chore(repo): Build and publish native passkeys binaries on production releases

[wobsoriano]

Description

Follow-up to #8786, which added the Electron SDK scaffold and the @clerk/electron-passkeys packages without shipping native binaries. This PR adds the release path for those native passkey binaries.

Since the passkeys package should be updated rarely, native binaries are produced by manually running the Electron Passkeys Native Build workflow before a production release that bumps @clerk/electron-passkeys. The workflow builds the macOS arm64/x64 and Windows arm64/x64 .node files on native runners, assembles them into the per-platform npm package directories, verifies every platform package contains exactly one binary, and uploads the assembled electron-passkeys-npm artifact with 90-day retention.

During a production release, the release workflow detects when @clerk/electron-passkeys is about to publish, downloads the latest successful manual artifact for the current branch, and verifies the binaries before changesets/action publishes.

Canary and snapshot releases continue to exclude these packages.

Here's a mermaid flow I generated with codex for this change:

flowchart TD
  A[Passkeys package needs a production release] --> B[Manually run Electron Passkeys Native Build]
  B --> C[Build native .node files on macOS and Windows runners]
  C --> D[Assemble per-platform npm package folders]
  D --> E[Verify each platform package has exactly one .node file]
  E --> F[Upload electron-passkeys-npm artifact with 90-day retention]

  G[Production release workflow runs on main] --> H[Detect whether @clerk/electron-passkeys version differs from npm]
  H -->|No passkeys publish| I[Run normal changesets release]
  H -->|Passkeys publish pending| J[Download latest successful manual artifact for main]
  J --> K[Verify downloaded platform packages contain binaries]
  K --> L[changesets publishes wrapper and platform packages]

Loading

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other: release pipeline

Summary by CodeRabbit

Summary by CodeRabbit

• New Features

  • Added native passkey (WebAuthn) support to Clerk’s Electron SDK, including prebuilt binaries for macOS (arm64, x64) and Windows (arm64, x64).

• Build & Release Automation

  • Added an automated workflow to build native binaries and assemble platform-specific artifacts.
  • Updated the main release flow to conditionally prepare and verify native binaries when publishing.

• Quality & Validation

  • Added checks to ensure each platform package contains exactly one native binary.
  • Expanded automated tests to cover binary validation and error messaging.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Jun 23, 2026 2:56pm
swingset	Ready	Preview, Comment	Jun 23, 2026 2:56pm

[changeset-bot]

🦋 Changeset detected

Latest commit: e7caae9

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 6 packages

Name	Type
@clerk/electron-passkeys	Patch
@clerk/electron	Patch
@clerk/electron-passkeys-darwin-arm64	Patch
@clerk/electron-passkeys-darwin-x64	Patch
@clerk/electron-passkeys-win32-arm64-msvc	Patch
@clerk/electron-passkeys-win32-x64-msvc	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a native binary CI pipeline for @clerk/electron-passkeys. A new reusable GitHub Actions workflow builds .node binaries for macOS and Windows targets. The release workflow gains detection, gating, and artifact download steps. New scripts handle publish detection and binary verification. Snapshot and canary flows exclude electron-passkeys packages.

Changes

Electron Passkeys Native Binary Pipeline

Layer / File(s)	Summary
Package predicate and changeset wiring scripts/common.mjs, .changeset/config.json, .changeset/electron-passkeys-native-binaries.md	Adds isElectronPasskeysPackage predicate, populates the changeset fixed array with all five electron-passkeys platform package variants, and adds the patch-level changeset entry for native binary support.
Snapshot and canary exclusion scripts/snapshot.mjs, scripts/canary.mjs	Both scripts import isElectronPasskeysPackage and filter matching packages from the workspace package lists used to generate snapshot and canary releases.
Binary verification script and tests scripts/check-electron-passkeys-binaries.mjs, scripts/check-electron-passkeys-binaries.test.mjs	Exports findMissingBinaries to locate platform directories with a count other than exactly one .node file, a CLI main() that exits 1 on mismatch, and a Vitest suite covering the zero, one, and multiple file cases.
Publish detection script scripts/detect-electron-passkeys-publish.mjs	Reads the local package version, queries npm view for the published version, and outputs should-build=true|false for CI consumption.
Native build CI workflow .github/workflows/electron-passkeys.yml	Defines a reusable workflow with a matrix build job (macOS aarch64/x86_64, Windows x86_64/aarch64) that compiles the Rust native module, runs host-native smoke tests, and uploads per-target artifacts; a package job then assembles and verifies platform npm packages.
Release workflow gating and artifact download .github/workflows/release.yml	Updates permissions to include actions: read, and inserts conditional steps that use the publish-detection script output to optionally download electron-passkeys-npm and verify binaries before publishing.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐇 Hop, hop, little binaries fly,
Arm64 and x64 reaching the sky!
macOS munching, Windows compiling away,
Native passkeys arrive fresh today.
No toolchain needed—just install and play! 🎉

