chore(ci): cache Playwright browsers + bump npm-ci timeout to 15m #397
Merged
biggest-littlest
previously approved these changes
May 28, 2026
Member
biggest-littlest
left a comment
Approving: cache + timeout fix for the chromium-download CDN throttle.
Codecov Report: All modified and coverable lines are covered by tests.
Three consecutive Playwright runs (rc.28 PR + main post-merge + retry) failed with the same shape: @playwright/browser-chromium's postinstall hits cdn.playwright.dev under throttling, chromium download reaches 100% at ~9 min 30 s, then `node install.js` SIGTERMs at the 10-min wall-clock.

Two-part fix:
- actions/cache for ~/.cache/ms-playwright keyed on e2e/package-lock so the binary survives across runs. Cold cache only hits once per lockfile change.
- timeout_minutes 10 -> 15 covers the worst observed throttled download with margin to spare.

The dedicated `Install Playwright Chromium` step that runs after this keeps its own 10-min retry budget and now hits the warm cache.
b4b11a8
ab8a833 to
b4b11a8
biggest-littlest
approved these changes
May 28, 2026
Member
biggest-littlest
left a comment
Re-approving after zizmor pragma placement fix.
ALARGECOMPANY
approved these changes
May 28, 2026
Member
ALARGECOMPANY
left a comment
LGTM, pragma now adjacent to the flagged line.
This was referenced May 28, 2026
s-b-e-n-s-o-n
added a commit
that referenced
this pull request
May 28, 2026
… browsers

The cucumber job actually launches a real browser via @playwright/test
(features/ui.feature → ensureBrowser → chromium.launch). Setting
PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1 at the workflow level made `npm ci`
skip the chromium postinstall, so every "Authenticated UI view renders
in a browser" scenario failed with:

    browserType.launch: Executable doesn't exist at
    /home/runner/.cache/ms-playwright/chromium_headless_shell-1223/...

The original commit message claimed "no job here uses Playwright" - that
was wrong about cucumber. Fix:

- Drop the workflow-level env.
- Add `PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1` as job-level env on the three
  load-test jobs (Artillery only, no browser).
- Add an actions/cache step on the cucumber job for ~/.cache/ms-playwright,
  using the same per-ref scoping pattern as quality-mutation-monthly.yml so
  an untrusted PR can't poison main's binary. Cold cache pays the 167 MiB
  cdn.playwright.dev fetch once per branch; subsequent runs short-circuit.
- Bump the cucumber `npm ci` retry timeout 5m → 15m so a throttled
  cold-cache fetch still finishes inside its budget (mirrors
  e2e-playwright.yml PR #397).

Update the workflow test that asserted the now-removed workflow-level env
to assert the inverted invariant: skip lives on load-test jobs, cucumber
caches instead.
s-b-e-n-s-o-n
added a commit
that referenced
this pull request
May 28, 2026
…or rc.28 prep (#399)

## Summary

Consolidates **45 commits** of CI hardening, security scanner improvements, dependency bumps, and the resulting test fixes onto `main` so rc.28 can be cut cleanly. Builds on top of the already-merged #396 (rc.28 app code) and #397/#398 (Playwright cache/runner-image fixes).

**Theme breakdown:**

- **Dependency bumps** (12) - Biome, Vitest, Playwright, Artillery, Codecov, CodeQL, Snyk, Nuclei, ZAP, cosign, Docker actions, zizmor
- **Security workflow hardening** (14) - Scorecard, ZAP/Snyk SARIF uploads, Nuclei DAST, CodeQL query pack pin, Crowdin sync, DAST credential masking, Harden Runner coverage, Renovate scoping, release SBOM attestation/verification with pinned Trivy, Docker build metadata standardization, release retry normalization
- **Workflow hygiene** (8) - Playwright host-install download skip, mutation artifact layout verification, Stryker shard dashboards, Artillery advisory gates, Crowdin emoji prefix, Playwright image sync, share runtime path filters, move workflow tests out of the app suite
- **Performance** (1) - split load test profiles into parallel jobs
- **Test coverage** (5) - ZAP SARIF converter branches, Playwright retry artifact retention, workflow tests (release metadata, action pin fixtures, retry attempts, Playwright download env), script tests wired into local + CI gates
- **Follow-up fixes from this consolidation** (3):
  - `style(lint): apply Biome auto-fixes after bumped rules` - bumped Biome flagged pre-existing literal-key / template-string / formatter issues
  - `fix(ci): drop invalid artifact-metadata permission scope` - `artifact-metadata` isn't a real GHA scope; `attestations: write` already covers it
  - `test(ui): align crowdin-config invariant with single-source-of-truth` - `377b6bdf` moved language scoping into `crowdin.yml`, so the pre-existing UI test had to flip its assertion

Local pre-push pipeline all green (clean-tree → biome → qlty → qlty-smells → scripts-test → workflow-tests → typecheck-ui → coverage 100% sharded → build sharded → zizmor).

## Test plan

- [ ] CI Verify (`ci-verify.yml`) passes - load-test and cucumber jobs now skip the Playwright postinstall download
- [ ] E2E Playwright (`e2e-playwright.yml`) passes inside the official Playwright container (#398 carry-forward)
- [ ] Mutation slices unchanged from main + new mutation artifact layout check passes
- [ ] CodeQL + Scorecard + zizmor + qlty all green
- [ ] Workflow tests (`.github/tests/`, 26 tests) pass in CI
- [ ] After merge: `gh workflow run release-cut.yml --ref main -f release_tag=v1.5.0-rc.28`
Summary

Three consecutive Playwright runs failed at the same step on `cdn.playwright.dev` CDN throttling:
- bca0b7bb)
- bca0b7bb)
- 7dc8b2d3) - blocking release-cut for v1.5.0-rc.28

Each attempt: chromium download reaches 100% at ~9m30s, then `node install.js` SIGTERMs at the 10-min wall clock. Same workflow file, same package versions - CDN throttling is currently routing each runner pool through a slow edge.

Changes

- `~/.cache/ms-playwright` keyed on lockfile hash + `github.ref_name`. Each branch gets its own cache namespace (matches the scoping pattern in `quality-mutation-monthly.yml`). After the first cold-cache run, subsequent runs short-circuit the postinstall download.
- `npm install` post-extraction work.
- `# zizmor: ignore[cache-poisoning]` pragma with rationale; the workflow's push:main + PR triggers cause zizmor to flag any actions/cache as a poisoning risk regardless of key scope.

The dedicated `Install Playwright Chromium` step that runs after `npm ci` keeps its 10-min retry budget and will now hit the warm cache on every run.

Test plan

- 7dc8b2d3 (which won't have the fix on its tree but will share the cache - chromium binary persists), OR re-dispatch release-cut against the new merge commit
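
The cache and skip-download invariants discussed in this thread (no workflow-level skip, browser cache keyed per ref and per lockfile hash) can be checked mechanically. The following is an added example, not the project's own workflow test: it assumes the workflow YAML has already been parsed into a plain object, and `checkPlaywrightInvariants`, the job names, the key strings and the `e2e/package-lock.json` path are hypothetical.

```javascript
// Added example, not the project's test. Workflows are plain objects, as a YAML
// parser would return them; job names, step layout and key strings are constructed.
const CACHE_PATH = "~/.cache/ms-playwright";
const SKIP_ENV = "PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD";

function checkPlaywrightInvariants(workflow) {
  const problems = [];
  // A workflow-level skip also applies to jobs that launch a real browser.
  if (workflow.env && SKIP_ENV in workflow.env) {
    problems.push(`workflow: ${SKIP_ENV} must be set per job, not workflow-wide`);
  }
  for (const [name, job] of Object.entries(workflow.jobs ?? {})) {
    const skips = String(job.env?.[SKIP_ENV] ?? "") === "1";
    const cacheSteps = (job.steps ?? []).filter(
      (step) =>
        String(step.uses ?? "").startsWith("actions/cache@") &&
        String(step.with?.path ?? "").includes(CACHE_PATH),
    );
    if (skips && cacheSteps.length > 0) {
      problems.push(`${name}: skips the browser download but also caches browsers`);
    }
    for (const step of cacheSteps) {
      const key = String(step.with?.key ?? "");
      // Per-ref scoping gives each branch its own cache namespace.
      if (!key.includes("github.ref_name")) {
        problems.push(`${name}: cache key is not scoped per ref`);
      }
      // The lockfile hash retires the entry when the pinned Playwright changes.
      if (!key.includes("hashFiles(")) {
        problems.push(`${name}: cache key does not include the lockfile hash`);
      }
    }
  }
  return problems;
}

// Constructed inputs: "<pinned-sha>" is a placeholder, not a real commit.
const cacheStep = (key) => ({ uses: "actions/cache@<pinned-sha>", with: { path: CACHE_PATH, key } });
const lockHash = "${{ hashFiles('e2e/package-lock.json') }}";
const goodWorkflow = {
  jobs: {
    "load-test": { env: { [SKIP_ENV]: "1" }, steps: [{ run: "npm ci" }] },
    cucumber: { steps: [cacheStep("playwright-${{ github.ref_name }}-" + lockHash), { run: "npm ci" }] },
  },
};
const badWorkflow = {
  env: { [SKIP_ENV]: "1" },
  jobs: { cucumber: { steps: [cacheStep("playwright-" + lockHash), { run: "npm ci" }] } },
};
console.log(checkPlaywrightInvariants(goodWorkflow), checkPlaywrightInvariants(badWorkflow));
```

The check is purely structural: it confirms the key references the ref and the lockfile, not that the cached binary itself is trustworthy.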