Hack23
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 24 additions & 45 deletions b/‎.github/workflows/release.yml‎
Lines changed: 24 additions & 45 deletions
diff --git a/‎.github/workflows/screenshot-analysis.yml‎
Lines changed: 20 additions & 46 deletions b/‎.github/workflows/screenshot-analysis.yml‎
Lines changed: 20 additions & 46 deletions
diff --git a/‎.github/workflows/test-and-report.yml‎
Lines changed: 31 additions & 49 deletions b/‎.github/workflows/test-and-report.yml‎
Lines changed: 31 additions & 49 deletions
@@ -22,17 +22,29 @@ jobs:
   prepare:
     name: Prepare Release
     runs-on: ubuntu-latest
+    # Run inside Cypress's official browsers image so Chrome/Firefox/Edge/Xvfb and all
+    # GTK/NSS/font system libs are preinstalled. Node is normalised to the version pinned
+    # in .nvmrc by actions/setup-node below.
+    container:
+      # Use cypress/browsers:latest — keeps Chrome/Firefox/Edge/Xvfb on a
+      # rolling release. We don't pin to a specific patch tag because .nvmrc is
+      # a Node major (26) and `actions/setup-node` would override the
+      # container's Node anyway, which would defeat the purpose of digest
+      # pinning the container's Node.
+      image: cypress/browsers:latest
+      # Run as root so the in-job apt-get (graphviz/ffmpeg/zip/git) and
+      # actions/setup-node cache writes don't hit permission errors. The
+      # cypress/browsers image's default USER is non-root.
+      options: --user root
     # Only prepare job needs write permissions for commit and tagging
     permissions:
       contents: write # Required for git auto-commit
     outputs:
       version: ${{ steps.get-version.outputs.version }}
       is_prerelease: ${{ github.event.inputs.prerelease || 'false' }}
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
-        with:
-          egress-policy: audit
+      # NOTE: step-security/harden-runner does not support container jobs and is
+      # intentionally omitted from this job.
 
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -50,54 +62,21 @@ jobs:
           echo "version=${VERSION}" >> $GITHUB_OUTPUT
           echo "Version: ${VERSION}"
 
-      - name: Cache APT packages
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
-        with:
-          path: /var/cache/apt/archives
-          key: v2-${{ runner.os }}-apt-chrome-${{ hashFiles('.github/workflows/release.yml') }}
-          restore-keys: |
-            v2-${{ runner.os }}-apt-chrome-
-
       - name: Setup Three.js Test Environment
         env:
           CYPRESS_VIDEO: true
           # Suppress X11 keyboard configuration warnings
           XKB_DEFAULT_RULES: evdev
           XKB_DEFAULT_MODEL: pc105
           XKB_DEFAULT_LAYOUT: us
-        timeout-minutes: 10
+        timeout-minutes: 5
         run: |
-          echo "🔧 Setting up Three.js test environment for release validation..."
-
-          # Install all dependencies
-          sudo DEBIAN_FRONTEND=noninteractive apt-get update -qq
-          sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
-            xvfb dbus-x11 graphviz \
-            libgtk2.0-0 libgtk-3-0 libgbm-dev libgbm1 \
-            ffmpeg libnotify-dev libnss3 libxss1 \
-            libxtst6 xauth \
-            fonts-noto fonts-noto-cjk fonts-noto-cjk-extra \
-            ca-certificates fonts-liberation curl gnupg \
-            libatk-bridge2.0-0 libatk1.0-0 \
-            libcups2 libdbus-1-3 libdrm2 \
-            libnspr4 libx11-xcb1 libxcomposite1 \
-            libxdamage1 libxfixes3 libxrandr2 \
-            libxrender1 libxshmfence1 xdg-utils libxkbcommon0 xkb-data
-
-          # Install Chrome using signed keyring (modern method, resilient)
-          curl -fsSL --retry 3 --retry-delay 5 --connect-timeout 30 \
-            https://dl.google.com/linux/linux_signing_key.pub \
-            | sudo gpg --dearmor -o /usr/share/keyrings/google-chrome-keyring.gpg
-          echo "deb [arch=amd64 signed-by=/usr/share/keyrings/google-chrome-keyring.gpg] https://dl.google.com/linux/chrome/deb/ stable main" \
-            | sudo tee /etc/apt/sources.list.d/google-chrome.list > /dev/null
-          sudo DEBIAN_FRONTEND=noninteractive apt-get update -qq
-          sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends google-chrome-stable
-
-          # Setup D-Bus and Xvfb
-          sudo mkdir -p /var/run/dbus
-          sudo dbus-daemon --system --fork
-          export DISPLAY=:99
-
+          echo "🔧 Verifying Three.js test environment for release validation..."
+          # Chrome / Xvfb / GTK libs are baked into cypress/browsers image.
+          # Only graphviz (for diagrams documentation), ffmpeg, and zip (for
+          # release artifact packaging) are still required on top.
+          apt-get update -qq
+          DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends graphviz ffmpeg zip git
           echo "✅ Three.js environment ready"
           google-chrome --version
 
