ci(e2e): run Playwright from the prebuilt image instead of downloading browsers (refs #73)
All checks were successful
CI / build (pull_request) Successful in 56s
CI / mutation (pull_request) Successful in 4m6s
CI / verify-stack (pull_request) Successful in 7m3s
CI / lint (pull_request) Successful in 5m43s
CI / unit (pull_request) Successful in 1m0s
CI / frontend (pull_request) Successful in 1m50s

The verify-e2e lane downloaded ~150 MB of Chromium (npx playwright install) on
every verify-stack run. Use the official mcr.microsoft.com/playwright image with
browsers pre-baked; npm install still pins @playwright/test from tests/e2e, and
the image tag is kept in lockstep with that version. Verified the exact
create + docker cp + start flow launches the baked browser with no download.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-07-13 15:29:11 +02:00
parent 60df0845aa
commit 2b9eb5eb41
2 changed files with 14 additions and 8 deletions

View File

@@ -85,12 +85,14 @@ with the submit form (S-08c, #67); any deviation from NL DS will be recorded her
- **Runtime config.** The app fetches `/config.json` before bootstrap (`main.ts`); `appConfig` is a - **Runtime config.** The app fetches `/config.json` before bootstrap (`main.ts`); `appConfig` is a
factory. The dev default (`public/config.json`) points at `localhost:8180`; the Docker image bakes factory. The dev default (`public/config.json`) points at `localhost:8180`; the Docker image bakes
the compose value (`keycloak:8080`). One build, per-environment OIDC authority. the compose value (`keycloak:8080`). One build, per-environment OIDC authority.
- **e2e runs inside the compose network.** `infra/run-e2e-check.sh` runs Playwright in a `node` - **e2e runs inside the compose network.** `infra/run-e2e-check.sh` runs Playwright in a container on
container on `cg`, so the browser reaches Keycloak as `keycloak:8080` — the **same issuer** the BFF `cg`, so the browser reaches Keycloak as `keycloak:8080` — the **same issuer** the BFF validates
validates against (resolves the browser-vs-container mismatch, ADR-0010). Chromium is installed at against (resolves the browser-vs-container mismatch, ADR-0010). It uses the official
runtime, so there's no Playwright-image-version pinning to keep in sync. The spec is copied in `mcr.microsoft.com/playwright:<version>` image with browsers pre-baked, rather than downloading
(`docker cp`), not mounted, so it leaves nothing root-owned on the host. Wired as `verify-e2e` in ~150 MB of Chromium on every run (issue #73) — the image tag is kept in lockstep with
the `verify-stack` CI job. `tests/e2e/package.json`'s `@playwright/test` version. The spec is copied in (`docker cp`), not
mounted, so it leaves nothing root-owned on the host. Wired as `verify-e2e` in the `verify-stack`
CI job.
- **e2e treats the portal origin as secure.** In-network the portal is served over plain HTTP on a - **e2e treats the portal origin as secure.** In-network the portal is served over plain HTTP on a
non-localhost origin (`http://self-service`), which is **not a secure context**, so Web Crypto non-localhost origin (`http://self-service`), which is **not a secure context**, so Web Crypto
(`crypto.subtle`) is unavailable. angular-auth-oidc-client needs it for the PKCE code challenge, so (`crypto.subtle`) is unavailable. angular-auth-oidc-client needs it for the PKCE code challenge, so

View File

@@ -3,10 +3,14 @@
# Walking-skeleton e2e (S-08d) against an ALREADY-RUNNING full stack: drive the self-service portal # Walking-skeleton e2e (S-08d) against an ALREADY-RUNNING full stack: drive the self-service portal
# in a real browser through mock-DigiD login → submit → confirmation (login → BFF → domain). # in a real browser through mock-DigiD login → submit → confirmation (login → BFF → domain).
# #
# Runs Playwright INSIDE the compose network (a node container on `cg`), so the browser reaches # Runs Playwright INSIDE the compose network (a container on `cg`), so the browser reaches
# Keycloak by service name (keycloak:8080) — the same authority the BFF validates against, so the # Keycloak by service name (keycloak:8080) — the same authority the BFF validates against, so the
# token issuer matches (ADR-0010). The spec is copied into the container (docker cp), not mounted, # token issuer matches (ADR-0010). The spec is copied into the container (docker cp), not mounted,
# so it leaves no root-owned files on the host. The caller owns stack bring-up + teardown. # so it leaves no root-owned files on the host. The caller owns stack bring-up + teardown.
#
# Uses the official Playwright image with browsers pre-baked, instead of downloading ~150 MB of
# Chromium on every run (issue #73). The image tag MUST match tests/e2e/package.json's
# @playwright/test version — bump both together.
set -euo pipefail set -euo pipefail
here="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" here="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
@@ -19,7 +23,7 @@ echo ">> running Playwright e2e on network $net against http://self-service"
cid="$(docker create --network "$net" -w /e2e --ipc=host \ cid="$(docker create --network "$net" -w /e2e --ipc=host \
-e SELF_SERVICE_URL=http://self-service \ -e SELF_SERVICE_URL=http://self-service \
node:24 sh -c 'npm install --no-audit --no-fund && npx playwright install --with-deps chromium && npx playwright test')" mcr.microsoft.com/playwright:v1.61.1-noble sh -c 'npm install --no-audit --no-fund && npx playwright test')"
trap 'docker rm -f "$cid" >/dev/null 2>&1 || true' EXIT trap 'docker rm -f "$cid" >/dev/null 2>&1 || true' EXIT
docker cp "$root/tests/e2e/." "$cid:/e2e" >/dev/null docker cp "$root/tests/e2e/." "$cid:/e2e" >/dev/null
docker start -a "$cid" docker start -a "$cid"