Add scheduled workflow to bump bundled Playwright (fixes #9362)#9666
Conversation
Dependabot discovers Microsoft.Playwright.MSTest.v4 and computes the 1.60->1.61 update, but drops the change at PR-assembly time for this package, so no PR is ever opened (unlike Aspire, which shares the same anchor pattern). Confirmed by running the real dependabot-updater-nuget container against the repo. Replace that one flow with a small scheduled workflow + script that looks up the latest stable release on nuget.org and rewrites both coupled values in Directory.Packages.props (the MicrosoftPlaywrightVersion property and the literal PackageVersion) so _ValidateBundledSdkFeatureVersions stays in sync, then opens a PR. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
This PR works around a Dependabot limitation where the MSTest.Sdk-bundled Microsoft.Playwright.MSTest.v4 package is discovered and computed but never actually turned into a PR at Dependabot's PR-assembly step (issue #9362, after prior anchor reworks in #9365/#9422/#9452/#9508). It replaces that broken flow with a self-contained scheduled workflow plus a Python helper that bumps the bundled Playwright version and opens a PR. It intentionally does not change the bundled version (still 1.60.0), only adds the automation.
Changes:
- Adds
.github/scripts/update_bundled_playwright.pythat queries nuget.org for the latest stable release and rewrites both theMicrosoftPlaywrightVersionproperty and the coupled literalPackageVersioninDirectory.Packages.props(keeping_ValidateBundledSdkFeatureVersionsgreen), with anupdatemode and a network-freecheckself-test mode. - Adds
.github/workflows/update-bundled-playwright.yml: weekly + manual runs apply the update and open a PR via a pinnedpeter-evans/create-pull-request;pull_requestruns only self-test the script.
Show a summary per file
| File | Description |
|---|---|
.github/scripts/update_bundled_playwright.py |
New script to look up the latest stable Playwright package and rewrite the two coupled version values in Directory.Packages.props; also validates they stay in sync. |
.github/workflows/update-bundled-playwright.yml |
New scheduled/manual workflow that applies the bump and opens a PR, and self-tests the script on relevant pull_request changes. |
Review details
- Files reviewed: 2/2 changed files
- Comments generated: 1
- Review effort level: Medium
There was a problem hiding this comment.
Note
🤖 Automated review by GitHub Copilot. Posted via a maintainer's GitHub token, so it appears under their account — the account owner did not write or approve this content personally. Generated by the Expert Code Review workflow. To request a follow-up action, reply by tagging @copilot directly.
✅ 22/22 dimensions clean — no findings.
Applicable dimensions reviewed (9/22):
| Dimension | Notes |
|---|---|
| Algorithmic Correctness | Regex patterns verified against actual Directory.Packages.props — both match and substitute correctly. Version tuple comparison is lexicographic and handles variable segment counts properly. |
| Security & IPC | Actions pinned to SHA, top-level permissions: contents: read with least-privilege elevation only in the update job, no injection vectors in output handling. |
| Defensive Coding | Pre-flight sync check rejects updates when property/PackageVersion already disagree; RuntimeError on missing regex matches; nuget.org timeout set. |
| Test Completeness | self-test job validates check mode on every PR touching the script/workflow. |
| Build Infrastructure | Workflow well-structured: concurrency group prevents races, peter-evans/create-pull-request pinned to SHA, labels applied. |
| Scope & PR Discipline | Single concern, references #9362, clear rationale in description. |
| Code Structure | Clean, idiomatic Python; good separation of check/update modes. |
| Naming & Conventions | Descriptive names, clear docstring with mode descriptions. |
| Documentation Accuracy | Excellent module docstring explaining the Dependabot limitation and the dual-value coupling. |
Remaining 13 dimensions (Threading, Public API, Performance, Cross-TFM, Resource Management, Localization, Test Isolation, Assertion Quality, Flakiness, Data-Driven, Analyzer Quality, IPC Wire, PowerShell Hygiene) are N/A — this is a Python CI script with no C# code, no public API, and no test files.
The workflow-level concurrency group also gated the read-only pull_request self-test job. Move it to the update job so branch-race protection is kept without queuing PR self-tests behind the weekly/manual update runs. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Why
Microsoft.Playwright.MSTest.v4(bundled by MSTest.Sdk when<EnablePlaywright>is set) has been stuck at an old version because Dependabot never opens a PR for it, despite #9365 / #9422 / #9452 / #9508 all reworking the anchor.Root cause (confirmed by running the real Dependabot engine)
The prior PRs all fixed the discovery step — which already works. I ran the actual
ghcr.io/dependabot/dependabot-updater-nugetcontainer (viadependabot-cli) against this repo at HEAD. The logs show Dependabot:Microsoft.Playwright.MSTest.v4via the Fix Dependabot discovery of bundled Playwright; bump to 1.61.0 #9508 anchor ✅Updated Microsoft.Playwright.MSTest.v4 from 1.60.0 to 1.61.0 in /Directory.Packages.props✅create_pull_request(no dependencies, no file diff) right after fetching the package's release notes → no PR.Aspire.Hosting.Testinguses a byte-for-byte identical anchor + SDK-target pattern and updates fine, and production Dependabot is otherwise healthy (it opened #9559, #9561, …). So this is a Playwright-specific edge-case bug at Dependabot's PR-assembly step that no in-repo anchor change can fix.What this does
Replaces that one Dependabot flow with a small scheduled workflow + script:
.github/scripts/update_bundled_playwright.py— looks up the latest stableMicrosoft.Playwright.MSTest.v4on nuget.org and, when newer, rewrites both coupled values inDirectory.Packages.props(theMicrosoftPlaywrightVersionproperty and the literalPackageVersion) so_ValidateBundledSdkFeatureVersionsstays green. Has acheckmode used as a PR self-test..github/workflows/update-bundled-playwright.yml— weekly (+ manual dispatch) run that applies the update and opens a PR viapeter-evans/create-pull-request(same action/pin ascopilot-curate-update.yml). Onpull_requestit only runs the script self-test.This PR intentionally does not change the bundled version itself (that's #9578's job); it only adds the automation, whose first run will reconcile whatever is on
main.Notes
copilot-curate-update.yml).Fixes #9362.