added temp workflow #4317
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/cypress-percy-baseline.yml:
- Around line 77-82: The Percy command selection in the workflow is too narrow:
it only sets PERCY_COMMAND for main or non-draft PRs, so runs on the baseline
branch can leave command-prefix empty and skip baseline capture. Update the
conditional in the Percy setup step so the branch used for baseline generation
(the chore/percy-baseline ref) also sets PERCY_COMMAND, while keeping the
existing main and non-draft PR behavior intact. Use the existing Set Percy
command based on PR draft status or main branch step to locate the change.
- Around line 6-16: The path filters in this workflow still point to
cypress.yml, so changes to cypress-percy-baseline.yml will not trigger the
workflow. Update both the push.paths and pull_request.paths entries in
cypress-percy-baseline.yml to include this workflow file name, so its own edits
run the workflow. Use the workflow filename itself as the unique reference when
making the filter change.
- Around line 32-33: The Checkout steps in the Cypress Percy baseline workflow
are leaving credentials persisted, which exposes the repo token to PR-run code;
update every actions/checkout usage in this workflow by adding
persist-credentials: false. Make this change on each Checkout step so untrusted
yarn/Cypress execution cannot read the token from .git/config, and keep the
existing checkout action references intact.
- Around line 138-145: The external Cypress job is starting Cypress before the
local server is ready because the Cypress action block in the workflow lacks the
same wait step used elsewhere. Update the Cypress run step in the workflow to
include wait-on alongside the existing start command, using the same localhost
8080 URL so the job waits for http-server to be available before running tests.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: bf24a454-e766-4b41-93f3-9ba4f2825b49
📒 Files selected for processing (1)
.github/workflows/cypress-percy-baseline.yml
| - name: Checkout | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
file=".github/workflows/cypress-percy-baseline.yml"
echo "== full file with line numbers =="
cat -n "$file"
echo
echo "== checkout usages =="
rg -n "actions/checkout|persist-credentials|upload-artifact|artifact|pull_request|workflow_dispatch|checkout" "$file"
Repository: Altinn/app-frontend-react
Length of output: 7741
Disable credential persistence on every checkout.
These PR-facing jobs run untrusted code and upload artifacts, so leaving the repo token in .git/config lets that code exfiltrate it during yarn/Cypress execution. Add persist-credentials: false to all actions/checkout steps (32-33, 68-69, 129-130).
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 32-33: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
Source: Linters/SAST tools
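A check for the finding above, as an added example that is not part of the PR or of CodeRabbit's review: a line-based scan (standard library only, not a full YAML parser) that reports every `actions/checkout` step lacking `persist-credentials: false`. The sample workflow, the `<pinned-sha>` placeholder and the function name are constructed for illustration.

```python
import re

# Constructed sample, not the PR's file: three checkout steps, only one hardened.
SAMPLE_WORKFLOW = """\
jobs:
  internal:
    steps:
      - name: Checkout
        uses: actions/checkout@<pinned-sha>  # placeholder, not a real ref
      - name: Install
        run: yarn --immutable
  percy:
    steps:
      - name: Checkout
        uses: actions/checkout@<pinned-sha>
        with:
          persist-credentials: false
  external:
    steps:
      - uses: actions/checkout@<pinned-sha>
        with:
          fetch-depth: 0
"""

CHECKOUT = re.compile(r"uses:\s*['\"]?actions/checkout@")
HARDENED = re.compile(r"^\s*persist-credentials:\s*['\"]?false['\"]?\s*(#.*)?$")


def unhardened_checkouts(workflow_text):
    """Return line numbers of checkout steps without persist-credentials: false."""
    findings, step = [], None  # step = [dash_indent, uses_line_no, hardened]
    # The trailing sentinel at indent 0 closes whatever step is still open.
    for no, line in enumerate(workflow_text.splitlines() + ["eof:"], 1):
        stripped = line.lstrip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(stripped)
        if step and indent <= step[0]:  # dedent or sibling item ends the step
            if step[1] and not step[2]:
                findings.append(step[1])
            step = None
        if step is None and stripped.startswith("- "):
            step = [indent, None, False]
        if step:
            if CHECKOUT.search(line):
                step[1] = no
            if HARDENED.match(line):
                step[2] = True
    return findings
```

On the constructed sample it reports the `uses:` lines of the first and third checkout steps; a workflow that passes returns an empty list.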
| - name: Set Percy command based on PR draft status or main branch | ||
| shell: bash | ||
| run: | | ||
| if [ "${{ github.ref }}" == "refs/heads/main" ] || [ "${{ github.event.pull_request.draft }}" == "false" ]; then | ||
| echo "PERCY_COMMAND=percy exec --parallel -- npx" >> $GITHUB_ENV | ||
| fi |
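Review bot: the `if` line expands `${{ github.ref }}` and `${{ github.event.pull_request.draft }}` straight into the bash source, so the script text is assembled from event data before the shell parses it, which is the pattern zizmor reports as template-injection. Pass both values through the step's `env:` block and compare shell variables instead, for example `[ "$GH_REF" = "refs/heads/main" ]` (the variable name is illustrative), so the script body stays static. While touching the step, quote the redirect target as `"$GITHUB_ENV"` and prefer `=` over `==` inside `[ ]`.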
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
This disables Percy on the baseline branch.
The only push trigger here is chore/percy-baseline, but PERCY_COMMAND is only set for main or non-draft PRs. A push or manual run on the baseline branch therefore leaves command-prefix empty and records no Percy baseline, which defeats the purpose of this workflow.
Also applies to: 100-100
🧰 Tools
🪛 zizmor (1.26.1)
[error] 80-80: code injection via template expansion (template-injection): may expand into attacker-controllable code
(template-injection)
| - name: Cypress run | ||
| uses: cypress-io/github-action@dace029018fcdf86e0df89a31bc3cfa5b32570d8 # v7.3.0 | ||
| with: | ||
| start: 'npx http-server dist --cors="*" -p 8080' | ||
| browser: chrome | ||
| spec: test/e2e/integration | ||
| env: environment=tt02 | ||
|
|
🩺 Stability & Availability | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Inspect the workflow around the referenced lines
sed -n '120,165p' .github/workflows/cypress-percy-baseline.yml
# Find other Cypress action usages and any wait-on settings in the repo
rg -n "cypress-io/github-action|wait-on|http-server dist --cors" .github/workflows . -g '!**/node_modules/**'
# Pull the action docs from the source as available in the repo if referenced
rg -n "wait-on" .github . -g '!**/node_modules/**'
Repository: Altinn/app-frontend-react
Length of output: 2934
🌐 Web query:
cypress-io/github-action wait-on start command default behavior documentation
💡 Result:
In the cypress-io/github-action, the wait-on parameter is used to pause the execution of Cypress tests until a specified local server or service is ready [1][2]. Its behavior is as follows:
- Purpose: When you provide a start command to run your application in the background, the action needs to ensure the application has finished booting up before attempting to execute Cypress tests [1][3]. The wait-on parameter specifies the URL (or multiple comma-separated URLs) the action should ping until it receives a response [1][2].
- Default Timeout: By default, the wait-on process will retry for 60 seconds [1][4].
- Configuration: You can override the default retry duration by using the wait-on-timeout parameter, which accepts a value in seconds [1][2].
- Relationship to Start Command: The wait-on parameter does not automatically run a start command; rather, it is a mechanism used in conjunction with the start parameter [1][5]. The action executes the start command first, then uses wait-on to verify the application's availability before starting the Cypress test process [1][2].
If you do not specify a wait-on parameter, the action will proceed to run Cypress tests immediately after executing the start command (if one is provided), which may lead to connection errors if your application requires time to initialize [1].
Citations:
- 1: https://github.com/cypress-io/github-action?tab=readme-ov-file
- 2: https://github.com/marketplace/actions/cypress-io
- 3: https://www.npmjs.com/package/@cypress/github-action
- 4: https://github.com/cypress-io/github-action/tree/v6
- 5: https://github.com/cypress-io/github-action/blob/master/action.yml
Add wait-on to the external Cypress job.
cypress-io/github-action runs Cypress immediately after start unless wait-on is set, so this fork-PR path can race http-server startup and fail intermittently. Add the same wait-on: 'http://localhost:8080' used elsewhere.
Suggested fix
- name: Cypress run
uses: cypress-io/github-action@dace029018fcdf86e0df89a31bc3cfa5b32570d8 # v7.3.0
with:
start: 'npx http-server dist --cors="*" -p 8080'
+ wait-on: 'http://localhost:8080'
browser: chrome
spec: test/e2e/integration
env: environment=tt02
Description
Adds a workflow that will run a single time in order to establish a percy baseline in monorepo.
Related Issue(s)
Verification/QA
kind/* and backport* label to this PR for proper release notes grouping