Releases: GrammaTonic/github-runner

v2.6.0

02 Mar 02:58
a6d40f5

What's New in v2.6.0

Prometheus Monitoring (Phases 2–6)

  • Phase 2: Fix Chrome/Chrome-Go metrics gaps — all 3 runner variants expose identical Prometheus metric families (#1135)
  • Phase 3: DORA metrics and job lifecycle tracking — job-started.sh, job-completed.sh hooks, job duration histograms, queue-time gauges (#1136)
  • Phase 4: 4 standalone Grafana dashboards — Runner Overview, Job Performance, Cache Efficiency, DORA Metrics (#1137)
  • Phase 5: Prometheus monitoring user documentation and wiki pages (#1139)
  • Phase 6: Comprehensive test suite — 6 integration test scripts (149 assertions) covering endpoint format, performance, persistence, scaling, security, and docs validation. CI/CD pipeline integration and shellcheck compliance (#1140)

Security

  • Improve security-advisories.yml workflow logic and coverage (#1134)

Full Changelog: v2.5.0...v2.6.0

v2.5.0

01 Mar 21:19
c97cd8a

What's Changed

  • chore(base-image): migrate questing to resolute across dockerfiles and docs by @GrammaTonic in #1093
  • chore: update GitHub Actions runner to 2.331.0 by @GrammaTonic in #1095
  • fix: resolve develop branch code-scanning findings by @GrammaTonic in #1096
  • chore: sync develop with main (CODE_SCANNING_FIXES.md relocation) by @Copilot in #1099
  • feat: update Node.js, npm, Go, Playwright, Cypress, and npm security packages to latest by @GrammaTonic in #1100
  • fix(docker): patch nested node-gyp and @tufjs/models sub-modules to fix CVEs by @GrammaTonic in #1101
  • fix(ci): remove broken manual trivy wget install steps by @GrammaTonic in #1104
  • fix(ci): remove broken manual trivy wget install steps by @GrammaTonic in #1106
  • fix(ci): replace broken trivy wget with apt repository install by @GrammaTonic in #1108
  • perf: optimize CI/CD pipeline for speed and cost by @GrammaTonic in #1111
  • fix(security): critical and high priority workflow optimizations by @GrammaTonic in #1112
  • chore: promote develop to main by @GrammaTonic in #1113
  • fix: improve maintenance workflow reliability, cache cleanup, and issue automation by @GrammaTonic in #1115
  • chore: update GitHub Actions Runner to 2.332.0 by @GrammaTonic in #1116
  • chore: promote develop to main by @GrammaTonic in #1117
  • fix: replace push trigger with workflow_run in seed-trivy-sarif by @GrammaTonic in #1118
  • docs: switch to dual merge strategy by @GrammaTonic in #1119
  • chore(release): bump version to 2.5.0 by @GrammaTonic in #1120
  • chore: promote develop to main - Release v2.5.0 by @GrammaTonic in #1121
  • fix(ci): grant contents:write to release build jobs for SBOM upload by @GrammaTonic in #1122
  • chore: promote develop to main - release pipeline fix by @GrammaTonic in #1123
  • fix(ci): add checkout step before local install-trivy action in release workflow by @GrammaTonic in #1124
  • chore: promote develop to main - release pipeline security scan fix by @GrammaTonic in #1125

