chore: update WhatsApp Web version to v2.3000.1041353304 (#542) #41

Workflow file for this run

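name: E2E Tests
# SECURITY (PR #490 review — GHSL-2021-004):
# This workflow used `pull_request_target` upstream, which runs in the BASE
# repository context WITH secrets. Combined with `checkout @ pr.head.sha` and
# `yarn install` (postinstall scripts) + `yarn test:e2e` (arbitrary code), any
# fork PR could exfiltrate the `BARTENDER_GHCR_TOKEN` secret.
#
# PR #493 review P2-001: original fix dropped the PR-time trigger entirely
# (`if: github.event_name == 'push'`), but that left PRs without any pre-merge
# E2E validation. New design:
#   - `push` to master (post-merge, trusted code): runs automatically with
#     `BARTENDER_GHCR_TOKEN` credentialed mock-server.
#   - `workflow_dispatch` (manual): a maintainer can trigger the job against
#     ANY ref (branch / PR head) from the Actions tab. This re-enables
#     pre-merge E2E validation, but ONLY when a maintainer explicitly opts
#     in — fork PRs cannot self-trigger and thus cannot exfiltrate the
#     secret unprompted.
#   - `pull_request` to master: still received, but the job-level guard
#     keeps the GHCR-credentialed mock-server OFF for those events. The
#     workflow still appears in the PR checks list (as a skipped status),
#     so reviewers can see at a glance that E2E is gated behind a manual
#     trigger.
#
# NOTE(review): actions below are referenced by mutable major tags (`@v4`);
# pinning each to a full commit SHA is the usual supply-chain hardening.
on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master
  workflow_dispatch:
    inputs:
      ref:
        description: "Ref (branch / PR head SHA) to run E2E against. Defaults to the current branch."
        required: false
        default: ""

# Least privilege for GITHUB_TOKEN: read-only access to repository contents.
permissions:
  contents: read

jobs:
  e2e:
    name: E2E Tests
    runs-on: ubuntu-latest
    timeout-minutes: 10
    # Run on push to master (trusted post-merge code) OR on explicit
    # maintainer-triggered workflow_dispatch (only collaborators with write
    # access can dispatch workflows by default).
    #
    # What is trusted on dispatch is the DECISION to run, not the code: when
    # `inputs.ref` names a fork PR head, the install and test steps below
    # execute that PR's code (postinstall scripts, test files) in a job that
    # also references BARTENDER_GHCR_TOKEN. Review the PR's `package.json`
    # scripts and `yarn.lock` before dispatching against it.
    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
    services:
      mock-server:
        # NOTE(review): `:latest` is a mutable tag; pinning by digest
        # (`@sha256:<digest>`) makes the pulled image reproducible.
        image: ghcr.io/whiskeysockets-devtools/bartender:latest
        # The secret is referenced only here, for the image pull; no step in
        # this job exports it through `env`.
        credentials:
          username: ${{ github.actor }}
          password: ${{ secrets.BARTENDER_GHCR_TOKEN }}
        ports:
          # Quoted so no parser can read the mapping as anything but a string.
          - "8080:8080"
        env:
          CHATSTATE_TTL_SECS: "3"
          # Presumably a fixed test-only key (the same literal is passed to the
          # test step below) — confirm it is never used outside the mock setup.
          ADV_SECRET_KEY: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
        options: --log-driver none
    steps:
      - name: Checkout (dispatch ref override)
        if: github.event_name == 'workflow_dispatch' && inputs.ref != ''
        uses: actions/checkout@v4
        with:
          # Passed as an action input, never interpolated into a shell command.
          ref: ${{ inputs.ref }}
          # Do not leave GITHUB_TOKEN in .git/config where the (possibly
          # unreviewed) install and test scripts could read it.
          persist-credentials: false
      - name: Checkout (default)
        if: github.event_name != 'workflow_dispatch' || inputs.ref == ''
        uses: actions/checkout@v4
        with:
          # No later step needs git credentials; keep the token off disk.
          persist-credentials: false
      - name: Setup Node.js and Corepack
        uses: actions/setup-node@v4
        with:
          node-version: "20.x"
      - name: Enable Corepack and Set Yarn Version
        run: |
          corepack enable
          corepack prepare yarn@4.x --activate
      - name: Restore Yarn Cache
        # NOTE(review): on a dispatch run against an unreviewed ref, this
        # action's post-step can save a `.yarn/cache` populated by that ref's
        # install, and `restore-keys` lets later runs fall back to any
        # `<os>-yarn-` entry. Consider restore-only caching for dispatch runs.
        uses: actions/cache@v4
        with:
          path: .yarn/cache
          key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
          restore-keys: |
            ${{ runner.os }}-yarn-
      - name: Install dependencies
        # --immutable fails the install instead of rewriting yarn.lock.
        run: yarn install --immutable
      - name: Wait for mock server
        # Polls once per second for up to 30 attempts. `-k` skips certificate
        # verification, which is acceptable only because the target is the
        # job-local service on localhost (presumably a self-signed cert —
        # confirm).
        run: |
          for i in $(seq 1 30); do
            if curl -sk https://localhost:8080/ > /dev/null 2>&1; then
              echo "Mock server is ready"
              exit 0
            fi
            sleep 1
          done
          echo "Mock server failed to become ready"
          exit 1
      - name: Run E2E tests
        env:
          SOCKET_URL: "wss://127.0.0.1:8080/ws/chat"
          # Must match the ADV_SECRET_KEY given to the mock-server service.
          ADV_SECRET_KEY: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
        run: yarn test:e2e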