random-mirrors/cosmos-explorer
1
0
Fork 0
mirror of https://github.com/Azure/cosmos-explorer.git synced 2026-06-12 15:37:27 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
53044b629c155be999b162947dec7bb5f2dbcd2d
cosmos-explorer/.github/workflows
T
History
sunghyunkang1111 40e8dee357 Fix playwright token leak (#2512) 
* ci: route Playwright reports through private Azure Storage container

Replaces the public `/playwright-reports/*` static-website uploads and all GitHub Actions artifact uploads for Playwright traces/videos/blob-reports with uploads to a new private container `playwright-reports` on the same storage account. PR comments now link to an Azure Portal blob-properties deep link (requires AAD sign-in) instead of the previously anonymous static-site URL.

Fixes MSRC finding: Playwright traces captured on test failure embed Authorization: Bearer headers, and the existing publish path made them anonymously downloadable. The new private container is RBAC-gated (Storage Blob Data Reader/Contributor at container scope) and the storage account already has anonymous blob access and shared-key access disabled.

* ci: TEMP smoke-test single Playwright spec to validate MSRC plumbing

Reduces the Playwright matrix to 1 shard and restricts the run to a single test in the searchableDropdown component fixture on Chrome. The fixture hits the local dev server only, so no Cosmos auth and no token captures happen \u2014 isolates the smoke test to the new Azure Storage upload/download/zip/PR-comment plumbing.

REVERT THIS COMMIT before merging the parent PR.

* ci: grant id-token: write to merge-playwright-reports job

The merge job overrides workflow-level permissions with its own block (contents: read, pull-requests: write), which silently drops the workflow-level id-token: write. Without it, Azure/login@v2 cannot fetch the federated OIDC token and fails.

Bug introduced when the Az login was relocated from the deleted publish-playwright-report job (which had id-token: write) into the merge job.

* ci: trigger re-run after RBAC propagation

* ci: trigger re-run after E2E_TESTS_CLIENT_ID SP grant

* ci: flatten downloaded shard reports before merge

az storage blob download-batch preserves the full blob path, but playwright merge-reports expects .zip files directly in the target directory. Flatten with find + mv after download.

* ci: switch PR comment to ContainerMenuBlade deep link

BlobPropertiesBladeV2 requires undocumented 'tabToload' and 'isDeleted' params we couldn't get past the Portal's grammar validator. ContainerMenuBlade has no required params and drops users directly into the playwright-reports container, where they navigate to \{run_id}-{attempt}/report.zip\ (one extra click vs. blob-direct).

* ci: make report path more prominent in PR comment

Surface the {run_id}-{attempt}/report.zip path on its own line so reviewers can copy-paste it into the Portal search instead of scanning the navigation prose.

* Revert "ci: TEMP smoke-test single Playwright spec to validate MSRC plumbing"

This reverts commit 308005f02b.

* ci: refresh OIDC token before shard upload

GitHub OIDC client assertions are valid for only 5 minutes (JWT iat -> exp window). Playwright shards that take >5 min exhaust the validity window before the upload step runs, causing AADSTS700024 'Client assertion is not within its valid time range'. Add a fresh Azure/login@v2 step right before the upload to mint a new OIDC token.
2026-06-11 10:59:06 -05:00
..
ci.yml
Fix playwright token leak (#2512)
2026-06-11 10:59:06 -05:00
cleanup.yml
Fix playwright tests (#2325)
2026-04-03 11:34:10 -07:00