Full Changelog: v2.4.0...v2.5.0

Release v2.4.0

01 Mar 16:40
a6e52e6

Changes in v2.4.0

  • chore(release): bump version to 2.4.0 (#1110) (a6e52e6)
  • chore: promote develop to main (#1109) (d568f70)
  • chore: promote develop to main (#1105) (43293c0)
  • fix(ci): pin trivy-action to 0.34.1 across all workflows (#1103) (a3aa5d7)
  • chore: promote develop to main (#1102) (6c259c5)
  • fix: move CODE_SCANNING_FIXES.md to docs/ to resolve documentation structure CI failure (#1098) (fa152e1)
  • fix(security): address gemini review findings (#1092) (7b2bc58)
  • chore(deps): chore(deps)(deps): bump aquasecurity/trivy-action from 0.34.0 to 0.34.1 (f2df91f)
  • chore(deps): chore(deps)(deps): bump aquasecurity/trivy-action from 0.33.1 to 0.34.0 (08e0ece)
  • fix(security): resolve code scanning alerts SC2068 and SC2086 (#1086) (3c87fd7)
  • fix(security): upgrade tar from 7.5.2 to 7.5.4 (CVE-2026-23950) (#1085) (7355f96)
  • test: add Phase 1 metrics validation suite and documentation (#1084) (624476a)
  • feat(prometheus): Phase 2 - Chrome & Chrome-Go metrics endpoints (#1083) (03a72c9)
  • Develop (#1082) (4300c03)
  • chore: remove unused monitoring workflow (176a816)
  • chore: remove unused monitoring workflow (145cbfd)
  • chore: promote develop to main (Dec 2025) (#1081) (481d9cd)
  • fix(security): patch CVE-2025-64756 glob vulnerability in standard runner (794cf1a)
  • refactor: replace Go Prometheus implementation with netcat method (d4dee72)
  • Develop (#1080) (20817bc)
  • chore: update runner version to 2.330.0 in docs and build scripts (3e92e8e)
  • fix: replace broken free-disk-space action with manual cleanup (#1079) (f0dcc4d)
  • chore(deps): chore(deps)(deps): bump actions/upload-artifact from 5 to 6 (00f387c)
  • fix: resolve disk space exhaustion in security scan workflow (#1077) (604dce1)
  • chore(deps): chore(deps)(deps): bump hadolint/hadolint-action from 3.1.0 to 3.3.0 (cb28e27)
  • feat: upgrade GitHub Actions runner to 2.330.0 (#1075) (74c640f)
  • fix(security): patch runner's bundled npm glob to fix CVE-2025-64756 (d5b9a59)
  • fix(security): security fixes and CI optimization (#1074) (dd9a14c)
  • refactor: remove experimental Go metrics exporter (ced4ecb)
  • fix(ci): add Trivy scan resilience settings for large images (a6c2954)
  • fix(ci): replace Super-Linter with lightweight GitHub Actions (d65be88)
  • fix(ci): optimize Super-Linter to reduce image size overhead (a540fd9)
  • fix(security): upgrade npm to 11.6.4 to fix CVE-2025-64756 (3fb387a)
  • fix(security): upgrade Go to 1.25.5 to fix CVE-2025-61729 (#1073) (e5e1309)
  • fix(security): upgrade Go to 1.25.5 to fix CVE-2025-61729 (7aec39f)
  • fix: sanitize GitHub Actions output in maintenance workflow (#1070) (04a07d7)
  • chore(deps): chore(deps)(deps): bump actions/checkout from 5 to 6 (6580102)
  • chore(deps): chore(deps)(deps): bump actions/upload-artifact from 4 to 5 (492ce7b)
  • chore(deps): chore(deps)(deps): bump aquasecurity/trivy-action from 0.28.0 to 0.33.1 (b7161fd)
  • feat(prometheus): Phase 1 - Standard Runner Metrics Endpoint (#1066) (bad8357)
  • docs: enhance PR template with comprehensive squash merge workflow (#1051) (81b6804)
  • docs: enhance PR template with comprehensive squash merge workflow (450a471)
  • docs(workflow): add comprehensive documentation to Trivy SARIF workflow (25c006d)
  • docs(pr): document squash merge as standard strategy with detailed back-sync guidance (8be8ac9)
  • fix(ci): use heredoc to safely handle commit messages with special chars (ca6af92)
  • fix(ci): prevent bash substitution errors in commit message handling (c60e7b1)
  • fix(ci): correct Dockerfile path for standard variant in Trivy SARIF workflow (e322e52)
  • fix(ci): resolve multi-platform build error in Trivy SARIF workflow (eccd306)
  • fix(ci): resolve multi-platform build error in Trivy SARIF workflow (d018eea)
  • chore: promote develop to main - security hardening (#1047) (9a59114)
  • security: harden entrypoint scripts - prevent token exposure and add input validation (#1046) (90f335b)
  • chore: merge workflow optimizations to main (68dc3a6)
  • docs: add quick-reference implementation guide for security-advisories workflow (2bcca8b)
  • docs: add security-advisories workflow refactoring specification (11dd190)
  • feat(security): optimize Trivy SARIF baseline seeding workflow (e17f9aa)
  • feat(multi-arch): Add comprehensive multi-architecture container support (AMD64 + ARM64) (511f5f2)
  • fix(workflow): escape newlines in printf statements for cache configuration (f9b509a)
  • fix(workflow): remove quotes from RUNNER_VERSION extraction (5dc3435)
  • refactor(scripts): improve error handling in test-dependabot.sh (83457be)
  • docs(readme): update with current project state (03951db)
  • docs(copilot): update instructions with current project state (bd8f406)
  • docs(pr): remove [skip ci] from back-sync instructions (a7e2d2d)
  • fix(ci): add status files to all test suites to prevent artifact upload warnings (1cbd168)
