ci: speed up pipeline — NuGet cache + prebuilt Playwright image #74
@@ -23,6 +23,16 @@ jobs:
|
||||
- uses: https://github.com/actions/setup-dotnet@v4
|
||||
with:
|
||||
dotnet-version: '10.0.x'
|
||||
# Cache the NuGet package store so each .NET job restores from disk, not the network. There are
|
||||
# no lock files (so setup-dotnet's built-in cache doesn't apply); key on the project files. @v3
|
||||
# avoids the GHES guard that breaks @v4 on Gitea (gitea-actions-gotchas.md); cache is best-effort
|
||||
# — a miss just restores from the network. See issue #73.
|
||||
- uses: https://github.com/actions/cache@v3
|
||||
with:
|
||||
path: ~/.nuget/packages
|
||||
key: nuget-${{ runner.os }}-${{ hashFiles('**/*.csproj') }}
|
||||
restore-keys: |
|
||||
nuget-${{ runner.os }}-
|
||||
- run: make lint
|
||||
|
||||
build:
|
||||
@@ -32,6 +42,12 @@ jobs:
|
||||
- uses: https://github.com/actions/setup-dotnet@v4
|
||||
with:
|
||||
dotnet-version: '10.0.x'
|
||||
- uses: https://github.com/actions/cache@v3
|
||||
with:
|
||||
path: ~/.nuget/packages
|
||||
key: nuget-${{ runner.os }}-${{ hashFiles('**/*.csproj') }}
|
||||
restore-keys: |
|
||||
nuget-${{ runner.os }}-
|
||||
- run: make build
|
||||
|
||||
unit:
|
||||
@@ -41,6 +57,12 @@ jobs:
|
||||
- uses: https://github.com/actions/setup-dotnet@v4
|
||||
with:
|
||||
dotnet-version: '10.0.x'
|
||||
- uses: https://github.com/actions/cache@v3
|
||||
with:
|
||||
path: ~/.nuget/packages
|
||||
key: nuget-${{ runner.os }}-${{ hashFiles('**/*.csproj') }}
|
||||
restore-keys: |
|
||||
nuget-${{ runner.os }}-
|
||||
- run: make unit
|
||||
|
||||
# Frontend (Nx/Angular) lane: install with pnpm, then Nx lint + test + build.
|
||||
@@ -64,6 +86,12 @@ jobs:
|
||||
- uses: https://github.com/actions/setup-dotnet@v4
|
||||
with:
|
||||
dotnet-version: '10.0.x'
|
||||
- uses: https://github.com/actions/cache@v3
|
||||
with:
|
||||
path: ~/.nuget/packages
|
||||
key: nuget-${{ runner.os }}-${{ hashFiles('**/*.csproj') }}
|
||||
restore-keys: |
|
||||
nuget-${{ runner.os }}-
|
||||
- run: make mutation
|
||||
# Publish the Stryker HTML reports. `if: always()` uploads them even when the
|
||||
# ratchet fails — that is exactly when you want to inspect the survivors.
|
||||
|
||||
@@ -85,12 +85,14 @@ with the submit form (S-08c, #67); any deviation from NL DS will be recorded her
|
||||
- **Runtime config.** The app fetches `/config.json` before bootstrap (`main.ts`); `appConfig` is a
|
||||
factory. The dev default (`public/config.json`) points at `localhost:8180`; the Docker image bakes
|
||||
the compose value (`keycloak:8080`). One build, per-environment OIDC authority.
|
||||
- **e2e runs inside the compose network.** `infra/run-e2e-check.sh` runs Playwright in a `node`
|
||||
container on `cg`, so the browser reaches Keycloak as `keycloak:8080` — the **same issuer** the BFF
|
||||
validates against (resolves the browser-vs-container mismatch, ADR-0010). Chromium is installed at
|
||||
runtime, so there's no Playwright-image-version pinning to keep in sync. The spec is copied in
|
||||
(`docker cp`), not mounted, so it leaves nothing root-owned on the host. Wired as `verify-e2e` in
|
||||
the `verify-stack` CI job.
|
||||
- **e2e runs inside the compose network.** `infra/run-e2e-check.sh` runs Playwright in a container on
|
||||
`cg`, so the browser reaches Keycloak as `keycloak:8080` — the **same issuer** the BFF validates
|
||||
against (resolves the browser-vs-container mismatch, ADR-0010). It uses the official
|
||||
`mcr.microsoft.com/playwright:<version>` image with browsers pre-baked, rather than downloading
|
||||
~150 MB of Chromium on every run (issue #73) — the image tag is kept in lockstep with
|
||||
`tests/e2e/package.json`'s `@playwright/test` version. The spec is copied in (`docker cp`), not
|
||||
mounted, so it leaves nothing root-owned on the host. Wired as `verify-e2e` in the `verify-stack`
|
||||
CI job.
|
||||
- **e2e treats the portal origin as secure.** In-network the portal is served over plain HTTP on a
|
||||
non-localhost origin (`http://self-service`), which is **not a secure context**, so Web Crypto
|
||||
(`crypto.subtle`) is unavailable. angular-auth-oidc-client needs it for the PKCE code challenge, so
|
||||
|
||||
@@ -3,10 +3,14 @@
|
||||
# Walking-skeleton e2e (S-08d) against an ALREADY-RUNNING full stack: drive the self-service portal
|
||||
# in a real browser through mock-DigiD login → submit → confirmation (login → BFF → domain).
|
||||
#
|
||||
# Runs Playwright INSIDE the compose network (a node container on `cg`), so the browser reaches
|
||||
# Runs Playwright INSIDE the compose network (a container on `cg`), so the browser reaches
|
||||
# Keycloak by service name (keycloak:8080) — the same authority the BFF validates against, so the
|
||||
# token issuer matches (ADR-0010). The spec is copied into the container (docker cp), not mounted,
|
||||
# so it leaves no root-owned files on the host. The caller owns stack bring-up + teardown.
|
||||
#
|
||||
# Uses the official Playwright image with browsers pre-baked, instead of downloading ~150 MB of
|
||||
# Chromium on every run (issue #73). The image tag MUST match tests/e2e/package.json's
|
||||
# @playwright/test version — bump both together.
|
||||
set -euo pipefail
|
||||
|
||||
here="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||
@@ -19,7 +23,7 @@ echo ">> running Playwright e2e on network $net against http://self-service"
|
||||
|
||||
cid="$(docker create --network "$net" -w /e2e --ipc=host \
|
||||
-e SELF_SERVICE_URL=http://self-service \
|
||||
node:24 sh -c 'npm install --no-audit --no-fund && npx playwright install --with-deps chromium && npx playwright test')"
|
||||
mcr.microsoft.com/playwright:v1.61.1-noble sh -c 'npm install --no-audit --no-fund && npx playwright test')"
|
||||
trap 'docker rm -f "$cid" >/dev/null 2>&1 || true' EXIT
|
||||
docker cp "$root/tests/e2e/." "$cid:/e2e" >/dev/null
|
||||
docker start -a "$cid"
|
||||
|
||||
Reference in New Issue
Block a user