name: "🛡️ E2E Tests: Webapp Auth (full)" # Comprehensive RBAC auth test suite — see TRI-8731. Runs separately from # the smoke e2e-webapp.yml because it covers every route family with a # pass/fail matrix and would otherwise dominate per-PR CI time. # # Triggered: # - Manually via workflow_dispatch. # - Nightly via schedule. # - On pull requests touching auth-relevant files only (paths filter). permissions: contents: read on: workflow_dispatch: schedule: - cron: "0 4 * * *" # 04:00 UTC daily pull_request: paths: - "apps/webapp/app/services/routeBuilders/**" - "apps/webapp/app/services/rbac.server.ts" - "apps/webapp/app/services/apiAuth.server.ts" - "apps/webapp/app/services/personalAccessToken.server.ts" - "apps/webapp/app/services/sessionStorage.server.ts" - "apps/webapp/app/routes/api.v*.**" - "apps/webapp/app/routes/realtime.v*.**" - "apps/webapp/test/**/*.e2e.full.test.ts" - "apps/webapp/test/setup/global-e2e-full-setup.ts" - "apps/webapp/test/helpers/sharedTestServer.ts" - "apps/webapp/test/helpers/seedTestSession.ts" - "apps/webapp/vitest.e2e.full.config.ts" - "internal-packages/rbac/**" - "packages/plugins/**" - ".github/workflows/e2e-webapp-auth-full.yml" jobs: e2eAuthFull: name: "🛡️ E2E Auth Tests (full)" runs-on: warp-ubuntu-latest-x64-8x timeout-minutes: 30 env: DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} steps: - name: 🔧 Disable IPv6 run: | sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1 sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1 sudo sysctl -w net.ipv6.conf.lo.disable_ipv6=1 - name: 🔧 Configure docker address pool run: | CONFIG='{ "default-address-pools" : [ { "base" : "172.17.0.0/12", "size" : 20 }, { "base" : "192.168.0.0/16", "size" : 24 } ] }' mkdir -p /etc/docker echo "$CONFIG" | sudo tee /etc/docker/daemon.json - name: 🔧 Restart docker daemon run: sudo systemctl restart docker - name: ⬇️ Checkout repo uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 # Don't leave the GITHUB_TOKEN in .git/config — this job # doesn't need to push and the persisted creds would be # readable from any subsequent step (zizmor/artipacked). persist-credentials: false - name: ⎔ Setup pnpm uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0 with: version: 10.33.2 - name: ⎔ Setup node uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 22.23.1 cache: "pnpm" - name: 🐳 Login to DockerHub if: ${{ env.DOCKERHUB_USERNAME }} uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: 🐳 Skipping DockerHub login (no secrets available) if: ${{ !env.DOCKERHUB_USERNAME }} run: echo "DockerHub login skipped because secrets are not available." - name: 🐳 Pre-pull testcontainer images if: ${{ env.DOCKERHUB_USERNAME }} run: | docker pull postgres:14 docker pull redis:7.2 docker pull testcontainers/ryuk:0.11.0 - name: 📥 Download deps run: pnpm install --frozen-lockfile - name: 📀 Generate Prisma Client run: pnpm run generate - name: 🏗️ Build Webapp run: pnpm run build --filter webapp - name: 🛡️ Run Webapp Full Auth E2E Tests run: cd apps/webapp && pnpm exec vitest run --config vitest.e2e.full.config.ts --reporter=default env: WEBAPP_TEST_VERBOSE: "1"