Fix playwright token leak (#2512)

* ci: route Playwright reports through private Azure Storage container Replaces the public `/playwright-reports/*` static-website uploads and all GitHub Actions artifact uploads for Playwright traces/videos/blob-reports with uploads to a new private container `playwright-reports` on the same storage account. PR comments now link to an Azure Portal blob-properties deep link (requires AAD sign-in) instead of the previously anonymous static-site URL. Fixes MSRC finding: Playwright traces captured on test failure embed Authorization: Bearer headers, and the existing publish path made them anonymously downloadable. The new private container is RBAC-gated (Storage Blob Data Reader/Contributor at container scope) and the storage account already has anonymous blob access and shared-key access disabled. * ci: TEMP smoke-test single Playwright spec to validate MSRC plumbing Reduces the Playwright matrix to 1 shard and restricts the run to a single test in the searchableDropdown component fixture on Chrome. The fixture hits the local dev server only, so no Cosmos auth and no token captures happen \u2014 isolates the smoke test to the new Azure Storage upload/download/zip/PR-comment plumbing. REVERT THIS COMMIT before merging the parent PR. * ci: grant id-token: write to merge-playwright-reports job The merge job overrides workflow-level permissions with its own block (contents: read, pull-requests: write), which silently drops the workflow-level id-token: write. Without it, Azure/login@v2 cannot fetch the federated OIDC token and fails. Bug introduced when the Az login was relocated from the deleted publish-playwright-report job (which had id-token: write) into the merge job. * ci: trigger re-run after RBAC propagation * ci: trigger re-run after E2E_TESTS_CLIENT_ID SP grant * ci: flatten downloaded shard reports before merge az storage blob download-batch preserves the full blob path, but playwright merge-reports expects .zip files directly in the target directory. Flatten with find + mv after download. * ci: switch PR comment to ContainerMenuBlade deep link BlobPropertiesBladeV2 requires undocumented 'tabToload' and 'isDeleted' params we couldn't get past the Portal's grammar validator. ContainerMenuBlade has no required params and drops users directly into the playwright-reports container, where they navigate to \{run_id}-{attempt}/report.zip\ (one extra click vs. blob-direct). * ci: make report path more prominent in PR comment Surface the {run_id}-{attempt}/report.zip path on its own line so reviewers can copy-paste it into the Portal search instead of scanning the navigation prose. * Revert "ci: TEMP smoke-test single Playwright spec to validate MSRC plumbing" This reverts commit 308005f02b. * ci: refresh OIDC token before shard upload GitHub OIDC client assertions are valid for only 5 minutes (JWT iat -> exp window). Playwright shards that take >5 min exhaust the validity window before the upload step runs, causing AADSTS700024 'Client assertion is not within its valid time range'. Add a fresh Azure/login@v2 step right before the upload to mint a new OIDC token.
2026-06-12 15:37:27 +01:00 · 2026-06-11 10:59:06 -05:00
parent 4f9a987d28
commit 40e8dee357
1 changed files with 73 additions and 52 deletions
@@ -299,13 +299,26 @@ jobs:
        run: npx playwright test --shard=${{ matrix.shardIndex }}/${{ matrix.shardTotal }} --list
      - name: Run test shard ${{ matrix['shardIndex'] }} of ${{ matrix['shardTotal']}}
        run: npx playwright test --shard=${{ matrix.shardIndex }}/${{ matrix.shardTotal }} --workers=3
-      - name: Upload blob report to GitHub Actions Artifacts
+      - name: "Re-auth for upload (refresh OIDC token)"
        if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@v4
+        uses: Azure/login@v2
        with:
-          name: blob-report-${{ matrix.shardIndex }}
+          client-id: ${{ secrets.E2E_TESTS_CLIENT_ID }}
-          path: blob-report
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
-          retention-days: 1
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Upload shard blob-report to Azure Storage
        if: ${{ !cancelled() }}
        env:
          KEY: ${{ github.run_id }}-${{ github.run_attempt }}
          SHARD: ${{ matrix.shardIndex }}
        run: |
          az storage blob upload-batch \
            --account-name ${{ secrets.PREVIEW_STORAGE_ACCOUNT_NAME }} \
            --auth-mode login \
            -d playwright-reports \
            -s blob-report \
            --destination-path "${KEY}/shards/shard-${SHARD}" \
            --overwrite true
  merge-playwright-reports:
    name: "Merge Playwright Reports"
@@ -317,6 +330,7 @@ jobs:
    permissions:
      contents: read
      pull-requests: write
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
@@ -325,29 +339,67 @@ jobs:
      - name: Install dependencies
        run: npm ci
-      - name: Download blob reports from GitHub Actions Artifacts
+      - name: "Az CLI login"
-        uses: actions/download-artifact@v4
+        uses: Azure/login@v2
        with:
-          path: all-blob-reports
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
-          pattern: blob-report-*
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
-          merge-multiple: true
+          subscription-id: ${{ secrets.PREVIEW_SUBSCRIPTION_ID }}
      - name: Download all shard reports from Azure Storage
        env:
          KEY: ${{ github.run_id }}-${{ github.run_attempt }}
        run: |
          mkdir -p all-blob-reports
          az storage blob download-batch \
            --account-name ${{ secrets.PREVIEW_STORAGE_ACCOUNT_NAME }} \
            --auth-mode login \
            -s playwright-reports \
            --pattern "${KEY}/shards/*" \
            -d ./all-blob-reports
          find ./all-blob-reports -type f -name "*.zip" -exec mv -t ./all-blob-reports {} +
          find ./all-blob-reports -type d -empty -delete
          ls -la ./all-blob-reports
      - name: Merge into HTML Report
        run: npx playwright merge-reports --reporter html ./all-blob-reports
-      - name: Upload HTML report
+      - name: Bundle merged report into a single zip
-        uses: actions/upload-artifact@v4
+        run: |
-        with:
+          cd playwright-report
-          name: html-report--attempt-${{ github.run_attempt }}
+          zip -r ../report.zip .
