ci: required-check anchors for cypress-matrix and playwright-tests (unblock docs-only PRs) #40780

Merged: rusackas merged 3 commits into master from ci/e2e-required-check-shims on Jun 5, 2026

@rusackas rusackas commented Jun 4, 2026

SUMMARY

Follow-up to #40772. Docs-only PRs currently can't merge — they hang on
cypress-matrix (0, chrome), cypress-matrix (1, chrome), and
playwright-tests (chromium) showing "Expected — Waiting for status to be
reported" (e.g. #38108).

Root cause (same as #40772): cypress-matrix and playwright-tests are
matrix jobs gated on change detection (python || frontend). On a PR that
touches neither group — a docs-only PR — they're skipped at the job level,
which happens before matrix expansion, so the per-combination contexts are
never produced. Branch protection requires them → it waits forever.

The frontend Dependabot case (#40772) didn't expose this for the e2e jobs
because a frontend change sets frontend=true, so cypress/playwright run.
Only docs-only / neither-group PRs hit it — and the docs "build" people expect
(the Netlify Deploy Preview) does run and pass; it just isn't a required GHA
check, so the orphaned cypress/playwright contexts are what actually gate.

Fix: add always-running cypress-matrix-required / playwright-tests-required
anchors that pass when the underlying job is success or skipped, and
require those instead of the matrix-expanded names. A single
cypress-matrix-required replaces both shard contexts. The matrix jobs stay
fully skipped on unrelated PRs.

.asf.yaml:

  • cypress-matrix (0, chrome) + cypress-matrix (1, chrome) → cypress-matrix-required
  • playwright-tests (chromium) → playwright-tests-required

With this, every required matrix job (unit-tests, test-postgres via #40772;
cypress-matrix, playwright-tests here) has a stable anchor, so PRs of any
shape — python, frontend, or docs-only — can satisfy branch protection.

TESTING INSTRUCTIONS

  • Docs-only PR: cypress/playwright skip; the anchors run and pass → mergeable.
  • Code PR: the matrix jobs run; the anchors pass after them (and fail if any
    shard genuinely fails).

ADDITIONAL INFORMATION

  • Has associated issue:
  • Changes UI
  • Includes DB Migration
  • Introduces new feature or API
  • Removes existing feature or API

🤖 Generated with Claude Code

…ests

Follow-up to #40772, which added anchor jobs for the skippable matrix jobs
unit-tests and test-postgres. cypress-matrix and playwright-tests have the
same shape: they are matrix jobs gated on change detection (python ||
frontend). On a PR that touches neither — most notably a docs-only PR — the
job is skipped at the job level, before matrix expansion, so the
per-combination contexts (cypress-matrix (0, chrome), cypress-matrix
(1, chrome), playwright-tests (chromium)) are never produced. Branch
protection requires those contexts, so docs-only PRs sit forever on
"Expected — Waiting for status to be reported".

(The frontend case wasn't affected because a frontend change sets
frontend=true and these jobs run; only docs-only / neither-group PRs hit it.)

Add always-running cypress-matrix-required and playwright-tests-required
anchors that pass when the underlying job succeeded or was skipped, and point
branch protection at them (a single cypress-matrix-required replaces both
shard contexts). The matrix jobs stay fully skipped on unrelated PRs.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

bito-code-review Bot commented Jun 4, 2026

Code Review Agent Run #230117

Actionable Suggestions - 0
Review Details
  • Files reviewed - 1 · Commit Range: 980cb0b..980cb0b
    • .asf.yaml
  • Files skipped - 1
    • .github/workflows/superset-e2e.yml - Reason: Filter setting
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful

@dosubot dosubot Bot added the github_actions Pull requests that update GitHub Actions code label Jun 4, 2026
Comment thread .github/workflows/superset-e2e.yml Fixed
@bito-code-review

The security warning regarding overly broad permissions in .github/workflows/superset-e2e.yml refers to the newly added cypress-matrix-required and playwright-tests-required jobs. These jobs currently run with default permissions, which include broad access to the repository. To address this, you should explicitly define the permissions block for these jobs to follow the principle of least privilege, typically by setting permissions: contents: read.

.github/workflows/superset-e2e.yml

cypress-matrix-required:
    needs: [changes, cypress-matrix]
    if: always()
    runs-on: ubuntu-24.04
    permissions:
      contents: read
    timeout-minutes: 5

codecov Bot commented Jun 4, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.07%. Comparing base (80a3df3) to head (67c316a).
⚠️ Report is 28 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master   #40780   +/-   ##
=======================================
  Coverage   64.07%   64.07%           
=======================================
  Files        2664     2664           
  Lines      143786   143786           
  Branches    33072    33072           
=======================================
  Hits        92125    92125           
  Misses      50054    50054           
  Partials     1607     1607           
Flag Coverage Δ
javascript 67.59% <ø> (ø)

zizmor flagged cypress-matrix-required and playwright-tests-required for
using default (overly broad) permissions. These jobs only read the needs
context to check a result string — no checkout, no API calls — so deny-all
`permissions: {}` is the correct least-privilege setting.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

rusackas commented Jun 4, 2026

Addressed the zizmor finding in 5a6bee5 — added permissions: {} (deny-all) to both cypress-matrix-required and playwright-tests-required. They only read the needs context to inspect a result string (no checkout, no API calls), so least-privilege here is no permissions at all. Confirmed clean with zizmor .github/workflows/superset-e2e.yml locally (the only remaining warnings are pre-existing ref-version-mismatch notes on the shared actions/checkout pin, unrelated to this PR).

Comment thread .github/workflows/superset-e2e.yml
Comment thread .github/workflows/superset-e2e.yml
Per review: the anchors accepted a 'skipped' matrix result unconditionally,
but GHA also skips cypress-matrix/playwright-tests when their `needs: changes`
dependency fails or is cancelled. That would let a broken change-detector
report a false green. Require `needs.changes.result == 'success'` before
honouring a skip, so only a legitimate docs-only gate-off passes.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@rusackas rusackas added the merge-if-green If approved and tests are green, please go ahead and merge it for me label Jun 5, 2026
@rusackas rusackas merged commit 0984839 into master Jun 5, 2026
67 checks passed
@rusackas rusackas deleted the ci/e2e-required-check-shims branch June 5, 2026 20:17
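
The anchor decision discussed in this thread, as an added shell sketch (not the PR's workflow code): the function names and the idea of passing `needs.changes.result` and the matrix job's result as two arguments are assumptions. It compares the original success-or-skipped check with the hardened one and lists the result pairs that would have been reported as a false green.

```shell
#!/bin/sh
# Added example: models the anchor job's pass/fail decision in plain shell.
# In a workflow the two arguments would be taken from the needs context
# (changes result, matrix job result) and handed to the step via env.

# Original anchor: accept the matrix job when it succeeded or was skipped.
naive_gate() {  # $1 = changes result (ignored), $2 = matrix job result
  case "$2" in
    success|skipped) return 0 ;;
    *) return 1 ;;
  esac
}

# Hardened anchor: a skip only counts when change detection itself succeeded,
# because a failed or cancelled `changes` job also causes the matrix to skip.
hardened_gate() {  # $1 = changes result, $2 = matrix job result
  case "$2" in
    success) return 0 ;;
    skipped) [ "$1" = "success" ] ;;
    *) return 1 ;;
  esac
}

# Print every changes/matrix pair the naive gate passes but the hardened
# gate rejects, one per line. These are the false greens.
false_greens() {
  for c in success failure cancelled skipped; do
    for m in success failure cancelled skipped; do
      if naive_gate "$c" "$m" && ! hardened_gate "$c" "$m"; then
        printf '%s/%s\n' "$c" "$m"
      fi
    done
  done
}

false_greens
```

The four values iterated over are the results GitHub Actions reports for a job in the `needs` context.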
Labels

github_actions Pull requests that update GitHub Actions code merge-if-green If approved and tests are green, please go ahead and merge it for me size/M

6 participants