
chore: Add revalidate install script workflow #225

Open
alexcarpenter wants to merge 4 commits into main from carp/revalidate-install


@alexcarpenter
Member

No description provided.

@changeset-bot

changeset-bot Bot commented Apr 23, 2026

🦋 Changeset detected

Latest commit: 508e1e9

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 0 packages

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

Comment thread .github/workflows/revalidate-install.yml Fixed
@alexcarpenter alexcarpenter marked this pull request as ready for review April 23, 2026 20:50
@coderabbitai

coderabbitai Bot commented Apr 23, 2026

📝 Walkthrough


This pull request introduces two new files: a changeset metadata file containing YAML frontmatter delimiters with no additional content, and a GitHub Actions workflow that listens for pushes to the main branch affecting install.sh. When triggered, the workflow executes a single job on ubuntu-latest that sends an HTTP POST request to Clerk's revalidation endpoint using a Bearer token stored in repository secrets. The request is configured with curl flags to fail on non-2xx responses and surface errors.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Description check | ❓ Inconclusive | No pull request description was provided by the author, making it impossible to assess whether the description relates to the changeset. | Add a description explaining the purpose and context of the new revalidate install workflow, such as when it triggers and what it does. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title 'chore: Add revalidate install script workflow' clearly describes the main change - adding a new GitHub Actions workflow for revalidating the install process. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.



@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (2)
.github/workflows/revalidate-install.yml (2)

15-18: Pass the secret via env rather than inline expansion.

Interpolating ${{ secrets.INSTALL_REVALIDATE_SECRET }} directly into the run: script embeds the secret value into the rendered shell command. GitHub's recommended pattern is to expose secrets as environment variables so they aren't materialized into the command line (safer against set -x, process listings, and shell-quoting pitfalls).

🔒 Proposed refactor
       - name: Revalidate install script cache
+        env:
+          INSTALL_REVALIDATE_SECRET: ${{ secrets.INSTALL_REVALIDATE_SECRET }}
         run: |
           curl -X POST https://clerk.com/api/revalidate-install \
-            -H "Authorization: Bearer ${{ secrets.INSTALL_REVALIDATE_SECRET }}" \
+            -H "Authorization: Bearer $INSTALL_REVALIDATE_SECRET" \
             --fail --silent --show-error
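
Review bot: On the `-H "Authorization: Bearer $INSTALL_REVALIDATE_SECRET"` line the shell still expands the variable before curl starts, so the token remains in curl's argument list; the `env:` mapping keeps the `${{ }}` value out of the rendered script text, but it does not remove the process-listing exposure. To keep the token off the command line as well, write the header with the shell's builtin `printf 'Authorization: Bearer %s\n' "$INSTALL_REVALIDATE_SECRET"`, pipe it into curl, and pass `-H @-` in place of the inline header (curl 7.55.0 or later).
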
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/revalidate-install.yml around lines 15 - 18, The run block
currently inlines the secret into the curl command; instead expose
INSTALL_REVALIDATE_SECRET via the step’s env and reference that env var in the
Authorization header to avoid materializing the secret. Update the workflow step
that contains the run: block and set env: INSTALL_REVALIDATE_SECRET: ${{
secrets.INSTALL_REVALIDATE_SECRET }}, then change the curl header string in the
run script from using the interpolated secret to using the shell env variable
(Authorization: Bearer $INSTALL_REVALIDATE_SECRET) so the secret is provided
securely at runtime.

16-18: Consider adding retries for transient failures.

If clerk.com responds with a transient 5xx or network hiccup during the workflow window, the revalidation is silently skipped until the next install.sh change. Adding --retry/--retry-all-errors would make this more resilient.

♻️ Proposed change
           curl -X POST https://clerk.com/api/revalidate-install \
             -H "Authorization: Bearer $INSTALL_REVALIDATE_SECRET" \
-            --fail --silent --show-error
+            --fail --silent --show-error \
+            --retry 3 --retry-all-errors --max-time 30
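
Review bot: `--retry-all-errors` on the added line is broader than the transient failures this change is meant to cover: combined with `--fail` it also retries permanent 4xx responses, such as a 401 from a wrong or rotated secret, and re-sends the bearer token on each attempt. Plain `--retry 3` already retries timeouts and HTTP 408, 429, 500, 502, 503 and 504, so consider dropping `--retry-all-errors`. Note also that `--max-time 30` limits each attempt; `--retry-max-time` is the flag that bounds the whole retry sequence.
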
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/revalidate-install.yml around lines 16 - 18, The curl POST
to https://clerk.com/api/revalidate-install currently runs without retries;
modify the curl invocation (the command that posts with -H "Authorization:
Bearer ${{ secrets.INSTALL_REVALIDATE_SECRET }}" and --fail --silent
--show-error) to add retry flags such as --retry 3 --retry-all-errors
(optionally with --retry-delay 2) so transient 5xx or network hiccups are
retried before giving up.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/revalidate-install.yml:
- Around line 15-18: The run block currently inlines the secret into the curl
command; instead expose INSTALL_REVALIDATE_SECRET via the step’s env and
reference that env var in the Authorization header to avoid materializing the
secret. Update the workflow step that contains the run: block and set env:
INSTALL_REVALIDATE_SECRET: ${{ secrets.INSTALL_REVALIDATE_SECRET }}, then change
the curl header string in the run script from using the interpolated secret to
using the shell env variable (Authorization: Bearer $INSTALL_REVALIDATE_SECRET)
so the secret is provided securely at runtime.
- Around line 16-18: The curl POST to https://clerk.com/api/revalidate-install
currently runs without retries; modify the curl invocation (the command that
posts with -H "Authorization: Bearer ${{ secrets.INSTALL_REVALIDATE_SECRET }}"
and --fail --silent --show-error) to add retry flags such as --retry 3
--retry-all-errors (optionally with --retry-delay 2) so transient 5xx or network
hiccups are retried before giving up.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: fde24d5a-7d2c-484d-ac2c-0cf76f3fa377

📥 Commits

Reviewing files that changed from the base of the PR and between 578637c and 508e1e9.

📒 Files selected for processing (2)
  • .changeset/silly-files-hear.md
  • .github/workflows/revalidate-install.yml
