Restructure GitHub Actions workflow with artifact handling

[phongphongg]

Summary by CodeRabbit

• New Features

  • Added image build and cleanup jobs plus artifact-based image delivery in CI for prebuilt images.

• Chores

  • Reworked end-to-end runs to download/load artifacts and use a Task-based deployment step instead of direct repo checkouts.
  • Host mapping now uses environment-driven domain variables; workflow outputs expanded to include per-service refs and metadata.

[gemini-code-assist]

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

[coderabbitai]

Warning

Rate limit exceeded

@phongphongg has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 7 minutes and 32 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: db33a503-22ec-48eb-af5e-df5893a8eed4

📥 Commits

Reviewing files that changed from the base of the PR and between f501521 and cd22c09.

📒 Files selected for processing (1)

• .github/workflows/playwright.yml

📝 Walkthrough

Walkthrough

Added a build-images matrix job that builds and uploads image tarball artifacts; prepare exposes additional refs; e2e waits for and downloads artifacts, loads images into Minikube, and runs Task-based deployment; cleanup job deletes run-specific artifacts; branch/ref defaults moved to v0.

Changes

Cohort / File(s)	Summary
Primary workflow .github/workflows/playwright.yml	Major CI workflow rewrite: added build-images matrix and cleanup jobs; prepare outputs expanded (platform_ref, testing_ref); triggers/refs switched to v0; e2e now depends on build-images.
Image build & artifacts .github/workflows/playwright.yml (build-images job, artifact steps)	New image build matrix (Desk, IAM, Migration), creates metadata and tarballs, uploads artifacts for consumption by downstream jobs.
E2E / deployment flow .github/workflows/playwright.yml (e2e job changes)	Replaced direct repo checkouts with artifact download/load; e2e waits for build completion, loads images into Minikube, exports per-service refs/keys, and uses a Task-based deployment step instead of heavy Helm/Gateway orchestration.
Environment & refs .github/workflows/playwright.yml (prepare, envs)	Prepare sets per-branch/ref defaults (HELM_CHART_REF, DESK_REF, PLATFORM_REF, TESTING_REF) and exposes outputs; e2e receives HELM_PATH, TESTING_PATH, TENANT_NAME, DOMAIN and uses env.DOMAIN for host mapping.
Cleanup & artifact lifecycle .github/workflows/playwright.yml (cleanup job)	Added explicit cleanup job to remove run-specific artifacts after E2E; e2e signals or depends on cleanup ordering.
Miscellaneous adjustments .github/workflows/playwright.yml	Removed multiple Helm/Gateway steps and in-repo platform/desk checkouts; introduced artifact-driven loading and per-image export logic; updated step references to environment-driven paths.

Sequence Diagram

sequenceDiagram
    autonumber
    actor Trigger as Webhook/Push
    participant Prepare as Prepare Job
    participant Build as build-images Job
    participant Artifacts as GitHub Artifacts
    participant E2E as e2e Job
    participant Minikube as Minikube
    participant Cleanup as cleanup Job

    Trigger->>Prepare: start workflow, set refs (v0)
    Prepare->>Build: provide refs / allow matrix start
    Build->>Build: build images, create metadata, tarballs
    Build->>Artifacts: upload image tarballs & metadata
    Artifacts-->>E2E: artifacts available
    E2E->>Artifacts: download artifacts
    E2E->>Minikube: load images into cluster
    E2E->>E2E: export per-service refs/outputs
    E2E->>Minikube: deploy via Task-based step, run tests
    E2E-->>Cleanup: trigger cleanup
    Cleanup->>Artifacts: delete run-specific artifacts

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Possibly related PRs

• Add code quality and E2E testing infrastructure #1 — Modifies the same .github/workflows/playwright.yml prepare/e2e flow; closely related changes around switching to artifact-driven image handling and e2e orchestration.

Poem

🐰 I stitched the images, one by one,
Packed tarballs under CI sun.
Minikube woke with a sleepy cheer,
Tasks ran, tests laughed, then cleanup near.
Hop—artifacts gone, I nibble a gear.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Restructure GitHub Actions workflow with artifact handling' accurately summarizes the main changes: restructuring the workflow and introducing artifact-based handling for build images and deployments.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch enhance/adapt-new-helm

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/playwright.yml (1)

213-217: ⚠️ Potential issue | 🟠 Major

Checkout the PR head explicitly for forked pull requests.

When a contributor forks this repository and opens a PR, the current checkout fails because testing_ref is just the branch name (from github.head_ref), but the checkout defaults to the base repository where that branch doesn't exist. For PR scenarios, use the fork's repository and head commit SHA. For push and workflow_dispatch, continue using the standard ref.

💡 One straightforward way to pin the PR checkout

       - name: Checkout workastra/testing
         uses: actions/checkout@v6
         with:
+          repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }}
           path: ${{ env.TESTING_PATH }}
-          ref: ${{ needs.prepare.outputs.testing_ref }}
+          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || needs.prepare.outputs.testing_ref }}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/playwright.yml around lines 213 - 217, The checkout step
"Checkout workastra/testing" fails for forked PRs because it uses
needs.prepare.outputs.testing_ref (branch name) against the base repo; change
the step to choose the fork head explicitly for PRs by setting with.repository
to github.event.pull_request.head.repo.full_name and with.ref to
github.event.pull_request.head.sha when github.event_name == 'pull_request', and
otherwise keep using with.ref: needs.prepare.outputs.testing_ref (or github.ref)
for push/workflow_dispatch; update the actions/checkout@v6 invocation to use
these conditional repository/ref values so the fork head is checked out for PR
runs.

🧹 Nitpick comments (1)

.github/workflows/playwright.yml (1)

184-188: Keep the test base URL sourced from DOMAIN.

/etc/hosts is now updated from ${{ env.DOMAIN }}, but Line 316 still hard-codes http://workastra.com. The next domain change will update deploy/hosts and leave Playwright pointed at the old host.

♻️ Small follow-up to keep the config single-sourced

       - name: Run Playwright tests
         working-directory: ${{ env.TESTING_PATH }}
         env:
-          APP_BASE_URL: http://workastra.com
+          APP_BASE_URL: http://${{ env.DOMAIN }}
         run: pnpm run playwright:test --project=chromium

Also applies to: 290-291

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/playwright.yml around lines 184 - 188, The Playwright job
is still hard-coding the base URL as "http://workastra.com"; replace that
literal with the environment variable (use http://${{ env.DOMAIN }} or the job's
env.DOMAIN) so Playwright's baseURL is single-sourced from env.DOMAIN; update
all occurrences referenced (the base URL in the Playwright step and the other
two spots noted) to use env.DOMAIN instead of the literal host so future domain
changes only require updating DOMAIN.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/playwright.yml:
- Around line 327-331: The cleanup job currently uses needs: [e2e] and if: ${{
!cancelled() }}, which inherits success() and is skipped when e2e fails or is
skipped; update the cleanup job (named "cleanup") to use a condition that runs
regardless of e2e outcome but still avoids running on workflow cancellation,
e.g. replace the if with a combined expression that uses always() and
!cancelled() (for example: if: ${{ always() && !cancelled() }}), so the job runs
after failed or skipped e2e runs but not when the workflow is cancelled.

---

Outside diff comments:
In @.github/workflows/playwright.yml:
- Around line 213-217: The checkout step "Checkout workastra/testing" fails for
forked PRs because it uses needs.prepare.outputs.testing_ref (branch name)
against the base repo; change the step to choose the fork head explicitly for
PRs by setting with.repository to github.event.pull_request.head.repo.full_name
and with.ref to github.event.pull_request.head.sha when github.event_name ==
'pull_request', and otherwise keep using with.ref:
needs.prepare.outputs.testing_ref (or github.ref) for push/workflow_dispatch;
update the actions/checkout@v6 invocation to use these conditional
repository/ref values so the fork head is checked out for PR runs.

