ci: temporarily disable playwright report publishing (#2727)

sunker · web-flow · commit 834fb05f9d44 · 2026-06-24T10:31:12.000+02:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -495,20 +495,88 @@ jobs:
         if: steps.run-e2e-tests.outcome != 'success' || steps.run-e2e-tests-min-version.outcome != 'success'
         run: exit 1
 
-  publish-report:
-    if: ${{ always() && !cancelled() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false) }}
-    needs: [generate-plugins]
-    runs-on: ubuntu-x64
+  # TEMP DISABLED 2026-06-18: deploy-report-pages pushes an unsigned commit to gh-pages,
+  # which will be rejected once unsigned commits are blocked. Re-enable once resolved.
+  # publish-report:
+  #   if: ${{ always() && !cancelled() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false) }}
+  #   needs: [generate-plugins]
+  #   runs-on: ubuntu-x64
+  #   permissions:
+  #     contents: write
+  #     pull-requests: write
+  #   steps:
+  #     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+  #       with:
+  #         persist-credentials: false
+  #
+  #     - name: Publish report
+  #       uses: grafana/plugin-actions/playwright-gh-pages/deploy-report-pages@376226a5245b6b8bbb95127241c430ef8d6aa643 # deploy-report-pages/v1.0.1
+  #       with:
+  #         github-token: ${{ secrets.GITHUB_TOKEN }}
+  #         retention-days: 7
+
+  release:
+    runs-on: ubuntu-latest
+    needs: [test, generate-plugins]
+    if: |
+      !contains(github.event.head_commit.message, 'ci skip')
+      && !contains(github.event.head_commit.message, 'skip ci')
+      && github.actor != 'dependabot[bot]'
+      && github.event_name == 'push'
+      && github.ref == 'refs/heads/main'
+    name: Release packages
+    env:
+      NX_BRANCH: ${{ github.event.number || github.ref_name }}
     permissions:
-      contents: write
-      pull-requests: write
+      contents: read
+      id-token: write
     steps:
+      - id: get-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@f1614b210386ac420af6807a997ac7f6d96e477a # get-vault-secrets/v1.3.1
+        with:
+          # Secrets placed in the ci/repo/grafana/plugin-tools in vault
+          repo_secrets: |
+            SLACK_WEBHOOK_URL=slack_webhook_url:slack_webhook_url_fp
+            NX_CLOUD_ACCESS_TOKEN=nx_token:nx_token
+          export_env: false
+
+        # As recommended on NX docs the NX Cloud token should be set as an environment variable:
+        # https://nx.dev/ci/recipes/security/access-tokens#setting-ci-access-tokens
+      - id: add-nx-cloud-access-token-to-env
+        run: |
+          echo "NX_CLOUD_ACCESS_TOKEN=${{ fromJSON(steps.get-secrets.outputs.secrets).NX_CLOUD_ACCESS_TOKEN }}" >> $GITHUB_ENV
+
+      - name: Generate token
+        id: generate-token
+        uses: grafana/shared-workflows/actions/create-github-app-token@259ba21cb3ff07724f331e26d926d655d24b317b # create-github-app-token/v0.2.3
+        with:
+          github_app: grafana-plugins-platform-bot
+          permission_set: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' && 'release' || 'default' }}
+
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
+          token: ${{ steps.generate-token.outputs.token }}
           persist-credentials: false
 
-      - name: Publish report
-        uses: grafana/plugin-actions/playwright-gh-pages/deploy-report-pages@376226a5245b6b8bbb95127241c430ef8d6aa643 # deploy-report-pages/v1.0.1
+      - name: Prepare repository
+        run: git fetch --unshallow --tags
+
+      - name: Setup nodejs
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          retention-days: 7
+          node-version-file: '.nvmrc'
+          registry-url: 'https://registry.npmjs.org'
+          # disabled caching to prevent a poisoned cache affecting releases.
+          package-manager-cache: false
+
+      - name: Install dependencies
+        run: npm ci --no-audit
+
+      - name: Build
+        run: npm run build
+
+      - name: Create Release
+        env:
+          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
+          SLACK_WEBHOOK_URL: ${{ fromJSON(steps.get-secrets.outputs.secrets).SLACK_WEBHOOK_URL }}
+        run: npm run release
diff --git a/.github/workflows/playwright-nightly.yml b/.github/workflows/playwright-nightly.yml
@@ -102,26 +102,28 @@ jobs:
           test-outcome: ${{ steps.run-tests.outcome }}
           report-dir: packages/plugin-e2e/playwright-report
 
-  publish-report:
-    if: ${{ always() && !cancelled() }}
-    needs: [playwright-tests]
-    runs-on: ubuntu-x64
-    permissions:
-      contents: write
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Publish report
-        uses: grafana/plugin-actions/playwright-gh-pages/deploy-report-pages@5da62466881cdba091672353cf3c72ca348d01b1 # deploy-report-pages/v1.1.0
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          retention-days: 7
+  # TEMP DISABLED 2026-06-18: deploy-report-pages pushes an unsigned commit to gh-pages,
+  # which will be rejected once unsigned commits are blocked. Re-enable once resolved.
+  # publish-report:
+  #   if: ${{ always() && !cancelled() }}
+  #   needs: [playwright-tests]
+  #   runs-on: ubuntu-x64
+  #   permissions:
+  #     contents: write
+  #   steps:
+  #     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+  #       with:
+  #         persist-credentials: false
+  #
+  #     - name: Publish report
+  #       uses: grafana/plugin-actions/playwright-gh-pages/deploy-report-pages@5da62466881cdba091672353cf3c72ca348d01b1 # deploy-report-pages/v1.1.0
+  #       with:
+  #         github-token: ${{ secrets.GITHUB_TOKEN }}
+  #         retention-days: 7
 
   notify:
     if: ${{ always() }}
-    needs: [playwright-tests, publish-report]
+    needs: [playwright-tests]
     runs-on: ubuntu-x64
     permissions:
       id-token: write
diff --git a/.github/workflows/playwright.yml b/.github/workflows/playwright.yml
@@ -98,20 +98,22 @@ jobs:
           test-outcome: ${{ steps.run-tests.outcome }}
           report-dir: packages/plugin-e2e/playwright-report
 
-  publish-report:
-    if: ${{ always() && !cancelled() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false) }}
-    needs: [playwright-tests]
-    runs-on: ubuntu-x64
-    permissions:
-      contents: write
-      pull-requests: write
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Publish report
-        uses: grafana/plugin-actions/playwright-gh-pages/deploy-report-pages@5da62466881cdba091672353cf3c72ca348d01b1 # deploy-report-pages/v1.1.0
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          retention-days: 7
+  # TEMP DISABLED 2026-06-18: deploy-report-pages pushes an unsigned commit to gh-pages,
+  # which will be rejected once unsigned commits are blocked. Re-enable once resolved.
+  # publish-report:
+  #   if: ${{ always() && !cancelled() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false) }}
+  #   needs: [playwright-tests]
+  #   runs-on: ubuntu-x64
+  #   permissions:
+  #     contents: write
+  #     pull-requests: write
+  #   steps:
+  #     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+  #       with:
+  #         persist-credentials: false
+  #
+  #     - name: Publish report
+  #       uses: grafana/plugin-actions/playwright-gh-pages/deploy-report-pages@5da62466881cdba091672353cf3c72ca348d01b1 # deploy-report-pages/v1.1.0
+  #       with:
+  #         github-token: ${{ secrets.GITHUB_TOKEN }}
+  #         retention-days: 7
