chore(ge-urs): complete deny-by-default permissions for all agents #10

	name: PR CI — build + validate + Playwright

	on:
	pull_request:
	types: [opened, synchronize, reopened]

	jobs:
	build-validate:
	runs-on: ubuntu-latest
	outputs:
	build-dir: ${{ steps.build.outputs.build_dir }}
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Use Node.js
	uses: actions/setup-node@v4
	with:
	node-version: 18

	- name: Install dependencies
	run: npm ci

	- name: Build
	id: build
	run: \|
	npm run build \|\| true
	echo "build_dir=web" >> $GITHUB_OUTPUT

	- name: Validate stories
	run: \|
	node scripts/validate-story.js --glob "web/stories/*/.ink" --output json --max-steps 2000

	- name: Archive build artifact
	uses: actions/upload-artifact@v4
	with:
	name: demo-web
	path: web

	playwright:
	runs-on: ubuntu-latest
	needs: build-validate
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Download build artifact
	uses: actions/download-artifact@v4
	with:
	name: demo-web
	path: demo-web

	- name: Setup Node.js
	uses: actions/setup-node@v4
	with:
	node-version: 18

	- name: Install dependencies
	run: npm ci

	- name: Install Playwright browsers
	run: npx playwright install --with-deps

	- name: Start static server
	run: npx http-server demo-web --port 4173 &

	- name: Run Playwright tests
	run: \|
	npx playwright test --config=playwright.config.ts

	- name: Upload Playwright HTML report
	uses: actions/upload-artifact@v4
	with:
	name: playwright-html-report
	path: playwright-report

	- name: Upload Playwright junit report
	uses: actions/upload-artifact@v4
	with:
	name: playwright-junit
	path: junit-report.xml

Provide feedback