@@ -148,7 +127,7 @@ jobs:
           TERM: dumb
         run: |
           echo "🚀 Running Three.js E2E tests for release validation..."
-          NODE_OPTIONS="--max-old-space-size=4096" xvfb-run --auto-servernum --server-args="-screen 0 1280x720x24 -ac +extension GLX +extension RANDR +render -nolisten tcp" npm run test:e2e || TEST_EXIT_CODE=$?
+          NODE_OPTIONS="--max-old-space-size=4096" npm run test:e2e || TEST_EXIT_CODE=$?
           exit ${TEST_EXIT_CODE:-0}
 
 
 
@@ -15,6 +15,18 @@ jobs:
     name: Capture UI/UX Screenshots
     runs-on: ubuntu-latest
     timeout-minutes: 30
+    # Run inside Microsoft's official Playwright image. Includes all browsers
+    # (Chromium/Firefox/WebKit) plus every system dependency Playwright needs,
+    # so we no longer need a custom apt-get block or `playwright install --with-deps`.
+    # Tag pinned to v1.59.1-noble to match the `playwright` version in package.json
+    # so the bundled browser binaries always match the npm client. Node is then
+    # normalised to the version in .nvmrc by actions/setup-node below.
+    container:
+      image: mcr.microsoft.com/playwright:v1.59.1-noble
+      # Run as root so actions/setup-node cache writes and the Playwright
+      # browser cache write work without permission issues. The Playwright
+      # noble image runs as the `pwuser` non-root user by default.
+      options: --user root
     env:
       # Suppress X11 keyboard configuration warnings
       XKB_DEFAULT_RULES: evdev
@@ -28,60 +40,22 @@ jobs:
           node-version-file: '.nvmrc'
           cache: "npm"
 
-      - name: Cache APT packages
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
-        with:
-          path: /var/cache/apt/archives
-          key: v2-${{ runner.os }}-apt-playwright-${{ hashFiles('.github/workflows/screenshot-analysis.yml') }}
-          restore-keys: |
-            v2-${{ runner.os }}-apt-playwright-
-
-      - name: Setup Screenshot Environment
-        timeout-minutes: 10
-        run: |
-          echo "🔧 Setting up screenshot capture environment..."
-
-          # Install dependencies for Playwright screenshot capture
-          sudo DEBIAN_FRONTEND=noninteractive apt-get update -qq
-          sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
-            xvfb dbus-x11 \
-            libgtk2.0-0 libgtk-3-0 libgbm-dev libgbm1 \
-            libnotify-dev libnss3 libxss1 \
-            libxtst6 xauth \
-            fonts-noto fonts-noto-cjk fonts-noto-cjk-extra \
-            ca-certificates fonts-liberation \
-            libatk-bridge2.0-0 libatk1.0-0 \
-            libcups2 libdbus-1-3 libdrm2 \
-            libnspr4 libx11-xcb1 libxcomposite1 \
-            libxdamage1 libxfixes3 libxrandr2 \
-            libxrender1 libxshmfence1 xdg-utils libxkbcommon0 xkb-data
-
-          # Setup D-Bus
-          sudo mkdir -p /var/run/dbus
-          sudo dbus-daemon --system --fork
-
-          echo "✅ Screenshot environment ready"
-
       - name: Install dependencies
         run: npm ci
 
