chore: promote develop to main (Dec 2025)

.github/copilot-tracking/prometheus-implementation-progress.md

@@ -16,9 +16,8 @@
 - [x] 2-phase implementation plan defined
 - [x] Metrics strategy documented
 - [x] Dashboard panel specifications designed
-- [x] Go module created with Prometheus dependencies
-- [x] Metrics exporter implementation completed
-- [x] Metrics tested and validated
+- [x] Implementation approach switched to netcat method
+- [x] Removed Go dependencies and implementation
 
 ### 🚧 In Progress (0%)
 - [ ] Docker integration
@@ -40,19 +39,19 @@
 **Tasks:**
 - [x] Create feature branch
 - [x] Create feature specification document
-- [x] Create Go metrics exporter using Prometheus client library
-- [x] Implement Prometheus metrics (gauges, counters, histograms)
-- [ ] Add metrics exporter binary to Docker images
-- [ ] Update `docker/entrypoint.sh` to start metrics exporter
-- [ ] Update `docker/entrypoint-chrome.sh` to start metrics exporter
+- [ ] Create bash metrics server script using netcat
+- [ ] Create bash metrics collector script
+- [ ] Initialize job log file in entrypoint scripts
+- [ ] Update `docker/entrypoint.sh` to start metrics server and collector
+- [ ] Update `docker/entrypoint-chrome.sh` to start metrics server and collector
 - [ ] Expose port 9091 in Dockerfiles
 - [ ] Update Docker Compose files to map port 9091
 - [ ] Test metrics endpoint on all runner types
 
 **Next Steps:**
-1. Create multi-stage Dockerfile for building Go binary
-2. Update entrypoint.sh to start metrics exporter
-3. Update entrypoint-chrome.sh to start metrics exporter
+1. Create /tmp/metrics-server.sh using netcat for HTTP server
+2. Create /tmp/metrics-collector.sh to generate Prometheus metrics
+3. Update entrypoint scripts to launch background processes
 
 ---
 
@@ -92,17 +91,13 @@
 ## 📂 Files to Create/Modify
 
 ### Phase 1: Metrics Endpoint
-- [x] Create `go.mod` (Go module with Prometheus dependencies)
-- [x] Create `go.sum` (dependency checksums)
-- [x] Create `cmd/metrics-exporter/main.go` (main metrics exporter)
-- [x] Update `.gitignore` (add bin/, keep go.sum)
-- [ ] Create `internal/metrics/collector.go` (optional: metrics collection logic)
-- [ ] Create `internal/metrics/registry.go` (optional: Prometheus registry)
-- [ ] Update `docker/entrypoint.sh` (start metrics exporter)
-- [ ] Update `docker/entrypoint-chrome.sh` (start metrics exporter)
-- [ ] Update `docker/Dockerfile` (multi-stage build for Go binary, add `EXPOSE 9091`)
-- [ ] Update `docker/Dockerfile.chrome` (multi-stage build, add `EXPOSE 9091`)
-- [ ] Update `docker/Dockerfile.chrome-go` (multi-stage build, add `EXPOSE 9091`)
+- [ ] Create `docker/metrics-server.sh` (netcat-based HTTP server for port 9091)
+- [ ] Create `docker/metrics-collector.sh` (bash script to generate Prometheus metrics)
+- [ ] Update `docker/entrypoint.sh` (start metrics server and collector)
+- [ ] Update `docker/entrypoint-chrome.sh` (start metrics server and collector)
+- [ ] Update `docker/Dockerfile` (add `EXPOSE 9091`)
+- [ ] Update `docker/Dockerfile.chrome` (add `EXPOSE 9091`)
+- [ ] Update `docker/Dockerfile.chrome-go` (add `EXPOSE 9091`)
 - [ ] Update `docker/docker-compose.production.yml` (add port mapping)
 - [ ] Update `docker/docker-compose.chrome.yml` (add port mapping)
 - [ ] Update `docker/docker-compose.chrome-go.yml` (add port mapping)
@@ -205,13 +200,13 @@ curl http://localhost:9091/metrics
 
 ## 📝 Design Decisions
 
-- **Go Prometheus Client**: Using official `github.com/prometheus/client_golang` library
-- **Real-time Updates**: Metrics updated on events, not polling intervals
+- **Netcat HTTP Server**: Using netcat (nc) for lightweight HTTP server on port 9091
+- **Bash Metrics Collector**: Pure bash script to generate Prometheus text format
+- **Periodic Updates**: Metrics updated every 30 seconds via background process
 - **Port 9091**: Standard Prometheus exporter port, avoids conflicts
 - **Prometheus Text Format**: Standard exposition format with proper metric types
 - **Dashboard JSON**: Users import into their own Grafana instance
-- **Multi-stage Build**: Separate Go build stage for smaller final images
-- **Static Binary**: CGO_ENABLED=0 for portability and smaller size
+- **Job Log Tracking**: Parse /tmp/jobs.log for job metrics
 - **Health Endpoint**: `/health` endpoint for container health checks
 
