Merge pull request #1 from co-cddo/f-playwright

feat: wrangle playwright tests into shape

Author: edwardlonsdale

.github/workflows/ci.yml

@@ -10,37 +10,49 @@ on:
 
 permissions:
   contents: read
-  packages: write
-  id-token: write
-  attestations: write
+  pull-requests: read
 
 jobs:
   gitleaks:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0
-      - uses: gitleaks/gitleaks-action@v2
+          persist-credentials: false
+      - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
 
+  zizmor:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
+      - uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+        with:
+          advanced-security: false
+
   commitlint:
     if: github.event_name == 'pull_request'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0
-      - uses: wagoid/commitlint-github-action@v6
+          persist-credentials: false
+      - uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6
 
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: pnpm/action-setup@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
+      - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version-file: .nvmrc
           cache: pnpm
@@ -50,9 +62,11 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: pnpm/action-setup@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
+      - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version-file: .nvmrc
           cache: pnpm
@@ -63,9 +77,11 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 60
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
       - run: docker compose --profile test up e2e-test --build --abort-on-container-exit
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         if: always()
         with:
           name: playwright-report
@@ -75,16 +91,23 @@ jobs:
   build:
     needs: [lint, test, e2e]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write
     steps:
-      - uses: actions/checkout@v4
-      - uses: docker/setup-buildx-action@v3
-      - uses: docker/login-action@v3
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
+      - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
+      - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         if: github.event_name == 'push'
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: docker/build-push-action@v6
+      - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
         with:
           push: ${{ github.event_name == 'push' }}
           provenance: ${{ github.event_name == 'push' }}
@@ -97,13 +120,14 @@ jobs:
 
   check:
     if: always()
-    needs: [gitleaks, commitlint, lint, test, e2e, build]
+    needs: [gitleaks, zizmor, commitlint, lint, test, e2e, build]
     runs-on: ubuntu-latest
     steps:
       - name: Verify all jobs passed
         run: |
           results=( \
             "${{ needs.gitleaks.result }}" \
+            "${{ needs.zizmor.result }}" \
             "${{ needs.commitlint.result }}" \
             "${{ needs.lint.result }}" \
             "${{ needs.test.result }}" \

.github/workflows/release-please.yml

@@ -12,6 +12,6 @@ jobs:
   release-please:
     runs-on: ubuntu-latest
     steps:
-      - uses: googleapis/release-please-action@v4
+      - uses: googleapis/release-please-action@5c625bfb5d1ff62eadeeb3772007f7f66fdcf071 # v4
         with:
           release-type: node

.gitignore

@@ -9,4 +9,5 @@ playwright-report/
 test-results/
 .DS_Store
 coverage/
-.nyc_output/
+.nyc_output/
+.pnpm-store/

.husky/pre-commit

@@ -1,2 +1,3 @@
 npx lint-staged
 gitleaks git --pre-commit --staged --verbose
+zizmor .github/

Dockerfile

@@ -27,6 +27,7 @@ RUN apt-get update && apt-get install -y \
     libnss3 libnspr4 libdbus-1-3 libatk1.0-0 libatk-bridge2.0-0 \
     libcups2 libdrm2 libxkbcommon0 libxcomposite1 libxdamage1 \
     libxfixes3 libxrandr2 libgbm1 libasound2 \
+    curl \
   && rm -rf /var/lib/apt/lists/*
 
 COPY --from=chromium /pw-browsers /pw-browsers

docker-compose.yml

@@ -15,27 +15,59 @@ services:
       timeout: 5s
       retries: 5
 
-  app:
+  oidc-mock:
+    image: ghcr.io/navikt/mock-oauth2-server:2.1.10
+    ports:
+      - "8090:8090"
+    environment:
+      SERVER_PORT: "8090"
+      JSON_CONFIG: |
+        {
+          "interactiveLogin": false,
+          "tokenCallbacks": [{
+            "issuerId": "default",
+            "requestMappings": [{
+              "requestParam": "scope",
+              "match": "*",
+              "claims": {
+                "sub": "test-user",
+                "email": "test@example.gov.uk",
+                "email_verified": true,
+                "display_name": "Test User",
+                "name": "Test User"
+              }
+            }]
+          }]
+        }
+
+  compliance-scraper:
     build: .
     depends_on:
       postgres:
         condition: service_healthy
+      oidc-mock:
+        condition: service_started
     env_file:
-      - .env
+      - path: .env
+        required: false
     environment:
       DATABASE_URL: postgres://scraper:scraper@postgres:5432/compliance_scraper
       AWS_REGION: eu-west-2
       BEDROCK_MODEL_ID: eu.anthropic.claude-haiku-4-5-20251001-v1:0
       SERVICES_JSON_PATH: /app/services.json
       SEED_DATABASE: "true"
       NODE_ENV: development
-      APP_URL: http://localhost:3000
-      NODE_EXTRA_CA_CERTS: /etc/ssl/cert.pem
-    volumes:
-      - ~/.aws:/home/node/.aws:ro
-      - ./local/cert.pem:/etc/ssl/cert.pem:ro
+      APP_URL: http://compliance-scraper:3000
+      SSO_ISSUER: http://oidc-mock:8090/default
+      SSO_CLIENT_ID: test-client
+      SSO_CLIENT_SECRET: test-secret
     ports:
       - "3000:3000"
+    healthcheck:
+      test: curl -f http://localhost:3000/health || exit 1
+      interval: 5s
+      timeout: 5s
+      retries: 5
 
