good

crisdosaygo · crisdosaygo · commit 9dfd30dae862 · 2026-04-22T21:18:13.000+08:00
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,40 @@
+FROM debian:bookworm-slim
+
+# Install system dependencies
+RUN apt-get update && apt-get install -y \
+    curl \
+    sudo \
+    jq \
+    vim-common \
+    gnupg \
+    && rm -rf /var/lib/apt/lists/*
+
+# Add a non-root user for BrowserBox
+RUN useradd -m -s /bin/bash browserbox && \
+    echo "browserbox ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
+
+USER browserbox
+WORKDIR /home/browserbox
+
+# Install BrowserBox using full-install
+# BBX_TEST_AGREEMENT=true skips prompts
+# BBX_FULL_INSTALL=true triggers full-install
+# BBX_INSTALL_HOSTNAME="localhost"
+# BBX_INSTALL_EMAIL="actions@browserbox.io"
+# INSTALL_DOC_VIEWER="false" skips doc viewer
+RUN curl -fsSL https://browserbox.io/install.sh | \
+    BBX_TEST_AGREEMENT="true" \
+    BBX_FULL_INSTALL="true" \
+    BBX_INSTALL_HOSTNAME="localhost" \
+    BBX_INSTALL_EMAIL="actions@browserbox.io" \
+    INSTALL_DOC_VIEWER="false" \
+    bash
+
+# Ensure bbx is in PATH
+ENV PATH="/home/browserbox/.local/bin:${PATH}"
+
+# Expose the default BrowserBox port
+EXPOSE 8080
+
+# Default command
+CMD ["bbx", "status"]
diff --git a/README.md b/README.md
@@ -18,10 +18,9 @@ On runners, the action defaults to a minimal runtime footprint:
 `browserbox-action` v1 is intentionally narrow:
 
 - Linux runners only
-- `tunnel: none`
-- `tunnel: cloudflare` (Public login link)
-- `tunnel: tor`
-- ZeroTier is intentionally excluded from v1
+- `tunnel: cloudflare` (Default - Public login link)
+- `tunnel: tor` (Onion address)
+- `tunnel: none` (Local runner only)
 
 ## Quick start
 
@@ -40,7 +39,6 @@ jobs:
         uses: BrowserBox/browserbox-action@v1
         with:
           license-key: ${{ secrets.BROWSERBOX_LICENSE_KEY }}
-          tunnel: cloudflare
           timeout: 60 # Stay alive for 60 minutes
 ```
 
@@ -49,13 +47,43 @@ jobs:
 - **Interactive Login Link:** Like `tmate`, the action prints the login link in a loop to the console until the timeout is reached or the job is cancelled.
 - **Configurable Timeout:** Control how long the session stays active (default 30m, up to 150m).
 - **Step Summary:** Automatically adds the login link and base URL to the GitHub Actions Job Summary.
+- **Automated Verification:** The action includes a built-in background smoke test to confirm the public accessibility of your tunnel.
+
+## Example Usages
+
+### Public Cloudflare Tunnel (Default)
+Ideal for quick demos or ephemeral browsing sessions.
+```yaml
+- uses: BrowserBox/browserbox-action@v1
+  with:
+    license-key: ${{ secrets.BBX_LICENSE_KEY }}
+    tunnel: cloudflare
+```
+
+### Tor Network Tunnel
+Generates a `.onion` address for maximum privacy.
+```yaml
+- uses: BrowserBox/browserbox-action@v1
+  with:
+    license-key: ${{ secrets.BBX_LICENSE_KEY }}
+    tunnel: tor
+```
+
+### Local Runner (No Tunnel)
+Useful for automated testing where subsequent steps interact with the browser via `localhost:8080`.