-      - name: Cache Playwright browsers
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
-        with:
-          path: ~/.cache/ms-playwright
-          key: v2-playwright-${{ runner.os }}-${{ hashFiles('package-lock.json') }}
-          restore-keys: |
-            v2-playwright-${{ runner.os }}-
-
-      - name: Install Playwright
-        timeout-minutes: 20
-        run: npx playwright install chromium --with-deps
-
+      # The mcr.microsoft.com/playwright:v1.59.1-noble image already ships the
+      # browser binaries for Playwright 1.59.1 under /ms-playwright. Because the
+      # image is pinned to the same Playwright version as the `playwright` npm
+      # dep in package.json, we deliberately skip both `playwright install` and
+      # the Playwright browser cache here — they would just re-download what
+      # the image already provides and add network flake.
       - name: Build application
         run: npm run build
 
       - name: Start Xvfb
         run: |
+          # The playwright:noble image ships xvfb. Start it so any screenshot
+          # script that relies on $DISPLAY (e.g. headed Chromium) has a server.
           Xvfb :99 -ac -screen 0 1280x1024x24 +extension GLX +extension RANDR +render -nolisten tcp > /dev/null 2>&1 &
           echo "DISPLAY=:99" >> $GITHUB_ENV
           sleep 2  # Give Xvfb time to start
 
@@ -113,6 +113,23 @@ jobs:
   e2e-tests:
     needs: [prepare, build-validation]
     runs-on: ubuntu-latest
+    # Use Cypress's official browsers image: ships Node + Chrome + Firefox + Edge + Xvfb
+    # + all GTK/NSS/font system libs preinstalled, removing the need for a custom
+    # apt-get + Google Chrome bootstrap step. Node is then normalised to the version
+    # in .nvmrc via actions/setup-node below.
+    container:
+      # Use cypress/browsers:latest — this keeps Chrome/Firefox/Edge/Xvfb on a
+      # rolling release, and `actions/setup-node` below normalises Node to the
+      # major pinned in .nvmrc (currently 26). We deliberately accept the
+      # rolling browser version over digest-pinning because .nvmrc is a Node
+      # major (26), not a patch, so attempting to also pin the container's Node
+      # patch would just be silently overridden by setup-node and create a
+      # misleading impression of full reproducibility.
+      image: cypress/browsers:latest
+      # Run as root so actions/setup-node cache writes and Cypress binary cache
+      # writes work without permission issues. The cypress/browsers image's
+      # default USER is non-root.
+      options: --user root
     # Needs write permissions to upload artifacts
     permissions:
       contents: write # Required to check out code
@@ -126,60 +143,22 @@ jobs:
       XKB_DEFAULT_MODEL: pc105
       XKB_DEFAULT_LAYOUT: us
     steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
-        with:
-          egress-policy: audit
+      # NOTE: step-security/harden-runner does not support container jobs, so it
+      # is intentionally omitted here. Egress hardening for E2E browser traffic
+      # would block legitimate test traffic anyway.
 
