ci: run Playwright e2e suite on every PR #21996
68d394b to e5f0ff8
Codecov Report

✅ All modified and coverable lines are covered by tests.

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##             main   #21996      +/-   ##
==========================================
- Coverage   93.16%   93.13%   -0.04%
==========================================
  Files        1024     1024
  Lines       59287    59287
  Branches      400      400
==========================================
- Hits        55236    55216      -20
- Misses       4051     4071      +20
```
authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your

```
AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-13d167e8d5c2317d071016b16415a9b7427c33d1
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
```

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your

```yaml
authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-13d167e8d5c2317d071016b16415a9b7427c33d1
```

Afterwards, run the upgrade commands from the latest release notes.
2bb7e35 to 6fee629
Playwright e2e — ✅ Passed
Workflow run · HTML report hosting is gated off until the
90f27f9 to a7337a3
| if: ${{ !cancelled() && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && vars.PLAYWRIGHT_S3_ENABLED == 'true' }} | ||
| uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0 | ||
| with: | ||
| role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik" |
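Review bot: `role-to-assume` on the last line hard-codes a role whose name (`github_goauthentik_authentik`) reads as repository-wide rather than specific to report upload, while the `if:` on the first line lets this step run on `pull_request` events, where the job executes branch code. Suggest a dedicated role limited to writing under the report bucket, and confirm that `id-token: write` is granted to this job only; the hunk does not show the `permissions:` block.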
this might open us to more exposure/risk, I'd keep this as an env var
38f04f6 to 13d167e
Boots the full authentik stack (postgres + Go server + Rust worker) inside the existing ci-web workflow, applies migrations and the test-admin user blueprint, then runs `corepack npm run --prefix web test:e2e` against http://localhost:9000. Uploads the HTML report, traces/videos, and authentik logs as artifacts on failure so reviewers can debug without rerunning locally.

Also enables the HTML reporter and screenshot/video capture on CI in playwright.config.js, and updates the full dev-environment docs to point at the same npm scripts CI uses so local and CI runs stay in lockstep.

Closes #21994

Co-Authored-By: Agent (authentik-i21994-better-mobile-tangelo) <279763771+playpen-agent@users.noreply.github.com>

ci/web: make test-admin blueprint self-contained

The previous blueprint used !Find to look up the authentik Admins group, which raced against system/bootstrap.yaml and resolved to None when the explicit apply_blueprint step ran before the worker had applied bootstrap. The serializer rejected groups: [None] with Invalid pk "None".

Define the group in the same blueprint with state: present and reference it via !KeyOf, so the test admin setup does not depend on any pre-existing data. If bootstrap has already created the group, state: present is a no-op on the identifiers; otherwise the group is created here.

Co-Authored-By: Agent (authentik-i21994-better-mobile-tangelo) <279763771+playpen-agent@users.noreply.github.com>

ci/web: format test-admin-user.yaml with prettier

Pick up the 4-space indent that web/'s prettier config enforces. The file was added under issue #21994 with 2-space indent and tripped the ci-web format check on push.

Co-Authored-By: Agent (authentik-i21994-better-mobile-tangelo) <279763771+playpen-agent@users.noreply.github.com>

Use parallelism.

Remove guard.

Reorder tests.

Ignore playwright-traces.

Update expected path.

Always parallel.

Flesh out types.

ci/web: post Playwright result comment + gated S3 upload + !cancelled() guards

Three reviewer-facing improvements to the e2e job:

1. Idempotent PR comment summarising Playwright pass/fail/flaky/skipped counts. Marker `<!-- playwright-result -->` lets re-runs edit the same comment instead of piling up. Skipped on fork PRs where the default GITHUB_TOKEN is read-only.

2. Optional S3 publish of the HTML report to `s3://authentik-playwright-artifacts/pr-<n>/run-<id>/attempt-<n>/`, gated behind `vars.PLAYWRIGHT_S3_ENABLED == 'true'`. The bucket is pending infra provisioning; the public URL pattern is already wired into the comment so flipping the variable on later requires no workflow changes. Borrows the OIDC + IAM role plumbing from `.github/workflows/release-publish.yml`.

3. Switch the failure-guarded reporting/upload steps to `!cancelled()` so a superseded (cancelled) run no longer emits failure-shaped noise, and so successful runs still produce the artifact bundle reviewers expect.

Adds the Playwright JSON reporter so the parse step can pull pass/fail counts from `playwright-report/results.json` for the comment body.

Co-Authored-By: Agent (authentik-i21996-internal-achievable-raisin) <279763771+playpen-agent@users.noreply.github.com>

web/e2e: fix three regressions blocking the parallel suite

Locally and in CI the new `e2e (playwright)` job appeared to "hang" under `fullyParallel: true` + `workers: "50%"`. The hang was actually five tests sharing two unrelated bugs that all manifest as 30s test timeouts; the cluster only *looks* like a parallelism issue because multiple workers stall on the same wall-clock window. With these three fixes the full suite is green in 1m48s on `--workers=2` (was: 5 failed / 17 passed in 5m30s).

1. `web/test/browser/600-providers.test.ts`

   PR #21647 dropped the `to:` argument on the `session.login()` call in this file's `beforeEach`. Without it, `SessionFixture.login()` waits for the auth-flow URL pattern to re-appear — which it does immediately, since we just navigated there — so the helper returns *before* the post-login redirect lands. The wizard buttons probed afterward live on `/if/admin/#/core/providers`, which the user never actually reaches; every test in the file then hits the 30s `beforeEach` timeout. Pin the destination explicitly, matching the shape of every other test file.

2. `web/src/admin/roles/ak-role-list.ts`

   The role-list row anchor had no aria-label, so its accessible name was the (random, generated) role name. `500-roles.test.ts` searches for that anchor with `getByRole("link", { name: "view details" })` — the same selector `400-groups.test.ts` uses against the group list, where `GroupListPage.row()` *does* set `aria-label="View details of group ..."`. Bring the role row to parity with groups; the test wasn't wrong, the UI was missing the accessibility hook.

3. `web/test/browser/500-roles.test.ts` ("Edit role from view page")

   The post-edit verification used `page.getByText(updatedName)`, but on the role view page the new name renders in two places (the "Role <name>" page-navbar heading and the description-list value), so the bare text match resolves to two elements and trips strict-mode. Add `{ exact: true }` so we assert the canonical value the edit wrote rather than the heading template.

Co-Authored-By: Agent (authentik-i21996-internal-achievable-raisin) <279763771+playpen-agent@users.noreply.github.com>

Use headless.
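Added example, not part of the PR or the project's infrastructure code: a CloudFormation template for a dedicated IAM role for the gated S3 publish described in the commit message above, scoped so that credentials obtained by a `pull_request` run can only write report objects. The resource and policy names, the `goauthentik/authentik` repository slug, and an already registered GitHub OIDC provider in the account are assumptions; the bucket name and `pr-<n>/` key layout are taken from the commit message.

```yaml
# Added example (CloudFormation); names marked "hypothetical" are not from the PR.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  PlaywrightReportUploadRole:              # hypothetical resource name
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal:
              # Assumes the GitHub OIDC provider is already registered in this account.
              Federated: !Sub "arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com"
            Condition:
              StringEquals:
                "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                # Accept only tokens minted for pull_request runs of this repository
                # (slug is an assumption; jobs that use a deployment environment
                # get a different "sub" value and would not match).
                "token.actions.githubusercontent.com:sub": "repo:goauthentik/authentik:pull_request"
      Policies:
        - PolicyName: playwright-report-put   # hypothetical policy name
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Write-only, and only under the pr-<n>/ prefixes the workflow uses.
              # s3:PutObjectAcl is deliberately absent, so an upload that passes
              # --acl is denied; public reads would come from a bucket policy.
              - Effect: Allow
                Action: s3:PutObject
                Resource: "arn:aws:s3:::authentik-playwright-artifacts/pr-*"
```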
13d167e to e4ef898
| - name: Publish package | ||
| working-directory: gen-ts-api/ | ||
| run: | | ||
| npm i |
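Review bot: `npm i` in the Publish package step may resolve dependency versions that differ from the lockfile, so the published build is not reproducible from the commit. If `gen-ts-api/` carries a lockfile, `npm ci` installs exactly what is locked and fails on drift; that holds whether plain or corepack-managed npm is used.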
would there be a reason why we would need corepack'd npm in this file?
I'm thinking publish wise if anything changes and really making sure all our stuff uses the same version, no matter what it is
| - name: Build authentik worker (Rust) | ||
| run: | # shell | ||
| cargo build --release --bin authentik | ||
| sudo install -m 0755 ./target/release/authentik /usr/local/bin/authentik |
| sudo install -m 0755 ./target/release/authentik /usr/local/bin/authentik | |
| sudo install -m 0755 ./target/release/authentik /usr/local/bin/authentik-worker |
| working-directory: web | ||
| run: | # shell | ||
| if [ "${{ steps.playwright-cache.outputs.cache-hit }}" = "true" ]; then | ||
| corepack npm exec -- playwright install-deps chromium |
does this use the project's playwright version or the one of npm? Also, I don't see an install step, but it might be handled by the setup action? If that's the case, it would use the project version, right?
| if [ "${{ steps.playwright-cache.outputs.cache-hit }}" = "true" ]; then | ||
| corepack npm exec -- playwright install-deps chromium | ||
| else | ||
| corepack npm exec -- playwright install --with-deps chromium |
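Review bot: the `if [ "${{ steps.playwright-cache.outputs.cache-hit }}" = "true" ]` test on the first line expands a workflow expression directly inside the shell script. Passing the value through the step's `env:` and testing the resulting shell variable keeps template expansion out of the script body, which is the safer habit even for a step output.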
do we want to dare to test firefox based browsers as well? as we have encountered a few strange/unique bugs on there as well
| done' | ||
| timeout 300 bash -c ' | ||
| until curl -fsS http://localhost:9000/if/flow/default-authentication-flow/ \ | ||
| | grep -q "ak-flow-executor"; do |
this feels a bit hacky? also, usually, would this be present even if no js is loaded client side via the bundles? maybe just check for the inline presence of a brand config since that's a pretty permanent item?
| aws s3 cp \ | ||
| --recursive \ | ||
| --acl=public-read \ | ||
| --cache-control "public, max-age=600" \ |
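Review bot: `--acl=public-read` makes every uploaded object world-readable, and a Playwright HTML report can embed traces, screenshots and videos of the logged-in test session, so confirm nothing beyond throwaway CI credentials can end up in it. Object ACLs are also rejected on buckets that have ACLs disabled (the default for newly created S3 buckets), so the copy would fail unless the bucket is provisioned with ACLs enabled; granting public read through a bucket policy on the prefix avoids both the flag and the `s3:PutObjectAcl` permission.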
how likely are the reports to change once imported? I'd go for a longer cache control
| if: ${{ !cancelled() && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && vars.PLAYWRIGHT_S3_ENABLED == 'true' }} | ||
| env: | ||
| S3_BUCKET: authentik-playwright-artifacts | ||
| S3_KEY_PREFIX: pr-${{ github.event.pull_request.number }}/run-${{ github.run_id }}/attempt-${{ github.run_attempt }} |
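Review bot: the `if:` expression on the first line repeats the gate on the credentials step verbatim, so the two can drift apart when only one is edited. Computing the condition once (a job-level `env` value or an earlier step output) and referencing it from both steps keeps the fork check and the `PLAYWRIGHT_S3_ENABLED` check in one place. The key prefix itself is built only from numeric contexts (`pull_request.number`, `run_id`, `run_attempt`), which is fine.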
ci-web also runs on main and version branches, wouldn't there be an issue with the key prefix to contain the pr number?
Depends on
Summary

Wires up the existing `web/test/browser/` Playwright suite as its own job in `ci-web.yml`, closing #21994.

Boots the full authentik stack from source (postgres + Go server + Rust worker) inside the workflow, applies migrations and the test-admin blueprint, then runs `corepack npm run --prefix web test:e2e` against `http://localhost:9000`. On failure, uploads the HTML report, traces/videos, and server + worker logs as artifacts so reviewers can debug without rerunning locally.

Also enables the HTML reporter and screenshot/video capture on CI in `playwright.config.js`, and updates the full dev-environment docs to point at the same npm scripts CI uses so local and CI runs stay in lockstep.

Stacking

This PR targets `npm-corepack` (#20400) intentionally — the new job uses `corepack`-prefixed npm calls and the composite `setup-node` action that #20400 introduces. Will rebase onto `main` once #20400 lands.

Notes for reviewer

- Cargo.lock). 60-min job timeout chosen with that in mind.
- `ci-web-mark.needs` — runs in parallel with lint/build to avoid cascading the heavy job into vitest. Branch protection should add `e2e (playwright)` directly as a required status check after the first green run.
- `ci-web.yml`.
- `tests/e2e/` is untouched; both suites coexist as the issue requests.

Test plan

- `e2e (playwright)` status check

Closes #21994
🤖 Generated with Claude Code