
chore: promote develop to main (Dec 2025)#1081

Merged

GrammaTonic merged 23 commits into main from develop
Dec 18, 2025

Conversation

@GrammaTonic (Owner)

📋 Promotion PR: develop → main

This PR promotes all integrated changes from develop to main for production release.

🔒 Security Fixes

✨ Features & Enhancements

🔧 Improvements

📦 Dependency Updates

  • Bump actions/upload-artifact from 4 → 6
  • Bump actions/checkout from 5 → 6
  • Bump aquasecurity/trivy-action from 0.28.0 → 0.33.1
  • Bump hadolint/hadolint-action from 3.1.0 → 3.3.0

📚 Documentation

  • Enhanced PR template with comprehensive squash merge workflow
  • Updated runner version documentation

✅ Merge Strategy

This PR will use SQUASH MERGE to maintain a clean, linear history on main.

⚠️ Post-Merge Action Required: After squash merging, a back-sync from main to develop must be performed to prevent "ahead" status.

CI/CD Status

All CI/CD checks must pass before merge. This includes:

  • Docker image builds (all variants)
  • Security scanning (Trivy)
  • Linting and validation
  • Runner self-tests

Commits: 24 commits from develop
Branch Protection: Enabled on both main and develop

GrammaTonic and others added 22 commits November 16, 2025 20:13
- Add detailed squash merge benefits (7 key advantages)
- Include recommended gh pr create commands with markdown file usage
- Add explicit merge instructions for CLI and Web UI
- Expand back-sync section with mandatory warnings and step-by-step guide
- Add alternative back-sync method using GitHub CLI
- Include verification commands and troubleshooting steps
- Apply updates to both AI instructions and actual PR template
- Ensure consistency between Copilot guidance and user-facing template

This update ensures all PRs display comprehensive squash merge and back-sync
instructions, preventing common issues like 'ahead' status and merge conflicts.
Phase 1 implementation complete with all code tasks validated. Testing to be completed in develop branch.
….28.0 to 0.33.1

Automatically merged Dependabot PR after CI validation.
Automatically merged Dependabot PR after CI validation.
Automatically merged Dependabot PR after CI validation.
- Update Go version from 1.25.4 to 1.25.5 in Dockerfile.chrome-go
- Fixes HIGH severity vulnerability in stdlib HostnameError.Error()
- Prevents excessive resource consumption from malicious certificates
- Resolves quadratic runtime issue in error string construction

Fixes: CVE-2025-61729
Related: https://github.com/GrammaTonic/github-runner/security/code-scanning/5682
Back-sync after PR #1073 (CVE-2025-61729 security fix) was merged to main.
This prevents develop from appearing ahead of main and ensures branches stay synchronized.
- Update NPM_VERSION from 11.6.2 to 11.6.4 in Chrome and Chrome-Go Dockerfiles
- Fixes HIGH severity vulnerability in glob (npm dependency)
- npm 11.6.4 depends on glob ^13.0.0 (vs vulnerable 11.0.3)
- Resolves command injection vulnerability in glob's -c/--cmd option
- Prevents arbitrary code execution via malicious filenames

Vulnerability Details:
- CVE ID: CVE-2025-64756
- Severity: HIGH
- Affected Package: glob 11.0.3 (npm internal dependency)
- Fixed Versions: glob 11.1.0, 10.5.0 (npm 11.6.4 uses glob 13.0.0)
- Issue: Command injection via shell metacharacters in filenames
- Link: https://avd.aquasec.com/nvd/cve-2025-64756

Fixes: https://github.com/GrammaTonic/github-runner/security/code-scanning/5665
- Change VALIDATE_ALL_CODEBASE from true to false (only validate changed files)
- Disable SAVE_SUPER_LINTER_OUTPUT to reduce artifact size
- Disable VALIDATE_MD to reduce processing overhead
- Expand FILTER_REGEX_EXCLUDE to skip docs and plan directories

This reduces the Super-Linter job size and prevents image size issues
while maintaining validation of critical files (Dockerfiles, bash, YAML, JSON).

Fixes: https://github.com/GrammaTonic/github-runner/actions/runs/19948737687/job/57204156543
- Replace super-linter/super-linter with individual focused actions
- Use hadolint/hadolint-action for Dockerfile linting
- Use ludeeus/action-shellcheck for shell script validation
- Use ibiqlik/action-yamllint for YAML validation
- Add .yamllint.yml configuration file

Benefits:
- Significantly smaller action images (no 8GB+ Super-Linter image)
- Faster execution with parallel specialized linters
- More granular control over linting rules
- Reduced CI/CD resource consumption
- Better caching and incremental builds

Fixes: https://github.com/GrammaTonic/github-runner/actions/runs/19948737687/job/57204156543
- Add 15-minute timeout for container scans (10m for filesystem)
- Filter to CRITICAL and HIGH severity only to reduce scan time
- Skip unnecessary directories (test-results, logs, .git)
- Prevents PROTOCOL_ERROR from layer extraction timeouts

This resolves the stream ID protocol errors when scanning large
Docker images (Chrome/Chrome-Go runners with browsers and dependencies).

Fixes: stream error: stream ID 17; PROTOCOL_ERROR; received from peer
- Remove cmd/metrics-exporter/main.go (experimental Prometheus metrics collector)
- Remove go.mod and go.sum (no longer needed without Go code)
- This feature was not production-ready and conflicted with documented netcat-based metrics approach
- Reduces codebase complexity and maintenance burden

Part of CI/CD optimization effort after CVE-2025-61729 and CVE-2025-64756 security fixes.
* feat: upgrade GitHub Actions runner to 2.330.0

- Update RUNNER_VERSION from 2.329.0 to 2.330.0 in all Dockerfiles
- Standard runner: docker/Dockerfile
- Chrome runner: docker/Dockerfile.chrome
- Chrome-Go runner: docker/Dockerfile.chrome-go

Runner 2.330.0 includes:
- Updated Node.js versions
- Custom image preflight checks
- Improved logic for IsHostedServer detection
- Docker v29.0.1 and Buildx v0.30.0 support
- Retry logic for DNS resolution failures
- Network-online dependency for runner service

Release notes: https://github.com/actions/runner/releases/tag/v2.330.0

* fix: update runtime stage RUNNER_VERSION to 2.330.0

Ensure consistency between builder and runtime stages in multi-stage Dockerfile.

---------

Co-authored-by: Syam Sampatsing <grammatonic@mbp-van-syam.home>
…1.0 to 3.3.0

Automatically merged Dependabot PR after CI validation.
Automatically merged Dependabot PR after CI validation.
* Initial plan

* fix: replace broken free-disk-space action with manual cleanup

Replace jlumbroso/free-disk-space-action@v1.3.1 with manual disk cleanup script.
The original action repository is no longer accessible (404/403 errors), causing
Dependabot failures. The manual approach achieves the same disk space cleanup
by removing dotnet, android, haskell toolchains and boost libraries.

This fixes the git_dependencies_not_reachable error for Dependabot and allows
the security advisory workflow to continue functioning properly.

Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com>
- Update VERSION_OVERVIEW.md to reflect runner version 2.330.0
- Update default RUNNER_VERSION in build.sh to 2.330.0
- Update default RUNNER_VERSION in build-chrome.sh to 2.330.0

Ensures consistency across Dockerfiles, documentation, and build scripts.
Addresses review comment from PR #1080.
- Remove all Go/Prometheus client library references
- Replace with lightweight bash + netcat HTTP server approach
- Update metrics-server.sh to use netcat for serving /metrics endpoint
- Update metrics-collector.sh to generate Prometheus text format
- Remove multi-stage Docker build requirements for Go
- Update implementation tasks and design decisions
- Simplify architecture to use only bash scripting
- Update risks & mitigations for netcat approach
- Remove CGO_ENABLED and go.mod/go.sum references

Benefits:
- No additional language runtime required
- Smaller Docker image size (no Go toolchain)
- Simpler build process
- Lower resource overhead
- Easier to maintain and debug

Addresses constraint CON-001: Must use bash scripting only
…nner

- Add glob 13.0.0 patching to standard Dockerfile
- Mitigate command injection vulnerability in node-gyp glob dependency
- Chrome and Chrome-Go runners already had this patching
- Uses same patching strategy as cross-spawn, tar, and brace-expansion

Fixes #5660
Closes: CVE-2025-64756
@gemini-code-assist (bot)

Summary of Changes

Hello @GrammaTonic, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request represents the December 2025 release, consolidating recent developments from the develop branch into main. Key updates include a crucial security fix for a glob command injection vulnerability affecting the standard runner, an upgrade of the GitHub Actions runner to its latest stable version, and a significant architectural change in the Prometheus metrics implementation, moving to a lightweight bash and netcat approach for improved efficiency.

Highlights

  • Release Promotion: This pull request promotes all integrated changes from the develop branch to main for the December 2025 production release.
  • Security Patch for glob Vulnerability: A critical glob command injection vulnerability (CVE-2025-64756) has been patched in the standard GitHub Actions runner by upgrading the glob dependency to version 13.0.0. Documentation for this fix has been added.
  • GitHub Actions Runner Upgrade: The GitHub Actions runner has been upgraded across all Dockerfile variants (standard, Chrome, Chrome-Go) to version 2.330.0.
  • Prometheus Metrics Implementation Refactor: The planned Prometheus metrics endpoint implementation has been revised. The approach has switched from a Go-based exporter to a more lightweight solution utilizing netcat for the HTTP server and bash scripting for metrics collection.


Ignored Files
  • Ignored by pattern: .github/workflows/** (8)
    • .github/workflows/auto-sync-docs.yml
    • .github/workflows/ci-cd.yml
    • .github/workflows/docs-validation.yml
    • .github/workflows/maintenance.yml
    • .github/workflows/monitoring.yml
    • .github/workflows/release.yml
    • .github/workflows/security-advisories.yml
    • .github/workflows/seed-trivy-sarif.yml


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request promotes a significant set of changes from develop to main, including security fixes, a major refactoring of the Prometheus metrics feature, and dependency updates. The switch from a Go-based metrics exporter to a lightweight bash and netcat solution is a notable improvement. The security patch for the glob vulnerability is also a critical addition. My review focuses on improving the documentation and example code associated with these new changes to ensure they are accurate and clear for users. I've provided a few suggestions to correct a verification command and fix bugs in example scripts within the documentation.

Comment on lines +92 to +93
docker run --rm github-runner:latest \
bash -c 'node -e "console.log(require(\"/actions-runner/externals/node24/lib/node_modules/npm/node_modules/glob/package.json\").version)"'


medium

The verification command provided is not sufficient to confirm the vulnerability is mitigated. It checks for the presence of the patched glob package at the top level of npm's node_modules, but it doesn't verify that this is the version node-gyp (the source of the vulnerability) will actually resolve and use. A more reliable verification would execute require from within the node-gyp directory to test Node.js's module resolution behavior directly.

Suggested change
docker run --rm github-runner:latest \
bash -c 'node -e "console.log(require(\"/actions-runner/externals/node24/lib/node_modules/npm/node_modules/glob/package.json\").version)"'
bash -c 'cd /actions-runner/externals/node24/lib/node_modules/npm/node_modules/node-gyp && node -e "console.log(require(\"glob/package.json\").version)"'

Comment on lines +206 to +209
while true; do
# Wait for connection
RESPONSE=$(echo -e "HTTP/1.1 200 OK\r\nContent-Type: text/plain; version=0.0.4\r\n\r\n$(cat \"$METRICS_FILE\" 2>/dev/null || echo '# No metrics available')" | nc -l -p "$PORT" -q 1)
done


medium

The example metrics-server.sh script contains a command that will not work as intended. The RESPONSE=$(...) command substitution captures the client's request into the RESPONSE variable, which is then unused. The intention is to send the HTTP response to the client, not capture input from them. To fix this, the command substitution should be removed, and the echo command should be piped directly to nc.

Suggested change
while true; do
# Wait for connection
RESPONSE=$(echo -e "HTTP/1.1 200 OK\r\nContent-Type: text/plain; version=0.0.4\r\n\r\n$(cat \"$METRICS_FILE\" 2>/dev/null || echo '# No metrics available')" | nc -l -p "$PORT" -q 1)
done
while true; do
# Wait for connection
echo -e "HTTP/1.1 200 OK\r\nContent-Type: text/plain; version=0.0.4\r\n\r\n$(cat \"$METRICS_FILE\" 2>/dev/null || echo '# No metrics available')" | nc -l -p "$PORT" -q 1
done

Comment on lines +232 to +233
JOBS_SUCCESS=$(grep -c "success" "$JOBS_LOG" 2>/dev/null || echo 0)
JOBS_FAILED=$(grep -c "failed" "$JOBS_LOG" 2>/dev/null || echo 0)


medium

The grep commands in the example script for counting jobs are not robust and could lead to incorrect metrics. For instance, grep -c "success" would incorrectly match a line containing the word "unsuccessful". To ensure accuracy, the patterns should be more specific by anchoring them to the expected CSV format, such as matching the full status field between delimiters.

Suggested change
JOBS_SUCCESS=$(grep -c "success" "$JOBS_LOG" 2>/dev/null || echo 0)
JOBS_FAILED=$(grep -c "failed" "$JOBS_LOG" 2>/dev/null || echo 0)
JOBS_SUCCESS=$(grep -c ",success," "$JOBS_LOG" 2>/dev/null || echo 0)
JOBS_FAILED=$(grep -c ",failed," "$JOBS_LOG" 2>/dev/null || echo 0)
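The two defects the review raises in the documented metrics scripts, the HTTP response swallowed by `RESPONSE=$(...)` and the substring match that counts "unsuccessful" as a success, are shown together below. This is an added example, not code from the github-runner repository or from the reviewer. It assumes a CSV jobs log with the layout `timestamp,job_id,status,duration_seconds` (an assumption about the log the documentation refers to; the sample lines are constructed), computes the counters with the delimiter-anchored pattern from the suggestion and with an exact field comparison, renders them in Prometheus text format, and pipes the response into `nc` instead of capturing it.

```shell
#!/usr/bin/env sh
# Added example, not code from the github-runner repository or from the
# reviewer. Assumed log layout (an assumption, not documented on the PR):
#   timestamp,job_id,status,duration_seconds

# Constructed sample log. Line 3 carries the "unsuccessful" case the review
# points out; lines 4 and 6 put a status word in the job_id field instead.
SAMPLE_JOBS_LOG="${SAMPLE_JOBS_LOG:-$(mktemp)}"
cat > "$SAMPLE_JOBS_LOG" <<'EOF'
2025-12-18T10:00:00Z,job-101,success,42
2025-12-18T10:05:00Z,job-102,failed,13
2025-12-18T10:07:00Z,job-103,unsuccessful,0
2025-12-18T10:09:00Z,success-deploy,failed,7
2025-12-18T10:12:00Z,job-105,success,88
2025-12-18T10:15:00Z,failed,success,5
EOF

# The pattern as it appears in the documented script: a bare substring
# match. Besides over-counting, "grep -c" already prints 0 when nothing
# matches (and exits 1), so the "|| echo 0" fallback emits a second 0.
naive_count() {
    grep -c "$1" "$2" 2>/dev/null || echo 0
}

# The reviewer's fix: anchor the status on the CSV delimiters. Only a
# missing or unreadable log needs an explicit 0; grep -c covers "no match".
delimited_count() {
    [ -r "$2" ] || { echo 0; return 0; }
    grep -c ",$1," "$2" || true
}

# Stricter: compare the status field itself, so a job_id that happens to
# equal a status word (line 6) cannot be counted as that status.
field_count() {
    [ -r "$2" ] || { echo 0; return 0; }
    awk -F, -v want="$1" '$3 == want { n++ } END { print n + 0 }' "$2"
}

# Prometheus text exposition format for the two counters.
render_metrics() {
    printf '# TYPE github_runner_jobs_total counter\n'
    printf 'github_runner_jobs_total{status="success"} %s\n' "$(field_count success "$1")"
    printf 'github_runner_jobs_total{status="failed"} %s\n' "$(field_count failed "$1")"
}

# Full HTTP response. printf replaces "echo -e" (not POSIX), and the log
# path is passed plainly rather than wrapped in the backslash-escaped
# quotes of the documented one-liner, which cat receives as literal characters.
build_http_response() {
    body="$(render_metrics "$1")"
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/plain; version=0.0.4\r\nConnection: close\r\n\r\n%s\n' "$body"
}

# Serve one scrape. The response is piped into nc; wrapping this in
# RESPONSE=$(...) would capture the client's request instead and leave the
# client with an empty reply. The nc flags follow the PR's invocation and
# vary between netcat implementations; this function is not run by the test.
serve_once() {
    build_http_response "$2" | nc -l -p "$1" -q 1
}

# Loop as the documented server does, e.g.: serve_forever 9090 jobs.log
serve_forever() {
    while true; do
        serve_once "$1" "$2"
    done
}
```

On the constructed sample, `naive_count success` reports 5 and `naive_count failed` 3; the delimiter-anchored pattern brings success down to 3 but still credits line 6 as a failure because its job_id is the word "failed"; comparing the status field gives 3 successes and 2 failures.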

@GrammaTonic GrammaTonic merged commit 481d9cd into main Dec 18, 2025
41 checks passed