Merged
33 commits
7eb5ed5
chore(base-image): switch questing to resolute across dockerfiles and…
GrammaTonic Feb 27, 2026
a36d071
fix(ci): guard chrome builds against missing curl/unzip on resolute
GrammaTonic Feb 27, 2026
66aef2a
fix(docker): remove fallback curl install in chrome layers
GrammaTonic Feb 27, 2026
e491d86
fix(docker): align chrome deps with resolute
GrammaTonic Feb 27, 2026
5660d88
fix(docker): skip unsupported playwright chromium install
GrammaTonic Feb 27, 2026
d731d26
fix(tests): add playwright chromium check with chrome fallback
GrammaTonic Feb 27, 2026
0346817
fix(tests): use npx path and executable chrome fallback
GrammaTonic Feb 27, 2026
897a4e3
fix(tests): stabilize chrome-go playwright fallback
GrammaTonic Feb 27, 2026
2d5ed23
fix(tests): add playwright chrome-channel fallback
GrammaTonic Feb 27, 2026
2194cf4
fix(tests): repair playwright chrome installer path
GrammaTonic Feb 27, 2026
91ff976
fix(tests): add offline fallback for screenshot navigation
GrammaTonic Feb 27, 2026
be6eceb
fix(tests): make playwright screenshot network-independent
GrammaTonic Feb 27, 2026
f3d2274
Merge pull request #1093 from GrammaTonic/feature/base-image-resolute…
GrammaTonic Feb 27, 2026
addd829
chore(runner): bump GitHub Actions runner to 2.331.0 (#1095)
GrammaTonic Feb 27, 2026
4bf0c49
fix(docker): patch npm internals and bump go toolchain for develop co…
GrammaTonic Feb 27, 2026
a536ae1
chore: sync develop with main (CODE_SCANNING_FIXES.md relocation) (#1…
Copilot Feb 28, 2026
273cf67
feat: update Node.js, npm, Go, Playwright, Cypress, and npm security …
GrammaTonic Feb 28, 2026
c12f16d
fix(docker): patch nested node-gyp and @tufjs/models sub-modules to f…
GrammaTonic Mar 1, 2026
c4e8d85
chore(docker): update Chrome for Testing from 142.0.7444.162 to 146.0…
GrammaTonic Mar 1, 2026
cb32949
feat(docker): configure Playwright to use system Chrome binary via PL…
GrammaTonic Mar 1, 2026
70a3f76
Merge branch 'main' into develop
GrammaTonic Mar 1, 2026
2a1b530
fix(ci): pin trivy-action to 0.34.1 across all workflows
GrammaTonic Mar 1, 2026
8bb9376
fix(ci): bypass broken setup-trivy, install trivy manually
GrammaTonic Mar 1, 2026
a65cbd0
fix(ci): remove broken manual trivy wget install steps (#1104)
GrammaTonic Mar 1, 2026
1972ce0
Merge branch 'main' into develop
GrammaTonic Mar 1, 2026
00ba4d2
fix(ci): remove broken manual trivy wget install steps (#1106)
GrammaTonic Mar 1, 2026
e57878d
fix(ci): replace broken trivy wget with apt repository install (#1108)
GrammaTonic Mar 1, 2026
b117a42
chore: sync develop with main after squash merge
GrammaTonic Mar 1, 2026
ad28ea8
chore: sync develop with main after v2.4.0 release
GrammaTonic Mar 1, 2026
6c61915
docs: update wiki Home.md to v2.4.0 and fix populate-wiki.sh branch
GrammaTonic Mar 1, 2026
dd70061
perf: optimize CI/CD pipeline for speed and cost (#1111)
GrammaTonic Mar 1, 2026
9225ed7
style: strip trailing whitespace in ci-cd.yml
GrammaTonic Mar 1, 2026
ae3df92
fix(security): critical and high priority workflow optimizations (#1112)
GrammaTonic Mar 1, 2026
18 changes: 18 additions & 0 deletions .github/actions/install-trivy/action.yml
@@ -0,0 +1,18 @@
name: 'Install Trivy'
description: 'Install Trivy via the official apt repository. Replaces the duplicated inline install block used across multiple workflows.'
author: 'GrammaTonic'

runs:
using: 'composite'
steps:
- name: Install Trivy via apt
shell: bash
run: |
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key \
| gpg --dearmor \
| sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" \
| sudo tee /etc/apt/sources.list.d/trivy.list
sudo apt-get update -qq
sudo apt-get install -y trivy
trivy --version
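Review bot: the apt signing key fetched at lines 11-13 is trusted solely on the strength of the TLS connection to aquasecurity.github.io; add a fingerprint check after dearmoring (for example `gpg --show-keys --with-fingerprint /usr/share/keyrings/trivy.gpg` compared against the fingerprint Aqua publishes in the Trivy installation docs, with the real value filled in) so a substituted key fails the step instead of being silently installed. Likewise `sudo apt-get install -y trivy` at line 17 always takes the newest package in the repo, so scan results can change between runs for reasons unrelated to this repository; pinning `trivy=<version>` and bumping it deliberately keeps scans reproducible. Note that `shell: bash` in a composite step already makes the runner invoke bash with `-eo pipefail`, so the failure semantics of the `wget | gpg | tee` chain are already correct as written.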
Comment on lines +11 to +18
medium

For improved robustness, it's a good practice to include set -e and set -o pipefail at the beginning of your shell scripts. set -e will cause the script to exit immediately if a command exits with a non-zero status. set -o pipefail will cause a pipeline to return the exit status of the last command in the pipe that exited with a non-zero status, which is useful for chains of commands like wget | gpg | tee.

        set -e
        set -o pipefail
        wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key \
          | gpg --dearmor \
          | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
        echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" \
          | sudo tee /etc/apt/sources.list.d/trivy.list
        sudo apt-get update -qq
        sudo apt-get install -y trivy
        trivy --version

137 changes: 57 additions & 80 deletions .github/workflows/ci-cd.yml
@@ -11,6 +11,13 @@ name: CI/CD Pipeline
on:
push:
branches: [main, develop]
paths:
- "docker/**"
- "scripts/**"
- "config/**"
- "monitoring/**"
- ".github/workflows/**"
- "tests/**"
pull_request:
branches: [main, develop]
paths:
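Review bot: the new push `paths:` filter omits `.github/actions/**`, so a change to the composite action this PR introduces (.github/actions/install-trivy/action.yml) will not trigger the pipeline on push, even though every Trivy job in this file now depends on it; add `- ".github/actions/**"` next to `- ".github/workflows/**"`. Check the `pull_request` `paths:` list directly below for the same omission, and keep in mind that if any job in this workflow is a required status check, a push touching only unlisted paths produces no run and the check stays pending rather than passing.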
@@ -60,8 +67,6 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v6
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to Container Registry
uses: docker/login-action@v3
with:
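Review bot: dropping `Set up Docker Buildx` here, and in the two identical hunks that follow at lines 168 and 274, is only safe if these jobs never invoke `docker buildx` or `docker/build-push-action`; the visible context shows only checkout and registry login, so any build step is outside the hunk. Confirm each of the three jobs only pulls and runs images; if one still builds, it loses the builder configuration (cache backends, multi-platform support) those steps provided.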
@@ -168,8 +173,6 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v6
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to Container Registry
uses: docker/login-action@v3
with:
@@ -274,8 +277,6 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v6
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to Container Registry
uses: docker/login-action@v3
with:
@@ -303,18 +304,18 @@ jobs:
echo "Setting up Chrome-Go runner configuration..."
# Copy the example config file
cp config/chrome-go-runner.env.example config/chrome-go-runner.env

# Update the config file with actual values
sed -i.bak "s|GITHUB_TOKEN=ghp_your_personal_access_token_here|GITHUB_TOKEN=$GITHUB_TOKEN|" config/chrome-go-runner.env
sed -i.bak "s|GITHUB_REPOSITORY=your-username/your-repo-name|GITHUB_REPOSITORY=$GITHUB_REPOSITORY|" config/chrome-go-runner.env

echo "Provisioning Chrome-Go runner container in staging..."
echo "Using configuration from config/chrome-go-runner.env"
echo "Injecting GITHUB_TOKEN from secrets.REG_TOKEN"

# Use --env-file to load configuration
docker compose --env-file config/chrome-go-runner.env -f docker/docker-compose.chrome-go.yml up -d

echo "Checking if Chrome-Go runner container is running..."
RUNNING=$(docker ps --filter "name=github-runner-chrome-go" --filter "status=running" -q)
if [ -z "$RUNNING" ]; then
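Review bot: this hunk is whitespace-only, but the context it touches deserves a look. The two `sed -i.bak` calls each leave a backup, and the second backup (`config/chrome-go-runner.env.bak`) is taken after the first substitution has run, so it holds the injected GITHUB_TOKEN in plaintext beside the real env file for the life of the workspace. Use plain `sed -i` (or delete the `.bak` before `docker compose up`), and since `$GITHUB_TOKEN` is spliced into a sed replacement, a token containing `|` or `&` would corrupt the file; writing the two lines with `printf` instead of editing the example in place avoids both issues.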
@@ -410,7 +411,7 @@ jobs:
recursive: true
failure-threshold: warning
- name: Lint Shell Scripts with ShellCheck
uses: ludeeus/action-shellcheck@master
uses: ludeeus/action-shellcheck@00b27aa7cb85167568cb48a3838b75f4265f2bca # master 2024-06-20
with:
scandir: './scripts'
severity: warning
@@ -452,11 +453,8 @@ jobs:
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Install Trivy via apt
run: |
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee /etc/apt/sources.list.d/trivy.list
sudo apt-get update -qq && sudo apt-get install -y trivy
- name: Install Trivy
uses: ./.github/actions/install-trivy
- name: Run Trivy vulnerability scanner on filesystem
uses: aquasecurity/trivy-action@0.34.1
with:
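Review bot: the composite `./.github/actions/install-trivy` step is immediately followed by `aquasecurity/trivy-action@0.34.1`, which by default runs its own setup-trivy step and installs a second Trivy binary; the action's `with:` block is collapsed here, so confirm it sets `skip-setup-trivy: true` (and ideally a `version:` matching the apt package), otherwise the manual install that the commit history went to some trouble for is never used. The same check applies to the three container-scan jobs further down that received the identical change.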
@@ -473,9 +471,9 @@ jobs:
continue-on-error: true
with:
sarif_file: "trivy-results.sarif"
category: "security-scan"
category: "cicd-filesystem-scan"
- name: Check for secrets in repository
uses: trufflesecurity/trufflehog@main
uses: trufflesecurity/trufflehog@v3.88.1
with:
path: ./
base: ${{ github.event.before }}
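Review bot: `trufflesecurity/trufflehog@v3.88.1` moves from a branch ref to a release tag, which is an improvement, but tags are mutable and the ShellCheck step earlier in this file was pinned to a full commit SHA with a version comment; apply the same SHA pin here so the secret scanner's code cannot change under a reused tag. The category rename to `cicd-filesystem-scan` is fine, but alerts previously uploaded under `security-scan` are tracked separately from the new category, so expect both sets in the code-scanning view until the old ones are resolved.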
@@ -502,10 +500,21 @@ jobs:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Compute build platforms
id: platforms
run: |
# Build multi-arch (arm64) only on main; develop/feature branches use amd64-only for speed
if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
echo "platforms=linux/amd64,linux/arm64" >> $GITHUB_OUTPUT
else
echo "platforms=linux/amd64" >> $GITHUB_OUTPUT
fi
- name: Set up QEMU for multi-platform builds
uses: docker/setup-qemu-action@v3
if: steps.platforms.outputs.platforms != 'linux/amd64'
with:
platforms: linux/amd64,linux/arm64
platforms: ${{ steps.platforms.outputs.platforms }}
image: tonistiigi/binfmt:qemu-v10.2.1
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Extract normal runner metadata
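Review bot: the branch test in `Compute build platforms` interpolates `${{ github.ref }}` straight into the bash script; GitHub's script-injection guidance is to read such values from the environment instead, i.e. `if [[ "$GITHUB_REF" == "refs/heads/main" ]]; then`, which needs no `env:` mapping because the runner already exports `GITHUB_REF`. The `if:` guard on the QEMU step is correct as written: `platforms` can only be `linux/amd64` or `linux/amd64,linux/arm64`, so the inequality skips emulation exactly on amd64-only builds.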
@@ -539,7 +548,7 @@ jobs:
# Provide the default cache sources (multi-line) via GITHUB_ENV
# Use cross-branch cache to leverage builds from feature branches and other branches
printf "CACHE_FROM=type=gha\\ntype=gha,scope=normal-runner\\ntype=gha,scope=buildcache\\n" >> $GITHUB_ENV
printf "CACHE_TO=type=gha,mode=max,scope=normal-runner\\ntype=gha,mode=max,scope=buildcache\\n" >> $GITHUB_ENV
printf "CACHE_TO=type=gha,mode=max,scope=normal-runner\\n" >> $GITHUB_ENV
# Also emit as step outputs so other action inputs can reference them (multi-line)
echo "cache_from<<EOF" >> $GITHUB_OUTPUT
echo "type=gha" >> $GITHUB_OUTPUT
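Review bot: `CACHE_TO` no longer writes to `scope=buildcache`, but the `CACHE_FROM` line directly above still lists `type=gha,scope=buildcache` as a source, so that scope will serve progressively staler layers until it is evicted and is otherwise dead configuration; either remove it from `CACHE_FROM` as well or keep one job writing to the shared scope. The chrome and chrome-go cache hunks further down make the same asymmetric change.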
@@ -548,15 +557,14 @@ jobs:
echo "EOF" >> $GITHUB_OUTPUT
echo "cache_to<<EOF" >> $GITHUB_OUTPUT
echo "type=gha,mode=max,scope=normal-runner" >> $GITHUB_OUTPUT
echo "type=gha,mode=max,scope=buildcache" >> $GITHUB_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT
fi
- name: Build and push normal runner Docker image
id: build
uses: docker/build-push-action@v6
with:
context: ./docker
platforms: linux/amd64,linux/arm64
platforms: ${{ steps.platforms.outputs.platforms }}
file: ./docker/Dockerfile
push: true
load: false
@@ -576,17 +584,13 @@ jobs:
echo "Normal runner image pushed to registry: $PRIMARY_TAG"
echo "$PRIMARY_TAG" > build-normal-image-tag.txt
echo "${{ steps.build.outputs.digest }}" > build-normal-image-digest.txt
- name: Upload normal runner build image tag as artifact
- name: Upload normal runner build artifacts
uses: actions/upload-artifact@v6
with:
name: build-normal-image-tag
path: build-normal-image-tag.txt
retention-days: 30
- name: Upload normal runner build image digest as artifact
uses: actions/upload-artifact@v6
with:
name: build-normal-image-digest
path: build-normal-image-digest.txt
name: build-normal-image-artifacts
path: |
build-normal-image-tag.txt
build-normal-image-digest.txt
retention-days: 30
build-chrome:
name: Build Chrome Runner Image
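Review bot: merging the tag and digest uploads into one `build-normal-image-artifacts` artifact changes the names downstream jobs download; nothing in this diff updates a `download-artifact` step for `build-normal-image-tag` or `build-normal-image-digest`, so either those consumers were changed outside the visible hunks or they will now fail with a missing-artifact error. Please point at the updated consumers; the same check applies to the chrome and chrome-go artifact hunks below.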
@@ -609,10 +613,6 @@ jobs:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up QEMU for multi-platform builds
uses: docker/setup-qemu-action@v3
with:
platforms: linux/amd64,linux/arm64
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Extract Chrome runner metadata
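Review bot: `build-normal` kept QEMU behind a computed `platforms` output, but `build-chrome` simply drops the QEMU step with no `Compute build platforms` step added in this hunk, and its build-push `platforms:` line is not visible in the diff. If that step still requests `linux/amd64,linux/arm64`, the arm64 half of the build has no emulation and will fail; if it was switched to amd64-only, the published manifest silently loses arm64. Please show the corresponding build-step change; the `build-chrome-go` hunk below has the same gap.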
@@ -646,7 +646,7 @@ jobs:
# Provide the default cache sources (multi-line) via GITHUB_ENV
# Use cross-branch cache to leverage builds from feature branches and other branches
printf "CACHE_FROM=type=gha\\ntype=gha,scope=chrome-runner\\ntype=gha,scope=buildcache\\n" >> $GITHUB_ENV
printf "CACHE_TO=type=gha,mode=max,scope=chrome-runner\\ntype=gha,mode=max,scope=buildcache\\n" >> $GITHUB_ENV
printf "CACHE_TO=type=gha,mode=max,scope=chrome-runner\\n" >> $GITHUB_ENV
# Also emit as step outputs so other action inputs can reference them (multi-line)
echo "cache_from<<EOF" >> $GITHUB_OUTPUT
echo "type=gha" >> $GITHUB_OUTPUT
@@ -655,7 +655,6 @@ jobs:
echo "EOF" >> $GITHUB_OUTPUT
echo "cache_to<<EOF" >> $GITHUB_OUTPUT
echo "type=gha,mode=max,scope=chrome-runner" >> $GITHUB_OUTPUT
echo "type=gha,mode=max,scope=buildcache" >> $GITHUB_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT
fi
- name: Build and push Chrome runner image
@@ -683,17 +682,13 @@ jobs:
echo "Chrome runner image pushed to registry: $PRIMARY_TAG"
echo "$PRIMARY_TAG" > build-chrome-image-tag.txt
echo "${{ steps.build-chrome.outputs.digest }}" > build-chrome-image-digest.txt
- name: Upload Chrome build image tag as artifact
- name: Upload Chrome build artifacts
uses: actions/upload-artifact@v6
with:
name: build-chrome-image-tag
path: build-chrome-image-tag.txt
retention-days: 30
- name: Upload Chrome build image digest as artifact
uses: actions/upload-artifact@v6
with:
name: build-chrome-image-digest
path: build-chrome-image-digest.txt
name: build-chrome-image-artifacts
path: |
build-chrome-image-tag.txt
build-chrome-image-digest.txt
retention-days: 30
build-chrome-go:
name: Build Chrome-Go Runner Image
@@ -716,10 +711,6 @@ jobs:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up QEMU for multi-platform builds
uses: docker/setup-qemu-action@v3
with:
platforms: linux/amd64,linux/arm64
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Extract Chrome-Go runner metadata
@@ -753,7 +744,7 @@ jobs:
# Provide the default cache sources (multi-line) via GITHUB_ENV
# Use cross-branch cache to leverage builds from feature branches and other branches
printf "CACHE_FROM=type=gha\\ntype=gha,scope=chrome-go-runner\\ntype=gha,scope=buildcache\\n" >> $GITHUB_ENV
printf "CACHE_TO=type=gha,mode=max,scope=chrome-go-runner\\ntype=gha,mode=max,scope=buildcache\\n" >> $GITHUB_ENV
printf "CACHE_TO=type=gha,mode=max,scope=chrome-go-runner\\n" >> $GITHUB_ENV
# Also emit as step outputs so other action inputs can reference them (multi-line)
echo "cache_from<<EOF" >> $GITHUB_OUTPUT
echo "type=gha" >> $GITHUB_OUTPUT
@@ -762,7 +753,6 @@ jobs:
echo "EOF" >> $GITHUB_OUTPUT
echo "cache_to<<EOF" >> $GITHUB_OUTPUT
echo "type=gha,mode=max,scope=chrome-go-runner" >> $GITHUB_OUTPUT
echo "type=gha,mode=max,scope=buildcache" >> $GITHUB_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT
fi
- name: Build and push Chrome-Go runner image
@@ -790,17 +780,13 @@ jobs:
echo "Chrome-Go runner image pushed to registry: $PRIMARY_TAG"
echo "$PRIMARY_TAG" > build-chrome-go-image-tag.txt
echo "${{ steps.build-chrome-go.outputs.digest }}" > build-chrome-go-image-digest.txt
- name: Upload Chrome-Go build image tag as artifact
uses: actions/upload-artifact@v6
with:
name: build-chrome-go-image-tag
path: build-chrome-go-image-tag.txt
retention-days: 30
- name: Upload Chrome-Go build image digest as artifact
- name: Upload Chrome-Go build artifacts
uses: actions/upload-artifact@v6
with:
name: build-chrome-go-image-digest
path: build-chrome-go-image-digest.txt
name: build-chrome-go-image-artifacts
path: |
build-chrome-go-image-tag.txt
build-chrome-go-image-digest.txt
retention-days: 30
# Comprehensive Testing Suite
test-package-validation:
@@ -889,7 +875,7 @@ jobs:
echo "✅ Docker Compose validation passed for $compose_file"
else
echo "❌ Docker Compose validation failed for $compose_file"
echo "Error details:"
echo "Error details:"
cat "test-results/integration/compose-$compose_name.log" | head -20
integration_errors=$((integration_errors + 1))
fi
@@ -1133,11 +1119,8 @@ jobs:
uses: actions/checkout@v6
with:
fetch-depth: 1
- name: Install Trivy via apt
run: |
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee /etc/apt/sources.list.d/trivy.list
sudo apt-get update -qq && sudo apt-get install -y trivy
- name: Install Trivy
uses: ./.github/actions/install-trivy
- name: Run Trivy vulnerability scanner on container
uses: aquasecurity/trivy-action@0.34.1
with:
@@ -1153,7 +1136,7 @@ jobs:
continue-on-error: true
with:
sarif_file: "trivy-container-results.sarif"
category: "container-scan"
category: "cicd-container-scan"
security-chrome-scan:
name: Chrome Container Security Scan
runs-on: ubuntu-latest
@@ -1166,11 +1149,8 @@ jobs:
uses: actions/checkout@v6
with:
fetch-depth: 1
- name: Install Trivy via apt
run: |
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee /etc/apt/sources.list.d/trivy.list
sudo apt-get update -qq && sudo apt-get install -y trivy
- name: Install Trivy
uses: ./.github/actions/install-trivy
- name: Run Trivy vulnerability scanner on Chrome container
uses: aquasecurity/trivy-action@0.34.1
with:
@@ -1186,7 +1166,7 @@ jobs:
continue-on-error: true
with:
sarif_file: "trivy-chrome-results.sarif"
category: "chrome-container-scan"
category: "cicd-chrome-container-scan"
security-chrome-go-scan:
name: Chrome-Go Container Security Scan
runs-on: ubuntu-latest
@@ -1199,11 +1179,8 @@ jobs:
uses: actions/checkout@v6
with:
fetch-depth: 1
- name: Install Trivy via apt
run: |
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee /etc/apt/sources.list.d/trivy.list
sudo apt-get update -qq && sudo apt-get install -y trivy
- name: Install Trivy
uses: ./.github/actions/install-trivy
- name: Run Trivy vulnerability scanner on Chrome-Go container
uses: aquasecurity/trivy-action@0.34.1
with:
@@ -1219,7 +1196,7 @@ jobs:
continue-on-error: true
with:
sarif_file: "trivy-chrome-go-results.sarif"
category: "chrome-go-container-scan"
category: "cicd-chrome-go-container-scan"
cleanup:
name: Cleanup Resources
runs-on: ubuntu-latest