fix: Fix selector-purity violation and E2E impact analysis in CI#26410
Merged
shortstacked merged 6 commits intomasterfrom Mar 2, 2026
Merged
fix: Fix selector-purity violation and E2E impact analysis in CI#26410shortstacked merged 6 commits intomasterfrom
shortstacked merged 6 commits intomasterfrom
Conversation
…ector-purity violation
![aikido-pr-checks[bot]](https://avatars.githubusercontent.com/in/898896?s=60&v=4){kind=small}
| return this.page.locator('.rename-prompt'); | ||
| } | ||
|
|
||
| getRenameInput(): Locator { |
Contributor
There was a problem hiding this comment.
CanvasPage.ts exceeds recommended size; adding getRenameInput increases an already large class. Consider moving related locator helpers into a smaller, focused helper or component file.
Details
✨ AI Reasoning
A small accessor method (getRenameInput) was added, increasing the file's size. Large files that mix many Playwright page helpers and component wrappers are harder to navigate and maintain. Adding additional methods to an already large, single-responsibility Page class further concentrates unrelated surface-area in one file, making future changes and discovery of related helpers more difficult for maintainers.
🔧 How do I fix it?
Split large files into smaller, focused modules. Each file should have a single responsibility.
Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info
shortstacked
changed the title
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
No issues found across 2 files
Architecture diagram
sequenceDiagram
participant Test as canvas-zoom.spec.ts
participant POM as CanvasPage (POM)
participant Engine as Playwright / Browser
Note over Test, Engine: E2E Rename Workflow Flow
Test->>Engine: keyboard.type('Y')
rect rgb(23, 37, 84)
Note right of Test: Verification Phase
Test->>POM: CHANGED: getRenameInput()
POM->>POM: getRenamePrompt()
POM->>Engine: NEW: locator('.rename-prompt').locator('input')
Engine-->>POM: Locator Object
POM-->>Test: Return Locator
end
Test->>Engine: expect(locator).toHaveValue('X: Y')
Engine-->>Test: Assertion Result
Test->>Engine: keyboard.press('Enter')
Test->>POM: nodeByName('X: Y')
POM->>Engine: locator logic
Engine-->>Test: Element Attached Confirmation
When playwright-only mode detects no affected specs, the fallback was emitting a sentinel matrix entry with empty specs, causing all 746 tests to run on a single shard — far worse than the normal 16-shard run. - Add skip:true to the no-specs sentinel in distribute-tests.mjs - Capture skip-tests output from prepare job in test-e2e-ci-reusable.yml - Skip multi-main-e2e entirely when skip-tests=true (uses needs context, which is valid at job-level if unlike matrix context) - Forward janitor stderr to CI output so impact analysis stats are visible Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
shortstacked
changed the title
…lity The three-dot syntax (origin/master...HEAD) requires finding a merge base, which fails with fatal: no merge base on shallow CI checkouts. This caused getChangedFiles to silently return [], making impact analysis report no changed files even when specs were directly modified. Switch to fetch + FETCH_HEAD two-dot diff, matching the approach used by the ci-filter action across the rest of the repo. Remove the now-redundant 'Fetch base branch' step from test-e2e-ci-reusable.yml since the janitor handles the fetch internally. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
Instead of having the janitor derive changed files from git internally (fetch + diff), the CI workflow now computes the file list and passes it directly via --files. This decouples the janitor from git operations in CI: - Add 'Get changed files' step in test-e2e-ci-reusable.yml that fetches the base branch and diffs FETCH_HEAD HEAD for the file list - Pass comma-separated file list to distribute-tests.mjs via --files= instead of --base=origin/master - distribute-tests.mjs threads --files= through to the janitor CLI - If the diff returns nothing (git failure), falls back to --impact only and the janitor handles it via its own git fallback The janitor's --base path remains intact for local use. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
If playwright-only=true, ci-filter already confirmed files changed using the same fetch+diff approach, so CHANGED_FILES will never be empty. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
1 issue found across 2 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="packages/testing/playwright/scripts/distribute-tests.mjs">
<violation number="1" location="packages/testing/playwright/scripts/distribute-tests.mjs:49">
P1: Custom agent: **Security Review**
Unsanitized `--files` input is interpolated into an `execSync` shell command, creating a command-injection path. Escape or safely quote the value before composing the command string (or use a non-shell argument API).</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
shortstacked
changed the title
Replace execSync (shell string) with execFileSync (args array) to prevent command injection via unsanitized --files input. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Collaborator
Author
|
Fixed in 80b4f99 — switched from |
shortstacked
changed the title
Matsuuu
approved these changes
Mar 2, 2026
Contributor
|
Got released with |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
What started as a small janitor fix uncovered two bugs in the CI impact analysis pipeline. This PR fixes all three issues:
1. Selector-purity violation (
canvas-zoom.spec.ts)Moved a chained
.locator('input')call out of the test and intoCanvasPageasgetRenameInput(), fixing theselector-purityerror caught by the janitor.2. Broken
playwright-onlyfallback in CIWhen impact analysis found no affected specs,
distribute-tests.mjsemitted a sentinel matrix entry with emptyspecs, causing Playwright to run all 746 tests on a single shard — far worse than the normal 16-shard run. Fixed by:skip: trueto the no-specs sentinelskip-testsoutput from thepreparejob and using it to skipmulti-main-e2eentirely vianeedscontext3. Impact analysis silently returning no changed files
git diff --name-only origin/master...HEAD(three-dot) requires a merge base, which fails withfatal: no merge baseon shallow CI checkouts. The janitor'sgetChangedFileswas catching the exception and returning[], making everyplaywright-onlyrun report no affected specs.The CI workflow now computes the changed file list itself (fetch +
FETCH_HEAD HEADtwo-dot diff, matching the approach used byci-filteracross the rest of the repo) and passes it directly to the janitor via--files=. This decouples the janitor from git operations in CI entirely — impact analysis is now pure AST. The janitor's--basepath is preserved for local use.Related Linear tickets, Github issues, and Community forum posts
Review / Merge checklist
release/backport(if the PR is an urgent fix that needs to be backported)