changes, which aligns with the actual changeset that modifies GitHub workflow files (.github/workflows/) and introduces new dashboard testing infrastructure. While the title includes contextual metadata ("DO NOT MERGE" warning and "Delete after ENG-2146" reference), these are secondary to the primary descriptive content that communicates the main purpose of the PR. The title accurately conveys that the changes involve testing workflows for dashboard-specific code.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch test/dashboard-code-change

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d735523 and 9aa744b.

📒 Files selected for processing (1)

• .github/workflows/job_test_dashboard.yaml (1 hunks)

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: imeyer
PR: unkeyed/unkey#3755
File: .github/workflows/runbook-freshness-check.yaml:157-173
Timestamp: 2025-08-08T14:59:52.283Z
Learning: Repo unkeyed/unkey: When a CI/workflow fix is deferred, imeyer prefers a thorough GitHub issue be opened with sections (Summary, Impact, Where, Repro, Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References) and assigned to imeyer, including backlinks to the originating PR and comment.

📚 Learning: 2025-08-08T19:52:42.113Z

Learnt from: imeyer
PR: unkeyed/unkey#3765
File: .github/workflows/job_detect_changes.yaml:43-43
Timestamp: 2025-08-08T19:52:42.113Z
Learning: In the unkeyed/unkey repository, the workflows `.github/workflows/job_test_api_local.yaml` and `.github/workflows/job_test_go_api_local.yaml` should keep their Blacksmith self-hosted runners (blacksmith-4vcpu-ubuntu-2404 and blacksmith-8vcpu-ubuntu-2404 respectively) as these are performance-critical test jobs that require dedicated resources.

Applied to files:

• .github/workflows/job_test_dashboard.yaml

🪛 actionlint (1.7.8)

.github/workflows/job_test_dashboard.yaml

9-9: label "depot-ubuntu-24.04-4" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-11-arm", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-26-xlarge", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: autofix

🔇 Additional comments (1)

.github/workflows/job_test_dashboard.yaml (1)

9-9: Verify custom runner label is properly configured in actionlint.yaml.

The runner label depot-ubuntu-24.04-4 is flagged by actionlint as unknown. If this is a custom self-hosted Depot runner (not a GitHub-provided label), ensure it is registered in .github/actionlint.yaml under the runner section so that future runs of actionlint do not produce false positives.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Thank you for following the naming conventions for pull request titles! 🙏

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 750111b and 7ef2002.

📒 Files selected for processing (1)

• .github/workflows/job_dashboard_checks.yaml (1 hunks)

🧰 Additional context used

🪛 actionlint (1.7.8)

.github/workflows/job_dashboard_checks.yaml

9-9: label "depot-ubuntu-24.04-4" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-11-arm", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-26-xlarge", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Dashboard Checks / Dashboard Checks
• GitHub Check: autofix

🔇 Additional comments (2)

.github/workflows/job_dashboard_checks.yaml (2)

1-19: Workflow structure and permissions are sound.

The workflow follows good practices:

• Minimal read-only permissions (line 5).
• Pinned action versions (line 11) for reproducibility.
• Proper use of workflow_call trigger for reusability.
• Filtered build to dashboard package only, reducing build time.
• Custom setup-node action for consistent Node environment.

---

9-9: ****

The depot-ubuntu-24.04-4 runner label is not misconfigured. This label is used consistently across 24 workflows in the repository, including critical production workflows (release.yaml, deploy.yaml, job_deploy_api_production.yaml), indicating it's a properly configured, repository-wide standard—likely Depot.dev's third-party runner service. The actionlint flagging is a false positive; this runner is actively operational.

Likely an incorrect or invalid review comment.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Document or externalize hardcoded credentials.

The workflow contains hardcoded test/placeholder credentials (e.g., WORKOS_CLIENT_ID: "client_", WORKOS_API_KEY: "sk_test_", AGENT_TOKEN: "not-empty"). While these appear to be safe test values, they should be:

1. Clearly documented as test/placeholder values in a comment if intentional.
2. Moved to GitHub Secrets if they need to be sensitive or change frequently.
3. Verified to not contain any actual credentials or PII.

Apply this diff to add clarifying documentation and consider externalizing sensitive values:

      - name: Build
        run: pnpm turbo run build --filter=@unkey/dashboard
        env:
+         # Test/placeholder configuration for dashboard build in CI
          CI: 1
          DATABASE_HOST: localhost:8080
          DATABASE_USERNAME: unkey
          DATABASE_PASSWORD: password
          DATABASE_NAME: unkey
          UNKEY_WORKSPACE_ID: "not-empty"
          UNKEY_API_ID: "not-empty"
          UNKEY_WEBHOOK_KEYS_API_ID: "not-empty"
          AGENT_URL: "http://localhost:8080"
          AGENT_TOKEN: "not-empty"
          AUTH_PROVIDER: "workos"
          WORKOS_CLIENT_ID: "client_"
          WORKOS_API_KEY: "sk_test_"
          WORKOS_COOKIE_PASSWORD: "IAMACOOKIEPASSWORD"
          NEXT_PUBLIC_WORKOS_REDIRECT_URI: "http://localhost:3000/auth/sso-callback"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	env:
	CI: 1
	DATABASE_HOST: localhost:8080
	DATABASE_USERNAME: unkey
	DATABASE_PASSWORD: password
	DATABASE_NAME: unkey
	UNKEY_WORKSPACE_ID: "not-empty"
	UNKEY_API_ID: "not-empty"
	UNKEY_WEBHOOK_KEYS_API_ID: "not-empty"
	AGENT_URL: "http://localhost:8080"
	AGENT_TOKEN: "not-empty"
	AUTH_PROVIDER: "workos"
	WORKOS_CLIENT_ID: "client_"
	WORKOS_API_KEY: "sk_test_"
	WORKOS_COOKIE_PASSWORD: "IAMACOOKIEPASSWORD"
	NEXT_PUBLIC_WORKOS_REDIRECT_URI: "http://localhost:3000/auth/sso-callback"
	env:
	# Test/placeholder configuration for dashboard build in CI
	CI: 1
	DATABASE_HOST: localhost:8080
	DATABASE_USERNAME: unkey
	DATABASE_PASSWORD: password
	DATABASE_NAME: unkey
	UNKEY_WORKSPACE_ID: "not-empty"
	UNKEY_API_ID: "not-empty"
	UNKEY_WEBHOOK_KEYS_API_ID: "not-empty"
	AGENT_URL: "http://localhost:8080"
	AGENT_TOKEN: "not-empty"
	AUTH_PROVIDER: "workos"
	WORKOS_CLIENT_ID: "client_"
	WORKOS_API_KEY: "sk_test_"
	WORKOS_COOKIE_PASSWORD: "IAMACOOKIEPASSWORD"
	NEXT_PUBLIC_WORKOS_REDIRECT_URI: "http://localhost:3000/auth/sso-callback"

🤖 Prompt for AI Agents

.github/workflows/job_dashboard_checks.yaml lines 20-35: the workflow currently
defines hardcoded placeholder credentials (WORKOS_CLIENT_ID, WORKOS_API_KEY,
AGENT_TOKEN, etc.); update the file by (1) adding an inline comment above these
env vars noting they are test/placeholder values only, (2) replace any values
that should be treated as secrets with references to GitHub Secrets (e.g., use
the actions secrets context for WORKOS_API_KEY, AGENT_TOKEN, DATABASE_PASSWORD,
etc.), and (3) add a checklist comment to verify none of the values contain real
credentials or PII before merging; ensure you do not commit any actual secret
values when switching to secrets.