feat: Support scanning pages which require authentication (#1053)

Fixes
github/continuous-ai-for-accessibility#10
(Hubber access only)

This PR adds support for scanning pages which require authentication,
via 2 different methods:

1. It adds a built-in ‘Auth’ sub-action that can be used when an auth
flow requires only a username and password.
2. It delegates complex auth flows to custom, external actions, whose
output the scanner can now consume via a new `session_state_path` input.

Check out the new section [“Authentication” in the
README](https://github.com/github-community-projects/continuous-ai-for-accessibility-scanner/blob/smockle/auth/README.md#authentication)
for details.

Author: smockle

.github/actions/auth/README.md

@@ -0,0 +1,28 @@
+# auth
+
+Log in using Playwright, then write authenticated session state to a file for reuse in other Playwright sessions.
+
+## Usage
+
+### Inputs
+
+#### `login_url`
+
+**Required** Login page URL. For example, `https://github.com/login`
+
+#### `username`
+
+**Required** Username.
+
+#### `password`
+
+**Required** Password.
+
+> [!IMPORTANT]
+> Don’t put passwords in your workflow as plain text; instead reference a [repository secret](https://docs.github.com/en/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets#creating-secrets-for-a-repository).
+
+### Outputs
+
+#### `session_state_path`
+
+Path to a file containing authenticated session state.

.github/actions/auth/action.yml

@@ -0,0 +1,25 @@
+name: "Auth"
+description: "Log in using Playwright, then write authenticated session state to a file for reuse in other Playwright sessions."
+
+inputs:
+  login_url:
+    description: "Login page URL"
+    required: true
+  username:
+    description: "Username"
+    required: true
+  password:
+    description: "Password"
+    required: true
+
+outputs:
+  session_state_path:
+    description: "Path to a file containing authenticated session state"
+
+runs:
+  using: "node20"
+  main: "bootstrap.js"
+
+branding:
+  icon: "lock"
+  color: "blue"

.github/actions/auth/bootstrap.js

@@ -0,0 +1,61 @@
+#!/usr/bin/env node
+//@ts-check
+
+import fs from 'node:fs'
+import * as url from 'node:url'
+import { spawn } from 'node:child_process'
+
+function spawnPromisified(command, args, { quiet = false, ...options } = {}) {
+  return new Promise((resolve, reject) => {
+    const proc = spawn(command, args, options)
+    proc.stdout.setEncoding('utf8')
+    proc.stdout.on('data', (data) => {
+      if (!quiet) {
+        console.log(data)
+      }
+    })
+    proc.stderr.setEncoding('utf8')
+    proc.stderr.on('data', (data) => {
+      console.error(data)
+    })
+    proc.on('close', (code) => {
+      if (code !== 0) {
+        reject(code)
+      } else {
+        resolve(code)
+      }
+    })
+  })
+}
+
+await (async () => {
+  // If dependencies are not vendored-in, install them at runtime.
+  try {
+    await fs.accessSync(
+      url.fileURLToPath(new URL('./node_modules', import.meta.url)),
+      fs.constants.R_OK
+    )
+  } catch {
+    try {
+      await spawnPromisified('npm', ['ci'], {
+        cwd: url.fileURLToPath(new URL('.', import.meta.url)),
+        quiet: true
+      })
+    } catch {
+      process.exit(1)
+    }
+  } finally {
+    // Compile TypeScript.
+    try {
+      await spawnPromisified('npm', ['run', 'build'], {
+        cwd: url.fileURLToPath(new URL('.', import.meta.url)),
+        quiet: true
+      })
+    } catch {
+      process.exit(1)
+    }
+    // Run the main script.
+    const action = await import('./dist/index.js')
+    await action.default()
+  }
+})()

.github/actions/auth/package-lock.json

@@ -0,0 +1,23 @@
+{
+  "name": "auth",
+  "version": "1.0.0",
+  "description": "Log in using Playwright, then write authenticated session state to a file for reuse in other Playwright sessions.",
+  "main": "dist/index.js",
+  "module": "dist/index.js",
+  "scripts": {
+    "start": "node bootstrap.js",
+    "build": "tsc"
+  },
+  "keywords": [],
+  "author": "GitHub",
+  "license": "MIT",
+  "type": "module",
+  "dependencies": {
+    "@actions/core": "^1.11.1",
+    "playwright": "^1.55.1"
+  },
+  "devDependencies": {
+    "@types/node": "^24.5.2",
+    "typescript": "^5.8.3"
+  }
+}

.github/actions/auth/package.json

@@ -0,0 +1,65 @@
+import crypto from "node:crypto";
+import process from "node:process";
+import * as url from "node:url";
+import core from "@actions/core";
+import playwright from "playwright";
+
+export default async function () {
+  core.info("Starting 'auth' action");
+
+  let browser: playwright.Browser | undefined;
+  let context: playwright.BrowserContext | undefined;
+  let page: playwright.Page | undefined;
+  try {
+    // Get inputs
+    const loginUrl = core.getInput("login_url", { required: true });
+    const username = core.getInput("username", { required: true });
+    const password = core.getInput("password", { required: true });
+    core.setSecret(password);
+
+    // Determine storage path for authenticated session state
+    // Playwright will create missing directories, if needed
+    const actionDirectory = `${url.fileURLToPath(new URL(import.meta.url))}/..`;
+    const sessionStatePath = `${
+      process.env.RUNNER_TEMP ?? actionDirectory
+    }/.auth/${crypto.randomUUID()}/sessionState.json`;
+
+    // Launch a headless browser
+    browser = await playwright.chromium.launch({
+      headless: true,
+      executablePath: process.env.CI ? "/usr/bin/google-chrome" : undefined,
+    });
+    context = await browser.newContext();
+    page = await context.newPage();
+
+    // Log in
+    core.info("Navigating to login page");
+    await page.goto(loginUrl);
+    core.info("Filling username");
+    await page.getByLabel(/username/i).fill(username);
+    core.info("Filling password");
+    await page.getByLabel(/password/i).fill(password);
+    core.info("Logging in");
+    await page
+      .getByLabel(/password/i)
+      .locator("xpath=ancestor::form")
+      .evaluate((form) => (form as HTMLFormElement).submit());
+
+    // Write authenticated session state to a file and output its path
+    await context.storageState({ path: sessionStatePath });
+    core.setOutput("session_state_path", sessionStatePath);
+    core.info(`Wrote authenticated session state to ${sessionStatePath}`);
+  } catch (error) {
+    if (page) {
+      core.info(`Errored at page URL: ${page.url()}`);
+    }
+    core.setFailed(`${error}`);
+    process.exit(1);
+  } finally {
+    // Clean up
+    await context?.close();
+    await browser?.close();
+  }
+
+  core.info("Finished 'auth' action");
+}

.github/actions/auth/src/index.ts

@@ -0,0 +1,14 @@
+{
+  "compilerOptions": {
+    "target": "esnext",
+    "module": "nodenext",
+    "moduleResolution": "nodenext",
+    "esModuleInterop": true,
+    "strict": true,
+    "rootDir": "src",
+    "outDir": "dist"
+  },
+  "include": [
+    "src/**/*.ts"
+  ]
+}

.github/actions/auth/tsconfig.json

@@ -15,6 +15,10 @@ https://primer.style
 https://primer.style/octicons/
 ```
 
+#### `session_state_path`
+
+**Optional** Path to a file containing authenticated session state.
+
 ### Outputs
 
 #### `findings`