---

Nitpick comments:
In @.github/workflows/playwright.yml:
- Around line 184-188: The Playwright job is still hard-coding the base URL as
"http://workastra.com"; replace that literal with the environment variable (use
http://${{ env.DOMAIN }} or the job's env.DOMAIN) so Playwright's baseURL is
single-sourced from env.DOMAIN; update all occurrences referenced (the base URL
in the Playwright step and the other two spots noted) to use env.DOMAIN instead
of the literal host so future domain changes only require updating DOMAIN.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7ed6b37d-7819-4306-a2c9-b42a096dd1a0

📥 Commits

Reviewing files that changed from the base of the PR and between fc45ef9 and 508f40e.

📒 Files selected for processing (1)

• .github/workflows/playwright.yml

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

GitHub Actions job needs dependency skip behavior always() condition

💡 Result:

In GitHub Actions, a job that has needs: implicitly has a default condition of if: success(). That means if any needed job is skipped, success() evaluates false and the dependent job is skipped too—unless you override the job’s if. [1]

To get “dependency skip behavior” (run even when dependencies are skipped), set a job-level if: that starts with always() and then explicitly allow the dependency results you want via needs.<job_id>.result (success|failure|cancelled|skipped). [1]

Example: run deploy if build succeeded or was skipped (but not if it failed/cancelled):

jobs:
  build:
    runs-on: ubuntu-latest
    if: ${{ github.ref == 'refs/heads/main' }}
    steps:
      - run: echo build

  deploy:
    runs-on: ubuntu-latest
    needs: [build]
    if: ${{ always() && (needs.build.result == 'success' || needs.build.result == 'skipped') }}
    steps:
      - run: echo deploy

Notes:

• always() is what forces evaluation even when a needs job didn’t “succeed” (including skipped). [1][2]
• If you want “run unless workflow was cancelled”, use if: ${{ !cancelled() && (...) }} (since always() also runs on cancellation). [1]

Sources: GitHub Docs on needs.<job_id>.result and job if functions [1]; community/StackOverflow discussion of downstream jobs being skipped unless always() + needs.*.result checks are used [2].

[1] https://docs.github.com/en/actions/reference/contexts-reference
[2] https://stackoverflow.com/questions/76750973/how-to-execute-a-job-that-needs-a-job-that-was-skipped

---

Run cleanup after failed/skipped e2e runs too.

With needs: [e2e] and if: ${{ !cancelled() }}, this job inherits the implicit if: success() condition and is skipped when e2e fails or is skipped, so the build-* artifacts remain on disk when cleanup matters most.

🧹 Suggested condition

   cleanup:
     runs-on: ubuntu-latest
     name: Cleanup
     needs: [e2e]
-    if: ${{ !cancelled() }}
+    if: ${{ always() && !cancelled() }}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	cleanup:
	runs-on: ubuntu-latest
	name: Cleanup
	needs: [e2e]
	if: ${{ !cancelled() }}
	cleanup:
	runs-on: ubuntu-latest
	name: Cleanup
	needs: [e2e]
	if: ${{ always() && !cancelled() }}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/playwright.yml around lines 327 - 331, The cleanup job
currently uses needs: [e2e] and if: ${{ !cancelled() }}, which inherits
success() and is skipped when e2e fails or is skipped; update the cleanup job
(named "cleanup") to use a condition that runs regardless of e2e outcome but
still avoids running on workflow cancellation, e.g. replace the if with a
combined expression that uses always() and !cancelled() (for example: if: ${{
always() && !cancelled() }}), so the job runs after failed or skipped e2e runs
but not when the workflow is cancelled.

[coderabbitai]

♻️ Duplicate comments (1)

.github/workflows/playwright.yml (1)

336-340: ⚠️ Potential issue | 🟡 Minor

Make cleanup run after failed/skipped e2e runs.