-          path: playwright-report
+          cd ..
-          retention-days: 14
+
      - name: Upload report.zip to Azure Storage
        env:
          KEY: ${{ github.run_id }}-${{ github.run_attempt }}
        run: |
          az storage blob upload \
            --account-name ${{ secrets.PREVIEW_STORAGE_ACCOUNT_NAME }} \
            --auth-mode login \
            -c playwright-reports \
            -n "${KEY}/report.zip" \
            -f report.zip \
            --overwrite
      - name: Clean up shard intermediates from Azure Storage
        if: ${{ always() }}
        env:
          KEY: ${{ github.run_id }}-${{ github.run_attempt }}
        run: |
          az storage blob delete-batch \
            --account-name ${{ secrets.PREVIEW_STORAGE_ACCOUNT_NAME }} \
            --auth-mode login \
            -s playwright-reports \
            --pattern "${KEY}/shards/*"
      - name: Comment Playwright results on PR
        if: ${{ !cancelled() && github.event_name == 'pull_request' }}
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR: ${{ github.event.pull_request.number }}
-          REPORT_URL: https://dataexplorerpreview.z5.web.core.windows.net/playwright-reports/${{ github.run_id }}-${{ github.run_attempt }}/index.html
+          SA_ID: /subscriptions/${{ secrets.PREVIEW_SUBSCRIPTION_ID }}/resourceGroups/dataexplorer-preview/providers/Microsoft.Storage/storageAccounts/dataexplorerpreview
          KEY: ${{ github.run_id }}-${{ github.run_attempt }}
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        run: |
          PLAYWRIGHT_JSON_OUTPUT_NAME=results.json npx playwright merge-reports --reporter json ./all-blob-reports
@@ -355,6 +407,8 @@ jobs:
          BROKEN=$(gh api "repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/attempts/${{ github.run_attempt }}/jobs" \
            --jq '[.jobs[] | select(.name | startswith("Run Playwright Tests")) | select(.conclusion == "failure")] | length')
          if [ "$FAILED" -gt 0 ] || [ "$BROKEN" -gt 0 ]; then ICON="❌ failed"; else ICON="✅ passed"; fi
          SA_ENC=$(printf '%s' "$SA_ID" | jq -sRr @uri)
          CONTAINER_URL="https://portal.azure.com/#view/Microsoft_Azure_Storage/ContainerMenuBlade/~/overview/storageAccountId/${SA_ENC}/path/playwright-reports"
          NOTE=""
          [ "$BROKEN" -gt 0 ] && NOTE="
@@ -365,38 +419,5 @@ jobs:
          | :---: | :---: | :---: | :---: |
          | $PASSED | $FAILED | $FLAKY | ${DURATION}s |
-          📊 [Open full report]($REPORT_URL) · [Workflow run]($RUN_URL)$NOTE"
+          📁 **Report:** \`${KEY}/report.zip\`
-
+          [Open container]($CONTAINER_URL) (Azure sign-in required) → click into \`${KEY}\` folder → click \`report.zip\` → **Download** → unzip → open \`index.html\` · [Workflow run]($RUN_URL)$NOTE"
  publish-playwright-report:
    name: "Publish Playwright Report to Blob"
    if: ${{ !cancelled() }}
    needs: [merge-playwright-reports]
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Download HTML report artifact
        uses: actions/download-artifact@v4
        with:
          name: html-report--attempt-${{ github.run_attempt }}
          path: playwright-report
      - name: "Az CLI login"
        uses: Azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.PREVIEW_SUBSCRIPTION_ID }}
      - name: Upload Playwright report to blob storage
        env:
          KEY: ${{ github.run_id }}-${{ github.run_attempt }}
          BASE: https://dataexplorerpreview.z5.web.core.windows.net
        run: |
          az storage blob upload-batch -d '$web' -s playwright-report \
            --destination-path "playwright-reports/${KEY}" \
            --account-name ${{ secrets.PREVIEW_STORAGE_ACCOUNT_NAME }} \
            --auth-mode login --overwrite true
          echo "📊 [Open Playwright report](${BASE}/playwright-reports/${KEY}/index.html)" >> $GITHUB_STEP_SUMMARY