   adminer:
     image: adminer:latest
@@ -47,43 +79,16 @@ services:
     ports:
       - "8080:8080"
 
-  test-app:
-    profiles: [test]
-    build:
-      context: .
-      dockerfile: Dockerfile
-    ports:
-      - "3001:3000"
-    depends_on:
-      postgres:
-        condition: service_healthy
-    environment:
-      DATABASE_HOST: postgres
-      DATABASE_PORT: 5432
-      DATABASE_USER: scraper
-      DATABASE_PASSWORD: scraper
-      DATABASE_NAME: compliance_scraper
-      NODE_ENV: test
-      SEED_DATABASE: "true"
-      SERVICES_JSON_PATH: /app/services.json
-      AWS_REGION: eu-west-2
-      BEDROCK_MODEL_ID: eu.anthropic.claude-haiku-4-5-20251001-v1:0
-    healthcheck:
-      test: ["CMD-SHELL", "wget --spider -q http://127.0.0.1:3000/health"]
-      interval: 5s
-      timeout: 5s
-      retries: 10
-
   e2e-test:
     profiles: [test]
-    image: mcr.microsoft.com/playwright:v1.50.0-noble
+    image: mcr.microsoft.com/playwright:v1.59.1-noble
     working_dir: /app
     depends_on:
-      test-app:
+      compliance-scraper:
         condition: service_healthy
     environment:
       CI: "true"
-      PLAYWRIGHT_BASE_URL: http://test-app:3000
+      PLAYWRIGHT_BASE_URL: http://compliance-scraper:3000
     volumes:
       - .:/app
       - e2e-node-modules:/app/node_modules

eslint.config.mjs

@@ -4,6 +4,6 @@ import tseslint from 'typescript-eslint';
 export default tseslint.config(
   eslint.configs.recommended,
   ...tseslint.configs.recommended,
-  { ignores: ['dist/', 'node_modules/'] },
+  { ignores: ['dist/', 'node_modules/', 'playwright-report/', 'test-results/'] },
   { files: ['**/*.js'], languageOptions: { globals: { module: 'readonly', require: 'readonly' } } }
 );

package.json

@@ -15,7 +15,8 @@
     "dev:watch": "nodemon --watch src --ext ts,njk --exec ts-node src/main.ts",
     "dev:server": "ts-node src/server/index.ts",
     "lint": "eslint .",
-    "test": "echo 'No unit tests yet' && exit 0",
+    "test": "node --require ts-node/register --test $(find tests/unit -name '*.test.ts')",
+    "test:e2e": "playwright test",
     "db:migrate": "ts-node src/db/migrate.ts",
     "db:seed": "ts-node src/db/seed.ts",
     "fetch-services": "bash scripts/fetch-services.sh",
@@ -35,6 +36,7 @@
   },
   "devDependencies": {
     "@eslint/js": "^10.0.1",
+    "@playwright/test": "^1.59.1",
     "@types/connect-pg-simple": "^7.0.3",
     "@types/express": "^4.17.25",
     "@types/express-session": "^1.19.0",

playwright.config.ts

@@ -0,0 +1,28 @@
+/// <reference types="node" />
+import { defineConfig } from "@playwright/test";
+
+export default defineConfig({
+  testDir: "./tests/e2e",
+  fullyParallel: true,
+  forbidOnly: !!process.env.CI,
+  retries: process.env.CI ? 2 : 0,
+  workers: process.env.CI ? 1 : undefined,
+  reporter: "html",
+  use: {
+    baseURL: process.env.PLAYWRIGHT_BASE_URL || "http://localhost:3000",
+    trace: "on-first-retry",
+  },
+  projects: [
+    {
+      name: "chromium",
+      use: {},
+    },
+  ],
+  webServer: process.env.PLAYWRIGHT_BASE_URL
+    ? undefined
+    : {
+        command: "npm start",
+        url: "http://localhost:3000/health",
+        reuseExistingServer: !process.env.CI,
+      },
+});