+```yaml
+- uses: BrowserBox/browserbox-action@v1
+  with:
+    license-key: ${{ secrets.BBX_LICENSE_KEY }}
+    tunnel: none
+```
 
 ## Inputs
 
 | Input | Required | Default | Notes |
 | --- | --- | --- | --- |
 | `license-key` | Yes | none | BrowserBox license key from [browserbox.io](https://browserbox.io) |
-| `tunnel` | No | `none` | `none`, `cloudflare`, or `tor` |
+| `tunnel` | No | `cloudflare` | `none`, `cloudflare`, or `tor` |
 | `timeout` | No | `30` | Maximum run time in minutes (max 150) |
 | `port` | No | `8080` | Main BrowserBox service port |
 | `service-mode` | No | `minimal` | `minimal` runs only `bb-main`; `full` runs all BrowserBox services |
diff --git a/run-browserbox.sh b/run-browserbox.sh
@@ -239,6 +239,34 @@ open_url() {
   fi
 }
 
+check_link_accessible() {
+  local link="$1"
+  local base_url="${link%/login?token=*}"
+  local response
+  local out_file
+  out_file="$(mktemp)"
+
+  if ! command -v curl >/dev/null 2>&1; then
+    rm -f "$out_file"
+    return 0
+  fi
+
+  response=$(curl -s -L -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" --max-time 10 -w "%{http_code}" "$base_url" -o "$out_file" || echo "CURL_FAILED")
+
+  if [[ "$response" =~ ^(200|403)$ ]]; then
+    if grep -qi "BrowserBox" "$out_file" 2>/dev/null; then
+      rm -f "$out_file"
+      return 0
+    fi
+  elif [[ "$response" =~ ^(302|401)$ ]]; then
+    rm -f "$out_file"
+    return 0
+  fi
+
+  rm -f "$out_file"
+  return 1
+}
+
 find_latest_dispatch_run() {
   local repo="$1"
   local workflow="$2"
@@ -329,8 +357,11 @@ wait_for_login_link() {
     )"
 
     if [[ -n "$link" ]]; then
-      printf '%s\n' "$link"
-      return 0
+      if check_link_accessible "$link"; then
+        printf '%s\n' "$link"
+        return 0
+      fi
+      log "found link on issue #${issue_number}, but it is not yet accessible; still waiting..."
     fi
 
     status="$(gh run view "$run_id" --repo "$repo" --json status,conclusion --jq '.status + ":" + (.conclusion // "")' 2>/dev/null || true)"
diff --git a/scripts/run-browserbox.sh b/scripts/run-browserbox.sh
@@ -40,6 +40,37 @@ base_url_from_login_link() {
   printf '%s' "$1" | sed 's#/login?token=.*##'
 }
 
+check_link_accessible() {
+  local link="$1"
+  local base_url
+  base_url="$(base_url_from_login_link "$link")"
+  local response
+  local out_file
+  out_file="$(mktemp)"
+
+  response=$(curl -s -L -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" --max-time 10 -w "%{http_code}" "$base_url" -o "$out_file" || echo "CURL_FAILED")
+
+  if [[ "$response" =~ ^(200|302|401)$ ]]; then
+    if [[ "$response" == "200" ]]; then
+      if grep -qi "BrowserBox" "$out_file" 2>/dev/null; then
+        rm -f "$out_file"
+        return 0
+      fi
+    else
+      rm -f "$out_file"
+      return 0
+    fi
+  elif [[ "$response" == "403" ]]; then
+    if grep -qi "BrowserBox" "$out_file" 2>/dev/null; then
+      rm -f "$out_file"
+      return 0
+    fi
+  fi
+
+  rm -f "$out_file"
+  return 1
+}
+
 ensure_gh_token() {
   if [[ -z "${GH_TOKEN:-}" && -n "${GITHUB_TOKEN:-}" ]]; then
     export GH_TOKEN="$GITHUB_TOKEN"
@@ -206,20 +237,24 @@ case "$tunnel" in
     # cf-run can spend time in setup/certification, local readiness retries,
     # and up to three Cloudflare URL/verification attempts.
     login_link=""
+    echo "Waiting for verified Cloudflare tunnel URL..."
