ci: add zizmor workflow and update playwright [backport to v4]#10663
Open
hi-ogawa wants to merge 5 commits into
Open
ci: add zizmor workflow and update playwright [backport to v4]#10663hi-ogawa wants to merge 5 commits into
hi-ogawa wants to merge 5 commits into
Conversation
Co-authored-by: OpenCode (claude-opus-4-8) <noreply@opencode.ai>
Apply workflow hardening to satisfy zizmor: - add persist-credentials: false to checkouts in ci.yml and cr.yml - drop the debug 'Print versions' step (template-injection) from setup-playwright action - add .github/zizmor.yml to ignore concurrency-limits for publish.yml Remove repo-management workflows that only run from the default branch (main) and never execute on v4, so they only produced zizmor noise: ecosystem-ci-trigger, issue-close-require, lock-closed-issues, issue-labeled, pr-labeled-automated. Co-authored-by: OpenCode (claude-opus-4-8) <noreply@opencode.ai>
The push trigger is inert on v4 (push events use the branch's own workflow file, filtered to main), but gating relies on the pull_request trigger, which works regardless. Keeping the file identical to main avoids drift. Co-authored-by: OpenCode (claude-opus-4-8) <noreply@opencode.ai>
Playwright <1.60.0 hangs after the browser zip download completes on Node.js 24.16.0 due to a Node regression in zip extraction (nodejs/node#63487, microsoft/playwright#41000). This stalls the node-24 browser CI jobs on v4 until they time out. Bump to ^1.61.0, matching main, where the issue is resolved. Co-authored-by: OpenCode (claude-opus-4-8) <noreply@opencode.ai>
hi-ogawa
changed the title
Playwright 1.60+ run-server binds to ::1 (IPv6) when host is localhost, so the test's 'Listening on ws://localhost:9898' wait never matches the 'ws://[::1]:9898/' output and times out. Pass --host 127.0.0.1 --unsafe and use 127.0.0.1 everywhere, matching main (vitest-dev#10426). Co-authored-by: OpenCode (claude-opus-4-8) <noreply@opencode.ai>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
v4 branch merge (e.g. #10661) is blocked by missing zizmor https://github.com/vitest-dev/vitest/settings/rules/16737607
Let's try adding back zizmor to v4.
To make zizmor pass easily, workflows that are useless on backport v4 branches yml are removed like the ones with old issues-helper.
Also updated playwright since playwright 1.59 + node 24 hangs install.
Please don't delete this checklist! Before submitting the PR, please make sure you do the following:
pnpm-lock.yamlunless you introduce a new test example.Tests
pnpm test:ci.Documentation
pnpm run docscommand.Changesets
feat:,fix:,perf:,docs:, orchore:.