Merged
21 changes: 17 additions & 4 deletions .github/actions/get-latest-upstream/action.yml
Expand Up @@ -6,6 +6,10 @@ inputs:
required: false
type: boolean
default: false
version:
description: 'Specific Selenium version or release tag to use, e.g 4.42.1'
required: false
default: ''
gh_cli_token:
description: 'GitHub CLI authentication token'
required: true
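Review bot: The description of the new `version` input does not say what an empty value means or which forms are accepted. The lookup added later in this file matches a bare version, a `selenium-` prefixed tag, or a `selenium-server-<version>.jar` asset name, and the empty default falls through to the latest stable or nightly selection; state both in the description so a caller knows that leaving it blank still floats. The example text also reads `e.g 4.42.1`, which is missing the period after `e.g`.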
Expand All @@ -22,19 +26,28 @@ runs:
shell: bash
env:
AUTHORS: ${{ inputs.authors }}
REQUESTED_VERSION: ${{ inputs.version }}
run: |
sudo apt update
sudo apt install jq
AUTH_HEADER="Authorization: token ${{ inputs.gh_cli_token }}"
if [ "${{ inputs.release }}" = "true" ]; then
RELEASES=$(curl -s -H "$AUTH_HEADER" https://api.github.com/repos/${AUTHORS}/selenium/releases)
if [ -n "${REQUESTED_VERSION}" ]; then
echo "Getting the requested Selenium release: ${REQUESTED_VERSION}"
RELEASE=$(echo "${RELEASES}" | jq -r --arg requested "${REQUESTED_VERSION}" '[.[]? | select(.tag_name == $requested or .tag_name == ("selenium-" + $requested) or ([.assets[]?.name] | index("selenium-server-" + $requested + ".jar")))] | .[0].tag_name')
if [ -z "${RELEASE}" ] || [ "${RELEASE}" = "null" ]; then
echo "Requested Selenium release not found: ${REQUESTED_VERSION}"
exit 1
fi
Comment on lines +34 to +41
Contributor


Action required

2. Requested version lookup incomplete 🐞 Bug ☼ Reliability

get-latest-upstream derives the requested release only from the single JSON payload stored in
RELEASES, so any requested version/tag not present in that payload will hard-fail even if it
exists upstream. This breaks the new “release a specific version” workflow path by making version
selection dependent on what the first fetch happened to include.
Agent Prompt
### Issue description
When `inputs.version` is provided, the composite action only searches within a single `RELEASES=$(curl ... /releases)` response. If the requested release isn’t present in that response, the workflow exits even though the release may exist upstream.

### Issue Context
The action already uses `/releases/tags/${RELEASE}` later to fetch assets, but it doesn’t leverage that endpoint to resolve the requested release tag/version.

### Fix Focus Areas
- .github/actions/get-latest-upstream/action.yml[30-53]

### Implementation notes
- Prefer a direct lookup when a specific version is requested:
  - Try `/releases/tags/$REQUESTED_VERSION` first.
  - If that fails and the input looks like a plain version (e.g. `4.42.1`), try `/releases/tags/selenium-$REQUESTED_VERSION`.
- Only fall back to listing releases (and if you do, loop through pages / handle multiple fetches) if direct tag lookup fails.
- Ensure failures distinguish “not found” vs “API error/rate limit” (e.g., check curl exit code / HTTP status).

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

elif [ "${{ inputs.release }}" = "true" ]; then
echo "Getting the latest stable release."
RELEASE=$(curl -s -H "$AUTH_HEADER" https://api.github.com/repos/${AUTHORS}/selenium/releases | jq -r '[.[]? | select(.prerelease == false)] | .[0].tag_name')
RELEASE=$(echo "${RELEASES}" | jq -r '[.[]? | select(.prerelease == false)] | .[0].tag_name')
else
echo "Getting the latest Nightly release."
RELEASE=$(curl -s -H "$AUTH_HEADER" https://api.github.com/repos/${AUTHORS}/selenium/releases | jq -r '[.[]? | select(.prerelease == true)] | .[0].tag_name' || echo "")
RELEASE=$(echo "${RELEASES}" | jq -r '[.[]? | select(.prerelease == true)] | .[0].tag_name' || echo "")
if [ -z "${RELEASE}" ] || [ "${RELEASE}" = "null" ]; then
echo "Nightly release not found, getting the latest stable release."
RELEASE=$(curl -s -H "$AUTH_HEADER" https://api.github.com/repos/${AUTHORS}/selenium/releases | jq -r '[.[]? | select(.prerelease == false)] | .[0].tag_name')
RELEASE=$(echo "${RELEASES}" | jq -r '[.[]? | select(.prerelease == false)] | .[0].tag_name')
Comment on lines +42 to +50
Contributor


Action required

1. Floating release selection via api 📘 Rule violation ⛨ Security

The CI action selects RELEASE by querying GitHub releases and taking the first stable/nightly
entry, which is a floating (non-pinned) upstream version and makes builds non-reproducible. This
violates the requirement to pin external dependency versions in CI scripts.
Agent Prompt
## Issue description
The action derives `RELEASE` from the upstream GitHub API and selects the latest stable/nightly tag, which is a floating version and makes CI runs non-reproducible.

## Issue Context
Compliance requires CI dependency versions to be explicitly pinned rather than implicitly selecting "latest".

## Fix Focus Areas
- .github/actions/get-latest-upstream/action.yml[42-50]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

fi
fi
jar_file=$(curl -s -H "$AUTH_HEADER" https://api.github.com/repos/${AUTHORS}/selenium/releases/tags/${RELEASE} | jq -r '.assets[] | select(.name | endswith(".jar")) | .name' | tail -n 1)
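Review bot: The added `elif [ "${{ inputs.release }}" = "true" ]` branch still expands an input expression directly into the shell script, while `version` in the same hunk is passed through `env` as `REQUESTED_VERSION`. Expression text is substituted before bash parses the script, so route `release` (and the token used in `AUTH_HEADER`) through `env:` as well and compare a quoted shell variable instead (for example a variable named `RELEASE_INPUT`, a name not in the patch). Separately, the requested-version `select(...)` does not filter on `.prerelease`, and the resolved tag is not echoed in the lines shown, so a match on the jar asset name can yield a tag other than the one typed; log the resolved `RELEASE` before it is used in the `/releases/tags/${RELEASE}` call.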
5 changes: 5 additions & 0 deletions .github/workflows/deploy.yml
Expand Up @@ -8,6 +8,10 @@ on:
required: true
type: string
default: 'true'
version:
description: 'Specific Selenium version or release tag to use, e.g 4.42.1'
required: false
default: ''
release:
description: 'Deploy a new release'
required: false
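Review bot: The new `version` dispatch input has no `type`, unlike the input just above it, which declares `type: string`. Add `type: string` for consistency, and consider an early step that rejects values that do not look like a version or release tag, since this free-text value ends up selecting the upstream release the deploy job uses.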
Expand Down Expand Up @@ -82,6 +86,7 @@ jobs:
uses: ./.github/actions/get-latest-upstream
with:
release: ${{ github.event.inputs.stable || true }}
version: ${{ github.event.inputs.version || '' }}
gh_cli_token: ${{ secrets.GITHUB_TOKEN }}
Comment on lines 86 to 90
Contributor


Action required

3. Build-test ignores requested version 🐞 Bug ≡ Correctness

deploy.yml introduces a version input and uses it only in the deploy job, but the gating
build-test reusable workflow is still invoked without version, so its Docker/Helm tests build
against the latest stable/nightly base instead of the requested one. Since the Makefile uses
BASE_VERSION/BASE_RELEASE to build images, this can validate one upstream Selenium base and then
publish images for a different base.
Agent Prompt
### Issue description
The deploy workflow supports `github.event.inputs.version`, but the gating `build-test` job (and its downstream docker/helm test workflows) doesn’t receive this value. As a result, tests can run against a different Selenium base version than the one being released.

### Issue Context
- `deploy.yml` passes `version` only in the `deploy` job.
- `build-test.yml` only accepts/forwards `release`.
- `docker-test.yml` and `helm-chart-test.yml` call `get-latest-upstream` without `version`.
- The Makefile uses `BASE_VERSION`/`BASE_RELEASE` for base image build args, so this mismatch is meaningful.

### Fix Focus Areas
- .github/workflows/deploy.yml[44-52]
- .github/workflows/build-test.yml[10-20]
- .github/workflows/build-test.yml[72-88]
- .github/workflows/docker-test.yml[220-226]
- .github/workflows/helm-chart-test.yml[179-185]

### Implementation notes
- Add a `version` input to `.github/workflows/build-test.yml` (`workflow_call.inputs`).
- Pass `version: ${{ github.event.inputs.version || '' }}` from `deploy.yml` into the `build-test` job’s `with:`.
- Add a `version` input to the reusable workflows `.github/workflows/docker-test.yml` and `.github/workflows/helm-chart-test.yml` (their `workflow_call.inputs`).
- Forward that `version` into the `get-latest-upstream` step in those workflows (`with: version: ${{ inputs.version || '' }}`).
- Keep the default empty so existing callers remain unaffected.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

authors: ${{ vars.AUTHORS || github.repository_owner }}
- name: Sets build date
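Review bot: `version` is forwarded on the line right after `release: ${{ github.event.inputs.stable || true }}` with no check on how the two combine. In the action, the `-n "${REQUESTED_VERSION}"` test comes before the stable and nightly branches, so a dispatch with `stable` set to false and a version filled in resolves the requested version and skips the nightly branch without saying so. Either fail when both are set or state the precedence in the input description.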
4 changes: 2 additions & 2 deletions .github/workflows/release-preparation.yml
Expand Up @@ -5,14 +5,14 @@ on:
inputs:
grid-version:
required: true
default: '4.37.0'
default: '4.41.0'
type: string
workflow_dispatch:
inputs:
grid-version:
required: true
type: string
default: '4.37.0'
default: '4.41.0'
description: Expected Grid version to update

jobs:
30 changes: 30 additions & 0 deletions charts/selenium-grid/multiple-nodes-platform-version.yaml
Expand Up @@ -13,6 +13,16 @@ crossBrowsers:
hpa:
platformName: 'Linux'
browserVersion: ''
- nameOverride: '{{ $.Release.Name }}-node-chrome-146'
imageTag: '146.0-20260222'
hpa:
platformName: 'Linux'
browserVersion: '146.0'
- nameOverride: '{{ $.Release.Name }}-node-chrome-145'
imageTag: '145.0-20260222'
hpa:
platformName: 'Linux'
browserVersion: '145.0'
- nameOverride: '{{ $.Release.Name }}-node-chrome-144'
imageTag: '144.0-20260222'
hpa:
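Review bot: The new `chrome-146` and `chrome-145` entries reuse the `-20260222` date suffix of the existing `chrome-144` entry in their `imageTag`. Confirm that `146.0-20260222` and `145.0-20260222` are actually published before merging, since a tag that does not exist only surfaces at deploy time as a failed image pull. The same check applies to the Firefox 149/148 and Edge 146/145 entries added further down in this file.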
Expand Down Expand Up @@ -259,6 +269,16 @@ crossBrowsers:
hpa:
platformName: 'Linux'
browserVersion: ''
- nameOverride: '{{ $.Release.Name }}-node-firefox-149'
imageTag: '149.0-20260222'
hpa:
platformName: 'Linux'
browserVersion: '149.0'
- nameOverride: '{{ $.Release.Name }}-node-firefox-148'
imageTag: '148.0-20260222'
hpa:
platformName: 'Linux'
browserVersion: '148.0'
- nameOverride: '{{ $.Release.Name }}-node-firefox-147'
imageTag: '147.0-20260222'
hpa:
Expand Down Expand Up @@ -515,6 +535,16 @@ crossBrowsers:
hpa:
platformName: 'Linux'
browserVersion: ''
- nameOverride: '{{ $.Release.Name }}-node-edge-146'
imageTag: '146.0-20260222'
hpa:
platformName: 'Linux'
browserVersion: '146.0'
- nameOverride: '{{ $.Release.Name }}-node-edge-145'
imageTag: '145.0-20260222'
hpa:
platformName: 'Linux'
browserVersion: '145.0'
- nameOverride: '{{ $.Release.Name }}-node-edge-144'
imageTag: '144.0-20260222'
hpa: