Conversation
…-update chore(base-image): migrate questing to resolute across dockerfiles and docs
Squash merge: bump GitHub Actions runner to 2.331.0 and align docs/scripts.
)
* fix: move CODE_SCANNING_FIXES.md to docs/ to resolve documentation structure CI failure (#1098)
* Initial plan
* fix: move CODE_SCANNING_FIXES.md to docs/ to fix documentation structure check
Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com>
* fix: update relative links in CODE_SCANNING_FIXES.md after moving to docs/
Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com>
* Initial plan
---------
Co-authored-by: Syam Sampatsing <gt@grammatonic.nl>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com>
…packages to latest (#1100)
- Node.js: 24.11.1 -> 24.14.0 (LTS Krypton)
- npm: 11.6.4 -> 11.11.0
- Go: 1.25.7 -> 1.26.0 (Chrome-Go runner)
- Playwright: 1.55.1 -> 1.58.2
- @playwright/test: 1.55.1 -> 1.58.2
- Cypress: 13.15.0 -> 15.11.0
- tar: 7.5.6 -> 7.5.9
- brace-expansion: 2.0.2 -> 5.0.4
- @isaacs/brace-expansion: 5.0.0 -> 5.0.1
- glob: 13.0.0 -> 13.0.6
- minimatch: 10.1.1 -> 10.2.4
- diff: 8.0.2 -> 8.0.3
Updated all three Dockerfiles and all documentation references.
…ix CVEs (#1101)
* fix(docker): patch nested node-gyp and @tufjs/models sub-modules to fix CVEs
Fixes 4 HIGH severity CVEs found in Trivy scan of the standard runner image:
- CVE-2025-64756 (glob@10.4.5 in node-gyp nested modules) - Command Injection
  Fixed: glob 10.4.5 to 10.5.0 (NODE_GYP_GLOB_VERSION)
- CVE-2026-26996 (minimatch@9.0.5) - ReDoS via consecutive wildcards
- CVE-2026-27903 (minimatch@9.0.5) - ReDoS via GLOBSTAR backtracking
- CVE-2026-27904 (minimatch@9.0.5) - ReDoS via nested extglobs
  Fixed: minimatch 9.0.5 to 9.0.7 (NESTED_MINIMATCH_VERSION) in both node-gyp/node_modules/ and @tufjs/models/node_modules/
Root cause: existing patching replaced top-level npm/node_modules/ but missed deeply-nested sub-modules under node-gyp and @tufjs/models.
All three Dockerfiles (standard, chrome, chrome-go) updated with:
- Two new ARG variables (NODE_GYP_GLOB_VERSION, NESTED_MINIMATCH_VERSION)
- Extended nested-patch step after top-level patching to replace vulnerable packages in node-gyp/node_modules/ and @tufjs/models/node_modules/ using the same runner-bundled node binary
* fix(docker): run nested npm install before replacing npm modules
The nested patch npm install was running after top-level module replacement, causing the runner-bundled npm to crash with:
  npm error Class extends value undefined is not a constructor or null
Fix: both npm installs (top-level and nested) now run against the original unmodified npm before any rm/cp operations are performed.
…AYWRIGHT_CHROMIUM_EXECUTABLE_PATH
Replace broken aquasecurity/trivy-action@master (floating ref pointing to a broken commit) with pinned stable release 0.34.1 in all workflow files. The master ref was failing because setup-trivy attempted to fetch refs/heads/main from aquasecurity/trivy which does not exist, causing trivy setup to fail and SARIF files to never be generated, resulting in upload-sarif errors. Also add continue-on-error: true to SARIF upload steps to prevent cascading failures if a scan does not produce output.
Files updated:
- .github/workflows/ci-cd.yml (4 instances)
- .github/workflows/release.yml (3 instances)
- .github/workflows/security-advisories.yml (6 instances)
- .github/workflows/maintenance.yml (1 instance)
All trivy-action versions bundle broken setup-trivy@e6c2c5e which fails to fetch aquasecurity/trivy refs/heads/main. Fix: wget trivy binary directly from GitHub releases and set skip-setup-trivy: true on all trivy-action steps across 5 workflow files.
fix(ci): remove broken manual trivy wget install steps
The manual wget steps downloading trivy v0.69.1 from GitHub releases were failing with exit code 8 (HTTP error). The trivy-action built-in setup-trivy also fails on cold cache with 'could not find remote ref refs/heads/main' when cloning aquasecurity/trivy. Fix: use the Aqua Security apt repository to install trivy, which is reliably available and more stable than release URL downloads.
Affected workflow files:
- .github/workflows/ci-cd.yml (4 security scan jobs)
- .github/workflows/seed-trivy-sarif.yml (2 jobs)
- .github/workflows/release.yml (1 job)
- .github/workflows/security-advisories.yml (1 job)
- .github/workflows/maintenance.yml (1 job)
- Update Home.md latest updates section to v2.4.0 (2026-03-01)
- Add Chrome-Go column to versions table
- Update all component versions: Node.js 24.14.0, npm 11.11.0, Chrome 146.0.7680.31, Playwright 1.58.2, Cypress 15.11.0, Go 1.26.0, Runner v2.331.0
- Add ubuntu:resolute base image row
- Fix populate-wiki.sh to push/pull master instead of main
* perf: optimize ci-cd pipeline for speed and cost
- Add paths filter to push trigger (skips docs-only commit builds)
- Conditional multi-arch: arm64 only on main, amd64-only on feature/develop
- Pin tonistiigi/binfmt version in setup-qemu-action
- QEMU skipped on amd64-only builds (if: guard + removed from chrome jobs)
- Remove QEMU from build-chrome and build-chrome-go (amd64-only jobs)
- Strip redundant buildcache from cache-to in all three build jobs
- Merge dual tag+digest artifact uploads into single upload per build job
- Remove setup-buildx-action from all three provision-* jobs
* style: fix yamllint trailing-spaces and missing newline errors
Strip trailing whitespace from security-advisories.yml, maintenance.yml, and dependabot-rebase.yml. Add missing newline at end of docker/docker-compose.chrome-go.yml. All 34 pre-existing yamllint errors resolved so the Lint and Validate job passes cleanly.
Squash merge: security workflow optimizations (composite Trivy action, pinned actions, SARIF categories, staggered schedules, jq CRITICAL detection, heredoc fixes)
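The nested sub-module commit in the list above (fix CVEs, #1101) traces the missed CVEs to a patch step that replaced only the top-level copies of glob and minimatch under npm/node_modules/. What follows is an added example, not code from the repository, of the audit that would have caught that before Trivy did: it walks a node_modules tree for every copy of a package at any depth and reports the ones still below the fixed version. `list_copies`, `version_ge`, `find_vulnerable`, `count_vulnerable`, `write_pkg` and `make_fixture` are names chosen here, and the tree `make_fixture` builds is a constructed stand-in for the runner image's layout that uses the two nested paths named in the commit message.

```bash
#!/usr/bin/env bash
# Added example (not the project's code): find every nested copy of an npm
# package below a fixed version, the gap the nested-patch commit closes.

# Print "<package dir> <version>" for every copy of package $2 under tree $1,
# at any nesting depth. The version is pulled out of package.json with sed so
# the script needs neither node nor jq.
list_copies() {
  root="$1"; pkg="$2"
  find "$root" -type f -path "*/node_modules/$pkg/package.json" 2>/dev/null | sort |
  while read -r pj; do
    ver=$(sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$pj" | head -n1)
    printf '%s %s\n' "${pj%/package.json}" "$ver"
  done
}

# Return 0 when version $1 >= version $2 (plain dotted versions, no prerelease
# tags), using sort -V so 9.0.7 sorts after 9.0.5 and 10.2.4 after 9.0.7.
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# Print the copies of $2 under $1 that are still below fixed version $3.
# An unreadable version is reported too, since it cannot be shown patched.
find_vulnerable() {
  list_copies "$1" "$2" | while read -r dir ver; do
    version_ge "$ver" "$3" || printf '%s %s\n' "$dir" "$ver"
  done
}

# Number of copies still below the fixed version (0 means fully patched).
count_vulnerable() {
  find_vulnerable "$@" | wc -l | tr -d ' '
}

# Write a minimal package.json for package $2 at version $3 into directory $1.
write_pkg() {
  mkdir -p "$1"
  printf '{\n  "name": "%s",\n  "version": "%s"\n}\n' "$2" "$3" > "$1/package.json"
}

# Constructed fixture: a tree shaped like the runner image after the original
# top-level patch ran, with the two nested copies that patch missed.
make_fixture() {
  root="$1"
  write_pkg "$root/node_modules/minimatch" minimatch 10.2.4                        # top-level, current
  write_pkg "$root/node_modules/npm/node_modules/minimatch" minimatch 9.0.7         # patched by the old step
  write_pkg "$root/node_modules/npm/node_modules/node-gyp/node_modules/minimatch" minimatch 9.0.5        # missed
  write_pkg "$root/node_modules/npm/node_modules/@tufjs/models/node_modules/minimatch" minimatch 9.0.5   # missed
}

# Usage: source this file, then for example
#   root=$(mktemp -d); make_fixture "$root"
#   find_vulnerable "$root" minimatch 9.0.7    # lists the two 9.0.5 copies
#   find_vulnerable /usr/lib/node_modules glob 10.5.0   # against a real tree
```

Running `count_vulnerable` for each (package, fixed version) pair after the Dockerfile patch step, and failing the build when it is non-zero, turns the lesson of #1101 into a check rather than something Trivy reports after the image is built.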
Code Review
This pull request promotes the develop branch to main, incorporating several updates and fixes. The changes include a new composite action for Trivy installation, branch name corrections in a script, and documentation updates for a new release. My review focuses on improving the robustness of the new CI action script.
| wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key \ | ||
| | gpg --dearmor \ | ||
| | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null | ||
| echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" \ | ||
| | sudo tee /etc/apt/sources.list.d/trivy.list | ||
| sudo apt-get update -qq | ||
| sudo apt-get install -y trivy | ||
| trivy --version |
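Review bot: the final `sudo apt-get install -y trivy` installs whatever version the Aqua repository serves on the day the job runs, so this step gives up the pinning the rest of the series works toward (trivy-action pinned to 0.34.1, the earlier wget of a fixed v0.69.1 release); pin the package, for example `sudo apt-get install -y trivy=<version>` after checking `apt-cache policy trivy`, so that a scanner upgrade, and with it any change in SARIF output or in the CRITICAL counts release.yml inspects with jq, lands as a deliberate bump rather than on a random run, and leave `trivy --version` in place as the record of what actually ran. The signing key on the first three lines is also trusted purely on the strength of the HTTPS fetch; comparing the fingerprint of /usr/share/keyrings/trivy.gpg (`gpg --no-default-keyring --keyring /usr/share/keyrings/trivy.gpg --fingerprint`) against the value you expect before writing the sources entry would close that gap.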
For improved robustness, it's a good practice to include set -e and set -o pipefail at the beginning of your shell scripts. set -e will cause the script to exit immediately if a command exits with a non-zero status. set -o pipefail will cause a pipeline to return the exit status of the last command in the pipe that exited with a non-zero status, which is useful for chains of commands like wget | gpg | tee.
```bash
# Abort on the first failing command...
set -e
# ...and make a pipeline report the failure of any stage, not only the last one
# (otherwise `wget ... | gpg ... | tee` succeeds as long as tee succeeds).
set -o pipefail
# Fetch the Aqua Security signing key and store it in a dedicated keyring.
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key \
  | gpg --dearmor \
  | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
# Register the repository, restricted to packages signed by that keyring.
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" \
  | sudo tee /etc/apt/sources.list.d/trivy.list
sudo apt-get update -qq
sudo apt-get install -y trivy
# Confirm the install and surface the version in the job log.
trivy --version
```
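An added example, not from the PR or from the review comment above, that shows the failure mode the `set -o pipefail` suggestion guards against. It replaces the network fetch with a function that fails the way the earlier commit message reports wget failing (exit status 8, an HTTP error) and stands `cat` in for `gpg --dearmor`, so it runs offline; `fetch_key_failing`, `status_without_pipefail`, `status_with_pipefail`, `keyring_size` and `keyring_ok` are names chosen here.

```bash
#!/usr/bin/env bash
# Added example: what the wget | gpg --dearmor | sudo tee keyring chain reports
# with and without pipefail when the key download fails. Offline stand-ins:
# fetch_key_failing plays a wget that hit an HTTP error (wget exit status 8),
# and cat plays gpg --dearmor, which would pass no bytes through anyway.

# Simulated key download that fails before producing any output.
fetch_key_failing() {
  echo "wget: server returned error 404" >&2
  return 8
}

# Run the chain the way a plain `run:` step does (no pipefail) and print its
# exit status. $1 is the keyring path the chain writes.
status_without_pipefail() {
  out="$1"; rc=0
  ( set +o pipefail
    fetch_key_failing 2>/dev/null | cat | tee "$out" >/dev/null ) || rc=$?
  echo "$rc"
}

# Same chain with pipefail: the status of the failing fetch is what comes back.
status_with_pipefail() {
  out="$1"; rc=0
  ( set -o pipefail
    fetch_key_failing 2>/dev/null | cat | tee "$out" >/dev/null ) || rc=$?
  echo "$rc"
}

# Size in bytes of the keyring the chain left behind.
keyring_size() {
  wc -c < "$1" | tr -d ' '
}

# A check worth running right after the chain regardless of pipefail: tee
# creates the file before any input arrives, so a zero-byte keyring means the
# fetch failed even when the pipeline reported success.
keyring_ok() {
  [ -s "$1" ]
}

# Usage: source this file, then
#   k=$(mktemp); status_without_pipefail "$k"   # prints 0, keyring is empty
#   status_with_pipefail "$k"                   # prints 8
```

Without pipefail the step carries on to `apt-get update` holding a zero-byte file in `signed-by=`, and the job fails there with an apt signature error that points nowhere near the real cause; with it, the step stops at the fetch and the log shows the wget error.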
Summary
Squash-merge promotion of develop → main.
Changes included
- install-trivy action
- pinned TruffleHog/ShellCheck
- unique SARIF categories
- staggered Monday schedules
- scoped advisory caches
- jq-based CRITICAL detection in release.yml
- heredoc bug fixes