Conversation
- Add detailed squash merge benefits (7 key advantages)
- Include recommended gh pr create commands with markdown file usage
- Add explicit merge instructions for CLI and Web UI
- Expand back-sync section with mandatory warnings and step-by-step guide
- Add alternative back-sync method using GitHub CLI
- Include verification commands and troubleshooting steps
- Apply updates to both AI instructions and actual PR template
- Ensure consistency between Copilot guidance and user-facing template

This update ensures all PRs display comprehensive squash merge and back-sync instructions, preventing common issues like 'ahead' status and merge conflicts.
Phase 1 implementation complete with all code tasks validated. Testing to be completed in develop branch.
….28.0 to 0.33.1 Automatically merged Dependabot PR after CI validation.
Automatically merged Dependabot PR after CI validation.
Automatically merged Dependabot PR after CI validation.
- Update Go version from 1.25.4 to 1.25.5 in Dockerfile.chrome-go
- Fixes HIGH severity vulnerability in stdlib HostnameError.Error()
- Prevents excessive resource consumption from malicious certificates
- Resolves quadratic runtime issue in error string construction

Fixes: CVE-2025-61729
Related: https://github.com/GrammaTonic/github-runner/security/code-scanning/5682
Back-sync after PR #1073 (CVE-2025-61729 security fix) was merged to main. This prevents develop from appearing ahead of main and ensures branches stay synchronized.
- Update NPM_VERSION from 11.6.2 to 11.6.4 in Chrome and Chrome-Go Dockerfiles
- Fixes HIGH severity vulnerability in glob (npm dependency)
- npm 11.6.4 depends on glob ^13.0.0 (vs vulnerable 11.0.3)
- Resolves command injection vulnerability in glob's -c/--cmd option
- Prevents arbitrary code execution via malicious filenames

Vulnerability Details:
- CVE ID: CVE-2025-64756
- Severity: HIGH
- Affected Package: glob 11.0.3 (npm internal dependency)
- Fixed Versions: glob 11.1.0, 10.5.0 (npm 11.6.4 uses glob 13.0.0)
- Issue: Command injection via shell metacharacters in filenames
- Link: https://avd.aquasec.com/nvd/cve-2025-64756

Fixes: https://github.com/GrammaTonic/github-runner/security/code-scanning/5665
- Change VALIDATE_ALL_CODEBASE from true to false (only validate changed files)
- Disable SAVE_SUPER_LINTER_OUTPUT to reduce artifact size
- Disable VALIDATE_MD to reduce processing overhead
- Expand FILTER_REGEX_EXCLUDE to skip docs and plan directories

This reduces the Super-Linter job size and prevents image size issues while maintaining validation of critical files (Dockerfiles, bash, YAML, JSON).

Fixes: https://github.com/GrammaTonic/github-runner/actions/runs/19948737687/job/57204156543
- Replace super-linter/super-linter with individual focused actions
- Use hadolint/hadolint-action for Dockerfile linting
- Use ludeeus/action-shellcheck for shell script validation
- Use ibiqlik/action-yamllint for YAML validation
- Add .yamllint.yml configuration file

Benefits:
- Significantly smaller action images (no 8GB+ Super-Linter image)
- Faster execution with parallel specialized linters
- More granular control over linting rules
- Reduced CI/CD resource consumption
- Better caching and incremental builds

Fixes: https://github.com/GrammaTonic/github-runner/actions/runs/19948737687/job/57204156543
- Add 15-minute timeout for container scans (10m for filesystem)
- Filter to CRITICAL and HIGH severity only to reduce scan time
- Skip unnecessary directories (test-results, logs, .git)
- Prevents PROTOCOL_ERROR from layer extraction timeouts

This resolves the stream ID protocol errors when scanning large Docker images (Chrome/Chrome-Go runners with browsers and dependencies).

Fixes: stream error: stream ID 17; PROTOCOL_ERROR; received from peer
- Remove cmd/metrics-exporter/main.go (experimental Prometheus metrics collector)
- Remove go.mod and go.sum (no longer needed without Go code)
- This feature was not production-ready and conflicted with documented netcat-based metrics approach
- Reduces codebase complexity and maintenance burden

Part of CI/CD optimization effort after CVE-2025-61729 and CVE-2025-64756 security fixes.
* feat: upgrade GitHub Actions runner to 2.330.0

- Update RUNNER_VERSION from 2.329.0 to 2.330.0 in all Dockerfiles
- Standard runner: docker/Dockerfile
- Chrome runner: docker/Dockerfile.chrome
- Chrome-Go runner: docker/Dockerfile.chrome-go

Runner 2.330.0 includes:
- Updated Node.js versions
- Custom image preflight checks
- Improved logic for IsHostedServer detection
- Docker v29.0.1 and Buildx v0.30.0 support
- Retry logic for DNS resolution failures
- Network-online dependency for runner service

Release notes: https://github.com/actions/runner/releases/tag/v2.330.0

* fix: update runtime stage RUNNER_VERSION to 2.330.0

Ensure consistency between builder and runtime stages in multi-stage Dockerfile.

---------

Co-authored-by: Syam Sampatsing <grammatonic@mbp-van-syam.home>
…1.0 to 3.3.0 Automatically merged Dependabot PR after CI validation.
Automatically merged Dependabot PR after CI validation.
* Initial plan

* fix: replace broken free-disk-space action with manual cleanup

Replace jlumbroso/free-disk-space-action@v1.3.1 with manual disk cleanup script. The original action repository is no longer accessible (404/403 errors), causing Dependabot failures.

The manual approach achieves the same disk space cleanup by removing dotnet, android, haskell toolchains and boost libraries.

This fixes the git_dependencies_not_reachable error for Dependabot and allows the security advisory workflow to continue functioning properly.

Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com>
- Update VERSION_OVERVIEW.md to reflect runner version 2.330.0
- Update default RUNNER_VERSION in build.sh to 2.330.0
- Update default RUNNER_VERSION in build-chrome.sh to 2.330.0

Ensures consistency across Dockerfiles, documentation, and build scripts. Addresses review comment from PR #1080.
- Remove all Go/Prometheus client library references
- Replace with lightweight bash + netcat HTTP server approach
- Update metrics-server.sh to use netcat for serving /metrics endpoint
- Update metrics-collector.sh to generate Prometheus text format
- Remove multi-stage Docker build requirements for Go
- Update implementation tasks and design decisions
- Simplify architecture to use only bash scripting
- Update risks & mitigations for netcat approach
- Remove CGO_ENABLED and go.mod/go.sum references

Benefits:
- No additional language runtime required
- Smaller Docker image size (no Go toolchain)
- Simpler build process
- Lower resource overhead
- Easier to maintain and debug

Addresses constraint CON-001: Must use bash scripting only
…nner

- Add glob 13.0.0 patching to standard Dockerfile
- Mitigate command injection vulnerability in node-gyp glob dependency
- Chrome and Chrome-Go runners already had this patching
- Uses same patching strategy as cross-spawn, tar, and brace-expansion

Fixes #5660
Closes: CVE-2025-64756
- Remove .github/workflows/monitoring.yml
- Workflow was not actively used in current setup
- Reduces workflow complexity and maintenance burden
Summary of Changes

Hello @GrammaTonic, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a significant change in how Prometheus metrics are collected and exposed for GitHub Actions runners, transitioning from a Go-based application to a more streamlined bash and netcat approach. This aims to reduce complexity and external dependencies. Concurrently, it incorporates a critical security fix for CVE-2025-64756, a command injection vulnerability in the
Code Review
This pull request introduces two main changes. First, it addresses a security vulnerability (CVE-2025-64756) in the glob npm package by patching it in the Docker images. The implementation for this fix is sound. Second, it pivots the Prometheus metrics implementation from a Go-based exporter to a more lightweight solution using bash and netcat, which is reflected across several documentation and planning files.
My review focuses on improving the documentation to ensure the examples and verification steps are accurate and robust. I've suggested updating a verification command in the CVE fix documentation to be more comprehensive, and I've pointed out an issue in the bash script example for the new metrics server.
Overall, the changes are positive, especially the security fix. A more descriptive pull request title and body would be helpful for future reference.
docker run --rm github-runner:latest \
  bash -c 'node -e "console.log(require(\"/actions-runner/externals/node24/lib/node_modules/npm/node_modules/glob/package.json\").version)"'
The verification command is hardcoded to check only the node24 directory. However, the patching logic in the Dockerfile correctly iterates over all node* directories. To ensure the vulnerability is fixed in all embedded Node.js versions, the verification command should also loop through all available versions.
This makes the verification process more robust and aligned with the implementation.
Suggested change:

- docker run --rm github-runner:latest \
-   bash -c 'node -e "console.log(require(\"/actions-runner/externals/node24/lib/node_modules/npm/node_modules/glob/package.json\").version)"'
+ docker run --rm github-runner:latest bash -c '
+ for dir in /actions-runner/externals/node*/; do
+   path="${dir}lib/node_modules/npm/node_modules/glob/package.json"
+   if [ -f "$path" ]; then
+     echo -n "${dir}: "
+     node -p "require(\"$path\").version"
+   fi
+ done
+ '
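Going one step further than the suggested loop, the following is an added shell example (not the project's own code and not the reviewer's suggestion) that audits every npm-bundled copy of glob under a runner's externals tree and decides, per release line, whether the copy carries the CVE-2025-64756 fix. The layout <root>/node*/lib/node_modules/npm/node_modules/glob is the one named in the review comment and is assumed here; the fixed versions 10.5.0 and 11.1.0 are those listed in the PR's commit message; treating anything older than 10.5.0 as unpatched is a conservative assumption of this example, not something the page states. The version is read with grep/sed so the check also works where node is not on PATH.

```bash
#!/usr/bin/env bash
# Added example, not the project's own code: audit every npm-bundled glob
# under a runner externals tree and report copies that predate the
# CVE-2025-64756 fixes. Fixed versions are taken from the PR's commit message
# (10.5.0 on the 10.x line, 11.1.0 on 11.x); the directory layout below is
# the one the review comment describes and is assumed.

GLOB_FIXED_10="10.5.0"
GLOB_FIXED_11="11.1.0"

# pkg_version FILE: print the top-level "version" of a package.json.
# Uses the first "version" key, which is the package's own in npm's layout.
pkg_version() {
    grep -m 1 '"version"' "$1" 2>/dev/null \
        | sed 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/' || true
}

# version_ge A B: succeed if A >= B in version order (sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# glob_is_fixed VER: succeed if VER carries the fix on its release line.
# Anything below 10.5.0 is treated as unpatched (conservative assumption).
glob_is_fixed() {
    local ver="$1"
    if version_ge "$ver" "$GLOB_FIXED_11"; then return 0; fi   # 11.1.0+, 12.x, 13.x
    if version_ge "$ver" "11.0.0"; then return 1; fi           # 11.0.x
    if version_ge "$ver" "$GLOB_FIXED_10"; then return 0; fi   # 10.5.0 .. 10.x
    return 1
}

# check_glob_versions ROOT: print one line per bundled glob and succeed only
# if at least one copy was found and every copy is fixed.
check_glob_versions() {
    local root="$1" dir path ver found=0 bad=0
    for dir in "$root"/node*/; do
        path="${dir}lib/node_modules/npm/node_modules/glob/package.json"
        [ -f "$path" ] || continue
        found=1
        ver="$(pkg_version "$path")"
        if [ -n "$ver" ] && glob_is_fixed "$ver"; then
            echo "${dir}: glob ${ver} OK"
        else
            echo "${dir}: glob ${ver:-unknown} VULNERABLE"
            bad=1
        fi
    done
    if [ "$found" -eq 1 ] && [ "$bad" -eq 0 ]; then
        return 0
    fi
    return 1
}

# Run the audit only when a root is given, so the file can also be sourced.
# Inside the image:
#   docker run --rm github-runner:latest bash -s /actions-runner/externals < glob-audit.sh
if [ "$#" -ge 1 ]; then
    check_glob_versions "$1"
fi
```

The non-zero exit on any unpatched or missing copy makes the audit usable as a CI gate after the image build, which a version printout alone does not give.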
)
while true; do
  # Wait for connection
  RESPONSE=$(echo -e "HTTP/1.1 200 OK\r\nContent-Type: text/plain; version=0.0.4\r\n\r\n$(cat \"$METRICS_FILE\" 2>/dev/null || echo '# No metrics available')" | nc -l -p "$PORT" -q 1)
The example for the metrics server script uses a command substitution RESPONSE=$(...) but the RESPONSE variable is never used. This is misleading and inefficient as it captures the client's request into a variable that is immediately discarded.
Additionally, it uses nc -q 1, which introduces an unnecessary 1-second delay after each request. The actual implementation (docker/metrics-server.sh) correctly uses -q 0 to exit immediately. The documentation should reflect the more efficient approach.
The command substitution should be removed and -q 0 should be used.
Suggested change:

- RESPONSE=$(echo -e "HTTP/1.1 200 OK\r\nContent-Type: text/plain; version=0.0.4\r\n\r\n$(cat \"$METRICS_FILE\" 2>/dev/null || echo '# No metrics available')" | nc -l -p "$PORT" -q 1)
+ echo -e "HTTP/1.1 200 OK\r\nContent-Type: text/plain; version=0.0.4\r\n\r\n$(cat \"$METRICS_FILE\" 2>/dev/null || echo '# No metrics available')" | nc -l -p "$PORT" -q 0
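As an added example (not the project's docker/metrics-server.sh and not the reviewer's suggested line), here is the same bash + netcat responder with the HTTP response built by a function, so the headers and the fallback body can be checked without opening a listener. METRICS_FILE and PORT are assumed variable names, and "nc -l -p PORT -q 0" assumes the Debian/Ubuntu netcat that the page's own command relies on. Two details differ from the one-liner above: the cat path is quoted as plain "$file", because a backslash-escaped double quote inside "$( ... )" is kept as a literal quote character and ends up in the filename handed to cat, and the response carries a Content-Length plus a terminating newline on the body, which the Prometheus text format expects.

```bash
#!/usr/bin/env bash
# Added example, not the project's docker/metrics-server.sh: a bash + netcat
# /metrics responder. METRICS_FILE and PORT are assumed variable names;
# "-l -p PORT -q 0" assumes the Debian/Ubuntu netcat used on the page.

METRICS_FILE="${METRICS_FILE:-/tmp/runner-metrics.prom}"
PORT="${PORT:-9100}"

# build_metrics_response FILE: print a complete HTTP/1.1 response carrying the
# Prometheus text exposition stored in FILE. A missing, unreadable or empty
# file yields a comment line instead of an empty body. The path is a plain
# "$file": writing \"$file\" inside "$( ... )" would hand cat a name that
# starts and ends with a literal double quote and always hit the fallback.
build_metrics_response() {
    local file="$1" body len nl
    nl='
'
    body="$(cat "$file" 2>/dev/null)" || body=""
    [ -n "$body" ] || body='# No metrics available'
    body="${body}${nl}"                      # exposition format ends with \n
    len="$(printf '%s' "$body" | wc -c | tr -d '[:space:]')"
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Content-Type: text/plain; version=0.0.4\r\n'
    printf 'Content-Length: %s\r\n' "$len"
    printf 'Connection: close\r\n'
    printf '\r\n'
    printf '%s' "$body"
}

# serve_metrics: one netcat listener per request. The response is piped in
# before a client connects, so it is written as soon as a connection arrives;
# -q 0 closes the socket right after the response has been sent, with no
# one-second wait and nothing captured into an unused variable.
serve_metrics() {
    while true; do
        build_metrics_response "$METRICS_FILE" | nc -l -p "$PORT" -q 0
    done
}

# Start serving only when asked, so the file can also be sourced:
#   METRICS_FILE=/var/lib/runner/metrics.prom PORT=9100 bash metrics-responder.sh serve
if [ "${1:-}" = "serve" ]; then
    serve_metrics
fi
```

Because the response is produced before the request is read, this stays a scrape-only endpoint: it answers any connection on the port identically, so it should be bound behind the same network controls the rest of the runner's metrics plumbing uses.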
No description provided.