 ---

docker/Dockerfile

@@ -13,6 +13,7 @@ ARG RUNNER_VERSION="2.330.0"
 ARG CROSS_SPAWN_VERSION="7.0.6"
 ARG TAR_VERSION="7.5.2"
 ARG BRACE_EXPANSION_VERSION="2.0.2"
+ARG GLOB_VERSION="13.0.0"
 
 # --- ENVIRONMENT VARIABLES ---
 ENV DEBIAN_FRONTEND=noninteractive
@@ -66,9 +67,9 @@ RUN --mount=type=cache,target=/tmp/npm-cache,uid=1001,gid=1001 \
         if [ -x "${NODE_ROOT}bin/node" ] && [ -d "${NODE_ROOT}lib/node_modules/npm" ]; then \
             NPM_DIR="${NODE_ROOT}lib/node_modules/npm"; \
             PATCH_DIR="$(mktemp -d)"; \
-            printf '{\n  "name": "runner-patch",\n  "private": true,\n  "version": "1.0.0",\n  "dependencies": {\n    "cross-spawn": "%s",\n    "tar": "%s",\n    "brace-expansion": "%s"\n  }\n}\n' "${CROSS_SPAWN_VERSION}" "${TAR_VERSION}" "${BRACE_EXPANSION_VERSION}" > "${PATCH_DIR}/package.json"; \
+            printf '{\n  "name": "runner-patch",\n  "private": true,\n  "version": "1.0.0",\n  "dependencies": {\n    "cross-spawn": "%s",\n    "tar": "%s",\n    "brace-expansion": "%s",\n    "glob": "%s"\n  }\n}\n' "${CROSS_SPAWN_VERSION}" "${TAR_VERSION}" "${BRACE_EXPANSION_VERSION}" "${GLOB_VERSION}" > "${PATCH_DIR}/package.json"; \
             "${NODE_ROOT}bin/node" "${NPM_DIR}/bin/npm-cli.js" install --prefix="${PATCH_DIR}" --omit=dev --cache /tmp/npm-cache; \
-            rm -rf "${NPM_DIR}/node_modules/cross-spawn" "${NPM_DIR}/node_modules/tar" "${NPM_DIR}/node_modules/brace-expansion"; \
+            rm -rf "${NPM_DIR}/node_modules/cross-spawn" "${NPM_DIR}/node_modules/tar" "${NPM_DIR}/node_modules/brace-expansion" "${NPM_DIR}/node_modules/glob"; \
             cp -a "${PATCH_DIR}/node_modules/." "${NPM_DIR}/node_modules/"; \
             rm -rf "${PATCH_DIR}" "${NPM_DIR}/node_modules/.npm"; \
         fi; \

