From 40e8dee3570c5da9ed91732917fea2807bdfeb04 Mon Sep 17 00:00:00 2001 From: sunghyunkang1111 <114709653+sunghyunkang1111@users.noreply.github.com> Date: Thu, 11 Jun 2026 10:59:06 -0500 Subject: [PATCH] Fix playwright token leak (#2512) * ci: route Playwright reports through private Azure Storage container Replaces the public `/playwright-reports/*` static-website uploads and all GitHub Actions artifact uploads for Playwright traces/videos/blob-reports with uploads to a new private container `playwright-reports` on the same storage account. PR comments now link to an Azure Portal blob-properties deep link (requires AAD sign-in) instead of the previously anonymous static-site URL. Fixes MSRC finding: Playwright traces captured on test failure embed Authorization: Bearer headers, and the existing publish path made them anonymously downloadable. The new private container is RBAC-gated (Storage Blob Data Reader/Contributor at container scope) and the storage account already has anonymous blob access and shared-key access disabled. * ci: TEMP smoke-test single Playwright spec to validate MSRC plumbing Reduces the Playwright matrix to 1 shard and restricts the run to a single test in the searchableDropdown component fixture on Chrome. The fixture hits the local dev server only, so no Cosmos auth and no token captures happen \u2014 isolates the smoke test to the new Azure Storage upload/download/zip/PR-comment plumbing. REVERT THIS COMMIT before merging the parent PR. * ci: grant id-token: write to merge-playwright-reports job The merge job overrides workflow-level permissions with its own block (contents: read, pull-requests: write), which silently drops the workflow-level id-token: write. Without it, Azure/login@v2 cannot fetch the federated OIDC token and fails. Bug introduced when the Az login was relocated from the deleted publish-playwright-report job (which had id-token: write) into the merge job. * ci: trigger re-run after RBAC propagation * ci: trigger re-run after E2E_TESTS_CLIENT_ID SP grant * ci: flatten downloaded shard reports before merge az storage blob download-batch preserves the full blob path, but playwright merge-reports expects .zip files directly in the target directory. Flatten with find + mv after download. * ci: switch PR comment to ContainerMenuBlade deep link BlobPropertiesBladeV2 requires undocumented 'tabToload' and 'isDeleted' params we couldn't get past the Portal's grammar validator. ContainerMenuBlade has no required params and drops users directly into the playwright-reports container, where they navigate to \{run_id}-{attempt}/report.zip\ (one extra click vs. blob-direct). * ci: make report path more prominent in PR comment Surface the {run_id}-{attempt}/report.zip path on its own line so reviewers can copy-paste it into the Portal search instead of scanning the navigation prose. * Revert "ci: TEMP smoke-test single Playwright spec to validate MSRC plumbing" This reverts commit 308005f02ba9ea7c4abc5d9f4f6c089e2ff96a85. * ci: refresh OIDC token before shard upload GitHub OIDC client assertions are valid for only 5 minutes (JWT iat -> exp window). Playwright shards that take >5 min exhaust the validity window before the upload step runs, causing AADSTS700024 'Client assertion is not within its valid time range'. Add a fresh Azure/login@v2 step right before the upload to mint a new OIDC token. --- .github/workflows/ci.yml | 125 +++++++++++++++++++++++---------------- 1 file changed, 73 insertions(+), 52 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a3ced85dc..7d58ebe85 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -299,13 +299,26 @@ jobs: run: npx playwright test --shard=${{ matrix.shardIndex }}/${{ matrix.shardTotal }} --list - name: Run test shard ${{ matrix['shardIndex'] }} of ${{ matrix['shardTotal']}} run: npx playwright test --shard=${{ matrix.shardIndex }}/${{ matrix.shardTotal }} --workers=3 - - name: Upload blob report to GitHub Actions Artifacts + - name: "Re-auth for upload (refresh OIDC token)" if: ${{ !cancelled() }} - uses: actions/upload-artifact@v4 + uses: Azure/login@v2 with: - name: blob-report-${{ matrix.shardIndex }} - path: blob-report - retention-days: 1 + client-id: ${{ secrets.E2E_TESTS_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + - name: Upload shard blob-report to Azure Storage + if: ${{ !cancelled() }} + env: + KEY: ${{ github.run_id }}-${{ github.run_attempt }} + SHARD: ${{ matrix.shardIndex }} + run: | + az storage blob upload-batch \ + --account-name ${{ secrets.PREVIEW_STORAGE_ACCOUNT_NAME }} \ + --auth-mode login \ + -d playwright-reports \ + -s blob-report \ + --destination-path "${KEY}/shards/shard-${SHARD}" \ + --overwrite true merge-playwright-reports: name: "Merge Playwright Reports" @@ -317,6 +330,7 @@ jobs: permissions: contents: read pull-requests: write + id-token: write steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v4 @@ -325,29 +339,67 @@ jobs: - name: Install dependencies run: npm ci - - name: Download blob reports from GitHub Actions Artifacts - uses: actions/download-artifact@v4 + - name: "Az CLI login" + uses: Azure/login@v2 with: - path: all-blob-reports - pattern: blob-report-* - merge-multiple: true + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.PREVIEW_SUBSCRIPTION_ID }} + + - name: Download all shard reports from Azure Storage + env: + KEY: ${{ github.run_id }}-${{ github.run_attempt }} + run: | + mkdir -p all-blob-reports + az storage blob download-batch \ + --account-name ${{ secrets.PREVIEW_STORAGE_ACCOUNT_NAME }} \ + --auth-mode login \ + -s playwright-reports \ + --pattern "${KEY}/shards/*" \ + -d ./all-blob-reports + find ./all-blob-reports -type f -name "*.zip" -exec mv -t ./all-blob-reports {} + + find ./all-blob-reports -type d -empty -delete + ls -la ./all-blob-reports - name: Merge into HTML Report run: npx playwright merge-reports --reporter html ./all-blob-reports - - name: Upload HTML report - uses: actions/upload-artifact@v4 - with: - name: html-report--attempt-${{ github.run_attempt }} - path: playwright-report - retention-days: 14 + - name: Bundle merged report into a single zip + run: | + cd playwright-report + zip -r ../report.zip . + cd .. + + - name: Upload report.zip to Azure Storage + env: + KEY: ${{ github.run_id }}-${{ github.run_attempt }} + run: | + az storage blob upload \ + --account-name ${{ secrets.PREVIEW_STORAGE_ACCOUNT_NAME }} \ + --auth-mode login \ + -c playwright-reports \ + -n "${KEY}/report.zip" \ + -f report.zip \ + --overwrite + + - name: Clean up shard intermediates from Azure Storage + if: ${{ always() }} + env: + KEY: ${{ github.run_id }}-${{ github.run_attempt }} + run: | + az storage blob delete-batch \ + --account-name ${{ secrets.PREVIEW_STORAGE_ACCOUNT_NAME }} \ + --auth-mode login \ + -s playwright-reports \ + --pattern "${KEY}/shards/*" - name: Comment Playwright results on PR if: ${{ !cancelled() && github.event_name == 'pull_request' }} env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} PR: ${{ github.event.pull_request.number }} - REPORT_URL: https://dataexplorerpreview.z5.web.core.windows.net/playwright-reports/${{ github.run_id }}-${{ github.run_attempt }}/index.html + SA_ID: /subscriptions/${{ secrets.PREVIEW_SUBSCRIPTION_ID }}/resourceGroups/dataexplorer-preview/providers/Microsoft.Storage/storageAccounts/dataexplorerpreview + KEY: ${{ github.run_id }}-${{ github.run_attempt }} RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} run: | PLAYWRIGHT_JSON_OUTPUT_NAME=results.json npx playwright merge-reports --reporter json ./all-blob-reports @@ -355,6 +407,8 @@ jobs: BROKEN=$(gh api "repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/attempts/${{ github.run_attempt }}/jobs" \ --jq '[.jobs[] | select(.name | startswith("Run Playwright Tests")) | select(.conclusion == "failure")] | length') if [ "$FAILED" -gt 0 ] || [ "$BROKEN" -gt 0 ]; then ICON="โŒ failed"; else ICON="โœ… passed"; fi + SA_ENC=$(printf '%s' "$SA_ID" | jq -sRr @uri) + CONTAINER_URL="https://portal.azure.com/#view/Microsoft_Azure_Storage/ContainerMenuBlade/~/overview/storageAccountId/${SA_ENC}/path/playwright-reports" NOTE="" [ "$BROKEN" -gt 0 ] && NOTE=" @@ -365,38 +419,5 @@ jobs: | :---: | :---: | :---: | :---: | | $PASSED | $FAILED | $FLAKY | ${DURATION}s | - ๐Ÿ“Š [Open full report]($REPORT_URL) ยท [Workflow run]($RUN_URL)$NOTE" - - publish-playwright-report: - name: "Publish Playwright Report to Blob" - if: ${{ !cancelled() }} - needs: [merge-playwright-reports] - - runs-on: ubuntu-latest - permissions: - id-token: write - contents: read - steps: - - name: Download HTML report artifact - uses: actions/download-artifact@v4 - with: - name: html-report--attempt-${{ github.run_attempt }} - path: playwright-report - - - name: "Az CLI login" - uses: Azure/login@v2 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.PREVIEW_SUBSCRIPTION_ID }} - - - name: Upload Playwright report to blob storage - env: - KEY: ${{ github.run_id }}-${{ github.run_attempt }} - BASE: https://dataexplorerpreview.z5.web.core.windows.net - run: | - az storage blob upload-batch -d '$web' -s playwright-report \ - --destination-path "playwright-reports/${KEY}" \ - --account-name ${{ secrets.PREVIEW_STORAGE_ACCOUNT_NAME }} \ - --auth-mode login --overwrite true - echo "๐Ÿ“Š [Open Playwright report](${BASE}/playwright-reports/${KEY}/index.html)" >> $GITHUB_STEP_SUMMARY + ๐Ÿ“ **Report:** \`${KEY}/report.zip\` + [Open container]($CONTAINER_URL) (Azure sign-in required) โ†’ click into \`${KEY}\` folder โ†’ click \`report.zip\` โ†’ **Download** โ†’ unzip โ†’ open \`index.html\` ยท [Workflow run]($RUN_URL)$NOTE"