cobalt/build: Push browser test Docker images to registry #9049
Awallky wants to merge 69 commits into youtube:main from
Code Review
This pull request adds functionality to build and push a Docker image for browser tests within the CI/CD pipeline. A critical vulnerability was identified where a service account access token could be exposed in GitHub Actions logs due to set -x tracing combined with printf ${ACCESS_TOKEN}. Additionally, there are areas for improvement regarding shell script safety, robustness of JSON parsing, and maintainability, including an unsafe use of printf, a brittle JSON check, and a hardcoded image name.
/gemini review
Code Review
This pull request introduces a new capability to the upload_test_artifacts action to build and push a Docker image for browser tests. A high-severity command injection vulnerability has been identified in .github/actions/upload_test_artifacts/action.yaml due to direct interpolation of GitHub Action inputs and matrix variables into a shell script, which can lead to arbitrary command execution. This should be remediated by using environment variables. Additionally, the action contains hardcoded values that reduce reusability and a potential correctness issue in the browser test target detection logic.
/gemini review
Code Review
This pull request integrates Docker image building and pushing for browser tests into the CI workflow. However, it introduces a high-severity command injection vulnerability in the internal_tests and on_device_tests actions, as the docker_tag input is directly interpolated into shell scripts instead of being handled safely via environment variables. Additionally, there is a high-severity suggestion to improve authentication with Google Artifact Registry and a medium-severity suggestion to parameterize the Dockerfile path for enhanced action flexibility.
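As an added example that is not code from this PR, the step shape the three reviews above object to, beside a hardened form of the same step. The `docker_tag` input, the `us-west1-docker.pkg.dev` host and the `cobalt-browsertest-runner` image name are taken from this page; the `gcloud auth print-access-token` source of the credential and the PLACEHOLDER_PROJECT/PLACEHOLDER_REPO registry path are assumptions.

```yaml
# Added example (not from the PR). Assumed: an input named docker_tag,
# gcloud as the token source, and a placeholder project/repository path.

# --- Weak form: the two patterns the reviews flagged -----------------------
# 1) ${{ inputs.docker_tag }} is substituted into the script text before bash
#    parses it, so any shell metacharacters in the tag become part of the
#    command line rather than data.
# 2) `set -x` echoes every expanded command, so the printf line writes the
#    access token into the job log.
- name: Build and push (weak)
  shell: bash
  run: |
    set -x
    ACCESS_TOKEN="$(gcloud auth print-access-token)"
    printf '%s' "${ACCESS_TOKEN}" | docker login -u oauth2accesstoken --password-stdin https://us-west1-docker.pkg.dev
    docker build -t us-west1-docker.pkg.dev/PLACEHOLDER_PROJECT/PLACEHOLDER_REPO/cobalt-browsertest-runner:${{ inputs.docker_tag }} .
    docker push us-west1-docker.pkg.dev/PLACEHOLDER_PROJECT/PLACEHOLDER_REPO/cobalt-browsertest-runner:${{ inputs.docker_tag }}

# --- Hardened form ---------------------------------------------------------
# Inputs reach the script only through env:, so bash sees them as variable
# values, never as code; the tag is checked against Docker's tag grammar
# before use; no tracing is enabled while the credential is in flight, and
# the token is never a literal argument, only stdin of docker login.
- name: Build and push (hardened)
  shell: bash
  env:
    DOCKER_TAG: ${{ inputs.docker_tag }}
    IMAGE: us-west1-docker.pkg.dev/PLACEHOLDER_PROJECT/PLACEHOLDER_REPO/cobalt-browsertest-runner
  run: |
    set -euo pipefail
    # Docker tag grammar: [A-Za-z0-9_][A-Za-z0-9_.-]{0,127}
    if ! [[ "${DOCKER_TAG}" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]]; then
      echo "refusing docker_tag that is not a valid image tag" >&2
      exit 1
    fi
    gcloud auth print-access-token \
      | docker login -u oauth2accesstoken --password-stdin https://us-west1-docker.pkg.dev
    docker build -t "${IMAGE}:${DOCKER_TAG}" .
    docker push "${IMAGE}:${DOCKER_TAG}"
```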
.github/workflows/main.yaml (Outdated)
| - name: Parse Test Target JSON | ||
| id: test-target-json | ||
| uses: ./.github/actions/test_targets_json | ||
| - name: Build and Push Browser Test Docker Image |
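Review bot: Scorecard's Pinned-Dependencies warning on this region lands on the new `Build and Push Browser Test Docker Image` step; its body is not shown in this excerpt, but anything it `uses:` from outside the repository, and the base image the Dockerfile pulls, should be pinned to a full commit SHA or an image digest rather than a mutable tag, so the image pushed to the registry is built from inputs that cannot change out from under CI. Local `./.github/actions/...` references such as `test_targets_json` just above are not affected.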
Check warning: Code scanning / Scorecard: Pinned-Dependencies (Medium)
force-pushed 7cdccbd to 493b022
force-pushed 493b022 to af75fb8
force-pushed cc773aa to 9850d00
force-pushed 1bb4bac to fe4451c
| - name: Test Results | ||
| uses: ./.github/actions/process_test_results | ||
| continue-on-error: true | ||
| with: |
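Review bot: `continue-on-error: true` on the `Test Results` step lets a failing results-processing step leave the job green, so a downstream gate that checks `needs.test-results.result == 'failure'` (the `Failed Tests` job in the next hunk) will not see a failure raised by this step. If the intent is that artifact processing may fail without blocking while real test failures must still surface, keep `continue-on-error` on the upload/annotation part only and make the pass/fail decision in a separate step, or export it as a step output that the gate reads.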
Check warning: Code scanning / Scorecard: Pinned-Dependencies (Medium)
| - name: Failed Tests | ||
| if: needs.test-results.result == 'failure' | ||
| if: needs.test-results.result == 'failure' || needs.browser-test-results.result == 'failure' | ||
| run: | |
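Review bot: the widened condition `needs.test-results.result == 'failure' || needs.browser-test-results.result == 'failure'` contains no status check function, and GitHub skips a job whose needed job failed unless the `if` includes one such as `always()` or `failure()`, so the branch that should fire on a failure is never evaluated. Suggest `if: always() && (needs.test-results.result == 'failure' || needs.browser-test-results.result == 'failure')` and confirm `browser-test-results` is listed under this job's `needs:`; when browser tests are not a target that job's result is `skipped`, which correctly does not trip the `||`.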
Check warning: Code scanning / Scorecard: Pinned-Dependencies (Medium)
Enable the browser test runners in CI by building and pushing a specialized Docker image when cobalt_browsertests is a target.

This update:
1. Authenticates with the us-west1 Artifact Registry.
2. Colocates the browser test Dockerfile with its dependencies in the artifacts directory.
3. Builds and pushes the image to: us-west1-docker.pkg.dev/ytlr-image-hosting/integration-test-images/avvall-service-test
4. Uses a unique tag based on the run ID and platform for traceability.

This ensures that the necessary environment is available for downstream on-device or on-host browser test execution.

Bug: 473909877

- Added 'continue-on-error' to browser test results processing in CI.
- Dynamically extract browser test target names in main.yaml and browser_tests action.
- Ensure gateway client explicitly sets result filenames for browser tests.
- Updated unit tests to verify filename and Piper target alignment.

- Added missing 'browser_test_targets' and 'yts_wpt_test_targets' to android-arm64.json.
- Updated browser_tests action to handle empty targets gracefully.
- Improved bash robustness in action.yaml by fixing array usage and unbound variables.

…ture
- Restore '--runtime-deps-path' in 'run_tests.template.py' to fix unit tests.
- Fix argument forwarding and unique XML output in 'run_browser_tests.py'.
- Support both '.tar.gz' and '.tar.zstd' extensions in Dockerfile.
- Encapsulate Linux host execution logic into a dedicated '.github/actions/linux_browser_tests' action.
- Split 'test-results' and 'browser-test-results' jobs to prevent matrix collisions.
- Standardize Docker image naming to 'cobalt-browsertest-runner'.
- Add TODOs and bug references (b/432503432, b/483460300) for disabled tests on Starboard.

- Switched from 'name' to 'pattern' in 'actions/download-artifact' to prevent job failure when artifacts are missing.
- Added 'continue-on-error: true' to the download step for extra robustness.
- Aligned browser test artifact download pattern with standard unit test pattern.

- Added 'continue-on-error: true' to the download step in 'browser-test-results'.
- This prevents downstream processing failures if the browser test job didn't produce artifacts (e.g. due to filtering or infra errors).

- Ensured the xvfb-run command is on a single line to prevent bash interpretation errors from missing line continuations.
force-pushed 75211ab to 190bc58
- Added strict gtest name validation to ignore summary lines.
- Implemented filename sanitization for XML results to support artifact uploads.
- Added temporary user data directories for better process isolation.

- Renamed output files to include the target name ('cobalt_browsertests_runner').
- This ensures the 'print_logs' action glob correctly identifies the files after download.

- Created 'browser-test-on-device' (Android) which no longer waits for unit test Docker images.
- Created 'browser-test-on-host' (Linux) which continues to use the unit test image for its environment.
- This allows Android browser tests to start immediately after the Cobalt build, saving 5-10 minutes per PR run.
force-pushed 015fed8 to 072ae10
- Following the split of browser tests into on-device and on-host jobs, it is now safe to move the 'if' conditions for 'docker-unittest-image' and 'docker-webtest-image' back to the job level.
- Android browser tests no longer depend on these images, so they will not be incorrectly skipped.
Enable the browser test runners in CI by building and pushing a specialized Docker image when cobalt_browsertests is a target.

This update:
1. Authenticates with the us-west1 Artifact Registry.
2. Colocates the browser test Dockerfile with its dependencies in the artifacts directory.
3. Builds and pushes the image to: us-west1-docker.pkg.dev/ytlr-image-hosting/integration-test-images/avvall-service-test
4. Uses a unique tag based on the run ID and platform for traceability.

This ensures that the necessary environment is available for downstream on-device or on-host browser test execution.

Test: vpython3 cobalt/tools/test_on_device_tests_gateway_client.py
Test: vpython3 cobalt/build/test_archive_test_artifacts.py
Test: vpython3 cobalt/testing/browser_tests/tools/test_collect_test_artifacts.py
Test: vpython3 cobalt/testing/browser_tests/test_run_browser_tests.py
Test: vpython3 cobalt/tools/test_on_device_tests_gateway_client.py
Bug: 483488213
Bug: 473909665
Bug: 473909293