docs/archive/CVE-2025-64756-fix.md

@@ -0,0 +1,135 @@
+# CVE-2025-64756 Fix: glob Command Injection Vulnerability
+
+## Overview
+
+**Date**: December 18, 2025  
+**CVE ID**: CVE-2025-64756  
+**Severity**: HIGH  
+**Component**: `glob` package (transitive dependency)  
+**Location**: `actions-runner/externals/node24/lib/node_modules/npm/node_modules/node-gyp/node_modules/glob`
+
+## Vulnerability Details
+
+The `glob` package versions < 10.5.0 and < 11.1.0 are vulnerable to command injection via malicious filenames.
+
+- **Vulnerable Version**: 10.4.5
+- **Fixed Versions**: 10.5.0, 11.1.0, or higher
+- **Applied Version**: 13.0.0 (latest stable)
+
+## Impact
+
+The vulnerability allows attackers to execute arbitrary commands through specially crafted filenames when glob patterns are evaluated. This affects the GitHub Actions Runner's embedded Node.js distribution.
+
+## Resolution
+
+### Changes Made
+
+Added `glob` package patching to all three Dockerfile variants:
+
+1. **Standard Runner** (`docker/Dockerfile`):
+   - Added `ARG GLOB_VERSION="13.0.0"`
+   - Updated embedded Node.js npm patching to include glob 13.0.0
+   - Removes vulnerable glob 10.4.5 from node-gyp dependencies
+
+2. **Chrome Runner** (`docker/Dockerfile.chrome`):
+   - Already had glob patching implemented with version 13.0.0
+   - No changes required
+
+3. **Chrome-Go Runner** (`docker/Dockerfile.chrome-go`):
+   - Already had glob patching implemented with version 13.0.0
+   - No changes required
+
+### Technical Implementation
+
+The patching process:
+
+```dockerfile
+# Add glob version argument
+ARG GLOB_VERSION="13.0.0"
+
+# Patch embedded Node distributions
+RUN --mount=type=cache,target=/tmp/npm-cache,uid=1001,gid=1001 \
+    set -e; \
+    for NODE_ROOT in /actions-runner/externals/node*/ ; do \
+        if [ -x "${NODE_ROOT}bin/node" ] && [ -d "${NODE_ROOT}lib/node_modules/npm" ]; then \
+            NPM_DIR="${NODE_ROOT}lib/node_modules/npm"; \
+            PATCH_DIR="$(mktemp -d)"; \
+            printf '{\n  "name": "runner-patch",\n  "private": true,\n  "version": "1.0.0",\n  "dependencies": {\n    "cross-spawn": "%s",\n    "tar": "%s",\n    "brace-expansion": "%s",\n    "glob": "%s"\n  }\n}\n' \
+                "${CROSS_SPAWN_VERSION}" "${TAR_VERSION}" "${BRACE_EXPANSION_VERSION}" "${GLOB_VERSION}" \
+                > "${PATCH_DIR}/package.json"; \
+            "${NODE_ROOT}bin/node" "${NPM_DIR}/bin/npm-cli.js" install \
+                --prefix="${PATCH_DIR}" --omit=dev --cache /tmp/npm-cache; \
+            rm -rf "${NPM_DIR}/node_modules/glob"; \
+            cp -a "${PATCH_DIR}/node_modules/." "${NPM_DIR}/node_modules/"; \
+            rm -rf "${PATCH_DIR}" "${NPM_DIR}/node_modules/.npm"; \
+        fi; \
+    done
+```
+
+### Patching Strategy
+
+1. **Create temporary package.json** with safe dependency versions
+2. **Install patched versions** into temporary directory using BuildKit cache
+3. **Remove vulnerable versions** from runner's embedded Node.js
+4. **Copy patched versions** to replace vulnerable dependencies
+5. **Clean up** temporary files and npm cache
+
+This approach:
+- ✅ Works across all Node.js versions in the runner
+- ✅ Doesn't modify runner binary (maintains GitHub signature)
+- ✅ Uses BuildKit cache for fast rebuilds
+- ✅ Runs during image build, not at runtime
+- ✅ No performance impact on runner startup
+
+## Verification
+
+### Manual Testing
+
+After rebuilding images, verify the glob version:
+
+```bash
+# For standard runner
+docker run --rm github-runner:latest \
+    bash -c 'node -e "console.log(require(\"/actions-runner/externals/node24/lib/node_modules/npm/node_modules/glob/package.json\").version)"'
+
+# Expected output: 13.0.0
+```
+
+### CI/CD Validation
+
+The fix will be validated by:
+1. Docker image build in CI/CD pipeline
+2. Security scanning with Trivy
+3. Runner self-test workflow
+4. GitHub code scanning rescan
+
+## References
+
+- **CVE**: [CVE-2025-64756](https://avd.aquasec.com/nvd/cve-2025-64756)
+- **GitHub Alert**: [#5660](https://github.com/GrammaTonic/github-runner/security/code-scanning/5660)
+- **npm Package**: [glob@13.0.0](https://www.npmjs.com/package/glob)
+- **Related Fixes**: 
+  - CVE-2023-52576 (tar vulnerability)
+  - CVE-2024-27980 (cross-spawn vulnerability)
+  - CVE-2024-4068 (brace-expansion vulnerability)
+
+## Timeline
+
+- **December 18, 2025**: CVE-2025-64756 reported in GitHub code scanning
+- **December 18, 2025**: Fix implemented for all Dockerfile variants
+- **Next**: CI/CD validation and image rebuild
+
+## Action Items
+
+- [x] Add glob patching to standard Dockerfile
+- [x] Verify Chrome and Chrome-Go Dockerfiles have glob patching
+- [ ] Test Docker image builds
+- [ ] Verify security alert resolution
+- [ ] Deploy updated images to production
+
+## Notes
+
+- The Chrome and Chrome-Go runners already had glob patching from a previous security update
+- This fix brings the standard runner in line with the same security posture
+- Using glob 13.0.0 (latest) provides maximum protection and future-proofs against similar vulnerabilities
+- The vulnerability is in a transitive dependency, so direct updates to the runner package are not possible