chore(repo): Build and publish native passkeys binaries on production releases

.changeset/config.json

@@ -8,7 +8,15 @@
   ],
   "commit": false,
   "ignore": [],
-  "fixed": [],
+  "fixed": [
+    [
+      "@clerk/electron-passkeys",
+      "@clerk/electron-passkeys-darwin-arm64",
+      "@clerk/electron-passkeys-darwin-x64",
+      "@clerk/electron-passkeys-win32-arm64-msvc",
+      "@clerk/electron-passkeys-win32-x64-msvc"
+    ]
+  ],
   "linked": [],
   "access": "public",
   "baseBranch": "origin/main",

.changeset/electron-passkeys-native-binaries.md

@@ -0,0 +1,5 @@
+---
+'@clerk/electron-passkeys': patch
+---
+
+Introduce native passkey (WebAuthn) support for Clerk's Electron SDK, with prebuilt binaries for macOS (arm64 and x64) and Windows (arm64 and x64). Installing the package automatically pulls in the matching platform binary, so passkeys work without a local build toolchain.

.github/workflows/electron-passkeys.yml

@@ -0,0 +1,113 @@
+name: Electron Passkeys Native Build
+
+on:
+  workflow_call:
+  workflow_dispatch:
+  pull_request:
+    paths:
+      - 'packages/electron-passkeys/**'
+      - '.github/workflows/electron-passkeys.yml'
+
+permissions:
+  contents: read
+  actions: read
+
+concurrency:
+  group: electron-passkeys-${{ github.head_ref || github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: Build ${{ matrix.settings.target }}
+    runs-on: ${{ matrix.settings.host }}
+    timeout-minutes: 30
+    strategy:
+      fail-fast: false
+      matrix:
+        settings:
+          - host: macos-14
+            target: aarch64-apple-darwin
+          - host: macos-14
+            target: x86_64-apple-darwin
+          - host: windows-latest
+            target: x86_64-pc-windows-msvc
+          - host: windows-latest
+            target: aarch64-pc-windows-msvc
+    defaults:
+      run:
+        working-directory: packages/electron-passkeys
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 24
+
+      - uses: pnpm/action-setup@v4
+
+      - uses: dtolnay/rust-toolchain@stable
+        with:
+          targets: ${{ matrix.settings.target }}
+
+      - uses: Swatinem/rust-cache@v2
+        with:
+          workspaces: packages/electron-passkeys
+
+      - name: Install dependencies
+        run: pnpm install --filter @clerk/electron-passkeys... --frozen-lockfile --ignore-scripts
+        working-directory: .
+
+      - name: Build native module
+        run: pnpm build:native --target ${{ matrix.settings.target }}
+
+      - name: Smoke test (host-native targets only)
+        if: matrix.settings.target == 'aarch64-apple-darwin' || matrix.settings.target == 'x86_64-pc-windows-msvc'
+        run: node -e "const m = require('./index.js'); console.log('isAvailable:', m.isAvailable(), 'capabilities:', JSON.stringify(m.capabilities())); if (!m.isAvailable()) throw new Error('the loader did not find the freshly built native binary');"
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: bindings-${{ matrix.settings.target }}
+          path: packages/electron-passkeys/electron-passkeys.*.node
+          if-no-files-found: error
+
+  package:
+    name: Assemble platform packages
+    needs: build
+    runs-on: blacksmith-8vcpu-ubuntu-2204
+    timeout-minutes: 10
+    defaults:
+      run:
+        working-directory: packages/electron-passkeys
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 24
+
+      - uses: pnpm/action-setup@v4
+
+      - name: Install dependencies
+        run: pnpm install --filter @clerk/electron-passkeys... --frozen-lockfile --ignore-scripts
+        working-directory: .
+
+      - uses: actions/download-artifact@v4
+        with:
+          path: packages/electron-passkeys/artifacts
+
+      - name: Move binaries into per-platform npm packages
+        run: pnpm artifacts
+
+      - name: Verify every platform package contains its binary
+        run: node scripts/check-electron-passkeys-binaries.mjs packages/electron-passkeys/npm
+        working-directory: .
+
+      - name: Upload assembled platform binaries
+        uses: actions/upload-artifact@v4
+        with:
+          name: electron-passkeys-npm
+          path: packages/electron-passkeys/npm/**/*.node
+          if-no-files-found: error