With needs: [e2e], GitHub Actions skips downstream jobs when the needed job fails or is skipped unless the job-level condition uses always(). if: ${{ !cancelled() }} is therefore still not enough to guarantee artifact cleanup. (docs.github.com)

🧹 Suggested change

   cleanup:
     runs-on: ubuntu-latest
     name: Cleanup
     needs: [e2e]
-    if: ${{ !cancelled() }}
+    if: ${{ always() && !cancelled() }}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/playwright.yml around lines 336 - 340, The cleanup job
currently uses needs: [e2e] and if: ${{ !cancelled() }}, which prevents it from
running when e2e fails or is skipped; update the job-level condition on the
cleanup job (job name "cleanup", which currently has needs: [e2e] and if: ${{
!cancelled() }}) to use always() combined with the cancelled check (for example:
if: ${{ always() && !cancelled() }}), so the cleanup runs even when the e2e job
fails or is skipped.

🧹 Nitpick comments (2)

.github/workflows/playwright.yml (2)

191-195: Consider deriving APP_BASE_URL from DOMAIN too.

DOMAIN is now the source of truth for the host mapping, but Line 325 still hardcodes http://workastra.com. Since playwright.config.ts:13-21 reads APP_BASE_URL, wiring that env from DOMAIN would keep the workflow and test config from drifting.

♻️ Suggested change

       - name: Run Playwright tests
         working-directory: ${{ env.TESTING_PATH }}
         env:
-          APP_BASE_URL: http://workastra.com
+          APP_BASE_URL: http://${{ env.DOMAIN }}
         run: pnpm run playwright:test --project=chromium

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/playwright.yml around lines 191 - 195, The workflow
hardcodes APP_BASE_URL separately from DOMAIN; update the env block so
APP_BASE_URL is derived from DOMAIN (e.g., construct "http://"+DOMAIN or include
scheme as needed) so tests read the same host as the DOMAIN source of truth;
change the env assignment that currently hardcodes APP_BASE_URL to use the
DOMAIN value and ensure APP_BASE_URL is exported to the Playwright job so
playwright.config.ts can rely on APP_BASE_URL consistently.

---

167-175: Give each image build its own GHA cache scope.

Both cache lines use the default gha scope. Docker documents that this defaults to buildkit, and that building multiple images with that default causes each build to overwrite the previous cache object. In this matrix, that means Desk/IAM/Migration will churn the same cache instead of benefiting from the split build job. (docs.docker.com)

♻️ Suggested change

-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          cache-from: type=gha,scope=${{ steps.meta.outputs.artifact_name }}
+          cache-to: type=gha,mode=max,scope=${{ steps.meta.outputs.artifact_name }}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/playwright.yml around lines 167 - 175, The GHA Docker
cache is using the default 'gha' scope and is being shared across matrix builds;
update the docker/build-push-action step where cache-from and cache-to are set
so each image gets its own scope (e.g., add scope=${{ matrix.path }} or another
matrix identifier) — change cache-from: type=gha to cache-from:
type=gha,scope=${{ matrix.path }} and cache-to: type=gha,mode=max to cache-to:
type=gha,mode=max,scope=${{ matrix.path }} (or use
matrix.docker.file/matrix.name if more appropriate) so builds like
Desk/IAM/Migration do not overwrite each other.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In @.github/workflows/playwright.yml:
- Around line 336-340: The cleanup job currently uses needs: [e2e] and if: ${{
!cancelled() }}, which prevents it from running when e2e fails or is skipped;
update the job-level condition on the cleanup job (job name "cleanup", which
currently has needs: [e2e] and if: ${{ !cancelled() }}) to use always() combined
with the cancelled check (for example: if: ${{ always() && !cancelled() }}), so
the cleanup runs even when the e2e job fails or is skipped.

