From 31a9ba629b3a36c7a7d2aa49b6dda9e6cff12706 Mon Sep 17 00:00:00 2001 From: Matiss Janis Aboltins Date: Sat, 18 Oct 2025 12:46:52 +0200 Subject: [PATCH] Change "/update-vrt" workflow (#5952) --- .github/workflows/update-vrt.yml | 119 ----------------- .github/workflows/vrt-update-apply.yml | 156 ++++++++++++++++++++++ .github/workflows/vrt-update-generate.yml | 105 +++++++++++++++ upcoming-release-notes/5952.md | 7 + 4 files changed, 268 insertions(+), 119 deletions(-) delete mode 100644 .github/workflows/update-vrt.yml create mode 100644 .github/workflows/vrt-update-apply.yml create mode 100644 .github/workflows/vrt-update-generate.yml create mode 100644 upcoming-release-notes/5952.md diff --git a/.github/workflows/update-vrt.yml b/.github/workflows/update-vrt.yml deleted file mode 100644 index 2c97e612a5..0000000000 --- a/.github/workflows/update-vrt.yml +++ /dev/null @@ -1,119 +0,0 @@ -name: /update-vrt -on: - issue_comment: - types: [created] - -permissions: - pull-requests: read - contents: read - -concurrency: - group: ${{ github.workflow }}-${{ github.event.issue.number }}-${{ contains(github.event.comment.body, '/update-vrt') }} - cancel-in-progress: true - -jobs: - update-vrt: - name: Update VRT - runs-on: ubuntu-latest - if: | - github.event.issue.pull_request && - contains(github.event.comment.body, '/update-vrt') - container: - image: mcr.microsoft.com/playwright:v1.56.0-jammy - steps: - - name: Get PR branch - # Until https://github.com/xt0rted/pull-request-comment-branch/issues/322 is resolved we use the forked version - uses: gotson/pull-request-comment-branch@head-repo-owner-dist - id: comment-branch - - uses: actions/checkout@v4 - with: - repository: ${{ steps.comment-branch.outputs.head_owner }}/${{ steps.comment-branch.outputs.head_repo }} - ref: ${{ steps.comment-branch.outputs.head_ref }} - - name: Set up environment - uses: ./.github/actions/setup - - name: Run VRT Tests on Desktop app - continue-on-error: true - run: | - xvfb-run --auto-servernum --server-args="-screen 0 1920x1080x24" -- yarn e2e:desktop --update-snapshots - - name: Wait for Netlify build to finish - id: netlify - env: - COMMIT_SHA: ${{ steps.comment-branch.outputs.head_sha }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: ./.github/actions/netlify-wait-for-build - - name: Run VRT Tests on Netlify URL - run: yarn vrt --update-snapshots - env: - E2E_START_URL: ${{ steps.netlify.outputs.url }} - - name: Create patch - run: | - git config --system --add safe.directory "*" - git config --global user.name "github-actions[bot]" - git config --global user.email "github-actions[bot]@users.noreply.github.com" - git reset - git add "**/*.png" - if git diff --staged --quiet; then - echo "No changes to commit" - exit 0 - fi - git commit -m "Update VRT" - git format-patch -1 HEAD --stdout > Update-VRT.patch - - uses: actions/upload-artifact@v4 - with: - name: patch - path: Update-VRT.patch - - push-patch: - runs-on: ubuntu-latest - needs: update-vrt - permissions: - contents: write - pull-requests: write - steps: - - name: Get PR branch - # Until https://github.com/xt0rted/pull-request-comment-branch/issues/322 is resolved we use the forked version - uses: gotson/pull-request-comment-branch@head-repo-owner-dist - id: comment-branch - - uses: actions/checkout@v4 - with: - repository: ${{ steps.comment-branch.outputs.head_owner }}/${{ steps.comment-branch.outputs.head_repo }} - ref: ${{ steps.comment-branch.outputs.head_ref }} - - uses: actions/download-artifact@v4 - continue-on-error: true - with: - name: patch - - name: Apply patch and push - env: - BRANCH_NAME: ${{ steps.comment-branch.outputs.head_ref }} - run: | - git config --global user.name "github-actions[bot]" - git config --global user.email "github-actions[bot]@users.noreply.github.com" - git apply Update-VRT.patch - git add "**/*.png" - if git diff --staged --quiet; then - echo "No changes to commit" - exit 0 - fi - git commit -m "Update VRT" - git push origin HEAD:${BRANCH_NAME} - - name: Add finished reaction - uses: dkershner6/reaction-action@v2 - with: - token: ${{ secrets.GITHUB_TOKEN }} - commentId: ${{ github.event.comment.id }} - reaction: 'rocket' - - add-starting-reaction: - runs-on: ubuntu-latest - if: | - github.event.issue.pull_request && - contains(github.event.comment.body, '/update-vrt') - permissions: - pull-requests: write - steps: - - name: React to