random-mirrors/cosmos-explorer
1
0
Fork 0
mirror of https://github.com/Azure/cosmos-explorer.git synced 2026-06-12 15:37:27 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix playwright token leak (#2512)

Browse Source 
* ci: route Playwright reports through private Azure Storage container

Replaces the public `/playwright-reports/*` static-website uploads and all GitHub Actions artifact uploads for Playwright traces/videos/blob-reports with uploads to a new private container `playwright-reports` on the same storage account. PR comments now link to an Azure Portal blob-properties deep link (requires AAD sign-in) instead of the previously anonymous static-site URL.

Fixes MSRC finding: Playwright traces captured on test failure embed Authorization: Bearer headers, and the existing publish path made them anonymously downloadable. The new private container is RBAC-gated (Storage Blob Data Reader/Contributor at container scope) and the storage account already has anonymous blob access and shared-key access disabled.

* ci: TEMP smoke-test single Playwright spec to validate MSRC plumbing

Reduces the Playwright matrix to 1 shard and restricts the run to a single test in the searchableDropdown component fixture on Chrome. The fixture hits the local dev server only, so no Cosmos auth and no token captures happen \u2014 isolates the smoke test to the new Azure Storage upload/download/zip/PR-comment plumbing.

REVERT THIS COMMIT before merging the parent PR.

* ci: grant id-token: write to merge-playwright-reports job

The merge job overrides workflow-level permissions with its own block (contents: read, pull-requests: write), which silently drops the workflow-level id-token: write. Without it, Azure/login@v2 cannot fetch the federated OIDC token and fails.

Bug introduced when the Az login was relocated from the deleted publish-playwright-report job (which had id-token: write) into the merge job.

* ci: trigger re-run after RBAC propagation

* ci: trigger re-run after E2E_TESTS_CLIENT_ID SP grant

* ci: flatten downloaded shard reports before merge

az storage blob download-batch preserves the full blob path, but playwright merge-reports expects .zip files directly in the target directory. Flatten with find + mv after download.

* ci: switch PR comment to ContainerMenuBlade deep link

BlobPropertiesBladeV2 requires undocumented 'tabToload' and 'isDeleted' params we couldn't get past the Portal's grammar validator. ContainerMenuBlade has no required params and drops users directly into the playwright-reports container, where they navigate to \{run_id}-{attempt}/report.zip\ (one extra click vs. blob-direct).

* ci: make report path more prominent in PR comment

Surface the {run_id}-{attempt}/report.zip path on its own line so reviewers can copy-paste it into the Portal search instead of scanning the navigation prose.

* Revert "ci: TEMP smoke-test single Playwright spec to validate MSRC plumbing"

This reverts commit 308005f02b.