     for ((i = 0; i < cloudflare_link_timeout_seconds; i++)); do
       candidate="$(extract_cloudflare_login_link "$login_link_file")"
       if [[ -z "$candidate" ]]; then
         candidate="$(extract_cloudflare_login_link "$run_log")"
       fi
       if [[ -n "$candidate" ]]; then
-        login_link="$candidate"
-        break
+        if check_link_accessible "$candidate"; then
+          login_link="$candidate"
+          echo "Verified Cloudflare tunnel URL: $login_link"
+          break
+        fi
       fi
       if ! kill -0 "$cf_pid" 2>/dev/null; then
         cat "$run_log" >&2
         fail "bbx cf-run exited before producing a tunnel URL."
       fi
-      sleep 1
+      sleep 2
     done
 
     if [[ -z "$login_link" ]]; then
@@ -276,34 +311,22 @@ echo "--------------------------------------------------------------------------
 
 # Background smoke test for public accessibility
 (
-  echo "[Smoke Test] Waiting for tunnel to propagate (up to 2 minutes)..."
+  echo "[Smoke Test] Verifying tunnel propagation..."
   MAX_SMOKE_ATTEMPTS=12
   SMOKE_ATTEMPT=1
   SMOKE_SUCCESS=false
-  
+
   while (( SMOKE_ATTEMPT <= MAX_SMOKE_ATTEMPTS )); do
-    sleep 10
-    echo "[Smoke Test Attempt $SMOKE_ATTEMPT/$MAX_SMOKE_ATTEMPTS] Checking $base_url ..."
-    # Try with verbose output to diagnose 403 or other issues
-    RESPONSE=$(curl -s -L -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36" --max-time 10 -w "%{http_code}" "$base_url" -o /tmp/smoke_out.html || echo "CURL_FAILED")
-    
-    echo "[Smoke Test] Response code: $RESPONSE"
-    
-    if [[ "$RESPONSE" =~ ^(200|302|401)$ ]]; then
+    if check_link_accessible "$login_link"; then
       echo "[Smoke Test] SUCCESS: BrowserBox is accessible via tunnel."
       SMOKE_SUCCESS=true
       break
-    elif [[ "$RESPONSE" == "403" ]]; then
-      echo "[Smoke Test] Received 403. This might be Cloudflare WAF or Bot Protection. Checking content..."
-      if grep -qi "BrowserBox" /tmp/smoke_out.html; then
-        echo "[Smoke Test] SUCCESS: Found 'BrowserBox' in 403 response body. It is reachable!"
-        SMOKE_SUCCESS=true
-        break
-      fi
     fi
+    echo "[Smoke Test Attempt $SMOKE_ATTEMPT/$MAX_SMOKE_ATTEMPTS] Not yet accessible..."
     (( SMOKE_ATTEMPT++ ))
+    sleep 10
   done
-  
+
   if [[ "$SMOKE_SUCCESS" != "true" ]]; then
     echo "[Smoke Test] WARNING: BrowserBox might not be publicly accessible yet (or check failed)."
   fi
@@ -320,10 +343,12 @@ while (( $(date +%s) < end_time )); do
   if [[ "$tunnel" == "cloudflare" ]]; then
     refreshed_link="$(extract_cloudflare_login_link "$login_link_file")"
     if [[ -n "$refreshed_link" && "$refreshed_link" != "$login_link" ]]; then
-      login_link="$refreshed_link"
-      base_url="$(base_url_from_login_link "$login_link")"
-      echo "::notice title=BrowserBox Login Link Updated::$login_link"
-      broadcast_login_link "BrowserBox login link updated"
+      if check_link_accessible "$refreshed_link"; then
+        login_link="$refreshed_link"
+        base_url="$(base_url_from_login_link "$login_link")"
+        echo "::notice title=BrowserBox Login Link Updated::$login_link"
+        broadcast_login_link "BrowserBox login link updated"
+      fi
     fi
   fi
   echo "[$(date +%T)] BrowserBox is active. Login at: $login_link"