  • chore(deps): chore(deps)(deps): bump github/super-linter from 6 to 7 (672cc22)
  • fix(ci): auto-merge workflow should check PR author, not just actor (908a811)
  • chore(deps): chore(deps)(deps): bump actions/upload-artifact from 4 to 5 (6a2ccee)
  • chore(deps)(deps): bump super-linter/super-linter from 8.1.0 to 8.2.1 (#1038) (70fdc6d)
  • chore(deps)(deps): bump actions/checkout from 4 to 5 (#1039) (b439a96)
  • feat(deps): add auto-rebase for out-of-date Dependabot PRs (d3475ca)
  • feat(ci): add auto-merge workflow for Dependabot PRs (a4a551e)
  • fix(ci): skip runner provisioning for Dependabot PRs (e2bba19)
  • fix(deps): remove npm ecosystem from Dependabot config (66d5008)
  • style(scripts): fix shell formatting in test-dependabot.sh (2f2c58d)
  • test(dependabot): add comprehensive configuration test script (6e0dec9)
  • chore(deps): enhance dependabot configuration (3291e9e)
  • docs(performance): document rejected parallel npm optimization (fedd791)
  • docs(performance): add comprehensive performance measurement results (83a6d35)
  • fix(docker): remove duplicate FROM statement in Dockerfile.chrome-go (4f8af24)
  • fix(ci): enable cross-branch cache sharing for Docker builds (b034696)
  • perf: Implement critical Docker build optimizations (#1036) (c312e8c)
  • fix(dependabot): remove unnecessary gomod package ecosystem (6d70980)
  • fix(workflows): update artifact retention days to 30 (5a102cc)
  • chore(deps): update CodeQL Action from v3 to v4 (60865a4)
  • docs(pr): add [skip ci] to back-sync instructions (31421af)
  • chore(release): bump version to 2.2.1 (f27175b)
  • docs(pr): add post-merge back-sync instructions (3ae4ac6)
  • docs(pr): add pre-submission checklist to PR template (acf32a5)
  • fix(release): publish runner variants to separate packages (#1032) (d8bd1d8)
  • Release (#1030) (e090ada)
  • Revert "chore(release): promote develop to main (#1023)" (#1025) (0057019)
  • chore(release): promote develop to main (#1023) (6e127db)
  • chore(chrome): bump runner chrome to 142.0.7444.162 (#1028) (cdc3b9d)
  • fix(docker): ensure npm bundles patched tar (#1027) (2dc18c8)
  • Revert "chore(release): promote develop to main (#1021)" (#1026) (f36a9c1)
  • Update docker/Dockerfile (0e735ba)
  • Update docker/Dockerfile.chrome (4c85ab9)
  • Update docker/Dockerfile.chrome-go (29770f7)
  • chore(release): promote develop to main (#1021) (#1024) (73a18d2)
  • fix: patch npm brace-expansion dependencies (#1022) (e8999d1)
  • fix: patch tar vulnerability (#1020) (7da819a)
  • fix(docker): reinstall cross-spawn 7.0.6 (#1019) (3c7a1f6)
  • chore: sync runner dependencies (35e3016)
  • chore: bump Node.js and npm for Chrome runner (#1017) (0b0dc01)
  • build: upgrade actions runner to v2.329.0 (#1015) (11d52e4)
  • fix(docker): update questing dependencies (8a0b1c5)
  • chore(deps)(deps): bump actions/upload-artifact from 4 to 5 (#1013) (2ff43b4)
  • chore(deps)(deps): bump github/codeql-action from 3 to 4 (#1011) (c2c0658)
  • chore(deps)(deps): bump super-linter/super-linter from 8.1.0 to 8.2.0 (#1010) (c68a69d)
  • test(local): make local docker tests skip-mode aware; chrome compose wiring (#1012) (a0c85b5)
  • fix(docker): ensure unzip available before Chrome installation (ad86777)
  • chore(deps)(deps): bump github/super-linter from 6 to 7 (#1007) (3496b6e)
  • chore(deps)(deps): bump actions/checkout from 4 to 5 (#1008) (920f954)
  • feat: Add Chrome-Go Runner Support (#1004) (e6530a3)
  • fix: update DEFAULT_BRANCH logic to handle pull request events correctly (22a5ade)
  • ci(workflow): remove dangling needs reference to test-container-startup from cleanup job (d01de4f)
  • ci(workflow): remove test-container-startup job (containers provisioned by provision jobs) (d723b30)
  • Quote data URLs in CI workflow Chrome headless tests to avoid shell redirection syntax errors,--allow-empty:false (bedc772)
  • fix: remove unnecessary dependencies on lint-and-validate job (e17d87e)
  • Fix Chrome headless test segmentation fault and shell script linting errors (a07422a)
  • fix: make Chrome headless test more robust (a5f6d8c)
  • fix: resolve shellcheck SC2329 and shfmt formatting issues (1aefa69)
  • fix: update Super Linter action path to use slim directory (67351b4)
  • Fix shell script formatting with shfmt (d3548d6)
  • Fix shellcheck SC2329 warnings for cleanup functions (73f6b01)
  • Fix shellcheck SC2329 warnings for unused functions (bda2128)
  • fix: remove Super Linter SARIF upload and failure steps from CI/CD workflow (6845275)
  • Fix YAML syntax error in CI/CD workflow (192c440)
  • fix: remove DISABLE_ERRORS option from linting configuration (6b2676e)
  • fix: resolve all Super Linter errors and warnings (c6d3ed5)
  • feat: enhance GitHub Super Linter step with SARIF reporting and error handling (3cc6997)
  • feat: add DEFAULT_BRANCH environment variable to GitHub Super Linter step (0144074)
  • chore: update GitHub Super Linter to version 8.1.0 (a19276e)
  • feat: replace individual linters with GitHub Super Linter (0740bf7)