comment - uses: dkershner6/reaction-action@v2 - with: - token: ${{ secrets.GITHUB_TOKEN }} - commentId: ${{ github.event.comment.id }} - reaction: '+1' diff --git a/.github/workflows/vrt-update-apply.yml b/.github/workflows/vrt-update-apply.yml new file mode 100644 index 0000000000..e4b8454aad --- /dev/null +++ b/.github/workflows/vrt-update-apply.yml @@ -0,0 +1,156 @@ +name: VRT Update - Apply +# SECURITY: This workflow runs in trusted base repo context. +# It treats the patch artifact as untrusted data, validates it contains only PNGs, +# and safely applies it to the contributor's fork branch. +on: + workflow_run: + workflows: ['VRT Update - Generate'] + types: + - completed + +permissions: + contents: write + pull-requests: write + +jobs: + apply-vrt-updates: + name: Apply VRT Updates + runs-on: ubuntu-latest + if: ${{ github.event.workflow_run.conclusion == 'success' }} + steps: + - name: Download patch artifact + uses: actions/download-artifact@v4 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + run-id: ${{ github.event.workflow_run.id }} + pattern: vrt-patch-* + path: /tmp/artifacts + + - name: Download metadata artifact + uses: actions/download-artifact@v4 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + run-id: ${{ github.event.workflow_run.id }} + pattern: vrt-metadata-* + path: /tmp/metadata + + - name: Extract metadata + id: metadata + run: | + # Find the metadata directory (will be vrt-metadata-{PR_NUMBER}) + METADATA_DIR=$(find /tmp/metadata -mindepth 1 -maxdepth 1 -type d | head -n 1) + + if [ -z "$METADATA_DIR" ]; then + echo "No metadata found, skipping..." + exit 0 + fi + + PR_NUMBER=$(cat "$METADATA_DIR/pr-number.txt") + HEAD_REF=$(cat "$METADATA_DIR/head-ref.txt") + HEAD_REPO=$(cat "$METADATA_DIR/head-repo.txt") + + echo "pr_number=$PR_NUMBER" >> "$GITHUB_OUTPUT" + echo "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT" + echo "head_repo=$HEAD_REPO" >> "$GITHUB_OUTPUT" + + echo "Found PR #$PR_NUMBER: $HEAD_REPO @ $HEAD_REF" + + - name: Checkout fork branch + if: steps.metadata.outputs.pr_number != '' + uses: actions/checkout@v4 + with: + repository: ${{ steps.metadata.outputs.head_repo }} + ref: ${{ steps.metadata.outputs.head_ref }} + token: ${{ secrets.GITHUB_TOKEN }} + fetch-depth: 0 + + - name: Validate and apply patch + if: steps.metadata.outputs.pr_number != '' + id: apply + run: | + # Find the patch file + PATCH_DIR=$(find /tmp/artifacts -mindepth 1 -maxdepth 1 -type d | head -n 1) + PATCH_FILE="$PATCH_DIR/vrt-update.patch" + + if [ ! -f "$PATCH_FILE" ]; then + echo "No patch file found" + exit 0 + fi + + echo "Found patch file: $PATCH_FILE" + + # Validate patch only contains PNG files + echo "Validating patch contains only PNG files..." + if grep -E '^(\+\+\+|---) [ab]/' "$PATCH_FILE" | grep -v '\.png$'; then + echo "ERROR: Patch contains non-PNG files! Rejecting for security." + echo "applied=false" >> "$GITHUB_OUTPUT" + echo "error=Patch validation failed: contains non-PNG files" >> "$GITHUB_OUTPUT" + exit 1 + fi + + # Extract file list for verification + FILES_CHANGED=$(grep -E '^\+\+\+ b/' "$PATCH_FILE" | sed 's/^+++ b\///' | wc -l) + echo "Patch modifies $FILES_CHANGED PNG file(s)" + + # Configure git + git config --global user.name "github-actions[bot]" + git config --global user.email "github-actions[bot]@users.noreply.github.com" + + # Apply patch + echo "Applying patch..." + if git apply --check "$PATCH_FILE" 2>&1; then + git apply "$PATCH_FILE" + + # Stage only PNG files (extra safety) + git add "**/*.png" + + if git diff --staged --quiet; then + echo "No changes after applying patch" + echo "applied=false" >> "$GITHUB_OUTPUT" + exit 0 + fi + + # Commit + git commit -m "Update VRT screenshots" -m "Auto-generated by VRT workflow" -m "PR: #${{ steps.metadata.outputs.pr_number }}" + + echo "applied=true" >> "$GITHUB_OUTPUT" + else + echo "Patch could not be applied cleanly" + echo "applied=false" >> "$GITHUB_OUTPUT" + echo "error=Patch conflicts with current branch state" >> "$GITHUB_OUTPUT" + exit 1 + fi + + - name: Push changes + if: steps.apply.outputs.applied == 'true' + env: + HEAD_REF: ${{ steps.metadata.outputs.head_ref }} + HEAD_REPO: ${{ steps.metadata.outputs.head_repo }} + run: | + git push origin "HEAD:refs/heads/$HEAD_REF" + echo "Successfully pushed VRT updates to $HEAD_REPO@$HEAD_REF" + + - name: Comment on PR - Success + if: steps.apply.outputs.applied == 'true' + uses: actions/github-script@v7 + with: + script: | + await github.rest.issues.createComment({ + issue_number: ${{ steps.metadata.outputs.pr_number }}, + owner: context.repo.owner, + repo: context.repo.repo, + body: '✅ VRT screenshots have been automatically updated.' + }); + + - name: Comment on PR - Failure + if: failure() && steps.metadata.outputs.pr_number != '' + uses: actions/github-script@v7 + with: + script: | + const error = `${{ steps.apply.outputs.error }}` || 'Unknown error occurred'; + await github.rest.issues.createComment({ + issue_number: ${{ steps.metadata.outputs.pr_number }}, + owner: context.repo.owner, + repo: context.repo.repo, + body: `❌ Failed to apply VRT updates: ${error}\n\nPlease check the workflow logs for details.` + }); diff --git a/.github/workflows/vrt-update-generate.yml b/.github/workflows/vrt-update-generate.yml new file mode 100644 index 0000000000..034ec36ecb --- /dev/null +++ b/.github/workflows/vrt-update-generate.yml @@ -0,0 +1,105 @@ +name: VRT Update - Generate +# SECURITY: This workflow runs in untrusted fork context with no write permissions. +# It only generates VRT patch artifacts that are later applied by vrt-update-apply.yml +on: + pull_request: + types: [opened, synchronize, reopened] + paths: + - 'packages/**' + - '.github/workflows/vrt-update-generate.yml' + +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number }} + cancel-in-progress: true + +jobs: + generate-vrt-updates: + name: Generate VRT Updates + runs-on: ubuntu-latest + container: + image: mcr.microsoft.com/playwright:v1.56.0-jammy + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: Set up environment + uses: ./.github/actions/setup + + - name: Run VRT Tests on Desktop app + continue-on-error: true + run: | + xvfb-run --auto-servernum --server-args="-screen 0 1920x1080x24" -- yarn e2e:desktop --update-snapshots + + - name: Wait for Netlify build to finish + id: netlify + env: + COMMIT_SHA: ${{ github.event.pull_request.head.sha }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: ./.github/actions/netlify-wait-for-build + + - name: Run VRT Tests on Netlify URL + continue-on-error: true + run: yarn vrt --update-snapshots + env: + E2E_START_URL: ${{ steps.netlify.outputs.url }} + + - name: Create patch with PNG changes only + id: create-patch + run: | + # Trust the repository directory (required for container environments) + git config --global --add safe.directory "$GITHUB_WORKSPACE" + + git config --global user.name "github-actions[bot]" + git config --global user.email "github-actions[bot]@users.noreply.github.com" + + # Stage only PNG files + git add "**/*.png" + + # Check if there are any changes + if git diff --staged --quiet; then + echo "has_changes=false" >> "$GITHUB_OUTPUT" + echo "No VRT changes to commit" + exit 0 + fi + + echo "has_changes=true" >> "$GITHUB_OUTPUT" + + # Create commit and patch + git commit -m "Update VRT screenshots" + git format-patch -1 HEAD --stdout > vrt-update.patch + + # Validate patch only contains PNG files + if grep -E '^(\+\+\+|---) [ab]/' vrt-update.patch | grep -v '\.png$'; then + echo "ERROR: Patch contains non-PNG files!" + exit 1 + fi + + echo "Patch created successfully with PNG changes only" + + - name: Upload patch artifact + if: steps.create-patch.outputs.has_changes == 'true' + uses: actions/upload-artifact@v4 + with: + name: vrt-patch-${{ github.event.pull_request.number }} + path: vrt-update.patch + retention-days: 5 + + - name: Save PR metadata + if: steps.create-patch.outputs.has_changes == 'true' + run: | + mkdir -p pr-metadata + echo "${{ github.event.pull_request.number }}" > pr-metadata/pr-number.txt + echo "${{ github.event.pull_request.head.ref }}" > pr-metadata/head-ref.txt + echo "${{ github.event.pull_request.head.repo.full_name }}" > pr-metadata/head-repo.txt + + - name: Upload PR metadata + if: steps.create-patch.outputs.has_changes == 'true' + uses: actions/upload-artifact@v4 + with: + name: vrt-metadata-${{ github.event.pull_request.number }} + path: pr-metadata/ + retention-days: 5 diff --git a/upcoming-release-notes/5952.md b/upcoming-release-notes/5952.md new file mode 100644 index 0000000000..2fe2217228 --- /dev/null +++ b/upcoming-release-notes/5952.md @@ -0,0 +1,7 @@ +--- +category: Maintenance +authors: [MatissJanis] +--- + +Refactor VRT workflow into two stages for improved testing and patch validation. +