feat: Replace 'session_state_path' (a string) with 'playwright_context_options' (a stringified object containing that string—and other stuff too)

Author: smockle

.github/actions/auth/README.md

@@ -23,6 +23,6 @@ Authenticate with Playwright and save session state. Supports HTTP Basic and for
 
 ### Outputs
 
-#### `session_state_path`
+#### `playwright_context_options`
 
-Path to a file containing authenticated session state.
+Stringified JSON object containing [Playwright `BrowserContext`](https://playwright.dev/docs/api/class-browsercontext) options, including `httpCredentials` and `storageState`. For example: `{"httpCredentials":{"username":"some-user",password:"correct-horse-battery-staple"},"storageState":"/tmp/.auth/12345678/sessionState.json"}`

.github/actions/auth/action.yml

@@ -13,8 +13,8 @@ inputs:
     required: true
 
 outputs:
-  session_state_path:
-    description: "Path to a file containing authenticated session state"
+  playwright_context_options:
+    description: "Stringified JSON object containing Playwright 'BrowserContext' options, including 'httpCredentials' and 'storageState'"
 
 runs:
   using: "node20"

.github/actions/auth/src/index.ts

@@ -32,8 +32,8 @@ export default async function () {
     context = await browser.newContext({
       // Try HTTP Basic authentication
       httpCredentials: {
-        username: username,
-        password: password,
+        username,
+        password,
       },
     });
     page = await context.newPage();
@@ -66,8 +66,14 @@ export default async function () {
 
     // Write authenticated session state to a file and output its path
     await context.storageState({ path: sessionStatePath });
-    core.setOutput("session_state_path", sessionStatePath);
     core.info(`Wrote authenticated session state to ${sessionStatePath}`);
+    core.setOutput(
+      "playwright_context_options",
+      JSON.stringify({
+        httpCredentials: { username, password },
+        storageState: sessionStatePath,
+      })
+    );
   } catch (error) {
     if (page) {
       core.info(`Errored at page URL: ${page.url()}`);