Release v2.3.1

16 Nov 16:44

Changes in v2.3.1

  • feat(ci): align release workflow cache with ci-cd pipeline (d3e9d32)

Release v2.3.0

16 Nov 16:30
066b085

Changes in v2.3.0

  • release: Promote develop to main (Multi-arch support + fixes) (066b085)
  • fix(release): Add multi-architecture support to release pipeline (8d0e11c)
  • Release: Dependabot automation, CI/CD improvements, and dependency updates (#1042) (b8c54e3)
  • chore(deps): bump Node.js to 24.11.1 and npm to 11.6.2 in Chrome runners (#1037) (bb5453d)

Release v2.2.1

15 Nov 12:23
683016b

Changes in v2.2.1

  • chore(release): Release v2.2.1 (#1035) (683016b)
  • chore(release): Merge container tagging fix and PR workflow improvements (#1034) (cc56459)

Release v2.2.0

14 Nov 16:29
5ffbaee

Changes in v2.2.0

  • chore(release): Promote develop to main for v2.2.0 (#1031) (5ffbaee)
  • chore(release): promote develop to main (v2.0.9) (#1029) (70af46b)
  • Revert "chore(release): promote develop to main (#1023)" (#1025) (291f7ab)
  • chore(release): promote develop to main (#1023) (efa6757)
  • chore(release): promote develop to main (#1021) (534e98a)
  • release: promote develop to main (#1018) (e3fb4ac)
  • release: promote develop to main (#1016) (0568fcc)
  • Release v2.2.0: Super Linter, Chrome-Go Runner, Enhanced Testing (#1014) (4598c4b)
  • promote dev to main (#1006) (b2d452d)
  • Update coffee donation link to lowercase username (36296e1)
  • Develop (#999) (c9c4917)
  • chore(deps)(deps): bump actions/github-script from 6 to 8 (#997) (d32bcac)
  • chore(deps)(deps): bump actions/checkout from 3 to 5 (#996) (6b8170a)
  • Release: Promote integrated changes from develop to main (#998) (724c7bb)
  • Removes duplicate commit-message block in config (61d69d3)
  • docs: update FUNDING.yml and clean up dependabot.yml configuration (a46ae3f)
  • chore(deps)(deps): bump docker/build-push-action from 5 to 6 (#995) (af23ec6)
  • Comprehensive Integration: All Changes from Develop into Main (#994) (04d82e0)
  • docs: correct base OS version in VERSION_OVERVIEW.md test (c80120b)
  • ci(docs): create PR via shell/curl to avoid node module dependency in github-script (720cf45)
  • docs: automated documentation and wiki sync (#993) (b673014)
  • ci(docs): avoid duplicate core/exec declarations in github-script block (0d994e9)
  • ci(docs): fix github-script naming collision and ensure core available (20d5de1)
  • ci(docs): run auto-sync only on develop pushes and workflow_dispatch (185e4f0)
  • ci(docs): update auto-sync to update existing auto-sync PR branch or create new PR when needed (d4968bf)
  • ci(docs): create PR for docs/wiki changes when diffs detected (auto-sync) (4bc06db)
  • ci(docs): allow workflow to create issues for docs/wiki patches (issues: write) (f11c00c)
  • fix: update auto-sync workflow to create an issue with documentation and wiki patch instead of a pull request (c5962b9)
  • ci(docs): make auto-sync create PR only when docs/wiki changed and avoid bot direct push (fe1f24d)
  • docs: update documentation to reflect changes in base image and deployment instructions (7d02309)
  • ci: update auto-sync-docs workflow to use actions/upload-artifact@v4 (#991) (c18191a)

Release v2.1.0

12 Sep 03:35

Changes in v2.1.0

  • fix: update cache-from references in Docker build steps to use registry format (4ef575c)
  • fix: remove tag trigger from CI/CD workflow to streamline push events (f4bb453)
  • fix: remove workflow_run trigger from release management workflow (b6ac2e3)
  • fix: update release and CI/CD workflows to streamline Docker image caching and tagging (a891e83)