.github/workflows/release.yml

@@ -20,9 +20,47 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
+  detect-native:
+    name: Detect electron-passkeys publish
+    if: ${{ github.event_name == 'push' && github.repository == 'clerk/javascript' }}
+    runs-on: ${{ vars.RUNNER_NORMAL || 'ubuntu-latest' }}
+    timeout-minutes: 5
+    permissions:
+      contents: read
+    outputs:
+      should-build: ${{ steps.detect.outputs.should-build }}
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
+          fetch-depth: 1
+          fetch-tags: false
+          filter: 'blob:none'
+          show-progress: false
+
+      - name: Determine whether electron-passkeys is about to publish
+        id: detect
+        run: node scripts/detect-electron-passkeys-publish.mjs >> "$GITHUB_OUTPUT"
+
+  build-native:
+    name: Build electron-passkeys native binaries
+    needs: detect-native
+    if: ${{ needs.detect-native.outputs.should-build == 'true' }}
+    permissions:
+      contents: read
+    uses: ./.github/workflows/electron-passkeys.yml
+
   release:
     name: Release
-    if: ${{ github.event_name == 'push' && github.repository == 'clerk/javascript' }}
+    needs: [detect-native, build-native]
+    if: >-
+      always()
+      && github.event_name == 'push'
+      && github.repository == 'clerk/javascript'
+      && needs.detect-native.result == 'success'
+      && needs.build-native.result != 'failure'
+      && needs.build-native.result != 'cancelled'
     runs-on: ${{ vars.RUNNER_NORMAL || 'ubuntu-latest' }}
     timeout-minutes: ${{ vars.TIMEOUT_MINUTES_NORMAL && fromJSON(vars.TIMEOUT_MINUTES_NORMAL) || 10 }}
 
@@ -67,6 +105,17 @@ jobs:
       - name: Build release
         run: pnpm turbo build $TURBO_ARGS --force
 
+      - name: Download electron-passkeys native binaries
+        if: ${{ needs.detect-native.outputs.should-build == 'true' }}
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
+        with:
+          name: electron-passkeys-npm
+          path: packages/electron-passkeys/npm
+
+      - name: Verify electron-passkeys binaries are present
+        if: ${{ needs.detect-native.outputs.should-build == 'true' }}
+        run: node scripts/check-electron-passkeys-binaries.mjs packages/electron-passkeys/npm
+
       - name: Create Release PR
         id: changesets
         uses: changesets/action@63a615b9cd06ba9a3e6d13796c7fbcb080a60a0b # v1

scripts/canary.mjs

@@ -2,10 +2,18 @@
 
 import { $, echo } from 'zx';
 
-import { constants, getChangesetIgnoredPackages, getPackageNames, pinWorkspaceDeps } from './common.mjs';
+import {
+  constants,
+  getChangesetIgnoredPackages,
+  getPackageNames,
+  isElectronPasskeysPackage,
+  pinWorkspaceDeps,
+} from './common.mjs';
 
 const ignoredPackages = await getChangesetIgnoredPackages();
-const packageNames = (await getPackageNames()).filter(name => !ignoredPackages.has(name));
+const packageNames = (await getPackageNames()).filter(
+  name => !ignoredPackages.has(name) && !isElectronPasskeysPackage(name),
+);
 const packageEntries = packageNames.map(name => `'${name}': patch`).join('\n');
 
 const snapshot = `---

scripts/check-electron-passkeys-binaries.mjs

@@ -0,0 +1,46 @@
+#!/usr/bin/env node
+
+import { readdir } from 'node:fs/promises';
+import { resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+export const DEFAULT_NPM_DIR = 'packages/electron-passkeys/npm';
+
+export async function findMissingBinaries(npmDir) {
+  const entries = await readdir(npmDir, { withFileTypes: true });
+  const platformDirs = entries.filter(entry => entry.isDirectory()).sort((a, b) => a.name.localeCompare(b.name));
+  const missing = [];
+
+  for (const platformDir of platformDirs) {
+    const dir = resolve(npmDir, platformDir.name);
+    const files = await readdir(dir, { withFileTypes: true });
+    const count = files.filter(file => file.isFile() && file.name.endsWith('.node')).length;
+
+    if (count !== 1) {
+      missing.push({ dir, count });
+    }
+  }
+
+  return missing;
+}
+
+async function main() {
+  const npmDir = process.argv[2] || DEFAULT_NPM_DIR;
+  const missing = await findMissingBinaries(npmDir);
+
+  if (missing.length > 0) {
+    for (const { dir, count } of missing) {
+      console.error(
+        `::error::${dir} has ${count} .node binaries (expected exactly 1); publishing it would ship an empty package`,
+      );
+    }
+
+    process.exit(1);
+  }
+
+  console.log('All electron-passkeys platform packages contain exactly one .node binary.');
+}
+
+if (process.argv[1] && fileURLToPath(import.meta.url) === resolve(process.argv[1])) {
+  await main();
+}