* ci: refresh OIDC token before shard upload

GitHub OIDC client assertions are valid for only 5 minutes (JWT iat -> exp window). Playwright shards that take >5 min exhaust the validity window before the upload step runs, causing AADSTS700024 'Client assertion is not within its valid time range'. Add a fresh Azure/login@v2 step right before the upload to mint a new OIDC token.
This commit is contained in:
sunghyunkang1111
2026-06-11 10:59:06 -05:00
committed by GitHub
parent 4f9a987d28
commit 40e8dee357
1 changed files with 73 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/ci.yml
+73 -52
View File
@@ -299,13 +299,26 @@ jobs:
run: npx playwright test --shard=${{ matrix.shardIndex }}/${{ matrix.shardTotal }} --list
- name: Run test shard ${{ matrix['shardIndex'] }} of ${{ matrix['shardTotal']}}
run: npx playwright test --shard=${{ matrix.shardIndex }}/${{ matrix.shardTotal }} --workers=3
- name: Upload blob report to GitHub Actions Artifacts
- name: "Re-auth for upload (refresh OIDC token)"
if: ${{ !cancelled() }}
uses: actions/upload-artifact@v4
uses: Azure/login@v2
with:
name: blob-report-${{ matrix.shardIndex }}
path: blob-report
retention-days: 1
client-id: ${{ secrets.E2E_TESTS_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Upload shard blob-report to Azure Storage
if: ${{ !cancelled() }}
env:
KEY: ${{ github.run_id }}-${{ github.run_attempt }}
SHARD: ${{ matrix.shardIndex }}
run: |
az storage blob upload-batch \
--account-name ${{ secrets.PREVIEW_STORAGE_ACCOUNT_NAME }} \
--auth-mode login \
-d playwright-reports \
-s blob-report \
--destination-path "${KEY}/shards/shard-${SHARD}" \
--overwrite true
merge-playwright-reports:
name: "Merge Playwright Reports"
@@ -317,6 +330,7 @@ jobs:
permissions:
contents: read
pull-requests: write
id-token: write
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
@@ -325,29 +339,67 @@ jobs:
- name: Install dependencies
run: npm ci
- name: Download blob reports from GitHub Actions Artifacts
uses: actions/download-artifact@v4
- name: "Az CLI login"
uses: Azure/login@v2
with:
path: all-blob-reports
pattern: blob-report-*
merge-multiple: true
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.PREVIEW_SUBSCRIPTION_ID }}
- name: Download all shard reports from Azure Storage
env:
KEY: ${{ github.run_id }}-${{ github.run_attempt }}
run: |
mkdir -p all-blob-reports
az storage blob download-batch \
--account-name ${{ secrets.PREVIEW_STORAGE_ACCOUNT_NAME }} \
--auth-mode login \
-s playwright-reports \
--pattern "${KEY}/shards/*" \
-d ./all-blob-reports
find ./all-blob-reports -type f -name "*.zip" -exec mv -t ./all-blob-reports {} +
find ./all-blob-reports -type d -empty -delete
ls -la ./all-blob-reports
- name: Merge into HTML Report
run: npx playwright merge-reports --reporter html ./all-blob-reports
- name: Upload HTML report
uses: actions/upload-artifact@v4
with:
name: html-report--attempt-${{ github.run_attempt }}
path: playwright-report
retention-days: 14
- name: Bundle merged report into a single zip
run: |
cd playwright-report
zip -r ../report.zip .
cd ..
- name: Upload report.zip to Azure Storage
env:
KEY: ${{ github.run_id }}-${{ github.run_attempt }}
run: |
az storage blob upload \
--account-name ${{ secrets.PREVIEW_STORAGE_ACCOUNT_NAME }} \
--auth-mode login \
-c playwright-reports \
-n "${KEY}/report.zip" \
-f report.zip \
--overwrite
- name: Clean up shard intermediates from Azure Storage
if: ${{ always() }}
env:
KEY: ${{ github.run_id }}-${{ github.run_attempt }}
run: |
az storage blob delete-batch \
--account-name ${{ secrets.PREVIEW_STORAGE_ACCOUNT_NAME }} \
--auth-mode login \
-s playwright-reports \
--pattern "${KEY}/shards/*"
- name: Comment Playwright results on PR
if: ${{ !cancelled() && github.event_name == 'pull_request' }}
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PR: ${{ github.event.pull_request.number }}
REPORT_URL: https://dataexplorerpreview.z5.web.core.windows.net/playwright-reports/${{ github.run_id }}-${{ github.run_attempt }}/index.html
SA_ID: /subscriptions/${{ secrets.PREVIEW_SUBSCRIPTION_ID }}/resourceGroups/dataexplorer-preview/providers/Microsoft.Storage/storageAccounts/dataexplorerpreview
KEY: ${{ github.run_id }}-${{ github.run_attempt }}
RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
run: |
PLAYWRIGHT_JSON_OUTPUT_NAME=results.json npx playwright merge-reports --reporter json ./all-blob-reports
@@ -355,6 +407,8 @@ jobs:
BROKEN=$(gh api "repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/attempts/${{ github.run_attempt }}/jobs" \
--jq '[.jobs[] | select(.name | startswith("Run Playwright Tests")) | select(.conclusion == "failure")] | length')
if [ "$FAILED" -gt 0 ] || [ "$BROKEN" -gt 0 ]; then ICON="❌ failed"; else ICON="✅ passed"; fi
SA_ENC=$(printf '%s' "$SA_ID" | jq -sRr @uri)
CONTAINER_URL="https://portal.azure.com/#view/Microsoft_Azure_Storage/ContainerMenuBlade/~/overview/storageAccountId/${SA_ENC}/path/playwright-reports"
NOTE=""
[ "$BROKEN" -gt 0 ] && NOTE="
@@ -365,38 +419,5 @@ jobs:
| :---: | :---: | :---: | :---: |
| $PASSED | $FAILED | $FLAKY | ${DURATION}s |
📊 [Open full report]($REPORT_URL) · [Workflow run]($RUN_URL)$NOTE"
publish-playwright-report:
name: "Publish Playwright Report to Blob"
if: ${{ !cancelled() }}
needs: [merge-playwright-reports]
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
steps:
- name: Download HTML report artifact
uses: actions/download-artifact@v4
with:
name: html-report--attempt-${{ github.run_attempt }}
path: playwright-report
- name: "Az CLI login"
uses: Azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.PREVIEW_SUBSCRIPTION_ID }}
- name: Upload Playwright report to blob storage
env:
KEY: ${{ github.run_id }}-${{ github.run_attempt }}
BASE: https://dataexplorerpreview.z5.web.core.windows.net
run: |
az storage blob upload-batch -d '$web' -s playwright-report \
--destination-path "playwright-reports/${KEY}" \
--account-name ${{ secrets.PREVIEW_STORAGE_ACCOUNT_NAME }} \
--auth-mode login --overwrite true
echo "📊 [Open Playwright report](${BASE}/playwright-reports/${KEY}/index.html)" >> $GITHUB_STEP_SUMMARY
📁 **Report:** \`${KEY}/report.zip\`
[Open container]($CONTAINER_URL) (Azure sign-in required) → click into \`${KEY}\` folder → click \`report.zip\` → **Download** → unzip → open \`index.html\` · [Workflow run]($RUN_URL)$NOTE"