
Conversation

@bonigarcia
Member

@bonigarcia bonigarcia commented Nov 11, 2025

User description

🔗 Related Issues

It reverts 2b5da89 and 0e75082.

💥 What does this PR do?

🔧 Implementation Notes

💡 Additional Considerations

🔄 Types of changes

  • Cleanup (formatting, renaming)

PR Type

Other


Description

  • Reverts PR workflow changes to mirror update process

  • Removes PR creation step, restores direct push to trunk

  • Simplifies commit message to use dynamic date

  • Restores mirror data for selenium-4.11.0 and 4.10.0


Diagram Walkthrough

flowchart LR
  A["Mirror Workflow"] -->|Remove PR Creation| B["Direct Push to Trunk"]
  A -->|Simplify Date Handling| C["Dynamic Date in Commit"]
  D["Mirror Data"] -->|Restore Versions| E["selenium-4.11.0 & 4.10.0"]

File Walkthrough

Relevant files
Configuration changes
mirror-selenium-releases.yml
Revert to direct push workflow without PR creation

.github/workflows/mirror-selenium-releases.yml

  • Removes the "Set current date" step that exported DATE environment
    variable
  • Changes commit message from using ${{ env.DATE }} to dynamic date
    command
  • Replaces "Create PR" step using peter-evans/create-pull-request with
    direct push using ad-m/github-push-action
  • Removes PR-related configuration (title, body, branch, reviewers,
    labels)
+5/-21
Miscellaneous
selenium
Restore selenium 4.11.0 and 4.10.0 mirror data

common/mirror/selenium

  • Adds mirror data for selenium-4.11.0 release with 7 asset download
    URLs
  • Adds mirror data for selenium-4.10.0 release with 7 asset download
    URLs
  • Restores previously removed release information
+52/-0

@bonigarcia bonigarcia merged commit bdb33cf into trunk Nov 11, 2025
13 checks passed
@bonigarcia bonigarcia deleted the ci_revert_mirror branch November 11, 2025 16:21
@selenium-ci selenium-ci added the B-build Includes scripting, bazel and CI integrations label Nov 11, 2025
@qodo-code-review
Contributor

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
Insecure CI token usage

Description: The workflow pushes directly to the repository using a long-lived secret
secrets.SELENIUM_CI_TOKEN via a third-party action ad-m/github-push-action@master,
increasing risk of token misuse or supply-chain attack; prefer GITHUB_TOKEN with least
privileges or a pinned commit.
mirror-selenium-releases.yml [21-38]

Referred Code
    curl -H "Authorization: ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/SeleniumHQ/selenium/releases | jq "$JQ_FILTER" > selenium
- name: Commit files
  id: git
  run: |
    export CHANGES=$(git status -s)
    if [ -n "$CHANGES" ]; then
      git config --local user.email "selenium-ci@users.noreply.github.com"
      git config --local user.name "Selenium CI Bot"
      git add common/mirror/selenium
      git commit -m "Update mirror info (`date`)" -a
      echo "::set-output name=commit::true"
    fi
- name: Push changes
  if: steps.git.outputs.commit == 'true'
  uses: ad-m/github-push-action@master
  with:
    github_token: ${{ secrets.SELENIUM_CI_TOKEN }}
    branch: ${{ github.ref }}
Ticket Compliance
🟡
🎫 #1234
🔴 Ensure Firefox triggers JavaScript in link href on click() as it did in 2.47.1, addressing
regressions seen in 2.48.x.
Provide validation or tests confirming alert/dialog behavior matches expected behavior on
affected Firefox versions.
🟡
🎫 #5678
🔴 Investigate and fix intermittent "Error: ConnectFailure (Connection refused)" when
instantiating multiple ChromeDriver instances on Ubuntu with Chrome 65/ChromeDriver 2.35
and Selenium 3.9.0.
Add diagnostics or retries to stabilize subsequent ChromeDriver instantiations and
document the resolution.
Codebase Duplication Compliance
Codebase context is not defined


Custom Compliance
🟢
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed


Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed


Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
Action Logging: The workflow performs network calls and commits without explicit audit logging of who/what
performed actions beyond default GitHub Actions metadata, which may or may not satisfy
required audit trail depth.

Referred Code
- name: Read api.github.com and filter response
  run: |
    cd common/mirror
    export JQ_FILTER="[.[] | {tag_name: .tag_name, assets: [.assets[] | {browser_download_url: .browser_download_url} ] } ]"
    curl -H "Authorization: ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/SeleniumHQ/selenium/releases | jq "$JQ_FILTER" > selenium
- name: Commit files
  id: git
  run: |
    export CHANGES=$(git status -s)
    if [ -n "$CHANGES" ]; then
      git config --local user.email "selenium-ci@users.noreply.github.com"
      git config --local user.name "Selenium CI Bot"
      git add common/mirror/selenium
      git commit -m "Update mirror info (`date`)" -a
      echo "::set-output name=commit::true"
    fi
- name: Push changes
  if: steps.git.outputs.commit == 'true'
  uses: ad-m/github-push-action@master
  with:
    github_token: ${{ secrets.SELENIUM_CI_TOKEN }}


 ... (clipped 1 lines)


Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
Missing Error Handling: Steps like curl/jq parsing and git operations lack explicit failure handling or retries,
relying on default shell behavior which may not provide contextual errors or handle edge
cases.

Referred Code
- name: Read api.github.com and filter response
  run: |
    cd common/mirror
    export JQ_FILTER="[.[] | {tag_name: .tag_name, assets: [.assets[] | {browser_download_url: .browser_download_url} ] } ]"
    curl -H "Authorization: ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/SeleniumHQ/selenium/releases | jq "$JQ_FILTER" > selenium
- name: Commit files
  id: git
  run: |
    export CHANGES=$(git status -s)
    if [ -n "$CHANGES" ]; then
      git config --local user.email "selenium-ci@users.noreply.github.com"
      git config --local user.name "Selenium CI Bot"
      git add common/mirror/selenium
      git commit -m "Update mirror info (`date`)" -a
      echo "::set-output name=commit::true"


Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status:
Token Exposure Risk: The workflow uses secrets in curl headers and a push action without explicit masking or
redaction steps, depending on GitHub’s default masking which may be insufficient if
commands echo or fail verbosely.

Referred Code
    curl -H "Authorization: ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/SeleniumHQ/selenium/releases | jq "$JQ_FILTER" > selenium
- name: Commit files
  id: git
  run: |
    export CHANGES=$(git status -s)
    if [ -n "$CHANGES" ]; then
      git config --local user.email "selenium-ci@users.noreply.github.com"
      git config --local user.name "Selenium CI Bot"
      git add common/mirror/selenium
      git commit -m "Update mirror info (`date`)" -a
      echo "::set-output name=commit::true"
    fi
- name: Push changes
  if: steps.git.outputs.commit == 'true'
  uses: ad-m/github-push-action@master
  with:
    github_token: ${{ secrets.SELENIUM_CI_TOKEN }}


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Unvalidated Input: The workflow ingests data from api.github.com and writes it to a file without validating
or sanitizing the structure or handling malformed responses beyond jq filtering.

Referred Code
- name: Read api.github.com and filter response
  run: |
    cd common/mirror
    export JQ_FILTER="[.[] | {tag_name: .tag_name, assets: [.assets[] | {browser_download_url: .browser_download_url} ] } ]"
    curl -H "Authorization: ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/SeleniumHQ/selenium/releases | jq "$JQ_FILTER" > selenium
- name: Commit files
  id: git


Compliance status legend
🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
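
Two of the checks above (Robust Error Handling and Security-First Input Validation) flag that whatever api.github.com returns is piped through jq and written straight into common/mirror/selenium, so an error body or an empty array would be committed as mirror data. The following is an added example, not code from the PR or from the Selenium workflow: a Python equivalent of the workflow's JQ_FILTER that refuses to produce mirror data from an empty, error-shaped or malformed payload. The GitHub-only host list and the selenium- tag prefix are assumptions, and the sample response is constructed.

```python
"""Filter a GitHub Releases API payload into the shape the mirror workflow's
jq filter produces, but reject empty or malformed responses instead of
silently committing them."""
import json
from urllib.parse import urlparse

# The workflow's own filter, for comparison:
# [.[] | {tag_name: .tag_name, assets: [.assets[] | {browser_download_url: .browser_download_url}]}]
# Assumption: mirror entries should only ever point at GitHub-hosted assets.
ALLOWED_HOSTS = {"github.com"}
TAG_PREFIX = "selenium-"  # assumption: every mirrored release is tagged selenium-X.Y.Z


class MirrorDataError(ValueError):
    """Raised when the payload must not be written to common/mirror/selenium."""


def filter_releases(payload):
    """Return [{"tag_name": ..., "assets": [{"browser_download_url": ...}]}, ...]."""
    # On auth or rate-limit failures the API returns an object such as
    # {"message": "Bad credentials"}; jq would choke on .[] with an opaque error,
    # while a plain list check gives a clear message and also catches an empty array.
    if not isinstance(payload, list) or not payload:
        raise MirrorDataError("expected a non-empty JSON array of releases")
    releases = []
    for i, rel in enumerate(payload):
        tag = rel.get("tag_name") if isinstance(rel, dict) else None
        if not isinstance(tag, str) or not tag.startswith(TAG_PREFIX):
            raise MirrorDataError(f"release #{i}: unexpected tag_name {tag!r}")
        assets = rel.get("assets")
        if not isinstance(assets, list):
            raise MirrorDataError(f"{tag}: assets is not a list")
        urls = []
        for a in assets:
            url = a.get("browser_download_url") if isinstance(a, dict) else None
            parts = urlparse(url) if isinstance(url, str) else None
            if parts is None or parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
                raise MirrorDataError(f"{tag}: rejected asset URL {url!r}")
            urls.append({"browser_download_url": url})
        releases.append({"tag_name": tag, "assets": urls})
    return releases


def load_releases(raw_json):
    """Parse the raw API body; invalid JSON raises json.JSONDecodeError so the step fails loudly."""
    return filter_releases(json.loads(raw_json))


def reject_reason(payload):
    """None if the payload is acceptable, otherwise the error message."""
    try:
        filter_releases(payload)
    except MirrorDataError as exc:
        return str(exc)
    return None


# Constructed sample response in the shape api.github.com returns; asset names are made up.
SAMPLE_RESPONSE = json.dumps([
    {"tag_name": "selenium-4.11.0", "assets": [
        {"browser_download_url": "https://github.com/SeleniumHQ/selenium/releases/download/selenium-4.11.0/selenium-server-4.11.0.jar"},
        {"browser_download_url": "https://github.com/SeleniumHQ/selenium/releases/download/selenium-4.11.0/selenium-java-4.11.0.zip"}]},
    {"tag_name": "selenium-4.10.0", "assets": []},
])

if __name__ == "__main__":
    print(json.dumps(load_releases(SAMPLE_RESPONSE), indent=2))
```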

@qodo-code-review
Contributor

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
Insecure token usage

Description: The workflow pushes directly to the repository using a long-lived secret
secrets.SELENIUM_CI_TOKEN with a third-party action (ad-m/github-push-action@master),
which increases risk of token misuse or supply-chain compromise compared to using the
ephemeral GITHUB_TOKEN.
mirror-selenium-releases.yml [21-38]

Referred Code
    curl -H "Authorization: ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/SeleniumHQ/selenium/releases | jq "$JQ_FILTER" > selenium
- name: Commit files
  id: git
  run: |
    export CHANGES=$(git status -s)
    if [ -n "$CHANGES" ]; then
      git config --local user.email "selenium-ci@users.noreply.github.com"
      git config --local user.name "Selenium CI Bot"
      git add common/mirror/selenium
      git commit -m "Update mirror info (`date`)" -a
      echo "::set-output name=commit::true"
    fi
- name: Push changes
  if: steps.git.outputs.commit == 'true'
  uses: ad-m/github-push-action@master
  with:
    github_token: ${{ secrets.SELENIUM_CI_TOKEN }}
    branch: ${{ github.ref }}
Unpinned GitHub Action

Description: The workflow uses ad-m/github-push-action@master, pinning to a mutable branch instead of a
specific commit or version, exposing the workflow to supply-chain attacks if the action
changes maliciously.
mirror-selenium-releases.yml [35-35]

Referred Code
uses: ad-m/github-push-action@master
with:
Ticket Compliance
🟡
🎫 #1234
🔴 Ensure clicking links with javascript in href triggers expected JS execution in Firefox 42
when using Selenium 2.48.x (regression from 2.47.1).
Provide tests or verification that alerts are triggered as expected when clicking such
links.
🟡
🎫 #5678
🔴 Diagnose and fix repeated "ConnectFailure (Connection refused)" when instantiating
multiple ChromeDriver instances on Ubuntu with specified versions.
Add documentation or guidance if configuration changes are required to avoid the error.
Codebase Duplication Compliance
Codebase context is not defined


Custom Compliance
🟢
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed


Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed


🔴
Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status:
Secrets exposure risk: The curl command passes Authorization header and the push action uses tokens without
explicitly masking or preventing echoing, risking token exposure in logs if commands are
echoed or errors print headers.

Referred Code
    curl -H "Authorization: ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/SeleniumHQ/selenium/releases | jq "$JQ_FILTER" > selenium
- name: Commit files
  id: git
  run: |
    export CHANGES=$(git status -s)
    if [ -n "$CHANGES" ]; then
      git config --local user.email "selenium-ci@users.noreply.github.com"
      git config --local user.name "Selenium CI Bot"
      git add common/mirror/selenium
      git commit -m "Update mirror info (`date`)" -a
      echo "::set-output name=commit::true"
    fi
- name: Push changes
  if: steps.git.outputs.commit == 'true'
  uses: ad-m/github-push-action@master
  with:
    github_token: ${{ secrets.SELENIUM_CI_TOKEN }}


Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
Missing auditing: The workflow performs network reads and commits/pushes changes but adds no explicit audit
logging of who performed actions or outcomes beyond default GitHub logs.

Referred Code
- name: Read api.github.com and filter response
  run: |
    cd common/mirror
    export JQ_FILTER="[.[] | {tag_name: .tag_name, assets: [.assets[] | {browser_download_url: .browser_download_url} ] } ]"
    curl -H "Authorization: ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/SeleniumHQ/selenium/releases | jq "$JQ_FILTER" > selenium
- name: Commit files
  id: git
  run: |
    export CHANGES=$(git status -s)
    if [ -n "$CHANGES" ]; then
      git config --local user.email "selenium-ci@users.noreply.github.com"
      git config --local user.name "Selenium CI Bot"
      git add common/mirror/selenium
      git commit -m "Update mirror info (`date`)" -a
      echo "::set-output name=commit::true"
    fi
- name: Push changes
  if: steps.git.outputs.commit == 'true'
  uses: ad-m/github-push-action@master
  with:
    github_token: ${{ secrets.SELENIUM_CI_TOKEN }}


 ... (clipped 1 lines)


Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
No error handling: Shell steps (curl/jq/git/push) lack explicit error handling or set -e/conditional checks
to handle failures and provide actionable messages.

Referred Code
- name: Read api.github.com and filter response
  run: |
    cd common/mirror
    export JQ_FILTER="[.[] | {tag_name: .tag_name, assets: [.assets[] | {browser_download_url: .browser_download_url} ] } ]"
    curl -H "Authorization: ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/SeleniumHQ/selenium/releases | jq "$JQ_FILTER" > selenium
- name: Commit files
  id: git
  run: |
    export CHANGES=$(git status -s)
    if [ -n "$CHANGES" ]; then
      git config --local user.email "selenium-ci@users.noreply.github.com"
      git config --local user.name "Selenium CI Bot"
      git add common/mirror/selenium
      git commit -m "Update mirror info (`date`)" -a
      echo "::set-output name=commit::true"
    fi
- name: Push changes
  if: steps.git.outputs.commit == 'true'
  uses: ad-m/github-push-action@master
  with:
    github_token: ${{ secrets.SELENIUM_CI_TOKEN }}


 ... (clipped 1 lines)


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Unvalidated input: External data from api.github.com is ingested and written without validation or checks
(e.g., jq errors, empty responses), which may lead to incorrect artifacts being committed.

Referred Code
- name: Read api.github.com and filter response
  run: |
    cd common/mirror
    export JQ_FILTER="[.[] | {tag_name: .tag_name, assets: [.assets[] | {browser_download_url: .browser_download_url} ] } ]"
    curl -H "Authorization: ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/SeleniumHQ/selenium/releases | jq "$JQ_FILTER" > selenium
- name: Commit files
  id: git
  run: |
    export CHANGES=$(git status -s)
    if [ -n "$CHANGES" ]; then
      git config --local user.email "selenium-ci@users.noreply.github.com"
      git config --local user.name "Selenium CI Bot"
      git add common/mirror/selenium
      git commit -m "Update mirror info (`date`)" -a
      echo "::set-output name=commit::true"


Compliance status legend
🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

@qodo-code-review
Contributor

PR Code Suggestions ✨

Explore these optional code suggestions:

Category    Suggestion    Impact
High-level
Reconsider abandoning the PR-based workflow

The PR replaces a pull-request-based workflow with a direct push for automated
mirror updates. It is suggested to retain the PR-based approach for safety and
reviewability, and instead fix any underlying issues with the
create-pull-request action.

Examples:

.github/workflows/mirror-selenium-releases.yml [33-38]
    - name: Push changes
      if: steps.git.outputs.commit == 'true'
      uses: ad-m/github-push-action@master
      with:
        github_token: ${{ secrets.SELENIUM_CI_TOKEN }}
        branch: ${{ github.ref }}

Solution Walkthrough:

Before:

# .github/workflows/mirror-selenium-releases.yml
...
    - name: Push changes
      if: steps.git.outputs.commit == 'true'
      uses: ad-m/github-push-action@master
      with:
        github_token: ${{ secrets.SELENIUM_CI_TOKEN }}
        branch: ${{ github.ref }}

After:

# .github/workflows/mirror-selenium-releases.yml
...
    - name: Create PR
      if: steps.git.outputs.commit == 'true'
      uses: peter-evans/create-pull-request@v6
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: "Update mirror info"
        title: "[ci] Update mirror info"
        body: |
          Automated update of `common/mirror/selenium`.
        branch: ci/mirror-selenium-releases
        base: trunk
        reviewers: bonigarcia
Suggestion importance[1-10]: 9


Why: The suggestion correctly identifies that the PR removes a PR-based workflow, and rightly points out that this eliminates a crucial safety and review gate for automated changes, which is a significant process regression.

High
Security
Pin action to a specific version

To improve workflow stability and security, pin the ad-m/github-push-action to a
specific version (e.g., @v0.8.0) instead of using the volatile @master branch.

.github/workflows/mirror-selenium-releases.yml [33-38]

 - name: Push changes
   if: steps.git.outputs.commit == 'true'
-  uses: ad-m/github-push-action@master
+  uses: ad-m/github-push-action@v0.8.0
   with:
     github_token: ${{ secrets.SELENIUM_CI_TOKEN }}
     branch: ${{ github.ref }}
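Review bot: a tag such as @v0.8.0 (the `+  uses: ad-m/github-push-action@v0.8.0` line) is still a mutable ref that anyone with write access to that repository can move, so it narrows the window but does not close the supply-chain exposure the compliance check describes, which itself asks for a pinned commit. Pin to the full 40-character commit SHA of that release and keep the version as a trailing comment, e.g. `uses: ad-m/github-push-action@<commit-sha>  # v0.8.0`, so the intended version stays readable while the resolved code cannot change underneath the workflow.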
Suggestion importance[1-10]: 9


Why: The suggestion correctly identifies a security and reliability risk by using @master for a GitHub Action and proposes the best practice of pinning to a specific version, which prevents unexpected workflow failures or vulnerabilities.

High
General
Use a standardized date format

Revert the commit message's date format to the standardized ISO 8601 format
(date -u +'%Y-%m-%dT%H:%M:%SZ') to ensure consistent and readable commit history
across different environments.

.github/workflows/mirror-selenium-releases.yml [30]

-git commit -m "Update mirror info (`date`)" -a
+git commit -m "Update mirror info ($(date -u +'%Y-%m-%dT%H:%M:%SZ'))" -a
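Review bot: the `-a` flag on `git commit`, kept on both lines, stages every tracked file that changed in the checkout, not only the common/mirror/selenium path that the preceding `git add common/mirror/selenium` selected, so any unexpected modification elsewhere in the tree would ride into the commit and be pushed to trunk without review. Drop `-a` and let the explicit `git add` decide what is committed; the move from backticks to `$(date -u +'%Y-%m-%dT%H:%M:%SZ')` is fine, and `-u` is what actually makes the timestamp independent of the runner's time zone.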
Suggestion importance[1-10]: 7


Why: The suggestion correctly points out that the PR replaced a standardized date format with a non-standard one, and reverting this change would improve the consistency and readability of commit messages.

Medium
Learned
best practice
Validate required push inputs

Validate that required secrets and branch ref are present before pushing, and
fail with a clear message if missing.

.github/workflows/mirror-selenium-releases.yml [33-38]

+- name: Validate push inputs
+  if: steps.git.outputs.commit == 'true'
+  run: |
+    test -n "${{ secrets.SELENIUM_CI_TOKEN }}" || { echo "Missing SELENIUM_CI_TOKEN secret"; exit 1; }
+    test -n "${{ github.ref }}" || { echo "Missing github.ref"; exit 1; }
 - name: Push changes
   if: steps.git.outputs.commit == 'true'
   uses: ad-m/github-push-action@master
   with:
     github_token: ${{ secrets.SELENIUM_CI_TOKEN }}
     branch: ${{ github.ref }}
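Review bot: the two added `test -n "${{ secrets.SELENIUM_CI_TOKEN }}"` and `test -n "${{ github.ref }}"` lines expand the secret and the ref into the script text before the shell runs it, which is the same pattern the Secure Logging check already flagged for the curl header: if the step is echoed or fails verbosely the rendered script, not just the masked log, carries the value. Pass the token through `env:` (`SELENIUM_CI_TOKEN: ${{ secrets.SELENIUM_CI_TOKEN }}`) and test `"$SELENIUM_CI_TOKEN"` instead, and use the runner-provided `"$GITHUB_REF"` for the ref; the `with:` inputs on the push step can stay as they are, since action inputs are the intended way to hand a token to an action.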
Suggestion importance[1-10]: 6


Why:
Relevant best practice - Guard external API and I/O operations with validation and clear errors to avoid silent failures.

Low
  • More
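
The "Pin action to a specific version" and "Validate required push inputs" suggestions above both come down to how the workflow references actions and secrets. As an added example (not code from the PR or the Selenium project), here is a small line-oriented linter that flags a `uses:` reference that is not a full commit SHA (a tag such as @v0.8.0 is mutable too, so it is flagged as well, in line with GitHub's own hardening guidance to pin to a SHA) and any ${{ secrets.* }} or ${{ github.* }} expression expanded inside a run: script, while leaving `with:` inputs alone since that is the intended way to hand a token to an action. The sample workflow is constructed from the steps quoted in the review, with a made-up checkout SHA.

```python
"""Lint a GitHub Actions workflow for two weaknesses raised in this PR's review:
a `uses:` reference pinned to a mutable ref (branch or tag) instead of a full
commit SHA, and a ${{ secrets.* }} / ${{ github.* }} expression expanded inside
a run: script. Line-oriented, so no YAML library is needed."""
import re

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
RUN_RE = re.compile(r"^\s*-?\s*run:\s*(.*)$")
EXPR_RE = re.compile(r"\$\{\{\s*(?:secrets|github)\.[\w.-]+\s*\}\}")


def lint_workflow(text):
    """Return [(line_no, rule, detail), ...] for every finding in the workflow text."""
    findings = []
    in_run, run_indent = False, -1
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        # A block scalar (run: |) ends at the first non-blank line that is not
        # indented deeper than the run: key itself.
        if in_run and stripped and indent <= run_indent:
            in_run = False
        if in_run:
            for m in EXPR_RE.finditer(line):
                findings.append((n, "expression-in-run", m.group(0)))
            continue
        m = USES_RE.match(line)
        if m:
            action, ref = m.groups()
            if not SHA_RE.match(ref):  # branch names and tags can be moved
                findings.append((n, "unpinned-action", f"{action}@{ref}"))
            continue
        m = RUN_RE.match(line)
        if m:
            if m.group(1).strip() in ("|", "|-", "|+", ">", ">-"):
                in_run, run_indent = True, line.index("run:")
            else:  # single-line run: check the command itself
                for e in EXPR_RE.finditer(m.group(1)):
                    findings.append((n, "expression-in-run", e.group(0)))
    return findings


# Constructed sample modelled on the steps quoted in the review; the checkout
# SHA is a made-up 40-hex value standing in for a real pinned commit.
SAMPLE_WORKFLOW = """\
jobs:
  mirror:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # constructed SHA
    - name: Read api.github.com and filter response
      run: |
        cd common/mirror
        curl -H "Authorization: ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/SeleniumHQ/selenium/releases | jq "$JQ_FILTER" > selenium
    - name: Push changes
      if: steps.git.outputs.commit == 'true'
      uses: ad-m/github-push-action@master
      with:
        github_token: ${{ secrets.SELENIUM_CI_TOKEN }}
        branch: ${{ github.ref }}
"""

if __name__ == "__main__":
    for line_no, rule, detail in lint_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {rule}: {detail}")
```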


Labels

B-build Includes scripting, bazel and CI integrations Review effort 2/5
