Propagate changes from development into feature/beta-release #637
Wikid82 merged 4 commits into feature/beta-release from development
fix: Firefox Caddy import compatibility and cross-browser test coverage
…execution based on Docker build success
Propagate changes from main into development
Pull request overview
This automated PR propagates changes from the development branch into feature/beta-release, primarily updating CI/CD workflows and bumping the version number.
Changes:
- Version bump from v0.16.13 to v0.17.0
- Removal of `pull_request` trigger from integration test workflows (WAF, rate-limit, CrowdSec, Cerberus, and E2E tests)
- Simplification of workflow conditional logic to only run on successful `workflow_run` or manual `workflow_dispatch` triggers
- Updates to image tag determination logic to remove PR-specific handling from `workflow_run` triggers
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| .version | Version bump from v0.16.13 to v0.17.0 |
| .github/workflows/waf-integration.yml | Removed pull_request trigger; added duplicate "Determine image tag" step (bug) |
| .github/workflows/rate-limit-integration.yml | Removed pull_request trigger; added duplicate "Determine image tag" step (bug) |
| .github/workflows/e2e-tests.yml | Removed pull_request trigger; simplified image tag determination logic |
| .github/workflows/crowdsec-integration.yml | Removed pull_request trigger; added multiple duplicate steps and incomplete fallback logic (bugs) |
| .github/workflows/cerberus-integration.yml | Removed pull_request trigger; added duplicate "Determine image tag" step (bug) |
| - name: Determine image tag | ||
| id: image | ||
| env: | ||
| EVENT: ${{ github.event.workflow_run.event }} | ||
| REF: ${{ github.event.workflow_run.head_branch }} | ||
| SHA: ${{ github.event.workflow_run.head_sha }} | ||
| MANUAL_TAG: ${{ inputs.image_tag }} | ||
| run: | | ||
| # Manual trigger uses provided tag | ||
| if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then | ||
| if [[ -n "$MANUAL_TAG" ]]; then | ||
| echo "tag=${MANUAL_TAG}" >> $GITHUB_OUTPUT | ||
| else | ||
| # Default to latest if no tag provided | ||
| echo "tag=latest" >> $GITHUB_OUTPUT | ||
| fi | ||
| echo "source_type=manual" >> $GITHUB_OUTPUT | ||
| exit 0 | ||
| fi | ||
|
|
||
| # Extract 7-character short SHA | ||
| SHORT_SHA=$(echo "$SHA" | cut -c1-7) | ||
|
|
||
| if [[ "$EVENT" == "pull_request" ]]; then | ||
| # Use native pull_requests array (no API calls needed) | ||
| PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number') | ||
|
|
||
| if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then | ||
| echo "❌ ERROR: Could not determine PR number" | ||
| echo "Event: $EVENT" | ||
| echo "Ref: $REF" | ||
| echo "SHA: $SHA" | ||
| echo "Pull Requests JSON: ${{ toJson(github.event.workflow_run.pull_requests) }}" | ||
| exit 1 | ||
| fi | ||
|
|
||
| # Immutable tag with SHA suffix prevents race conditions | ||
| echo "tag=pr-${PR_NUM}-${SHORT_SHA}" >> $GITHUB_OUTPUT | ||
| echo "source_type=pr" >> $GITHUB_OUTPUT | ||
| else | ||
| # Branch push: sanitize branch name and append SHA | ||
| # Sanitization: lowercase, replace / with -, remove special chars | ||
| SANITIZED=$(echo "$REF" | \ | ||
| tr '[:upper:]' '[:lower:]' | \ | ||
| tr '/' '-' | \ | ||
| sed 's/[^a-z0-9-._]/-/g' | \ | ||
| sed 's/^-//; s/-$//' | \ | ||
| sed 's/--*/-/g' | \ | ||
| cut -c1-121) # Leave room for -SHORT_SHA (7 chars) | ||
|
|
||
| echo "tag=${SANITIZED}-${SHORT_SHA}" >> $GITHUB_OUTPUT | ||
| echo "source_type=branch" >> $GITHUB_OUTPUT | ||
| fi | ||
|
|
||
| echo "sha=${SHORT_SHA}" >> $GITHUB_OUTPUT | ||
| echo "Determined image tag: $(cat $GITHUB_OUTPUT | grep tag=)" | ||
|
|
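Review bot: the bracket expression in `sed 's/[^a-z0-9-._]/-/g'` puts the hyphen between the `0-9` range and `.`, which GNU sed rejects as an invalid range end. Because that sed sits in the middle of the pipeline feeding `SANITIZED=$(...)`, the failure is masked unless the shell runs with `pipefail`: `SANITIZED` comes out empty and the step emits `tag=-<sha>`, which is not a valid image tag. Move the hyphen to the end of the class (`[^a-z0-9._-]`), and swap the order of the last two seds so `s/--*/-/g` runs before `s/^-//; s/-$//`, since `--foo` currently trims to `-foo` and still begins with a hyphen.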
This workflow contains a duplicate "Determine image tag" step with the same id image. The first instance appears at line 37 (from the original file) and this duplicate was added at line 98 in the diff. This will cause the second step to overwrite the outputs of the first step, making the first step's execution pointless and potentially breaking the workflow logic that depends on steps.image.outputs.
The duplicate step should be removed. Based on the diff context, it appears the intention was to update the existing step (lines 37-94), not add a second one.
| - name: Determine image tag | |
| id: image | |
| env: | |
| EVENT: ${{ github.event.workflow_run.event }} | |
| REF: ${{ github.event.workflow_run.head_branch }} | |
| SHA: ${{ github.event.workflow_run.head_sha }} | |
| MANUAL_TAG: ${{ inputs.image_tag }} | |
| run: | | |
| # Manual trigger uses provided tag | |
| if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then | |
| if [[ -n "$MANUAL_TAG" ]]; then | |
| echo "tag=${MANUAL_TAG}" >> $GITHUB_OUTPUT | |
| else | |
| # Default to latest if no tag provided | |
| echo "tag=latest" >> $GITHUB_OUTPUT | |
| fi | |
| echo "source_type=manual" >> $GITHUB_OUTPUT | |
| exit 0 | |
| fi | |
| # Extract 7-character short SHA | |
| SHORT_SHA=$(echo "$SHA" | cut -c1-7) | |
| if [[ "$EVENT" == "pull_request" ]]; then | |
| # Use native pull_requests array (no API calls needed) | |
| PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number') | |
| if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then | |
| echo "❌ ERROR: Could not determine PR number" | |
| echo "Event: $EVENT" | |
| echo "Ref: $REF" | |
| echo "SHA: $SHA" | |
| echo "Pull Requests JSON: ${{ toJson(github.event.workflow_run.pull_requests) }}" | |
| exit 1 | |
| fi | |
| # Immutable tag with SHA suffix prevents race conditions | |
| echo "tag=pr-${PR_NUM}-${SHORT_SHA}" >> $GITHUB_OUTPUT | |
| echo "source_type=pr" >> $GITHUB_OUTPUT | |
| else | |
| # Branch push: sanitize branch name and append SHA | |
| # Sanitization: lowercase, replace / with -, remove special chars | |
| SANITIZED=$(echo "$REF" | \ | |
| tr '[:upper:]' '[:lower:]' | \ | |
| tr '/' '-' | \ | |
| sed 's/[^a-z0-9-._]/-/g' | \ | |
| sed 's/^-//; s/-$//' | \ | |
| sed 's/--*/-/g' | \ | |
| cut -c1-121) # Leave room for -SHORT_SHA (7 chars) | |
| echo "tag=${SANITIZED}-${SHORT_SHA}" >> $GITHUB_OUTPUT | |
| echo "source_type=branch" >> $GITHUB_OUTPUT | |
| fi | |
| echo "sha=${SHORT_SHA}" >> $GITHUB_OUTPUT | |
| echo "Determined image tag: $(cat $GITHUB_OUTPUT | grep tag=)" |
| - name: Determine image tag | ||
| id: image | ||
| env: | ||
| EVENT: ${{ github.event.workflow_run.event }} | ||
| REF: ${{ github.event.workflow_run.head_branch }} | ||
| SHA: ${{ github.event.workflow_run.head_sha }} | ||
| MANUAL_TAG: ${{ inputs.image_tag }} | ||
| run: | | ||
| # Manual trigger uses provided tag | ||
| if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then | ||
| if [[ -n "$MANUAL_TAG" ]]; then | ||
| echo "tag=${MANUAL_TAG}" >> $GITHUB_OUTPUT | ||
| else | ||
| # Default to latest if no tag provided | ||
| echo "tag=latest" >> $GITHUB_OUTPUT | ||
| fi | ||
| echo "source_type=manual" >> $GITHUB_OUTPUT | ||
| exit 0 | ||
| fi | ||
|
|
||
| # Extract 7-character short SHA | ||
| SHORT_SHA=$(echo "$SHA" | cut -c1-7) | ||
|
|
||
| if [[ "$EVENT" == "pull_request" ]]; then | ||
| # Use native pull_requests array (no API calls needed) | ||
| PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number') | ||
|
|
||
| if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then | ||
| echo "❌ ERROR: Could not determine PR number" | ||
| echo "Event: $EVENT" | ||
| echo "Ref: $REF" | ||
| echo "SHA: $SHA" | ||
| echo "Pull Requests JSON: ${{ toJson(github.event.workflow_run.pull_requests) }}" | ||
| exit 1 | ||
| fi | ||
|
|
||
| # Immutable tag with SHA suffix prevents race conditions | ||
| echo "tag=pr-${PR_NUM}-${SHORT_SHA}" >> $GITHUB_OUTPUT | ||
| echo "source_type=pr" >> $GITHUB_OUTPUT | ||
| else | ||
| # Branch push: sanitize branch name and append SHA | ||
| # Sanitization: lowercase, replace / with -, remove special chars | ||
| SANITIZED=$(echo "$REF" | \ | ||
| tr '[:upper:]' '[:lower:]' | \ | ||
| tr '/' '-' | \ | ||
| sed 's/[^a-z0-9-._]/-/g' | \ | ||
| sed 's/^-//; s/-$//' | \ | ||
| sed 's/--*/-/g' | \ | ||
| cut -c1-121) # Leave room for -SHORT_SHA (7 chars) | ||
|
|
||
| echo "tag=${SANITIZED}-${SHORT_SHA}" >> $GITHUB_OUTPUT | ||
| echo "source_type=branch" >> $GITHUB_OUTPUT | ||
| fi | ||
|
|
||
| echo "sha=${SHORT_SHA}" >> $GITHUB_OUTPUT | ||
| echo "Determined image tag: $(cat $GITHUB_OUTPUT | grep tag=)" | ||
|
|
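Review bot: `${{ toJson(github.event.workflow_run.pull_requests) }}` is expanded by the expression engine straight into the script text, once inside single quotes on the `PR_NUM=` line and once inside double quotes in the error `echo`. Any field of that array containing a `'` (head branch names can) ends the quoted string and the remainder is parsed as shell, and `$(...)` does the same inside the double-quoted echo; this job runs on `workflow_run`, i.e. with the repository's token and secrets. Pass the JSON through `env:` as `REF` and `SHA` already are (for example `PULL_REQUESTS: ${{ toJson(github.event.workflow_run.pull_requests) }}`), read it with `printf '%s' "$PULL_REQUESTS" | jq -r '.[0].number'`, and print `$PULL_REQUESTS` in the error path. The `${{ github.event_name }}` comparison is fine as that context can only hold an event name.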
This workflow contains a duplicate "Determine image tag" step with the same id image. The first instance appears at line 37 (from the original file) and this duplicate was added at line 98 in the diff. This will cause the second step to overwrite the outputs of the first step, making the first step's execution pointless and potentially breaking the workflow logic that depends on steps.image.outputs.
The duplicate step should be removed. Based on the diff context, it appears the intention was to update the existing step (lines 37-94), not add a second one.
| - name: Determine image tag | |
| id: image | |
| env: | |
| EVENT: ${{ github.event.workflow_run.event }} | |
| REF: ${{ github.event.workflow_run.head_branch }} | |
| SHA: ${{ github.event.workflow_run.head_sha }} | |
| MANUAL_TAG: ${{ inputs.image_tag }} | |
| run: | | |
| # Manual trigger uses provided tag | |
| if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then | |
| if [[ -n "$MANUAL_TAG" ]]; then | |
| echo "tag=${MANUAL_TAG}" >> $GITHUB_OUTPUT | |
| else | |
| # Default to latest if no tag provided | |
| echo "tag=latest" >> $GITHUB_OUTPUT | |
| fi | |
| echo "source_type=manual" >> $GITHUB_OUTPUT | |
| exit 0 | |
| fi | |
| # Extract 7-character short SHA | |
| SHORT_SHA=$(echo "$SHA" | cut -c1-7) | |
| if [[ "$EVENT" == "pull_request" ]]; then | |
| # Use native pull_requests array (no API calls needed) | |
| PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number') | |
| if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then | |
| echo "❌ ERROR: Could not determine PR number" | |
| echo "Event: $EVENT" | |
| echo "Ref: $REF" | |
| echo "SHA: $SHA" | |
| echo "Pull Requests JSON: ${{ toJson(github.event.workflow_run.pull_requests) }}" | |
| exit 1 | |
| fi | |
| # Immutable tag with SHA suffix prevents race conditions | |
| echo "tag=pr-${PR_NUM}-${SHORT_SHA}" >> $GITHUB_OUTPUT | |
| echo "source_type=pr" >> $GITHUB_OUTPUT | |
| else | |
| # Branch push: sanitize branch name and append SHA | |
| # Sanitization: lowercase, replace / with -, remove special chars | |
| SANITIZED=$(echo "$REF" | \ | |
| tr '[:upper:]' '[:lower:]' | \ | |
| tr '/' '-' | \ | |
| sed 's/[^a-z0-9-._]/-/g' | \ | |
| sed 's/^-//; s/-$//' | \ | |
| sed 's/--*/-/g' | \ | |
| cut -c1-121) # Leave room for -SHORT_SHA (7 chars) | |
| echo "tag=${SANITIZED}-${SHORT_SHA}" >> $GITHUB_OUTPUT | |
| echo "source_type=branch" >> $GITHUB_OUTPUT | |
| fi | |
| echo "sha=${SHORT_SHA}" >> $GITHUB_OUTPUT | |
| echo "Determined image tag: $(cat $GITHUB_OUTPUT | grep tag=)" |
| # Determine the correct image tag based on trigger context | ||
| # For PRs: pr-{number}-{sha}, For branches: {sanitized-branch}-{sha} | ||
| - name: Determine image tag | ||
| id: image | ||
| env: | ||
| EVENT: ${{ github.event.workflow_run.event }} | ||
| REF: ${{ github.event.workflow_run.head_branch }} | ||
| SHA: ${{ github.event.workflow_run.head_sha }} | ||
| MANUAL_TAG: ${{ inputs.image_tag }} | ||
| run: | | ||
| # Manual trigger uses provided tag | ||
| if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then | ||
| if [[ -n "$MANUAL_TAG" ]]; then | ||
| echo "tag=${MANUAL_TAG}" >> $GITHUB_OUTPUT | ||
| else | ||
| # Default to latest if no tag provided | ||
| echo "tag=latest" >> $GITHUB_OUTPUT | ||
| fi | ||
| echo "source_type=manual" >> $GITHUB_OUTPUT | ||
| exit 0 | ||
| fi | ||
|
|
||
| # Extract 7-character short SHA | ||
| SHORT_SHA=$(echo "$SHA" | cut -c1-7) | ||
|
|
||
| if [[ "$EVENT" == "pull_request" ]]; then | ||
| # Use native pull_requests array (no API calls needed) | ||
| PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number') | ||
|
|
||
| if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then | ||
| echo "❌ ERROR: Could not determine PR number" | ||
| echo "Event: $EVENT" | ||
| echo "Ref: $REF" | ||
| echo "SHA: $SHA" | ||
| echo "Pull Requests JSON: ${{ toJson(github.event.workflow_run.pull_requests) }}" | ||
| exit 1 | ||
| fi | ||
|
|
||
| # Immutable tag with SHA suffix prevents race conditions | ||
| echo "tag=pr-${PR_NUM}-${SHORT_SHA}" >> $GITHUB_OUTPUT | ||
| echo "source_type=pr" >> $GITHUB_OUTPUT | ||
| else | ||
| # Branch push: sanitize branch name and append SHA | ||
| # Sanitization: lowercase, replace / with -, remove special chars | ||
| SANITIZED=$(echo "$REF" | \ | ||
| tr '[:upper:]' '[:lower:]' | \ | ||
| tr '/' '-' | \ | ||
| sed 's/[^a-z0-9-._]/-/g' | \ | ||
| sed 's/^-//; s/-$//' | \ | ||
| sed 's/--*/-/g' | \ | ||
| cut -c1-121) # Leave room for -SHORT_SHA (7 chars) | ||
|
|
||
| echo "tag=${SANITIZED}-${SHORT_SHA}" >> $GITHUB_OUTPUT | ||
| echo "source_type=branch" >> $GITHUB_OUTPUT | ||
| fi | ||
|
|
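Review bot: `cut -c1-121` leaves room for 7 characters, but the tag is `${SANITIZED}-${SHORT_SHA}`, so the separator makes the worst case 121 + 1 + 7 = 129 characters, one over the 128-character limit for image tags; use `cut -c1-120` and strip a trailing `-` again after the cut, since the cut can land on one. Separately, the `workflow_dispatch` branch writes `${MANUAL_TAG}` to `$GITHUB_OUTPUT` without validation: a value containing a newline appends further `name=value` lines to the outputs file, and any other value outside `[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}` only fails later at `docker pull`. Check the input against that pattern here and exit non-zero if it does not match.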
This workflow contains a duplicate "Determine image tag" step with the same id image. The first instance appears at line 37 (from the original file) and this duplicate was added at line 98 in the diff. This will cause the second step to overwrite the outputs of the first step, making the first step's execution pointless and potentially breaking the workflow logic that depends on steps.image.outputs.
The duplicate step should be removed. Based on the diff context, it appears the intention was to update the existing step (lines 37-94), not add a second one.
| # Fallback: Download artifact if registry pull failed | ||
| - name: Fallback to artifact download | ||
| if: steps.pull_image.outcome == 'failure' | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| SHA: ${{ steps.image.outputs.sha }} | ||
| run: | | ||
| echo "⚠️ Registry pull failed, falling back to artifact..." | ||
|
|
||
| # Determine artifact name based on source type | ||
| if [[ "${{ steps.image.outputs.source_type }}" == "pr" ]]; then | ||
| PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number') | ||
| ARTIFACT_NAME="pr-image-${PR_NUM}" | ||
| else | ||
| ARTIFACT_NAME="push-image" | ||
| fi | ||
|
|
||
| # Determine the correct image tag based on trigger context | ||
| # For PRs: pr-{number}-{sha}, For branches: {sanitized-branch}-{sha} | ||
| - name: Determine image tag | ||
| id: image | ||
| env: | ||
| EVENT: ${{ github.event.workflow_run.event }} | ||
| REF: ${{ github.event.workflow_run.head_branch }} | ||
| SHA: ${{ github.event.workflow_run.head_sha }} | ||
| MANUAL_TAG: ${{ inputs.image_tag }} | ||
| run: | | ||
| # Manual trigger uses provided tag | ||
| if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then | ||
| if [[ -n "$MANUAL_TAG" ]]; then | ||
| echo "tag=${MANUAL_TAG}" >> $GITHUB_OUTPUT | ||
| else | ||
| # Default to latest if no tag provided | ||
| echo "tag=latest" >> $GITHUB_OUTPUT | ||
| fi | ||
| echo "source_type=manual" >> $GITHUB_OUTPUT | ||
| exit 0 | ||
| fi | ||
|
|
||
| # Extract 7-character short SHA | ||
| SHORT_SHA=$(echo "$SHA" | cut -c1-7) | ||
|
|
||
| if [[ "$EVENT" == "pull_request" ]]; then | ||
| # Use native pull_requests array (no API calls needed) | ||
| PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number') | ||
|
|
||
| if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then | ||
| echo "❌ ERROR: Could not determine PR number" | ||
| echo "Event: $EVENT" | ||
| echo "Ref: $REF" | ||
| echo "SHA: $SHA" | ||
| echo "Pull Requests JSON: ${{ toJson(github.event.workflow_run.pull_requests) }}" | ||
| exit 1 | ||
| fi | ||
|
|
||
| # Immutable tag with SHA suffix prevents race conditions | ||
| echo "tag=pr-${PR_NUM}-${SHORT_SHA}" >> $GITHUB_OUTPUT | ||
| echo "source_type=pr" >> $GITHUB_OUTPUT | ||
| else | ||
| # Branch push: sanitize branch name and append SHA | ||
| # Sanitization: lowercase, replace / with -, remove special chars | ||
| SANITIZED=$(echo "$REF" | \ | ||
| tr '[:upper:]' '[:lower:]' | \ | ||
| tr '/' '-' | \ | ||
| sed 's/[^a-z0-9-._]/-/g' | \ | ||
| sed 's/^-//; s/-$//' | \ | ||
| sed 's/--*/-/g' | \ | ||
| cut -c1-121) # Leave room for -SHORT_SHA (7 chars) | ||
|
|
||
| echo "tag=${SANITIZED}-${SHORT_SHA}" >> $GITHUB_OUTPUT | ||
| echo "source_type=branch" >> $GITHUB_OUTPUT | ||
| fi | ||
|
|
||
| echo "sha=${SHORT_SHA}" >> $GITHUB_OUTPUT | ||
| echo "Determined image tag: $(cat $GITHUB_OUTPUT | grep tag=)" | ||
|
|
||
| # Pull image from registry with retry logic (dual-source strategy) | ||
| # Try registry first (fast), fallback to artifact if registry fails | ||
| - name: Pull Docker image from registry | ||
| id: pull_image | ||
| uses: nick-fields/retry@v3 | ||
| with: | ||
| timeout_minutes: 5 | ||
| max_attempts: 3 | ||
| retry_wait_seconds: 10 | ||
| command: | | ||
| IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/charon:${{ steps.image.outputs.tag }}" | ||
| echo "Pulling image: $IMAGE_NAME" | ||
| docker pull "$IMAGE_NAME" | ||
| docker tag "$IMAGE_NAME" charon:local | ||
| echo "✅ Successfully pulled from registry" | ||
| continue-on-error: true |
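Review bot: `uses: nick-fields/retry@v3` pins a third-party action to a mutable tag, and the image it pulls is what every integration test in this PR runs against; pin it to a full commit SHA (keeping the version in a trailing comment) so a moved tag cannot change what executes with this job's token. In the same step, `${{ steps.image.outputs.tag }}` is interpolated into the `command:` script; on `workflow_dispatch` that output is the raw `inputs.image_tag`, so whoever dispatches the workflow can run arbitrary shell here. That is limited to actors who can already trigger the workflow, but it is the same pattern as the inline `toJson` expansion in the tag step, so expose the value through the step's `env:` and reference `$IMAGE_TAG` in the command instead. Note also that the `Fallback to artifact download` step in this hunk gates on `steps.pull_image.outcome` before the `pull_image` step is declared.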
This workflow contains duplicate "Determine image tag" and "Pull Docker image from registry" steps. The first "Determine image tag" appears at line 37, and duplicates were added at lines 135 and 195. This creates three instances of steps with conflicting ids, which will cause the later steps to overwrite earlier outputs and break the workflow logic.
Additionally, there's an incomplete "Fallback to artifact download" step at lines 117-131 that appears to be cut off mid-execution (the script doesn't complete after determining the artifact name).
These duplicate steps should be removed, keeping only the first instance of each step.
Automated PR to propagate changes from development into feature/beta-release.
Triggered by push to development.