---

Nitpick comments:
In @.github/workflows/playwright.yml:
- Around line 191-195: The workflow hardcodes APP_BASE_URL separately from
DOMAIN; update the env block so APP_BASE_URL is derived from DOMAIN (e.g.,
construct "http://"+DOMAIN or include scheme as needed) so tests read the same
host as the DOMAIN source of truth; change the env assignment that currently
hardcodes APP_BASE_URL to use the DOMAIN value and ensure APP_BASE_URL is
exported to the Playwright job so playwright.config.ts can rely on APP_BASE_URL
consistently.
- Around line 167-175: The GHA Docker cache is using the default 'gha' scope and
is being shared across matrix builds; update the docker/build-push-action step
where cache-from and cache-to are set so each image gets its own scope (e.g.,
add scope=${{ matrix.path }} or another matrix identifier) — change cache-from:
type=gha to cache-from: type=gha,scope=${{ matrix.path }} and cache-to:
type=gha,mode=max to cache-to: type=gha,mode=max,scope=${{ matrix.path }} (or
use matrix.docker.file/matrix.name if more appropriate) so builds like
Desk/IAM/Migration do not overwrite each other.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 46b17685-c964-48e6-b594-3d0d2ccb2660

📥 Commits

Reviewing files that changed from the base of the PR and between 508f40e and cbd178f.

📒 Files selected for processing (1)

• .github/workflows/playwright.yml

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

.github/workflows/playwright.yml (1)

362-366: ⚠️ Potential issue | 🟠 Major

Make cleanup wait for build-images and ignore e2e failures.

With needs: [e2e], this job can start before build-images has finished uploading if e2e dies early. And with if: ${{ !cancelled() }}, it still inherits the default success() gate, so a failed or skipped e2e prevents cleanup from running at all. GitHub documents both behaviors: downstream jobs are skipped after a failed/skipped dependency unless the job-level condition includes a status function like always(), and needs only covers explicitly declared dependencies. (docs.github.com)

🧹 Suggested fix

   cleanup:
     runs-on: ubuntu-latest
     name: Cleanup
-    needs: [e2e]
-    if: ${{ !cancelled() }}
+    needs: [e2e, build-images]
+    if: ${{ always() && !cancelled() }}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/playwright.yml around lines 362 - 366, The cleanup job
currently only declares needs: [e2e] and uses if: ${{ !cancelled() }} which lets
it start before build-images finishes if e2e exits early and still inherits the
success() gate; update the cleanup job (cleanup) to depend on both e2e and
build-images (needs: [e2e, build-images]) and change its condition to run
regardless of upstream success but not when the workflow is cancelled by using
if: ${{ always() && !cancelled() }} so cleanup waits for build-images and
ignores e2e failures.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/playwright.yml:
- Around line 226-250: The loop waiting for the "Build image" matrix jobs
incorrectly treats terminal non-success conclusions as still-running; update the
check around the RESULTS array (mapfile -t RESULTS ...) to first detect any
terminal failures (e.g., "failure", "cancelled", "timed_out") and immediately
echo a failure message and exit 1, then only treat non-terminal/missing
conclusions as "still waiting" (sleep and retry), and finally break when all
entries are "success". Modify the block that currently uses grep -qv '^success$'
to implement this two-step check against terminal conclusions before waiting.

---

Duplicate comments:
In @.github/workflows/playwright.yml:
- Around line 362-366: The cleanup job currently only declares needs: [e2e] and
uses if: ${{ !cancelled() }} which lets it start before build-images finishes if
e2e exits early and still inherits the success() gate; update the cleanup job
(cleanup) to depend on both e2e and build-images (needs: [e2e, build-images])
and change its condition to run regardless of upstream success but not when the
workflow is cancelled by using if: ${{ always() && !cancelled() }} so cleanup
waits for build-images and ignores e2e failures.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4e30a18b-c485-44e9-926d-a3ca1aabb9c0

📥 Commits

Reviewing files that changed from the base of the PR and between cbd178f and 15d2ad7.

📒 Files selected for processing (1)

• .github/workflows/playwright.yml

[coderabbitai]

♻️ Duplicate comments (2)

.github/workflows/playwright.yml (2)

367-367: ⚠️ Potential issue | 🟡 Minor

Make cleanup run after failed/skipped E2E runs too.

Line 367 currently allows cleanup to be skipped when e2e is not successful, which leaves build-* artifacts behind.

🧹 Suggested condition

-    if: ${{ !cancelled() }}
+    if: ${{ always() && !cancelled() }}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/playwright.yml at line 367, The cleanup step currently
uses the condition "if: ${{ !cancelled() }}" so it skips when the e2e job fails
or is skipped; update the condition for the cleanup step (look for the workflow
step/job named cleanup) to run even after failures by changing the expression to
"if: ${{ always() && !cancelled() }}", which ensures cleanup runs on success,
failure, or skipped runs but still respects cancellation.

---

244-246: ⚠️ Potential issue | 🟠 Major

Fail fast on terminal matrix failures in the wait loop.

Line 244 treats terminal failures the same as “still waiting,” so the loop can burn time until timeout instead of exiting immediately.

🛠️ Suggested fix

-            if printf '%s\n' "${RESULTS[@]}" | grep -qv '^success$'; then
-              echo "Some jobs not successful yet or failed"
+            if printf '%s\n' "${RESULTS[@]}" | grep -Eq '^(failure|cancelled|timed_out|startup_failure|action_required)$'; then
+              echo "At least one build-images job finished unsuccessfully"
+              exit 1
+            elif printf '%s\n' "${RESULTS[@]}" | grep -qv '^success$'; then
+              echo "Waiting for remaining build-images jobs..."
               sleep 10
             else
               echo "All build matrix jobs succeeded"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/playwright.yml around lines 244 - 246, The wait loop
currently treats terminal failures like transient “not success,” so add an early
check on the RESULTS array for terminal failure strings (e.g., "failure" or
whatever terminal status your matrix uses) and exit immediately with a non-zero
status instead of sleeping; locate the block referencing RESULTS and the grep
check and insert a conditional that searches RESULTS for "failure" (or the
terminal marker your jobs emit) and calls echo + exit 1 before the existing
sleep, or alternatively change the grep logic to only continue sleeping when
entries are "waiting" (not when any "failure" is present).

🧹 Nitpick comments (3)

.github/workflows/playwright.yml (3)

194-195: DOMAIN is introduced but not actually driving Playwright base URL.

Lines 194-195 suggest domain configurability, but tests still run with hard-coded APP_BASE_URL: http://workastra.com, so changing DOMAIN won’t affect browser target.

🔧 Suggested follow-up in this workflow

       - name: Run Playwright tests
         working-directory: ${{ env.TESTING_PATH }}
         env:
-          APP_BASE_URL: http://workastra.com
+          APP_BASE_URL: http://${{ env.DOMAIN }}
         run: pnpm run playwright:test --project=chromium

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/playwright.yml around lines 194 - 195, The workflow
defines DOMAIN but Playwright still uses a hard-coded APP_BASE_URL; update the
GitHub Actions workflow so APP_BASE_URL is derived from DOMAIN (and optionally
TENANT_NAME) instead of a literal URL. Locate the environment block that sets
APP_BASE_URL in .github/workflows/playwright.yml and replace the hard-coded
value with a reference to the DOMAIN variable (for example construct the URL
from DOMAIN or combine TENANT_NAME and DOMAIN as needed) so changing DOMAIN
actually changes the Playwright base URL used by tests.

---

188-190: Prefer native dependency wiring over custom polling.

Line 190 comments out build-images from needs, which forces the custom GH CLI wait loop. This is more brittle than native DAG orchestration and error propagation.

♻️ Suggested simplification

   e2e:
     timeout-minutes: 60
     runs-on: ubuntu-latest
     name: E2E
     needs:
       - prepare
-      # - build-images
+      - build-images

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/playwright.yml around lines 188 - 190, The workflow
currently comments out the `build-images` dependency in the `needs:` block
(leaving `needs: - prepare` only), which forces a custom GH CLI polling/wait
loop; restore native DAG wiring by re-adding `build-images` to the `needs` list
so the job depends on `build-images` (remove the comment token on
`build-images`), and then delete or disable the custom GH CLI wait loop code so
the workflow relies on the native dependency ordering and error propagation
instead of polling.

---

260-283: Validate expected artifact metadata count before exporting image outputs.

If metadata files are missing/partial, this step silently emits incomplete outputs and fails later in deployment with less actionable errors.