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version-file: '.nvmrc'
           cache: "npm"
 
-      - name: Cache APT packages
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
-        with:
-          path: /var/cache/apt/archives
-          key: v2-${{ runner.os }}-apt-chrome-${{ hashFiles('.github/workflows/test-and-report.yml') }}
-          restore-keys: |
-            v2-${{ runner.os }}-apt-chrome-
-
-      - name: Setup Three.js Test Environment
-        timeout-minutes: 10
+      - name: Print browser versions
         run: |
-          echo "🔧 Setting up Three.js test environment with optimized Chrome flags..."
-
-          # Install all required dependencies for E2E testing
-          sudo DEBIAN_FRONTEND=noninteractive apt-get update -qq
-          sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
-            xvfb dbus-x11 graphviz \
-            libgtk2.0-0 libgtk-3-0 libgbm-dev libgbm1 \
-            libnotify-dev libnss3 libxss1 \
-            libxtst6 xauth \
-            fonts-noto fonts-noto-cjk fonts-noto-cjk-extra \
-            ca-certificates fonts-liberation curl gnupg \
-            libatk-bridge2.0-0 libatk1.0-0 \
-            libcups2 libdbus-1-3 libdrm2 \
-            libnspr4 libx11-xcb1 libxcomposite1 \
-            libxdamage1 libxfixes3 libxrandr2 \
-            libxrender1 libxshmfence1 xdg-utils libxkbcommon0 xkb-data
-
-          # Install Chrome for Three.js WebGL support using signed keyring (modern method)
-          curl -fsSL --retry 3 --retry-delay 5 --connect-timeout 30 \
-            https://dl.google.com/linux/linux_signing_key.pub \
-            | sudo gpg --dearmor -o /usr/share/keyrings/google-chrome-keyring.gpg
-          echo "deb [arch=amd64 signed-by=/usr/share/keyrings/google-chrome-keyring.gpg] https://dl.google.com/linux/chrome/deb/ stable main" \
-            | sudo tee /etc/apt/sources.list.d/google-chrome.list > /dev/null
-          sudo DEBIAN_FRONTEND=noninteractive apt-get update -qq
-          sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends google-chrome-stable
-
-          # Setup D-Bus
-          sudo mkdir -p /var/run/dbus
-          sudo dbus-daemon --system --fork
-
-          echo "✅ Three.js test environment ready"
-          google-chrome --version
+          echo "Node: $(node --version)"
+          google-chrome --version || true
+          # cypress/browsers ships Xvfb (used by Cypress's bundled @cypress/xvfb).
+          command -v Xvfb >/dev/null 2>&1 && echo "Xvfb available" || echo "Xvfb missing"
 
       - name: Cache Cypress binary
         uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
@@ -200,13 +179,16 @@ jobs:
           echo "🚀 Starting Three.js E2E test execution at $(date +%T)"
           echo "📊 Configuration:"
           echo "  - Chrome: $(google-chrome --version)"
-          echo "  - Node memory: 4GB heap"
+          echo "  - Node: $(node --version) (memory: 4GB heap)"
           echo "  - Display: $DISPLAY"
           echo "  - Target: 10-12 minute execution"
           echo ""
           START_TIME=$(date +%s) || START_TIME=0
-          # Run tests - xvfb-run handles display setup
-          NODE_OPTIONS="--max-old-space-size=4096" xvfb-run --auto-servernum --server-args="-screen 0 1280x720x24 -ac +extension GLX +extension RANDR +render -nolisten tcp" npm run test:e2e || TEST_EXIT_CODE=$?
+          # cypress/browsers image ships Xvfb but NOT xauth, so the xvfb-run
+          # wrapper fails with "xauth command not found". Cypress's bundled
+          # @cypress/xvfb spawns Xvfb directly (no xauth needed) when DISPLAY
+          # is unset, so we just call npm run test:e2e and let Cypress manage it.
+          NODE_OPTIONS="--max-old-space-size=4096" npm run test:e2e || TEST_EXIT_CODE=$?
           END_TIME=$(date +%s) || END_TIME=$START_TIME
           if [ "$START_TIME" -ne 0 ]; then
             DURATION=$((END_TIME - START_TIME))