  • fix: refactor release workflow to separate standard and chrome artifact builds (5ec6b11)
  • fix: enhance SBOM generation and upload steps for standard and Chrome images (13081a3)
  • fix: update Chrome image tagging in release workflow to include version suffix (65cf843)
  • fix: update release workflow to restrict Docker build platforms to linux/amd64 (2fd277e)
  • fix: add build and push steps for runner and chrome images in release workflow (4296f67)
  • chore: add manual workflow dispatch inputs for release workflow (c78a0bb)
  • fix: release workflow covers all runner images, output references, and artifact retention (42fdac0)
  • docs: update base OS and component versions for standard and Chrome runners (Questing 25.10) (0dcac9e)
  • fix: optimize APT setup by adding autoremove and clean commands to reduce image size (b85ab3c)
  • fix: optimize APT setup by removing cached lists to reduce image size (a30d796)
  • fix: restrict maintenance-summary.md output to test-results only (no root output) (fa8986a)
  • docs: comprehensive update for questing base image, CVE mitigation, Trivy scan workflow, and audit strategy (7e6f3f3)
  • docs: document questing base image, CVE mitigation, Trivy scan workflow, and audit strategy (131bdeb)
  • maintenance summary: add set +e and exit 0 for robust job success (no-cicd) (4de14ea)
  • fix: robust maintenance summary step (echo-based output) (2803179)
  • no-cicd (41173c5)
  • Add debug output and test file write to diagnose maintenance summary step failure (96ec2b7)
  • Output maintenance summary to docs/maintenance/maintenance-summary.md (a5fb1ef)
  • Fix maintenance summary step: set shell to bash for array/arithmetic syntax (66dba5c)
  • Suppress root user warning: validate final USER in Dockerfiles is non-root in maintenance workflow (29bf1b6)
  • Accept root user warning in maintenance workflow; all jobs and security posture validated (ad97835)
  • Clarify final image runs as unprivileged runner user in Dockerfiles; suppress root user warning for CI/CD (44c917e)
  • Fix final broken Chrome-Runner link in Home.md for green pipeline (bab512a)
  • Remove all [missing doc] links and fix internal links for CI/CD compliance (04f4e91)
  • Fix broken internal links in wiki-content markdown files; add .md extension and mark missing docs (75014b4)
  • Fix broken internal links in Common-Issues.md; add .md extension and mark missing docs (a47acd2)
  • Remove broken links and update references in Docker-Configuration.md (7c23f7b)
  • Remove corrupted README file to resolve maintenance workflow errors (de46418)
  • Fix broken documentation links and clarify Dockerfile root usage; ensure final USER is runner (e3e1d9d)
  • Develop Branch Updates (#986) (202804e)
  • fix: resolve shellcheck warnings in test script - quote /Users/grammatonic/Git/Private/github-runner and define TIMESTAMP early (7732f15)
  • feat: add sha.js@2.4.12 to global npm packages in Dockerfile.chrome (39d0a9a)
  • test: add Trivy security scan to Chrome runner local test script (b79830b)
  • Develop (#985) (ecf7749)
  • docs: extensive update to VERSION_OVERVIEW.md for Ubuntu 24.04, v2.0.2, Node.js 24.7.0, and architecture enforcement (84be599)
  • docs: update Chrome Runner documentation for Ubuntu 24.04 and Node.js 24.7.0, including architecture enforcement and version updates (ecff460)
  • docs: update VERSION_OVERVIEW.md for Ubuntu 24.04, v2.0.2, Node.js 24.7.0, and architecture enforcement (b5489f2)
  • Update Chrome Runner: Ubuntu 24.04, Node.js 24.7.0, dependency fixes (#984) (7a998a9)
  • docs: update README.md and add release notes for v2.0.2 (de6f040)
  • docs: add release notes for version 2.0.2 (b7462ad)