✅ Guardrail suggestion

       - name: Load images into minikube
         id: images
         run: |
+          EXPECTED=3
+          FOUND=$(find "${{ runner.temp }}/artifacts" -name "metadata.json" | wc -l | tr -d ' ')
+          if [ "$FOUND" -ne "$EXPECTED" ]; then
+            echo "Expected $EXPECTED metadata.json files, found $FOUND"
+            exit 1
+          fi
+
           while IFS= read -r -d '' meta_file; do
             dir=$(dirname "$meta_file")

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/playwright.yml around lines 260 - 283, The step "Load
images into minikube" currently loops over metadata.json files and writes
outputs without validating the found artifacts; modify this block to first
collect and count the metadata files found under "${{ runner.temp }}/artifacts"
(the results of find ... -name "metadata.json"), verify the count matches an
expected number or at least is >0, and if validation fails emit a clear error
and exit non‑zero before loading images; only after successful validation should
the script iterate each metadata.json, parse REPO/TAG/IMG/TAR, load the tar via
minikube image load, and then write outputs to GITHUB_OUTPUT (using KEY, TAG,
REPO) so you avoid emitting incomplete outputs when artifacts are missing.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In @.github/workflows/playwright.yml:
- Line 367: The cleanup step currently uses the condition "if: ${{ !cancelled()
}}" so it skips when the e2e job fails or is skipped; update the condition for
the cleanup step (look for the workflow step/job named cleanup) to run even
after failures by changing the expression to "if: ${{ always() && !cancelled()
}}", which ensures cleanup runs on success, failure, or skipped runs but still
respects cancellation.
- Around line 244-246: The wait loop currently treats terminal failures like
transient “not success,” so add an early check on the RESULTS array for terminal
failure strings (e.g., "failure" or whatever terminal status your matrix uses)
and exit immediately with a non-zero status instead of sleeping; locate the
block referencing RESULTS and the grep check and insert a conditional that
searches RESULTS for "failure" (or the terminal marker your jobs emit) and calls
echo + exit 1 before the existing sleep, or alternatively change the grep logic
to only continue sleeping when entries are "waiting" (not when any "failure" is
present).

---

Nitpick comments:
In @.github/workflows/playwright.yml:
- Around line 194-195: The workflow defines DOMAIN but Playwright still uses a
hard-coded APP_BASE_URL; update the GitHub Actions workflow so APP_BASE_URL is
derived from DOMAIN (and optionally TENANT_NAME) instead of a literal URL.
Locate the environment block that sets APP_BASE_URL in
.github/workflows/playwright.yml and replace the hard-coded value with a
reference to the DOMAIN variable (for example construct the URL from DOMAIN or
combine TENANT_NAME and DOMAIN as needed) so changing DOMAIN actually changes
the Playwright base URL used by tests.
- Around line 188-190: The workflow currently comments out the `build-images`
dependency in the `needs:` block (leaving `needs: - prepare` only), which forces
a custom GH CLI polling/wait loop; restore native DAG wiring by re-adding
`build-images` to the `needs` list so the job depends on `build-images` (remove
the comment token on `build-images`), and then delete or disable the custom GH
CLI wait loop code so the workflow relies on the native dependency ordering and
error propagation instead of polling.
- Around line 260-283: The step "Load images into minikube" currently loops over
metadata.json files and writes outputs without validating the found artifacts;
modify this block to first collect and count the metadata files found under "${{
runner.temp }}/artifacts" (the results of find ... -name "metadata.json"),
verify the count matches an expected number or at least is >0, and if validation
fails emit a clear error and exit non‑zero before loading images; only after
successful validation should the script iterate each metadata.json, parse
REPO/TAG/IMG/TAR, load the tar via minikube image load, and then write outputs
to GITHUB_OUTPUT (using KEY, TAG, REPO) so you avoid emitting incomplete outputs
when artifacts are missing.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d740f730-4732-4901-8bc0-2a09fa20e2c6

📥 Commits

Reviewing files that changed from the base of the PR and between 15d2ad7 and f501521.

📒 Files selected for processing (1)

• .github/workflows/playwright.yml