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the primary change: implementing a native binary release pipeline for electron-passkeys on production releases.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

---

_{Comment @coderabbitai help to get the list of available commands.}

[pkg-pr-new]

Open in StackBlitz

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8955

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8955

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8955

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8955

@clerk/electron

npm i https://pkg.pr.new/@clerk/electron@8955

@clerk/electron-passkeys

npm i https://pkg.pr.new/@clerk/electron-passkeys@8955

@clerk/eslint-plugin

npm i https://pkg.pr.new/@clerk/eslint-plugin@8955

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8955

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8955

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8955

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8955

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8955

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8955

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8955

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8955

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8955

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8955

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8955

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8955

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8955

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8955

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8955

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8955

commit: e7caae9

[wobsoriano]

all five packages must publish at the same version number. The four platform packages are optionalDependencies of the wrapper at an exact version, and napi-rs's native loader matches the .node binary by the package version it was built with

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/electron-passkeys.yml:
- Around line 11-20: The workflow file has a duplicate permissions key defined
in the YAML structure, which causes a parsing error. Remove the second
permissions block that only contains contents: read and keep only the first
permissions block that includes both contents: read and actions: read. This will
resolve the YAML syntax error and allow the workflow to parse correctly.

In @.github/workflows/release.yml:
- Around line 46-52: Navigate to the `.github/workflows/electron-passkeys.yml`
reusable workflow file and locate the duplicate `permissions` key that is
causing the YAML parsing error. Remove one of the duplicate `permissions` blocks
so that only a single `permissions` definition remains in the file. This will
resolve the syntax error and allow the workflow call in the build-native job to
execute successfully.

In `@scripts/check-electron-passkeys-binaries.mjs`:
- Around line 27-45: The main function lacks error handling for the
findMissingBinaries call, which means any thrown errors will result in unhandled
rejections instead of GitHub annotations. Wrap the await
findMissingBinaries(npmDir) call in a try-catch block and use console.error with
the ::error:: format to report caught exceptions. Additionally, the error
message template is inaccurate as it always says "empty package" regardless of
the count value; update the message logic to correctly indicate that the issue
is having an incorrect number of binaries (not exactly 1), adjusting the text
appropriately when count is greater than 1 versus when count is 0.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Repository UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 935b7c82-ea09-45c8-a2d9-eae66f8d7961

📥 Commits

Reviewing files that changed from the base of the PR and between 52d310c and 9a80889.

📒 Files selected for processing (10)

• .changeset/config.json
• .changeset/electron-passkeys-native-binaries.md
• .github/workflows/electron-passkeys.yml
• .github/workflows/release.yml
• scripts/canary.mjs
• scripts/check-electron-passkeys-binaries.mjs
• scripts/check-electron-passkeys-binaries.test.mjs
• scripts/common.mjs
• scripts/detect-electron-passkeys-publish.mjs
• scripts/snapshot.mjs

[wobsoriano]

This workflow is manual because native passkey releases are rare. The release workflow consumes the artifact only when publish is pending.

[wobsoriano]

This only enables the binary download path when @clerk/electron-passkeys is actually about to publish

[wobsoriano]

Pulls the latest successful manual native-build artifact for this branch so changesets can publish the platform packages with their .node files

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Around line 75-91: The workflow downloads electron-passkeys binaries without
verifying they were built from the same commit as the release. The "Download
electron-passkeys native binaries" step retrieves artifacts by branch and build
success but doesn't validate the source commit, and the "Verify
electron-passkeys binaries are present" step only checks for file presence, not
provenance. Add a verification step between these two that captures the source
commit SHA of the downloaded artifact and compares it against the current
release commit (accessible via github.sha or github.ref_name context). Only
proceed with subsequent steps if the commit SHAs match, preventing mismatched
binaries from being published.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Repository UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 7554401e-7ff6-4ce4-a600-57648f32ebd6

📥 Commits

Reviewing files that changed from the base of the PR and between 3fcfb27 and e7caae9.

📒 Files selected for processing (4)

• .github/workflows/electron-passkeys.yml
• .github/workflows/release.yml
• scripts/check-electron-passkeys-binaries.mjs
• scripts/check-electron-passkeys-binaries.test.mjs

🚧 Files skipped from review as they are similar to previous changes (3)

• scripts/check-electron-passkeys-binaries.test.mjs
• .github/workflows/electron-passkeys.yml
• scripts/check-electron-passkeys-binaries.mjs

[wobsoriano]

required because we need to read workflow runs and artifacts from electron-passkeys.yml