Fix Playwright CLI provenance verification for tag format change #16087
mitchdenny wants to merge 1 commit into main from
🚀 Dogfood this PR with:

```bash
curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 16087
```

Or

```powershell
iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 16087"
```
Pull request overview
Fixes `aspire new` failures caused by a Playwright CLI tag naming convention change that broke SLSA provenance workflow ref verification.

Changes:
- Updated the Playwright CLI minimum resolved version range to `>=0.1.7`.
- Adjusted provenance workflow ref validation to expect tags without the `v` prefix.
- Added a unit test that captures and validates the workflow ref validator behavior.

Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/Aspire.Cli/Agents/Playwright/PlaywrightCliInstaller.cs | Updates the resolved version floor and workflow ref validation logic for provenance verification. |
| tests/Aspire.Cli.Tests/Agents/PlaywrightCliInstallerTests.cs | Adds a regression test to validate the workflow ref callback for the new tag format. |
| ExpectedWorkflowPath, | ||
| ExpectedBuildType, | ||
| refInfo => string.Equals(refInfo.Kind, "tags", StringComparison.Ordinal) && | ||
| string.Equals(refInfo.Name, $"v{packageInfo.Version}", StringComparison.Ordinal), | ||
| string.Equals(refInfo.Name, $"{packageInfo.Version}", StringComparison.Ordinal), | ||
| cancellationToken, |
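Review bot: The replaced `refInfo.Name` comparison now matches only the bare `{packageInfo.Version}`, so a provenance ref of the form `refs/tags/v{version}` is rejected with no fallback. If both tag formats need to pass, add the second form as another exact `StringComparison.Ordinal` comparison rather than trimming a leading `v`, so that a name such as `vv0.1.7` still fails. The interpolation `$"{packageInfo.Version}"` no longer has any literal text around it, and a short comment recording that the tags dropped the `v` prefix starting with 0.1.7 would explain the expected format.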
The workflow ref validator now only accepts tag names equal to the version (e.g., "0.1.7"). However, playwrightCliVersion can override the resolved version (and may be set to <0.1.7), where provenance uses refs/tags/v{version}. With the current callback, those overrides will fail provenance verification with WorkflowRefMismatch. Consider accepting both v{version} and {version}, or choosing the expected format based on the resolved version, and add a regression test covering an override to 0.1.6.
@playwright/cli 0.1.7 changed their git tag naming convention from 'v0.1.7' to '0.1.7' (dropped the 'v' prefix). This caused our provenance verification to fail with WorkflowRefMismatch.

- Accept both tag formats (with and without 'v' prefix) in the validateWorkflowRef callback for forward/backward compatibility
- Add test verifying both tag formats pass validation

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
9f57b42 to 2ddad2b
/deployment-test

🎬 CLI E2E Test Recordings — 68 recordings uploaded (commit View recordings
📹 Recordings uploaded automatically from CI run #24304434114

❌ Deployment E2E Tests failed — 15 passed, 15 failed, 0 cancelled View test results and recordings

Description
`aspire new` fails with `❌ Provenance verification failed for @playwright/cli@0.1.7: WorkflowRefMismatch` because the Playwright team changed their git tag naming convention. Starting with 0.1.7, tags no longer include the `v` prefix (e.g., `refs/tags/0.1.7` instead of `refs/tags/v0.1.7`).

Our provenance verification callback in `PlaywrightCliInstaller` expected `v{version}` in the tag name, which no longer matches the actual provenance attestation.

Fix:
- `>=0.1.3` to `>=0.1.7` so we only resolve versions using the new tag format
- `validateWorkflowRef` callback to expect tags without the `v` prefix

Validation: All 1997 Aspire.Cli.Tests pass locally. Verified by decoding the SLSA provenance attestation payloads for both 0.1.6 (`refs/tags/v0.1.6`) and 0.1.7 (`refs/tags/0.1.7`) from the npm registry to confirm the tag format change.
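The validation step in the description (decoding an attestation payload and reading its workflow ref) can be reproduced offline. The following is an added example, not code from the Aspire repository: it decodes a constructed DSSE envelope and applies an exact-match check that accepts both tag formats. The statement layout is assumed to follow the SLSA v1 GitHub Actions build type; the repository and workflow path are placeholders, the function names are hypothetical, and no signature verification is performed.

```python
import base64
import json

# Constructed sample: a DSSE envelope shaped like an npm SLSA v1 provenance
# attestation. Repository and workflow path are placeholders, not real values.
def make_envelope(ref):
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {"buildDefinition": {
            "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
            "externalParameters": {"workflow": {
                "ref": ref,
                "repository": "https://github.com/example-org/example-repo",
                "path": ".github/workflows/publish.yml"}}}},
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"payloadType": "application/vnd.in-toto+json", "payload": payload}


def workflow_ref(envelope):
    """Decode the DSSE payload and return (kind, name) of the workflow ref."""
    statement = json.loads(base64.b64decode(envelope["payload"]))
    ref = statement["predicate"]["buildDefinition"]["externalParameters"]["workflow"]["ref"]
    parts = ref.split("/", 2)  # "refs/tags/0.1.7" -> ["refs", "tags", "0.1.7"]
    if len(parts) != 3 or parts[0] != "refs":
        raise ValueError(f"unexpected ref format: {ref!r}")
    return parts[1], parts[2]


def ref_matches_version(envelope, version):
    """Accept exactly `<version>` or `v<version>` on a tag ref, nothing else."""
    try:
        kind, name = workflow_ref(envelope)
    except (KeyError, ValueError, TypeError):
        return False  # malformed or undecodable payload never validates
    # Whole-string comparison: no prefix trimming, no substring matching.
    return kind == "tags" and name in (version, f"v{version}")


if __name__ == "__main__":
    for ref in ("refs/tags/v0.1.6", "refs/tags/0.1.7", "refs/heads/0.1.7"):
        version = ref.rsplit("/", 1)[1].lstrip("v")
        print(ref, ref_matches_version(make_envelope(ref), version))
```

Comparing the whole tag name against the two allowed strings keeps branch refs, doubled prefixes and longer version strings from passing.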