
chore: promote develop to main#1117

Merged
GrammaTonic merged 36 commits into main from develop on Mar 1, 2026

Conversation

@GrammaTonic
Owner

Promote develop to main

Summary

Promotes latest integrated changes from develop to main.

Changes Included

Files Changed (net)

  • .github/workflows/maintenance.yml - Major workflow reliability improvements
  • docker/Dockerfile - Runner version bump to 2.332.0
  • docker/Dockerfile.chrome - Runner version bump
  • docker/Dockerfile.chrome-go - Runner version bump
  • docs/VERSION_OVERVIEW.md - Version documentation update

Type of Change

  • New features
  • Bug fixes
  • Performance improvements
  • Security enhancements
  • Documentation updates

Merge Strategy

Use Squash and merge then back-sync develop.

GrammaTonic and others added 30 commits February 27, 2026 19:24
…-update

chore(base-image): migrate questing to resolute across dockerfiles and docs
Squash merge: bump GitHub Actions runner to 2.331.0 and align docs/scripts.
)

* fix: move CODE_SCANNING_FIXES.md to docs/ to resolve documentation structure CI failure (#1098)

* Initial plan

* fix: move CODE_SCANNING_FIXES.md to docs/ to fix documentation structure check

Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com>

* fix: update relative links in CODE_SCANNING_FIXES.md after moving to docs/

Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com>

* Initial plan

---------

Co-authored-by: Syam Sampatsing <gt@grammatonic.nl>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com>

…packages to latest (#1100)

- Node.js: 24.11.1 -> 24.14.0 (LTS Krypton)
- npm: 11.6.4 -> 11.11.0
- Go: 1.25.7 -> 1.26.0 (Chrome-Go runner)
- Playwright: 1.55.1 -> 1.58.2
- @playwright/test: 1.55.1 -> 1.58.2
- Cypress: 13.15.0 -> 15.11.0
- tar: 7.5.6 -> 7.5.9
- brace-expansion: 2.0.2 -> 5.0.4
- @isaacs/brace-expansion: 5.0.0 -> 5.0.1
- glob: 13.0.0 -> 13.0.6
- minimatch: 10.1.1 -> 10.2.4
- diff: 8.0.2 -> 8.0.3

Updated all three Dockerfiles and all documentation references.

…ix CVEs (#1101)

* fix(docker): patch nested node-gyp and @tufjs/models sub-modules to fix CVEs

Fixes 4 HIGH severity CVEs found in Trivy scan of the standard runner image:

- CVE-2025-64756 (glob@10.4.5 in node-gyp nested modules) - Command Injection
  Fixed: glob 10.4.5 to 10.5.0 (NODE_GYP_GLOB_VERSION)

- CVE-2026-26996 (minimatch@9.0.5) - ReDoS via consecutive wildcards
- CVE-2026-27903 (minimatch@9.0.5) - ReDoS via GLOBSTAR backtracking
- CVE-2026-27904 (minimatch@9.0.5) - ReDoS via nested extglobs
  Fixed: minimatch 9.0.5 to 9.0.7 (NESTED_MINIMATCH_VERSION) in both
    node-gyp/node_modules/ and @tufjs/models/node_modules/

Root cause: existing patching replaced top-level npm/node_modules/ but
missed deeply-nested sub-modules under node-gyp and @tufjs/models.

All three Dockerfiles (standard, chrome, chrome-go) updated with:
- Two new ARG variables (NODE_GYP_GLOB_VERSION, NESTED_MINIMATCH_VERSION)
- Extended nested-patch step after top-level patching to replace
  vulnerable packages in node-gyp/node_modules/ and
  @tufjs/models/node_modules/ using the same runner-bundled node binary

* fix(docker): run nested npm install before replacing npm modules

The nested patch npm install was running after top-level module replacement,
causing the runner-bundled npm to crash with:
  npm error Class extends value undefined is not a constructor or null

Fix: both npm installs (top-level and nested) now run against the original
unmodified npm before any rm/cp operations are performed.
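The root cause described in the commit message above (top-level npm/node_modules/ patched, nested copies under node-gyp/ and @tufjs/models/ missed) is the kind of gap an inventory check catches before a scanner does. The following POSIX shell script is an added example, not the repository's own Dockerfile code: it builds a constructed sample tree with a patched top-level minimatch and two unpatched nested copies, lists every copy of the package wherever it sits in the tree, and counts the ones below a required minimum version. The package names and versions are taken from the commit message; the sample tree itself is constructed for the example.

```shell
#!/bin/sh
# Added example (not the runner repository's own code): inventory every copy of
# an npm package under a node_modules tree, including nested copies under
# node-gyp/ and @tufjs/models/, and flag those below a required minimum version.
set -eu

# find_package_copies ROOT PKG: print "<package dir> <version>" for each copy
# of PKG found at any depth under ROOT.
find_package_copies() {
  root=$1; pkg=$2
  find "$root" -type f -path "*/node_modules/$pkg/package.json" |
  while read -r pj; do
    ver=$(sed -n 's/.*"version":[[:space:]]*"\([^"]*\)".*/\1/p' "$pj" | head -n 1)
    printf '%s %s\n' "${pj%/package.json}" "$ver"
  done
}

# version_ge A B: exit 0 when dotted numeric version A >= B, 1 otherwise.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i in x) ? x[i] + 0 : 0
      yi = (i in y) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# count_outdated_copies ROOT PKG MIN: report every copy of PKG under ROOT
# older than MIN on stderr and print the number of such copies on stdout.
count_outdated_copies() {
  root=$1; pkg=$2; min=$3
  find_package_copies "$root" "$pkg" | {
    n=0
    while read -r path ver; do
      if ! version_ge "$ver" "$min"; then
        echo "OUTDATED: $path ($ver < $min)" >&2
        n=$((n + 1))
      fi
    done
    echo "$n"
  }
}

# make_sample_tree: constructed sample tree mirroring the commit message,
# a patched top-level minimatch plus two unpatched nested copies. Prints its path.
make_sample_tree() {
  d=$(mktemp -d)
  for sub in "" "node-gyp/node_modules/" "@tufjs/models/node_modules/"; do
    mkdir -p "$d/node_modules/${sub}minimatch"
  done
  printf '{"name":"minimatch","version":"10.2.4"}\n' > "$d/node_modules/minimatch/package.json"
  printf '{"name":"minimatch","version":"9.0.5"}\n' > "$d/node_modules/node-gyp/node_modules/minimatch/package.json"
  printf '{"name":"minimatch","version":"9.0.5"}\n' > "$d/node_modules/@tufjs/models/node_modules/minimatch/package.json"
  echo "$d"
}
```

Run against a real image with something like `count_outdated_copies /path/to/runner/externals/node24/lib minimatch 9.0.7` (the path is a placeholder; substitute the node tree inside the image). A non-zero count after the patch step means a nested copy was missed, which is exactly the situation the Trivy scan reported here.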

Replace broken aquasecurity/trivy-action@master (floating ref pointing to
a broken commit) with pinned stable release 0.34.1 in all workflow files.

The master ref was failing because setup-trivy attempted to fetch
refs/heads/main from aquasecurity/trivy which does not exist, causing
trivy setup to fail and SARIF files to never be generated, resulting in
upload-sarif errors.

Also add continue-on-error: true to SARIF upload steps to prevent
cascading failures if a scan does not produce output.

Files updated:
- .github/workflows/ci-cd.yml (4 instances)
- .github/workflows/release.yml (3 instances)
- .github/workflows/security-advisories.yml (6 instances)
- .github/workflows/maintenance.yml (1 instance)
All trivy-action versions bundle broken setup-trivy@e6c2c5e which fails
to fetch aquasecurity/trivy refs/heads/main. Fix: wget trivy binary
directly from GitHub releases and set skip-setup-trivy: true on all
trivy-action steps across 5 workflow files.

fix(ci): remove broken manual trivy wget install steps
The manual wget steps downloading trivy v0.69.1 from GitHub releases
were failing with exit code 8 (HTTP error). The trivy-action built-in
setup-trivy also fails on cold cache with 'could not find remote ref
refs/heads/main' when cloning aquasecurity/trivy.

Fix: use the Aqua Security apt repository to install trivy, which is
reliably available and more stable than release URL downloads.

Affected workflow files:
- .github/workflows/ci-cd.yml (4 security scan jobs)
- .github/workflows/seed-trivy-sarif.yml (2 jobs)
- .github/workflows/release.yml (1 job)
- .github/workflows/security-advisories.yml (1 job)
- .github/workflows/maintenance.yml (1 job)

- Update Home.md latest updates section to v2.4.0 (2026-03-01)
- Add Chrome-Go column to versions table
- Update all component versions: Node.js 24.14.0, npm 11.11.0, Chrome 146.0.7680.31, Playwright 1.58.2, Cypress 15.11.0, Go 1.26.0, Runner v2.331.0
- Add ubuntu:resolute base image row
- Fix populate-wiki.sh to push/pull master instead of main

* perf: optimize ci-cd pipeline for speed and cost

- Add paths filter to push trigger (skips docs-only commit builds)
- Conditional multi-arch: arm64 only on main, amd64-only on feature/develop
- Pin tonistiigi/binfmt version in setup-qemu-action
- QEMU skipped on amd64-only builds (if: guard + removed from chrome jobs)
- Remove QEMU from build-chrome and build-chrome-go (amd64-only jobs)
- Strip redundant buildcache from cache-to in all three build jobs
- Merge dual tag+digest artifact uploads into single upload per build job
- Remove setup-buildx-action from all three provision-* jobs

* style: fix yamllint trailing-spaces and missing newline errors

Strip trailing whitespace from security-advisories.yml, maintenance.yml,
and dependabot-rebase.yml. Add missing newline at end of
docker/docker-compose.chrome-go.yml. All 34 pre-existing yamllint errors
resolved so the Lint and Validate job passes cleanly.

Squash merge: security workflow optimizations (composite Trivy action, pinned actions, SARIF categories, staggered schedules, jq CRITICAL detection, heredoc fixes)

…ue automation (#1115)

* fix: improve maintenance workflow reliability and correctness

- Add concurrency block to prevent duplicate simultaneous runs
- Extract hardcoded retention days and security patch versions to env vars
- Fix curl error handling with timeouts and null guards in check-updates
- Add continue-on-error to Trivy scan to prevent cascade failures
- Replace sed-i steps that never committed with read-only status reports
- Remove dead wiki-repo sync code (wiki-repo was never checked out)
- Fix bash -n syntax check suppressing errors via 2>/dev/null
- Add if guard to comprehensive-health-check (was running unconditionally)
- Fix maintenance-summary to correctly count skipped jobs
- Mark stub jobs (docker-images, github-actions) with Dependabot notices
- Use env vars for all retention-days and security patch references

* feat: add cache cleanup for closed PRs in maintenance workflow

Replace the placeholder container-image cleanup step with a real
actions/github-script step that enumerates all GitHub Actions caches,
compares their ref against currently open PRs, and deletes caches
from closed/merged PRs to free storage.

* feat: add cache cleanup for deleted branches in maintenance workflow

Add a new step that lists all existing branches, then walks the GHA
cache entries and deletes any whose ref points to a branch that no
longer exists. Runs after the closed-PR cache cleanup step.

* feat: auto-create/close version update issues in maintenance workflow

- Add 'Manage version update issues' step using actions/github-script
- Creates a GitHub Issue assigned to GrammaTonic when a newer runner
  version is detected (labeled 'version-update')
- Skips creation if an issue with the same title already exists
- Auto-closes issues when the version has been applied to Dockerfiles
- Add issues:write permission to workflow

Bump ARG RUNNER_VERSION from 2.331.0 to 2.332.0 in all three
Dockerfiles (standard, chrome, chrome-go) and update the version
reference in docs/VERSION_OVERVIEW.md.

Closes #1114
@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request promotes the latest integrated changes from the develop branch to main. It encompasses a wide range of updates including critical security fixes, performance enhancements for the CI/CD pipeline, various bug fixes related to workflows and Docker images, and general dependency updates for core tools and frameworks. The primary goal is to synchronize the main branch with the stable, tested features and improvements from develop.

Highlights

  • Chore: Updated GitHub Actions Runner to version 2.332.0.
  • Fix: Improved maintenance workflow reliability, cache cleanup, and issue automation.
  • Security Fix: Implemented critical and high priority workflow optimizations.
  • Performance: Optimized the CI/CD pipeline for speed and cost efficiency.
  • Style: Stripped trailing whitespace in ci-cd.yml.
  • Documentation: Updated wiki Home.md to v2.4.0 and fixed the populate-wiki.sh branch.
  • CI Fix: Replaced a broken Trivy wget installation with an apt repository install.
  • CI Fix: Removed broken manual Trivy wget install steps.
  • CI Fix: Pinned trivy-action and bypassed a broken setup-trivy configuration.
  • Docker Feature: Configured Playwright to utilize the system Chrome binary.
  • Docker Chore: Updated Chrome for Testing to version 146.0.7680.31.
  • Docker Fix: Patched nested node-gyp and tufjs/models sub-modules to address CVEs.
  • Feature: Updated Node.js, npm, Go, Playwright, Cypress, and npm security packages.


Changelog
  • .github/workflows/maintenance.yml
    • Major workflow reliability improvements
  • docker/Dockerfile
    • Runner version bump to 2.332.0
  • docker/Dockerfile.chrome
    • Runner version bump
  • docker/Dockerfile.chrome-go
    • Runner version bump
  • docs/VERSION_OVERVIEW.md
    • Version documentation update

Ignored Files
  • Ignored by pattern: .github/workflows/** (1)
    • .github/workflows/maintenance.yml


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request updates the GitHub Actions Runner version to "2.332.0" in the Dockerfiles and documentation. However, a security audit revealed that the RUNNER_VERSION build argument is used insecurely in shell commands across all modified Dockerfiles, lacking proper validation. This could lead to command injection vulnerabilities in the build pipeline. Additionally, the default runner version in the build scripts (scripts/build.sh and scripts/build-chrome.sh) is outdated and needs to be updated for consistency.
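The review comment above flags the RUNNER_VERSION build argument being interpolated into shell commands without validation. The POSIX shell script below is an added example, not code from this repository's Dockerfiles: it shows the guard a RUN step can apply so that only a plain x.y.z version ever reaches a command line, and fails the build on anything else. The release tarball URL form is an assumption based on the public actions/runner release layout, not something stated on this page; `fetch_runner` is a hypothetical helper showing where the guard sits.

```shell
#!/bin/sh
# Added example (not the repository's Dockerfile code): validate a build
# argument such as RUNNER_VERSION before it is interpolated into a shell
# command, so only a plain x.y.z version can reach the command line.
set -eu

# is_valid_version V: exit 0 only when V is exactly digits.digits.digits.
# The case guard rejects every byte outside [0-9.] first (newlines included),
# so the per-line grep cannot be satisfied by a multi-line value.
is_valid_version() {
  case "$1" in
    *[!0-9.]*) return 1 ;;
  esac
  printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'
}

# runner_download_url V: print the release tarball URL for version V, or fail
# without printing anything when V does not validate. URL form is an
# assumption based on the public actions/runner release layout.
runner_download_url() {
  v=$1
  if ! is_valid_version "$v"; then
    echo "refusing RUNNER_VERSION='$v': expected a plain x.y.z version" >&2
    return 1
  fi
  printf 'https://github.com/actions/runner/releases/download/v%s/actions-runner-linux-x64-%s.tar.gz\n' "$v" "$v"
}

# fetch_runner V DEST: hypothetical body of the guarded RUN step. The download
# only happens after validation; not exercised here because it needs network.
fetch_runner() {
  url=$(runner_download_url "$1") || return 1
  curl -fsSL --retry 3 -o "$2" "$url"
}
```

In a Dockerfile the wiring is `ARG RUNNER_VERSION` followed by a RUN step that defines these functions (or sources them from a copied script) and calls `fetch_runner "$RUNNER_VERSION" /tmp/runner.tar.gz`; a malformed argument then fails the image build instead of being executed. The same guard applies to the default version in scripts/build.sh and scripts/build-chrome.sh, which the review notes should also be kept in sync with the Dockerfiles.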

@GrammaTonic GrammaTonic merged commit 2c718fd into main Mar 1, 2026
41 checks passed