fix: Pre-install Playwright browsers before AWF firewall starts

[Copilot]

Playwright MCP server fails to start within the AWF firewall because browser installation requires apt access, which Squid proxy blocks. This wastes 2+ minutes (two 60-second timeouts) per workflow run.

Changes

• New file: pkg/workflow/playwright_browser_install.go

  • HasPlaywrightMCPServer() - Checks if workflow uses Playwright
  • ShouldPreinstallPlaywrightBrowsers() - Returns true when Playwright configured AND firewall enabled
  • GeneratePlaywrightBrowserInstallStep() - Creates the npx playwright install --with-deps chromium step

• Modified: pkg/workflow/copilot_engine.go

  • Adds browser pre-install step to GetInstallationSteps() after Copilot CLI install, before firewall starts

Generated step

- name: Pre-install Playwright browsers
  run: |
    echo "Installing Playwright browsers (version 0.0.48)..."
    # Install Playwright browsers with system dependencies before firewall starts
    npx playwright@0.0.48 install --with-deps chromium
    echo "Playwright browsers installed successfully"

Impact

• Adds ~40-80s to setup (browser install)
• Saves 2+ minutes in execution (eliminates timeout waits)
• Net improvement: 1-1.5 minutes per workflow

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/user
  • Triggering command: /usr/bin/gh gh api user --jq .login (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

you are tasked to fix Playwright MCP Server Timeout in AWF Firewall

Problem Summary

The Playwright MCP server fails to start within the AWF firewall, causing 2 minutes of wasted time (two 60-second timeouts) before the agent can begin working.

Root cause: Playwright's browser installer tries to install system dependencies via apt, which fails due to Squid proxy returning HTTP 400 errors for Ubuntu repository requests, despite domains being in the allowlist.

Impact: 47% of execution time in smoke-copilot test is waiting for Playwright timeouts.

---

Recommended Solution: Pre-install Playwright Browsers

Install Playwright browsers during the setup phase (before firewall starts) where we have full network access.

Strategy: Add a conditional setup step that runs npx playwright install --with-deps chromium after installing Copilot CLI but before starting the firewall.

Net impact: Adds ~40-80 seconds to setup, but saves 2+ minutes in execution (net savings of 1-1.5 minutes per workflow run).

---

Implementation Plan

1. Create New File: pkg/workflow/playwright_browser_install.go

Purpose: Core browser pre-installation logic with proper error handling and logging.

Key functions:

• ShouldPreinstallPlaywrightBrowsers(config *WorkflowConfig) bool - Checks if Playwright is configured
• PreinstallPlaywrightBrowsers(ctx context.Context, logger *Logger) error - Runs installation
• getPlaywrightMCPVersion() string - Returns version from constants for compatibility

Implementation details:

// Uses npx playwright install --with-deps chromium
// --with-deps flag installs system dependencies via apt-get
// chromium only (not all browsers) for speed
// Version matches @playwright/mcp version for compatibility
// Graceful degradation: logs warning but doesn't fail workflow

2. Modify: pkg/workflow/copilot_engine.go

Location: In GetInstallationSteps() function around line 790-800

Changes:

1. After "Install GitHub Copilot CLI" step
2. Add conditional browser pre-installation step:

   if ShouldPreinstallPlaywrightBrowsers(config) {
       steps = append(steps, InstallationStep{
           Name: "Pre-install Playwright browsers",
           Commands: []string{
               "npx playwright install --with-deps chromium",
           },
           LogMessage: "Installing Playwright browsers before firewall...",
       })
   }

3. Modify: pkg/workflow/mcp_servers.go

Add helper function:

// HasPlaywrightMCPServer checks if workflow uses Playwright MCP
func HasPlaywrightMCPServer(config *WorkflowConfig) bool {
    // Check tools configuration for playwright entry
    // Return true if found, false otherwise
}

4. Add Integration Test: pkg/cli/workflows/test-playwright-browser-preinstall.md

Test workflow:

---
prompt: Test Playwright browser pre-installation
tools:
  playwright:
    version: "v1.57.0"
network:
  allowed: ["defaults", "playwright"]
---
# Test that browsers are pre-installed before firewall starts
# Verify no timeout occurs during MCP server startup

---

Implementation Checklist

Phase 1: Core Implementation

• Create pkg/workflow/playwright_browser_install.go with installation logic
• Add browser pre-installation check in copilot_engine.go
• Add helper function to mcp_servers.go
• Add unit tests for new functions

Phase 2: Integration & Testing

• Create integration test workflow
• Test with smoke-copilot workflow
• Verify timing improvements (measure before/after)
• Test edge case: workflow without Playwright (should skip)
• Test edge case: installation failure (should not block workflow)

Phase 3: Documentation

• Add code comments explaining the approach
• Document the timing trade-off in relevant places
• Update any workflow documentation if needed

---

Critical Files to Modify

1. pkg/workflow/playwright_browser_install.go (NEW, ~100 lines)

   • Core installation logic
   • Version compatibility handling
   • Error handling and logging

2. pkg/workflow/copilot_engine.go (MODIFY, +5-7 lines)

   • Add conditional pre-installation step
   • Location: GetInstallationSteps() function

3. pkg/workflow/mcp_servers.go (MODIFY, +10 lines)

   • Add HasPlaywrightMCPServer() helper function

4. pkg/workflow/playwright_browser_install_test.go (NEW, ~50 lines)

   • Unit tests for installation logic

5. pkg/cli/workflows/test-playwright-browser-preinstall.md (NEW)

   • Integration test workflow

---

Key Design Decisions

Version Compatibility:

• Use same @playwright/mcp version for browser installation
• Ensures installed browsers match MCP server expectations
• Version sourced from pkg/constants/constants.go

Browser Selection:

• Install only Chromium (not all browsers)
• Chromium is most commonly used and fastest to install
• Can be expanded to support multiple brows...

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[pelikhan]

@copilot pre install should happen after runtime setup steps

[github-actions]

✅ Agentic Changeset Generator completed successfully.