ci(github): add container support for self-hosted runners #9

Merged: justlevine merged 70 commits into main from ci/self-hosting on Apr 12, 2026

@dipankardas011 (Contributor) commented Mar 13, 2026

What

Switch all workflows to use containers on self-hosted runners for improved
consistency and isolation. Add system dependency installation steps and
configure Docker and Git safe directory where needed. Update job dependencies
and permissions for better security and workflow reliability. This enables
better compatibility with shared self-hosted environments.

@dipankardas011 marked this pull request as ready for review March 13, 2026 07:27

Switch all workflows to use containers on self-hosted runners for improved
consistency and isolation. Add system dependency installation steps and
configure Docker and Git safe directory where needed. Update job dependencies
and permissions for better security and workflow reliability. This enables
better compatibility with shared self-hosted environments.

chore(ci): use public-repo runner in all workflows

Replace the custom self-hosted runner labels with [public-repo] in all
GitHub Actions workflow files. This change standardizes the runner
environment and improves compatibility for public repositories.

Signed-off-by: Dipankar Das <65275144+dipankardas011@users.noreply.github.com>

fix the core volume mount problem

Signed-off-by: Dipankar Das <65275144+dipankardas011@users.noreply.github.com>

fix(ci): update wp-env test config and add --update flag

- Remove "plugins" field from .wp-env.test.json to prevent broken mounts
- Add dynamic host mapping for plugin in test config
- Add --update flag to npm run wp-env:test start commands for fresh env

Signed-off-by: Dipankar Das <65275144+dipankardas011@users.noreply.github.com>

ci: improve Docker mapping and plugin activation

Update workflows to fix wp-env host mapping, add plugin activation steps,
and ensure Docker environments are properly started and stopped. Switch
PHPUnit commands to use tests-cli for accurate environment handling.

Signed-off-by: Dipankar Das <65275144+dipankardas011@users.noreply.github.com>

Refactor GitHub Actions workflows to standardize environment variable
usage and port assignments for wp-env across build, E2E, and PHPUnit
jobs. Removes dynamic COMPOSE_PROJECT_NAME generation and sets static
WP_ENV_PORT and WP_ENV_TESTS_PORT values to avoid conflicts on shared
self-hosted runners. Updates .wp-env.test.json to include testsPort.

Signed-off-by: Dipankar Das <65275144+dipankardas011@users.noreply.github.com>

@dipankardas011 force-pushed the ci/self-hosting branch 2 times, most recently from f8d1bec to 9289434, on March 17, 2026 06:37

Ensure wp-env uses a dedicated /tmp/wp-env directory for all jobs by
setting WP_ENV_HOME and mounting it in the container. This prevents
permission issues and data conflicts in CI. Updates all workflow steps
to use the new environment variable.

Signed-off-by: Dipankar Das <65275144+dipankardas011@users.noreply.github.com>

- Increase `timeout-minutes` for build, e2e, and phpunit workflows to 30
  minutes for more reliable CI runs.
- Set `timeout_minutes` to 15 for Docker environment startup steps.
- Add `git config --global --add safe.directory '/tmp/wp-env/*'` to
  address Git safe directory issues in Docker.
- Run E2E tests with `--debug` for better diagnostics.
- No functional changes to plugin code.

Signed-off-by: Dipankar Das <65275144+dipankardas011@users.noreply.github.com>

Update CI workflow to use step outputs for job filtering instead of hardcoded
values. This enables more flexible and accurate job execution based on file
changes.

Signed-off-by: Dipankar Das <65275144+dipankardas011@users.noreply.github.com>

When running in the Docker-out-of-Docker CI setup, the actions/checkout
step creates the workspace files as the `root` user. However, wp-env
dynamically configures its internal test containers to run as `wpuser`
(UID 1001) to match the host user executing `wp-env start`.

This caused a permission collision where the test runner (running as UID
1001) could not write test artifacts (like .phpunit.result.cache and code
coverage XML/HTML reports) back to the workspace directory owned by root.

This adds a step to `chown -R wpuser:wpuser .` across the build, e2e,
and phpunit workflows immediately before starting wp-env. This ensures the
containerized test runner has the necessary write privileges to generate
and upload coverage reports successfully.

Signed-off-by: Dipankar Das <65275144+dipankardas011@users.noreply.github.com>

Add --add-host=host.docker.internal:host-gateway to container options in
the reusable-e2e.yml workflow. Update WP_BASE_URL to use
host.docker.internal for E2E tests, enabling proper connectivity between
Playwright and the WordPress instance when running in Docker.

Signed-off-by: Dipankar Das <65275144+dipankardas011@users.noreply.github.com>

Use --network=host for the CI container to ensure Playwright shares the
host Docker daemon's network. This prevents "ECONNREFUSED" errors when
WordPress issues 302 redirects to "localhost", avoiding loopback traps
inside the CI container. Also remove WP_BASE_URL env from test command.

Signed-off-by: Dipankar Das <65275144+dipankardas011@users.noreply.github.com>

Switch CI container from --network=host to --add-host and socat proxy for
localhost:8889. This ensures Playwright and WordPress agree on "localhost"
and prevents network isolation issues. Adds socat to dependencies and
updates E2E test step to forward traffic, improving test stability.

Signed-off-by: Dipankar Das <65275144+dipankardas011@users.noreply.github.com>

Set Playwright to run in headless mode by default for more consistent and
reliable test execution in CI and local environments. This avoids issues
with UI rendering and ensures tests do not require a display server.

Signed-off-by: Dipankar Das <65275144+dipankardas011@users.noreply.github.com>

Removed the --debug flag from the E2E test command in the CI workflow to
ensure tests run in standard mode. Updated Playwright config to spread
baseConfig.use for better configuration inheritance. These changes
improve consistency and maintainability of E2E test execution.

Signed-off-by: Dipankar Das <65275144+dipankardas011@users.noreply.github.com>

Updated CI workflow to use dynamic outputs from filter steps instead of
hardcoded values. Enabled e2e job to trigger based on detection results
and phpunit status. Removed outdated comments for clarity.

Signed-off-by: Dipankar Das <65275144+dipankardas011@users.noreply.github.com>

Enhance post-run cleanup steps in all reusable GitHub Actions workflows to
remove artifacts from both /__w and $HOME directories. This prevents
pollution between workflow runs and ensures a cleaner environment for
subsequent jobs. Updates the cleanup step name for clarity.

Signed-off-by: Dipankar Das <65275144+dipankardas011@users.noreply.github.com>

Enhances the post-run cleanup steps in reusable GitHub Actions workflows.
Now uses `sudo` to ensure all files, including hidden ones, are removed from
the workspace, home, and workflow directories. Also selectively deletes
contents in /__w/_temp/ while preserving locked mount points. This prevents
artifact and environment pollution between workflow runs.

Signed-off-by: Dipankar Das <65275144+dipankardas011@users.noreply.github.com>

Switch Jest and JS lint workflows to use the ghcr.io/actions/actions-runner:2.333.0
container image instead of node:22. This aligns the CI environment with GitHub
Actions runner standards and may improve compatibility and consistency across jobs.

Signed-off-by: Dipankar Das <65275144+dipankardas011@users.noreply.github.com>

Add steps to reusable GitHub Actions workflows to remove contents of
/tmp/wp-env in build, e2e, and phpunit jobs, and /tmp/playwright-cache in
e2e jobs. This ensures a clean environment for each workflow run and
prevents leftover files from affecting subsequent jobs.

Signed-off-by: Dipankar Das <65275144+dipankardas011@users.noreply.github.com>

Expand setfacl permissions to additional directories in reusable
workflows. This ensures runner access to /github/home, /github/workflow,
and /tmp/wp-env (plus /tmp/playwright-cache for e2e). Removes redundant
commands and streamlines Docker group setup.

Signed-off-by: Dipankar Das <65275144+dipankardas011@users.noreply.github.com>

Replaced brace expansion in setfacl commands with explicit paths in GitHub
Actions workflows. This improves compatibility with environments where
brace expansion is not supported, ensuring correct permissions are set.

Signed-off-by: Dipankar Das <65275144+dipankardas011@users.noreply.github.com>

- Removed redundant Docker group permission steps from e2e workflow
- Added Docker Compose setup to phpunit workflow for consistency
- Ensured proper environment configuration for CI jobs

Signed-off-by: Dipankar Das <65275144+dipankardas011@users.noreply.github.com>

Update reusable GitHub Actions workflows to:
- Use current working directory for cleanup to avoid accidental deletion
- Remove redundant composer-install working-directory input

Signed-off-by: Dipankar Das <65275144+dipankardas011@users.noreply.github.com>

Refactored the cleanup steps in multiple GitHub Actions workflows to use a
single `sudo rm -rf ./* .[!.]*` command. This change removes both regular and
hidden files more concisely, improving readability and maintainability of the
CI scripts.

Signed-off-by: Dipankar Das <65275144+dipankardas011@users.noreply.github.com>

@dipankardas011 (Contributor, Author) commented:

@justlevine I fixed the issue with the composer thing.

Copilot AI (Contributor) left a comment

Pull request overview

This PR updates the repository’s CI setup to run jobs inside containers on self-hosted runners (for consistency/isolation), while also introducing “-public” reusable workflow variants for GitHub-hosted runners and a workflow to test those public variants.

Changes:

  • Switch reusable CI workflows (lint/test/build/playground preview) to run in ghcr.io/actions/actions-runner containers on self-hosted runners, adding Docker socket mounts, ACL fixes, safe.directory config, and cleanup steps.
  • Add “-public” reusable workflow variants plus a test-public-workflows.yml workflow to validate them on GitHub-hosted runners.
  • Adjust Playwright config to disable auto webServer orchestration and force headless mode.

Reviewed changes

Copilot reviewed 21 out of 21 changed files in this pull request and generated 25 comments.

| File | Description |
| --- | --- |
| `playwright.config.ts` | Disables Playwright webServer orchestration; forces headless and adjusts config merging. |
| `.wp-env.test.json` | Removes explicit mappings section (keeps plugins-based mounting). |
| `.github/workflows/test-public-workflows.yml` | New workflow to exercise the “-public” reusable workflows. |
| `.github/workflows/reusable-wp-playground-pr-preview.yml` | Containerizes playground preview job and switches blueprint generation to jq; adds cleanup. |
| `.github/workflows/reusable-wp-playground-pr-preview-public.yml` | New public-runner reusable playground preview workflow. |
| `.github/workflows/reusable-phpunit.yml` | Containerizes PHPUnit workflow; adds Docker socket mounts, permissions tweaks, wp-env path mapping, cleanup. |
| `.github/workflows/reusable-phpunit-public.yml` | New public-runner reusable PHPUnit workflow. |
| `.github/workflows/reusable-phpstan.yml` | Containerizes PHPStan workflow; adds safe.directory and cleanup. |
| `.github/workflows/reusable-phpstan-public.yml` | New public-runner reusable PHPStan workflow. |
| `.github/workflows/reusable-phpcs.yml` | Containerizes PHPCS workflow; adds safe.directory and cleanup. |
| `.github/workflows/reusable-phpcs-public.yml` | New public-runner reusable PHPCS workflow. |
| `.github/workflows/reusable-lint-css-js.yml` | Containerizes JS/CSS lint workflow; adds safe.directory and cleanup. |
| `.github/workflows/reusable-lint-css-js-public.yml` | New public-runner reusable lint workflow. |
| `.github/workflows/reusable-jest.yml` | Containerizes Jest workflow; adds safe.directory and cleanup. |
| `.github/workflows/reusable-jest-public.yml` | New public-runner reusable Jest workflow. |
| `.github/workflows/reusable-e2e.yml` | Containerizes Playwright E2E workflow; adds wp-env host mapping, Playwright deps install, socat forwarding, cleanup. |
| `.github/workflows/reusable-e2e-public.yml` | New public-runner reusable E2E workflow. |
| `.github/workflows/reusable-build.yml` | Containerizes build workflow; adds wp-env host mapping, Docker setup, cleanup. |
| `.github/workflows/reusable-build-public.yml` | New public-runner reusable build workflow. |
| `.github/workflows/README.md` | Updates workflow documentation to reference both public/private variants. |
| `.github/workflows/ci.yml` | Updates main CI to support choosing public vs private reusable workflows; changes job dependencies. |

justlevine and others added 3 commits March 31, 2026 00:10
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Add `|| true` to `rm -rf` commands in reusable GitHub Actions workflows to
prevent failures when target files or directories do not exist. This improves
workflow robustness and avoids unnecessary errors during cleanup steps.

Signed-off-by: Dipankar Das <65275144+dipankardas011@users.noreply.github.com>

Removes the step that added '/tmp/wp-env/*' to git's safe.directory list
from reusable workflow files.

Signed-off-by: Dipankar Das <65275144+dipankardas011@users.noreply.github.com>

@dipankardas011 (Contributor, Author) commented:

@justlevine all tests are passing

@justlevine (Collaborator) left a comment

@mrrobot47 any notes before we merge this?

dipankardas011 and others added 3 commits April 7, 2026 17:18
Pin the GitHub Actions runner container image to a specific SHA256 digest
across all reusable workflow files for improved security and reproducibility.
Also refactor E2E workflow to check port usage and verify socat startup
before running tests.

Signed-off-by: Dipankar Das <65275144+dipankardas011@users.noreply.github.com>
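
The digest pinning described in the commit above can be checked mechanically. The following is an added example, not code from this PR or repository: a shell function (`unpinned_images`, a hypothetical name) that lists `image:` and one-line `container:` references in workflow YAML that lack an `@sha256:` digest. The sample workflow and its all-zero digest are constructed placeholders.

```shell
# Added example (not from the PR): list container images in workflow YAML that
# use a mutable tag instead of an immutable @sha256 digest.
# Prints "file:line: ref" per unpinned reference; exit status 1 if any exist.
unpinned_images() {
  awk '
    # "image: ref" and the one-line "container: ref" shorthand
    /^[ \t]*(image|container):[ \t]*[^ \t#]/ {
      ref = $0
      sub(/^[ \t]*(image|container):[ \t]*/, "", ref)
      sub(/[ \t]+#.*$/, "", ref)          # strip trailing comment
      gsub("[\"\047]", "", ref)           # strip quotes
      sub(/[ \t]+$/, "", ref)
      at = index(ref, "@sha256:")
      digest = at ? substr(ref, at + 8) : ""
      # A pinned reference ends in exactly 64 lowercase hex characters.
      if (length(digest) != 64 || digest !~ /^[0-9a-f]+$/) {
        printf "%s:%d: %s\n", FILENAME, FNR, ref
        bad = 1
      }
    }
    END { exit (bad ? 1 : 0) }
  ' "$@"
}

# Runs the check on a constructed workflow; the all-zero digest is a placeholder.
demo_scan() {
  tmp=$(mktemp -d) || return 2
  pinned="ghcr.io/actions/actions-runner@sha256:$(printf '%064d' 0)"
  cat > "$tmp/sample.yml" <<EOF
jobs:
  jest:
    runs-on: self-hosted
    container:
      image: ghcr.io/actions/actions-runner:2.333.0   # mutable tag
  lint:
    runs-on: self-hosted
    container: node:22
  build:
    runs-on: self-hosted
    container:
      image: "$pinned"
EOF
  (cd "$tmp" && unpinned_images sample.yml)
  rc=$?
  rm -rf "$tmp"
  return "$rc"
}
demo_scan || echo "unpinned container images found"
```

The check covers only `image:` keys and the `container: <ref>` shorthand; `uses: docker://...` steps would need a separate pattern.
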

@justlevine (Collaborator) commented:

Merging. It's been a month - if there's any additional followup that sys requires we can do it in a followup PR 🙇

@justlevine merged commit 1a1c782 into main Apr 12, 2026
27 checks passed
@justlevine deleted the ci/self-hosting branch April 12, 2026 11:10