ci: fail on trusted runs when the admin e2e secret is unavailable#238
Conversation
The e2e WIF SA, secretAccessor grant, admin secret and e2e_ci user are now provisioned (E2E_* repo vars set), so the admin-gated specs run in CI. On trusted events (same-repo PR / push / dispatch) the credentialed steps now run without continue-on-error and exit non-zero if the secret can't be read, so a green check means those specs actually ran. Fork PRs (no OIDC/secrets) skip the credentialed steps and run only the credential-free specs.
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
Note Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported. |
There was a problem hiding this comment.
Reviewed the workflow change. Logic looks sound: the if guard correctly distinguishes trusted events (same-repo PR / push / dispatch) from fork PRs, continue-on-error is dropped only on the trusted path, and the secret-resolve step now exit 1s instead of silently skipping. No security, data-loss, or breaking-change concerns — this is a CI-only change with no application code or migrations. No critical issues found.
Ready for human approval ✅
config_tabs failed on the first credentialed run (e2e_ci): the case-sensitive nav-title match and the two_version link don't reliably resolve for that user. Re-anchor the clip on the section links that provably render, include the tab header via an offset above the General link, add auto-wait expects, and import the missing expect.
There was a problem hiding this comment.
Re-reviewed after the follow-up commit (locator/screenshot rework in admin-config.spec.ts), in addition to the previously-reviewed playwright.yml change.
playwright.yml: the trusted-event guard (github.event_name != 'pull_request' || head.repo.full_name == github.repository) correctly gates the credentialed steps,continue-on-erroris dropped only on that trusted path, and the secret-resolve step now fails loud (exit 1) instead of silently skipping — matches the stated intent. Dropping2>/dev/nullonly surfaces the gcloud error message on failure, not the secret itself.admin-config.spec.ts: switches theconfig_tabsscreenshot clip to anchor on section links (two_general/two_version/two_search) instead of the page-nav title, with explicitexpect(...).toBeVisible()waits before reading bounding boxes. This is CI/test-only code with no effect on the production module.
No security, data-loss, or breaking-change concerns in either file.
Ready for human approval ✅
Summary
Follow-up to the merged e2e suite (#235). Now that the e2e WIF service account, the
secretAccessorgrant, the admin secret and thee2e_ciuser are provisioned (theE2E_*repo vars are set), the admin-gated specs (admin-config + the minimum-order gate) can run in CI.This makes the credentialed path fail loud instead of silently skipping:
continue-on-error, and the resolve stepexit 1s if the secret can't be read. So a green check means the admin-gated specs actually ran.Why
Previously the credentialed steps were
continue-on-errorand the specstest.skipwithoutADMIN_PASS, so the check could be green while the admin-config and min-order specs were quietly skipped, giving false confidence.Scope
.github/workflows/playwright.ymlonly. No test changes.