freedak/invisible_playwright
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

ci: pin actions to SHA + single-source the playwright pin (audit B6/B4)

Browse Source 
B6: pin every third-party action in the build/publish path to an immutable
commit SHA (a retagged actions/checkout or action-gh-release would otherwise
inject code into the binary users download). The other workflows (tests, webrtc,
launch-matrix) handle no secrets, so they're left on tags.

B4: the playwright pin lived in two workflow files with no shared source. Move
it to scripts/playwright_pin.txt that both read, so they can't drift. The drive
gate already ENFORCES playwright<->juggler compatibility (an incompatible pin
fails the launch/drive and nothing publishes); the file is the single bump point
when the juggler is re-synced.
This commit is contained in:
feder-cr
2026-06-09 15:59:18 +02:00
parent 5dac302938
commit 62cdf626a0
3 changed files with 21 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
scripts/playwright_pin.txt
+1
View File
@@ -0,0 +1 @@
1.55.0