v2.0.2 Fixed Chrome runner

10 Sep 03:01

Release Notes v2.0.2

Release Date: September 10, 2025

Highlights

  • All changes from develop branch merged into main.
  • Documentation structure validated (see scripts/check-docs-structure.sh).
  • Branch protection and CI/CD pipeline enforced for release integrity.
  • Tag v2.0.2 created and pushed to remote.

Upgrade Notes

  • Follow standard deployment steps in DEPLOYMENT.md.
  • No breaking changes; safe for production rollout.

Changelog

  • See CHANGELOG.md for detailed commit history and changes included in this release.

This release follows DevOps best practices for automation, measurement, and reliability. For questions or rollback instructions, refer to SECURITY_ADVISORY_WORKFLOW.md and RUNNER_SELF_TEST.md.

GitHub Runner v2.0.0 - Major Security & Automation Release

05 Sep 20:32
2edd562

🔒 Security Improvements

  • CVE-2020-36632: Fixed critical prototype pollution vulnerability in flat@5.0.2
  • CVE-2025-9288: Resolved path traversal issue in ws@8.17.1
  • CVE-2024-37890: Applied security patch for ws package
  • sha.js@2.4.12: Updated to address potential security concerns

🤖 Automation & Workflow Enhancements

  • Enhanced Maintenance Workflow: Added comprehensive automation with 6 jobs
  • Automated Version Tracking: Dynamic version detection and documentation updates
  • Security Monitoring: Integrated Trivy vulnerability scanning
  • Health Checks: Automated infrastructure monitoring
  • Cleanup Automation: Scheduled artifact and cache management

📚 Documentation & Organization

  • VERSION_OVERVIEW.md: New comprehensive version tracking system
  • Enhanced README: Added version tables and security status indicators
  • Wiki Synchronization: Updated all wiki content with latest versions
  • Improved Structure: Better organized documentation hierarchy

🛠️ Infrastructure Updates

  • Docker Images: Updated base images with security patches
  • Chrome Runner: Enhanced browser testing capabilities
  • Monitoring: Added Prometheus and Grafana configurations
  • Cache Management: Improved build and dependency caching

⚠️ Breaking Changes

  • Updated minimum security standards
  • Enhanced branch protection requirements
  • Modified default runner configurations

🔄 Migration Guide

See docs/VERSION_OVERVIEW.md for detailed upgrade instructions and compatibility information.

🙏 Acknowledgments

Special thanks to the security community for vulnerability reports and the development team for comprehensive testing.