test: part 1 of adding the appium-playwright framework #23671

christopherferreira9 · 2025-12-04T12:21:14Z

Description

WebdriverIO/Playwright POC
Adds an appium framework that leverages @playwright/test as a test runner.

Key Features

Is ready to me migrated to Appium 3 and its respective drivers
Uses local driver management via yarn dependency

Changelog

CHANGELOG entry:

Related issues

Fixes:

Manual testing steps

Feature: my feature name

  Scenario: user [verb for user action]
    Given [describe expected initial app state]

    When user [verb for user action]
    Then [describe expected outcome]

Screenshots/Recordings

Before

After

Pre-merge author checklist

I’ve followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
I've completed the PR template to the best of my ability
I’ve included tests if applicable
I’ve documented my code using JSDoc format if applicable
I’ve applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

Note

Adds a new Appium/WebdriverIO E2E stack powered by Playwright, including a unified element API, providers (emulator/BrowserStack), config/fixtures, and CI/env wiring.

E2E Framework (Appium/WebdriverIO + Playwright)
- Add unified element API: EncapsulatedElement, FrameworkDetector, PlatformDetector, helpers (asPlaywrightElement, asDetoxElement).
- Implement Playwright layer: PlaywrightAdapter, PlaywrightMatchers, PlaywrightGestures, Utilities.boxedStep.
- Add providers and services: Emulator and BrowserStack providers, Appium server controls, config builder/factory, common types/interfaces.
- Introduce Playwright config and fixtures: e2e/playwright.config.ts, framework/config/*, framework/fixture/index.ts, enhanced fixture helpers/utils to handle ports/platform detection.
- Tests: comprehensive unit tests for EncapsulatedElement.
CI/Env
- Add E2E_FRAMEWORK env var (default via examples); set E2E_FRAMEWORK='detox' in build/run workflows to preserve current flows.
Dependencies
- Add @playwright/test and webdriverio and update lockfile.

^{Written by Cursor Bugbot for commit a2ed7c9. This will update automatically on new commits. Configure here.}

github-actions · 2025-12-04T12:21:24Z

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

socket-security · 2025-12-04T12:22:42Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Package	Supply Chain Security	Quality
npm/@types/node@20.14.11 ⏵ 20.19.25	⁺¹	⁺¹
npm/webdriverio@9.21.0
npm/@playwright/test@1.55.1 ⏵ 1.57.0

View full report

socket-security · 2025-12-04T12:22:43Z

Warning

MetaMask internal reviewing guidelines:

Do not ignore-all
Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
@SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert (click "▶" to expand/collapse)
Warn		Potential code anomaly (AI signal): npm `@puppeteer/browsers` is 100.0% likely to have a medium risk anomaly Notes: The fragment is a legitimate part of a binary distribution manager for headless browsers, with fallback download logic and optional Linux dependency installation. There is no evidence of covert data exfiltration, hardcoded credentials, or backdoors. The presence of system-level package installation and Windows executables introduces security risk if used in untrusted contexts, but these are expected behaviors for a tool intended to provision browsers. The malware likelihood is low, but the security risk to host environments (due to elevated commands and external downloads) warrants cautious review in restricted environments. Strengthening input validation, ensuring integrity of downloaded artifacts (checksums/signatures), and restricting shell-level executions would further mitigate risk. Confidence: 1.00 Severity: 0.60 From: `?` → `npm/[email protected]` → `npm/@puppeteer/[email protected]` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@puppeteer/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm `playwright-core` is 100.0% likely to have a medium risk anomaly Notes: The code implements an evaluation sandbox with serialization/deserialization capabilities. The most significant security concern is the use of eval on untrusted input, which can lead to arbitrary code execution. While there are protections around DOM-like objects and careful serialization, these do not fully mitigate the inherent risk of evaluating external expressions. No clear malware indicators (data exfiltration, backdoors, or hardcoded secrets) are present in this fragment, but the eval path represents a high-risk sink that could be misused if the surrounding system passes untrusted input. Treat this as a high-risk component requiring strict input validation, sandboxing, or avoidance of eval in favor of safer alternatives. Overall security risk is moderate to high due to eval exposure, with malware likelihood low unless the component is misused in a broader attack chain. Confidence: 1.00 Severity: 0.60 From: `?` → `npm/@playwright/[email protected]` → `npm/[email protected]` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm `undici` is 100.0% likely to have a medium risk anomaly Notes: The fragment appears to be a legitimate HTTP interaction snapshot utility designed for recording and replaying requests/responses with configurable filters and disk-backed persistence. No malicious activity is evident. Primary concerns revolve around securing stored data (privacy and access control) and ensuring proper configuration of header/body filtering. Overall security posture remains moderate and manageable with correct usage. Confidence: 1.00 Severity: 0.60 From: `?` → `npm/[email protected]` → `npm/[email protected]` → `npm/[email protected]` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Ignoring alerts on:

View full report

christopherferreira9 · 2025-12-04T12:23:45Z

@SocketSecurity ignore npm/[email protected] - expected and verified

christopherferreira9 · 2025-12-04T12:24:06Z

@SocketSecurity ignore npm/[email protected] - expected for dom parsing

christopherferreira9 · 2025-12-04T12:24:27Z

@SocketSecurity ignore npm/[email protected] - also expected, driver is downloaded automatically

e2e/framework/config/ConfigHandler.ts

e2e/framework/PlaywrightMatchers.ts

e2e/framework/services/appium/AppiumServer.ts

…rtup

e2e/framework/services/appium/AppiumServer.ts

e2e/playwright.config.ts

e2e/framework/config/ConfigHandler.ts

e2e/framework/services/providers/browserstack/BrowserStackAPI.ts

e2e/framework/services/providers/emulator/EmulatorConfigBuilder.ts

e2e/framework/services/appium/AppiumServer.ts

e2e/playwright.config.ts

e2e/framework/services/appium/AppiumServer.ts

e2e/framework/fixture/index.ts

e2e/framework/utils.ts

cortisiko

small feedback. Otherwise looks good

e2e/framework/services/providers/browserstack/BrowserStackConfigBuilder.ts

e2e/framework/services/appium/AppiumServer.ts

e2e/framework/fixture/index.ts

e2e/framework/PlaywrightMatchers.ts

e2e/framework/utils.ts

## **Description** Adds unified approach for element location in page objects through: - Generic approach for defining locators - Adds a Platform and Framework detector to avoid relying on framework specific ways - Turns framework files stack agnostic  ## **Changelog**  CHANGELOG entry: ## **Related issues** Fixes: ## **Manual testing steps** ```gherkin Feature: my feature name Scenario: user [verb for user action] Given [describe expected initial app state] When user [verb for user action] Then [describe expected outcome] ``` ## **Screenshots/Recordings**  ### **Before**  ### **After**  ## **Pre-merge author checklist** - [ ] I’ve followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [ ] I've completed the PR template to the best of my ability - [ ] I’ve included tests if applicable - [ ] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [ ] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.  --- > [!NOTE] > Adds a unified Detox/Appium element encapsulation layer with framework/platform detectors, updates fixtures to use it, and wires E2E_FRAMEWORK through CI and env configs. > > - **E2E framework**: > - Add `e2e/framework/EncapsulatedElement.ts` with `EncapsulatedElement`, `encapsulated`, `asPlaywrightElement`, `asDetoxElement`, and `LocatorStrategy` for unified Detox/Appium locators. > - Add `e2e/framework/FrameworkDetector.ts` and `e2e/framework/PlatformLocator.ts` for framework/platform detection. > - Export new APIs via `e2e/framework/index.ts`. > - Add comprehensive tests in `e2e/framework/EncapsulatedElement.test.ts` and architecture doc `e2e/framework/UNIFIED_E2E_ARCHIITECTURE.md`. > - **Fixtures**: > - Update `e2e/framework/fixtures/FixtureHelper.ts` and `e2e/framework/fixtures/FixtureUtils.ts` to use `PlatformDetector`/`FrameworkDetector`, refine Android `adb reverse` setup/cleanup, and adjust dapp/Anvil port helpers. > - **CI/Config**: > - Add `E2E_FRAMEWORK` env var to `.e2e.env.example`. > - Set `E2E_FRAMEWORK: 'detox'` in workflows: `.github/workflows/build-android-e2e.yml`, `.github/workflows/build-ios-e2e.yml`, `.github/workflows/run-e2e-workflow.yml`. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 2243d40. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

christopherferreira9 · 2025-12-05T15:54:04Z

@SocketSecurity ignore npm/[email protected] verified

christopherferreira9 · 2025-12-05T15:54:22Z

@SocketSecurity ignore npm/[email protected] this is expected

github-actions · 2025-12-05T16:18:59Z

🔍 Smart E2E Test Selection

Selected E2E tags: SmokeCore, SmokeWalletPlatform
Risk Level: medium
AI Confidence: 75%

click to see 🤖 AI reasoning details

This PR introduces a unified E2E testing framework supporting both Detox and WebDriverIO/Playwright. The changes are primarily additive, introducing new files for the Appium/WebDriverIO path while preserving the existing Detox infrastructure.

Key observations:

Additive changes: Most new files (PlaywrightAdapter, EncapsulatedElement, BrowserStackProvider, EmulatorProvider, etc.) are new code that won't affect existing Detox tests
CI safety: The PR adds E2E_FRAMEWORK='detox' to all existing CI workflows, ensuring existing tests detect and use the Detox path
One production change: The only change to existing test infrastructure is in FixtureHelper.ts (line 407) where device.getPlatform() === 'ios' is replaced with await PlatformDetector.isIOS(). The PlatformDetector correctly delegates to device.getPlatform() when in Detox context
Dependencies: Added Playwright and WebDriverIO packages - these are development dependencies for the new test infrastructure
Framework detection: The FrameworkDetector defaults to Detox for backwards compatibility when E2E_FRAMEWORK env var is not set

Risk is medium because:

The FixtureHelper.ts change modifies code that runs for all fixture-based tests
The new PlatformDetector is async (using await) which could potentially affect test timing
The package.json additions are dev dependencies but could affect build/test environment

Selected tags rationale:

SmokeCore: Tests core wallet functionality and framework stability - important to verify the framework changes don't break basic test infrastructure
SmokeWalletPlatform: Tests core wallet and platform features - validates that platform detection continues to work correctly

These two smoke tests provide good coverage of the fundamental test paths that would be affected if the framework detection or fixture loading had issues. If these pass, it indicates the infrastructure changes haven't broken the existing test foundation.

View GitHub Actions results

e2e/playwright.config.ts

sonarqubecloud · 2025-12-05T16:39:51Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

test: part 1 of adding the appium-playwright framework

c6247ff

christopherferreira9 requested a review from a team as a code owner December 4, 2025 12:21

metamaskbot added the team-qa QA team label Dec 4, 2025

github-actions bot added the size-XL label Dec 4, 2025