scripts/check-electron-passkeys-binaries.test.mjs

@@ -0,0 +1,52 @@
+import { mkdir, mkdtemp, rm, writeFile } from 'node:fs/promises';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+
+import { afterEach, describe, expect, test } from 'vitest';
+
+import { findMissingBinaries } from './check-electron-passkeys-binaries.mjs';
+
+const roots = [];
+
+async function createRoot() {
+  const root = await mkdtemp(join(tmpdir(), 'electron-passkeys-binaries-'));
+  roots.push(root);
+  return root;
+}
+
+async function createPlatformDir(root, name, nodeFiles) {
+  const dir = join(root, name);
+  await mkdir(dir, { recursive: true });
+
+  await Promise.all(nodeFiles.map(file => writeFile(join(dir, file), '')));
+
+  return dir;
+}
+
+afterEach(async () => {
+  await Promise.all(roots.splice(0).map(root => rm(root, { force: true, recursive: true })));
+});
+
+describe('findMissingBinaries', () => {
+  test('returns [] when every platform dir has exactly one .node', async () => {
+    const root = await createRoot();
+    await createPlatformDir(root, 'darwin-arm64', ['passkeys.node']);
+    await createPlatformDir(root, 'linux-x64', ['passkeys.node']);
+
+    await expect(findMissingBinaries(root)).resolves.toEqual([]);
+  });
+
+  test('flags a dir with no .node files', async () => {
+    const root = await createRoot();
+    await createPlatformDir(root, 'darwin-arm64', ['README.md']);
+
+    await expect(findMissingBinaries(root)).resolves.toEqual([{ dir: join(root, 'darwin-arm64'), count: 0 }]);
+  });
+
+  test('flags a dir with more than one .node file', async () => {
+    const root = await createRoot();
+    await createPlatformDir(root, 'darwin-arm64', ['passkeys.node', 'other.node']);
+
+    await expect(findMissingBinaries(root)).resolves.toEqual([{ dir: join(root, 'darwin-arm64'), count: 2 }]);
+  });
+});

scripts/common.mjs

@@ -34,6 +34,10 @@ export async function getPackageNames() {
   return packageNames.sort();
 }
 
+export function isElectronPasskeysPackage(name) {
+  return name === '@clerk/electron-passkeys' || name.startsWith('@clerk/electron-passkeys-');
+}
+
 /**
  * Converts `workspace:^` to `workspace:*` for all @clerk/* dependencies.
  * This ensures that snapshot/canary releases use exact versions instead of

scripts/detect-electron-passkeys-publish.mjs

@@ -0,0 +1,39 @@
+#!/usr/bin/env node
+
+import { execFile } from 'node:child_process';
+import { readFile } from 'node:fs/promises';
+import { resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { promisify } from 'node:util';
+
+const execFileAsync = promisify(execFile);
+
+const WRAPPER_PACKAGE = '@clerk/electron-passkeys';
+const WRAPPER_MANIFEST = 'packages/electron-passkeys/package.json';
+
+async function readInTreeVersion() {
+  const manifest = JSON.parse(await readFile(WRAPPER_MANIFEST, 'utf8'));
+  return manifest.version;
+}
+
+async function readLatestPublishedVersion() {
+  try {
+    const { stdout } = await execFileAsync('npm', ['view', WRAPPER_PACKAGE, 'version']);
+    return stdout.trim();
+  } catch {
+    return '';
+  }
+}
+
+async function main() {
+  const inTreeVersion = await readInTreeVersion();
+  const latestPublishedVersion = await readLatestPublishedVersion();
+  // npm versions are immutable, so a differing in-tree version means a publish is pending and needs binaries.
+  const shouldBuild = inTreeVersion !== latestPublishedVersion;
+
+  console.log(`should-build=${shouldBuild}`);
+}
+
+if (process.argv[1] && fileURLToPath(import.meta.url) === resolve(process.argv[1])) {
+  await main();
+}

scripts/snapshot.mjs

@@ -2,10 +2,18 @@
 
 import { $, argv, echo } from 'zx';
 
-import { constants, getChangesetIgnoredPackages, getPackageNames, pinWorkspaceDeps } from './common.mjs';
+import {
+  constants,
+  getChangesetIgnoredPackages,
+  getPackageNames,
+  isElectronPasskeysPackage,
+  pinWorkspaceDeps,
+} from './common.mjs';
 
 const ignoredPackages = await getChangesetIgnoredPackages();
-const packageNames = (await getPackageNames()).filter(name => !ignoredPackages.has(name));
+const packageNames = (await getPackageNames()).filter(
+  name => !ignoredPackages.has(name) && !isElectronPasskeysPackage(name),
+);
 const packageEntries = packageNames.map(name => `'${name}': patch`).join('\n');
 
 const snapshot = `---