.github/actions/find/README.md

@@ -15,9 +15,9 @@ https://primer.style
 https://primer.style/octicons/
 ```
 
-#### `session_state_path`
+#### `playwright_context_options`
 
-**Optional** Path to a file containing authenticated session state.
+**Optional** Stringified JSON object containing [Playwright `BrowserContext`](https://playwright.dev/docs/api/class-browsercontext) options, including `httpCredentials` and `storageState`. For example: `{"httpCredentials":{"username":"some-user",password:"correct-horse-battery-staple"},"storageState":"/tmp/.auth/12345678/sessionState.json"}`
 
 ### Outputs
 

.github/actions/find/action.yml

@@ -6,8 +6,8 @@ inputs:
     description: "Newline-delimited list of URLs to check for accessibility issues"
     required: true
     multiline: true
-  session_state_path:
-    description: "Path to a file containing authenticated session state"
+  playwright_context_options:
+    description: "Stringified JSON object containing Playwright 'BrowserContext' options, including 'httpCredentials' and 'storageState'"
     required: false
 
 outputs:
@@ -20,4 +20,4 @@ runs:
 
 branding:
   icon: "compass"
-  color: "blue"
+  color: "blue"

.github/actions/find/src/findForUrl.ts

@@ -2,9 +2,9 @@ import type { Finding } from './types.d.js';
 import AxeBuilder from '@axe-core/playwright'
 import playwright from 'playwright';
 
-export async function findForUrl(url: string, sessionStatePath?: string): Promise<Finding[]> {
+export async function findForUrl(url: string, playwrightContextOptions?: playwright.BrowserContextOptions): Promise<Finding[]> {
   const browser = await playwright.chromium.launch({ headless: true, executablePath: process.env.CI ? '/usr/bin/google-chrome' : undefined });
-  const context = await browser.newContext({ storageState: !!sessionStatePath ? sessionStatePath : undefined });
+  const context = await browser.newContext(playwrightContextOptions);
   const page = await context.newPage();
   await page.goto(url);
 

.github/actions/find/src/index.ts

@@ -1,17 +1,22 @@
+import type playwright from "playwright";
 import core from "@actions/core";
 import { findForUrl } from "./findForUrl.js";
 
 export default async function () {
   core.info("Starting 'find' action");
-  const urls = core.getMultilineInput('urls', { required: true });
+  const urls = core.getMultilineInput("urls", { required: true });
   core.debug(`Input: 'urls: ${JSON.stringify(urls)}'`);
-  const sessionStatePath = core.getInput('session_state_path', { required: false });
-  core.debug(`Input: 'session_state_path: ${sessionStatePath}'`);
+  const playwrightContextOptions: playwright.BrowserContextOptions = JSON.parse(
+    core.getInput("playwright_context_options", { required: false }) ?? "{}"
+  );
+  if (playwrightContextOptions?.httpCredentials?.password) {
+    core.setSecret(playwrightContextOptions.httpCredentials.password);
+  }
 
   let findings = [];
   for (const url of urls) {
-    core.info(`Scanning ${url}`)
-    const findingsForUrl = await findForUrl(url, sessionStatePath);
+    core.info(`Scanning ${url}`);
+    const findingsForUrl = await findForUrl(url, playwrightContextOptions);
     if (findingsForUrl.length === 0) {
       core.info(`No accessibility gaps were found on ${url}`);
       continue;

README.md

@@ -100,7 +100,7 @@ Trigger the workflow manually or automatically based on your configuration. The
 | `login_url` | No | If scanned pages require authentication, the URL of the login page | `https://github.com/login` |
 | `username` | No | If scanned pages require authentication, the username to use for login | `some-user` |
 | `password` | No | If scanned pages require authentication, the password to use for login | `correct-horse-battery-staple` |
-| `session_state_path` | No | If scanned pages require authentication, the path to a file containing authenticated session state | `/tmp/.auth/12345678/sessionState.json` |
+| `playwright_context_options` | No | If scanned pages require authentication, a stringified JSON object containing [Playwright `BrowserContext`](https://playwright.dev/docs/api/class-browsercontext) options | `{"storageState":"/tmp/.auth/12345678/sessionState.json"}` |
 | `skip_copilot_assignment` | No | Whether to skip assigning filed issues to Copilot | `true` |
 
 ---
@@ -109,7 +109,7 @@ Trigger the workflow manually or automatically based on your configuration. The
 
 If access to a page requires logging-in first, and logging-in requires only a username and password, then provide the `login_url`, `username`, and `password` inputs.
 
-If your login flow is more complex—if it requires two-factor authentication, single sign-on, passkeys, etc.–and you have a custom action that [authenticates with Playwright](https://playwright.dev/docs/auth) and persists authenticated session state to a file, then provide the `session_state_path` input. (If `session_state_path` is provided, `login_url`, `username`, and `password` will be ignored.)
+If your login flow is more complex—if it requires two-factor authentication, single sign-on, passkeys, etc.–and you have a custom action that [authenticates with Playwright](https://playwright.dev/docs/auth) and persists authenticated session state to a file, then provide the `playwright_context_options` input. (If `playwright_context_options` is provided, `login_url`, `username`, and `password` will be ignored.)
 
 > [!IMPORTANT]
 > Don’t put passwords in your workflow as plain text; instead reference a [repository secret](https://docs.github.com/en/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets#creating-secrets-for-a-repository).

action.yml

@@ -24,8 +24,8 @@ inputs:
   password:
     description: "If scanned pages require authentication, the password to use for login"
     required: false
-  session_state_path:
-    description: "If scanned pages require authentication, the path to a file containing authenticated session state"
+  playwright_context_options:
+    description: "If scanned pages require authentication, a stringified JSON object containing Playwright 'BrowserContext' options"
     required: false
   skip_copilot_assignment:
     description: "Whether to skip assigning filed issues to Copilot"
@@ -51,7 +51,7 @@ runs:
       with:
         key: ${{ steps.cache_key.outputs.cache_key }}
         token: ${{ inputs.token }}
-    - if: ${{ inputs.login_url && inputs.username && inputs.password && !inputs.session_state_path }}
+    - if: ${{ inputs.login_url && inputs.username && inputs.password && !inputs.playwright_context_options }}
       name: Authenticate
       id: auth
       uses: ./.github/actions/auth
@@ -64,7 +64,7 @@ runs:
       uses: ./.github/actions/find
       with:
         urls: ${{ inputs.urls }}
-        session_state_path:  ${{ inputs.session_state_path || steps.auth.outputs.session_state_path }}
+        playwright_context_options: ${{ inputs.playwright_context_options || steps.auth.outputs.playwright_context_options }}
     - name: File
       id: file
       uses: ./.github/actions/file
@@ -90,4 +90,4 @@ runs:
 
 branding:
   icon: "compass"
-  color: "blue"
+  color: "blue"