Migrate to playwright for e2e testing #394
base: main
| name: Setup | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| branch: ${{ steps.extract_branch.outputs.branch }} | ||
| steps: | ||
|
|
||
| - name: Extract branch name | ||
| shell: bash | ||
| run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT | ||
| id: extract_branch | ||
|
|
||
| bluehost: |
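Review bot: The `Extract branch name` step writes `GITHUB_HEAD_REF` to the job output without validation, and on `pull_request` events that value is chosen by the PR author. The step itself is fine because the shell expands the variable rather than a `${{ }}` expression, but the output is then handed to the reusable workflow as `module-branch`, so the consumer should read it through an environment variable and never interpolate it into a `run:` script. Also quote the redirect target: `>> "$GITHUB_OUTPUT"`.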
Check warning: Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Copilot Autofix (AI), 12 days ago:
To fix this issue, you should add a `permissions` block to the workflow file, ideally at the top/root so it applies to all jobs, and grant the minimal necessary privileges. Given the jobs as shown only extract a branch name and call another workflow—actions that typically only require read access to repository content—set `permissions: contents: read` at the top of the file, just after `name:` (or after `on:` if you prefer), to follow least-privilege principles. If later you find specific jobs need more, you can override at the job level, but starting with `contents: read` is safest for CI/test flows.
The change is a one-line insertion at the root of the YAML workflow, likely after the name or on block.
| @@ -1,4 +1,6 @@ | ||
| name: Build and Test Module Updates in Brand Plugins (Playwright tests) | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| pull_request: | ||
| types: [ opened, reopened, ready_for_review, synchronize ] |
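Review bot: The root-level `permissions:` block added here also caps the token that the reusable workflow called from the `bluehost` job receives, because a called workflow cannot be granted more than its caller has. Confirm the called workflow runs with only `contents: read` before merging; if it needs a further scope, grant it on that job alone rather than widening the root block.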
| name: Bluehost Build and Test Playwright | ||
| needs: setup | ||
| uses: newfold-labs/workflows/.github/workflows/module-plugin-test-playwright.yml@add/playwright-module-test | ||
| with: | ||
| module-repo: ${{ github.repository }} | ||
| module-branch: ${{ needs.setup.outputs.branch }} | ||
| plugin-repo: 'newfold-labs/wp-plugin-bluehost' | ||
| plugin-branch: 'add/playwright' | ||
| secrets: inherit |
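Review bot: `secrets: inherit` on the `bluehost` job passes every secret available to this workflow to a reusable workflow referenced by a mutable branch (`@add/playwright-module-test`), so anyone who can push to that branch decides what code runs with those secrets. Pin the `uses:` reference to a full commit SHA (or at least a release tag) and replace `secrets: inherit` with an explicit `secrets:` map of the ones the tests need. `plugin-branch: 'add/playwright'` likewise names what looks like a feature branch; worth confirming it is meant to stay.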
Check warning: Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Copilot Autofix (AI), 12 days ago:
To fix the problem, we should add a `permissions` block explicitly to the workflow YAML file, specifying only the privileges necessary for the jobs. The best way to implement this is to set the block at the root level of the file (after the `name:` declaration and before jobs are declared) to apply least privilege to the entire workflow. If any job (such as the external reusable workflow in the `bluehost` job) needs write access to specific resources (e.g., `pull-requests: write`), you can add those to the list; otherwise, default to `contents: read`. The change applies only to `.github/workflows/brand-plugin-test-playwright.yml`.
No new imports or dependencies are needed, as this is a YAML configuration change.
| @@ -1,4 +1,6 @@ | ||
| name: Build and Test Module Updates in Brand Plugins (Playwright tests) | ||
| permissions: | ||
| contents: read | ||
| on: | ||
| pull_request: | ||
| types: [ opened, reopened, ready_for_review, synchronize ] |
Proposed changes
This rewrites the cypress test as a playwright test and sets up the workflow to run tests in the module PRs.
Type of Change
Production
Development
Visual
Checklist
Further comments