Skip to content

ci: fail on trusted runs when the admin e2e secret is unavailable#238

Merged
dgjlindsay merged 2 commits into
mainfrom
two/e2e-fail-loud
Jul 4, 2026
Merged

ci: fail on trusted runs when the admin e2e secret is unavailable#238
dgjlindsay merged 2 commits into
mainfrom
two/e2e-fail-loud

Conversation

@brtkwr

@brtkwr brtkwr commented Jul 4, 2026

Copy link
Copy Markdown
Member

Summary

Follow-up to the merged e2e suite (#235). Now that the e2e WIF service account, the secretAccessor grant, the admin secret and the e2e_ci user are provisioned (the E2E_* repo vars are set), the admin-gated specs (admin-config + the minimum-order gate) can run in CI.

This makes the credentialed path fail loud instead of silently skipping:

  • On trusted events (same-repo PR / push / dispatch): the auth + secret-resolve steps run with no continue-on-error, and the resolve step exit 1s if the secret can't be read. So a green check means the admin-gated specs actually ran.
  • Fork PRs (no OIDC token / no secrets) skip the credentialed steps and run only the credential-free specs, as before.

Why

Previously the credentialed steps were continue-on-error and the specs test.skip without ADMIN_PASS, so the check could be green while the admin-config and min-order specs were quietly skipped, giving false confidence.

Scope

  • .github/workflows/playwright.yml only. No test changes.

The e2e WIF SA, secretAccessor grant, admin secret and e2e_ci user are now provisioned (E2E_* repo vars set), so the admin-gated specs run in CI. On trusted events (same-repo PR / push / dispatch) the credentialed steps now run without continue-on-error and exit non-zero if the secret can't be read, so a green check means those specs actually ran. Fork PRs (no OIDC/secrets) skip the credentialed steps and run only the credential-free specs.
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@gemini-code-assist

Copy link
Copy Markdown

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@claude claude Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed the workflow change. Logic looks sound: the if guard correctly distinguishes trusted events (same-repo PR / push / dispatch) from fork PRs, continue-on-error is dropped only on the trusted path, and the secret-resolve step now exit 1s instead of silently skipping. No security, data-loss, or breaking-change concerns — this is a CI-only change with no application code or migrations. No critical issues found.

Ready for human approval ✅

config_tabs failed on the first credentialed run (e2e_ci): the case-sensitive nav-title match and the two_version link don't reliably resolve for that user. Re-anchor the clip on the section links that provably render, include the tab header via an offset above the General link, add auto-wait expects, and import the missing expect.

@claude claude Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Re-reviewed after the follow-up commit (locator/screenshot rework in admin-config.spec.ts), in addition to the previously-reviewed playwright.yml change.

  • playwright.yml: the trusted-event guard (github.event_name != 'pull_request' || head.repo.full_name == github.repository) correctly gates the credentialed steps, continue-on-error is dropped only on that trusted path, and the secret-resolve step now fails loud (exit 1) instead of silently skipping — matches the stated intent. Dropping 2>/dev/null only surfaces the gcloud error message on failure, not the secret itself.
  • admin-config.spec.ts: switches the config_tabs screenshot clip to anchor on section links (two_general/two_version/two_search) instead of the page-nav title, with explicit expect(...).toBeVisible() waits before reading bounding boxes. This is CI/test-only code with no effect on the production module.

No security, data-loss, or breaking-change concerns in either file.

Ready for human approval ✅

@dgjlindsay dgjlindsay merged commit 9005fae into main Jul 4, 2026
22 of 23 checks passed
@dgjlindsay dgjlindsay deleted the two/e2e-fail-loud branch July 4, 2026 15:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants