Skip to content

feat: Chromium pipeline – headless smoke test, deep file scan, Docker build & artifacts on master#6

Open
Copilot wants to merge 19 commits into
actionsfrom
copilot/turn-into-auto-actions
Open

feat: Chromium pipeline – headless smoke test, deep file scan, Docker build & artifacts on master#6
Copilot wants to merge 19 commits into
actionsfrom
copilot/turn-into-auto-actions

Conversation

Copilot AI commented Jul 2, 2026

Copy link
Copy Markdown

Adds a new GitHub Actions workflow that wires together Chromium headless testing, deep-nested source file discovery, and Docker image build/publish into a single path-aware pipeline on master.

New workflow: .github/workflows/chromium-pipeline.yml

  • Triggers: push/PR to master scoped to src/**, webapp/**, marketing-site/**; also workflow_dispatch
  • chromium-check: installs chromium-browser, runs a Puppeteer headless smoke test via puppeteer-core, uploads log artifact (7d)
  • discover-artifacts: find at depth ≥ 5, excluding .git, node_modules, dist, build, target, .cache; uploads file-list artifact (14d) using heredoc multiline GITHUB_OUTPUT
  • docker-build (depends on chromium-check):
    • PR: load: true + exports image tar via docker save using a shell-computed short SHA (${GITHUB_SHA::7}), uploaded as artifact (3d)
    • master push: pushes to GHCR with sha-, branch, latest tags; uses GHA layer cache
  • pipeline-summary: always-runs job writing a Markdown status table to $GITHUB_STEP_SUMMARY

@Pmaster-dev Pmaster-dev requested a review from Copilot July 2, 2026 13:58
@Pmaster-dev Pmaster-dev added bug Something isn't working enhancement New feature or request invalid This doesn't seem right labels Jul 2, 2026
@Pmaster-dev Pmaster-dev marked this pull request as ready for review July 2, 2026 14:01
@qodo-code-review

Copy link
Copy Markdown

PR Summary by Qodo

Add master-scoped Chromium CI pipeline with deep scan, Docker build, and artifacts

✨ Enhancement ⚙️ Configuration changes 🧪 Tests 🕐 20-40 Minutes

Grey Divider

AI Description

• Add a master-scoped GitHub Actions pipeline for Chromium headless smoke testing.
• Discover and artifact deeply nested source files using a filtered depth scan.
• Build/push Docker images on master and export image tar artifacts for PR validation.
Diagram

graph TD
  E["GitHub event"] --> W["chromium-pipeline.yml"] --> C["chromium-check"] --> A1["Artifacts: smoke log"]
  W --> D["discover-artifacts"] --> A2["Artifacts: file list"]
  W --> B["docker-build"] --> R["GHCR publish"]
  B --> A3["Artifacts: image tar (PR)"]
  W --> S["pipeline-summary"] --> U["Step summary"]
Loading
High-Level Assessment

The following are alternative approaches to this PR:

1. Use Playwright with browser caching instead of apt + puppeteer-core
  • ➕ More reliable browser provisioning on GitHub runners (built-in install tooling)
  • ➕ Easier to evolve smoke test beyond about:blank without manual Chromium setup
  • ➖ Adds a heavier dependency and potentially longer install times
  • ➖ May diverge from existing Puppeteer-based tooling if the project uses Puppeteer elsewhere
2. Export PR image via buildx outputs instead of docker save
  • ➕ Avoids reliance on tag existence/metadata matching for docker image inspect
  • ➕ Can produce deterministic OCI/tar outputs directly from build-push-action
  • ➖ Slightly more complex buildx configuration and artifact wiring
  • ➖ Less familiar than docker save for some teams
3. Split into reusable workflows (smoke-test / docker / scan) and compose
  • ➕ Improves maintainability and reuse across repos/branches
  • ➕ Clearer separation of concerns and permissions (e.g., packages:write only where needed)
  • ➖ More indirection when debugging runs
  • ➖ Overhead not worth it if only one repo/workflow uses these jobs

Recommendation: Current approach is reasonable for a single-repo, master-centric pipeline: it keeps all gates and artifacts in one place and uses explicit PR vs master branching. If PR image export becomes flaky due to tag/metadata coupling, prefer switching to buildx outputs for direct tar/OCI artifact generation.

Files changed (1) +218 / -0

Other (1) +218 / -0
chromium-pipeline.ymlAdd multi-job Chromium + deep-scan + Docker pipeline with artifacts and summary +218/-0

Add multi-job Chromium + deep-scan + Docker pipeline with artifacts and summary

• Introduces a new GitHub Actions workflow triggered on master push/PR (path-scoped) and manual dispatch. Adds jobs for a Chromium headless smoke test (Puppeteer-core), deep nested file discovery with filtered 'find' and multiline job output, and conditional Docker build/push to GHCR plus PR-only tar export. Appends an always-run job that writes a markdown status table to the run summary.

.github/workflows/chromium-pipeline.yml

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a new GitHub Actions workflow that combines a Chromium headless smoke test, deep file discovery, and Docker build/publish steps into a single pipeline for master-scoped changes.

Changes:

  • Introduces chromium-check to install Chromium and run a Puppeteer-based headless smoke test.
  • Adds discover-artifacts to scan for deeply nested files and upload a file list artifact.
  • Adds docker-build to build (and on master pushes, publish) a Docker image, plus a pipeline-summary job that reports job status.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/chromium-pipeline.yml Outdated
Comment thread .github/workflows/chromium-pipeline.yml Outdated
Comment thread .github/workflows/chromium-pipeline.yml Outdated
Comment thread .github/workflows/chromium-pipeline.yml Outdated
Copilot AI requested a review from Pmaster-dev July 2, 2026 14:05
@qodo-code-review

qodo-code-review Bot commented Jul 2, 2026

Copy link
Copy Markdown

Code Review by Qodo

🐞 Bugs (3) 📘 Rule violations (0) 📎 Requirement gaps (0) 🎨 UX issues (0) 🔗 Cross-repo conflicts (0) 📜 Skill insights (0)

Grey Divider


Action required

1. Misnamed Docker image 🐞 Bug ≡ Correctness
Description
docker-build builds marketing-site/Dockerfile but tags/publishes under `IMAGE_NAME:
.../pinkflow-app`, which will store the marketing-site container under an incorrect package name and
can collide with any intended “pinkflow-app” image naming.
Code

.github/workflows/chromium-pipeline.yml[R20-23]

+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}/pinkflow-app
+
Evidence
The pipeline’s IMAGE_NAME is set to .../pinkflow-app, while the Docker build step explicitly
uses marketing-site/Dockerfile. The repo’s existing marketing-site workflow uses
.../marketing-site as the image name for that same Dockerfile, indicating the new pipeline’s name
is inconsistent with established behavior.

.github/workflows/chromium-pipeline.yml[20-23]
.github/workflows/chromium-pipeline.yml[150-168]
.github/workflows/deploy-marketing-site.yml[11-14]
.github/workflows/deploy-marketing-site.yml[68-76]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The workflow builds `marketing-site/Dockerfile` but sets `IMAGE_NAME` to `.../pinkflow-app`, making the produced/pushed image name inconsistent with the actual content.

## Issue Context
The existing marketing-site deployment workflow builds the same Dockerfile and names the image `.../marketing-site`, suggesting this pipeline should follow the same convention.

## Fix Focus Areas
- .github/workflows/chromium-pipeline.yml[20-23]
- .github/workflows/chromium-pipeline.yml[150-168]
- .github/workflows/deploy-marketing-site.yml[11-14]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools



Remediation recommended

2. Find scan not pruned ✓ Resolved 🐞 Bug ➹ Performance
Description
The deep scan uses find with ! -path filters, which still traverses excluded directories (like
.git) and then filters results; combined with capturing all output into a shell variable and
sorting, this can make the job unnecessarily slow/heavy as the repo grows.
Code

.github/workflows/chromium-pipeline.yml[R101-119]

+          echo "=== Deeply nested files (depth >= 5) ==="
+          FILES=$(find . -mindepth 5 -type f \
+            ! -path './.git/*' \
+            ! -path './node_modules/*' \
+            ! -path './.next/*' \
+            ! -path './dist/*' \
+            ! -path './build/*' \
+            ! -path './target/*' \
+            ! -path './.cache/*' \
+            | sort)
+          echo "$FILES"
+          COUNT=$(echo "$FILES" | grep -c . || true)
+          echo "Total: $COUNT files at depth >= 5"
+          {
+            echo "file_list<<EOF"
+            echo "$FILES"
+            echo "EOF"
+          } >> $GITHUB_OUTPUT
+          echo "$FILES" > /tmp/deep-nested-files.txt
Evidence
The scan constructs FILES from a find command that excludes paths using ! -path while not
pruning the directories, meaning traversal still happens; it then sorts and assigns the entire
output to a variable before writing to an artifact file.

.github/workflows/chromium-pipeline.yml[98-120]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The discovery step traverses directories that are meant to be excluded because it uses `! -path` rather than pruning. It also stores the full file list in a shell variable and sorts it, which can be unnecessarily expensive.

## Issue Context
The scan already writes the final list to `/tmp/deep-nested-files.txt`; it can be generated directly without holding it in `FILES` and without traversing `.git`.

## Fix Focus Areas
- .github/workflows/chromium-pipeline.yml[98-120]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


3. PR token too permissive 🐞 Bug ⛨ Security
Description
The workflow grants packages: write at the workflow level while also running on pull_request,
unnecessarily expanding what PR-run steps can do with GITHUB_TOKEN even though registry login/push
only occurs on master pushes.
Code

.github/workflows/chromium-pipeline.yml[R24-27]

+permissions:
+  contents: read
+  packages: write
+
Evidence
The workflow is triggered by pull_request events but still requests packages: write globally. At
the same time, the GHCR login step is restricted to push on master, showing that write access to
packages is not required for PR runs.

.github/workflows/chromium-pipeline.yml[11-17]
.github/workflows/chromium-pipeline.yml[24-27]
.github/workflows/chromium-pipeline.yml[142-149]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
Top-level `permissions` includes `packages: write`, which applies to all jobs/events including `pull_request`. This is broader than needed because the workflow only logs into GHCR / pushes on `push` to `master`.

## Issue Context
The `docker/login-action` step is already gated to `push` on `refs/heads/master`, so PR runs do not require `packages: write`.

## Fix Focus Areas
- .github/workflows/chromium-pipeline.yml[24-27]
- .github/workflows/chromium-pipeline.yml[11-17]
- .github/workflows/chromium-pipeline.yml[142-149]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


4. Branch trigger mismatch 🐞 Bug ☼ Reliability
Description
This workflow only triggers for master, while other repo workflows are configured to run on
main, so it will not run for the same push/PR targets if main is the active branch used by CI.
Code

.github/workflows/chromium-pipeline.yml[R3-17]

+on:
+  push:
+    branches: ["master"]
+    paths:
+      - "src/**"
+      - "webapp/**"
+      - "marketing-site/**"
+      - ".github/workflows/chromium-pipeline.yml"
+  pull_request:
+    branches: ["master"]
+    paths:
+      - "src/**"
+      - "webapp/**"
+      - "marketing-site/**"
+      - ".github/workflows/chromium-pipeline.yml"
Evidence
The new workflow limits itself to master for both push and PR events, while existing CI and deploy
workflows in this repo are explicitly configured for main, creating an inconsistent trigger
configuration across the repo.

.github/workflows/chromium-pipeline.yml[3-17]
.github/workflows/ci-matrix.yml[3-15]
.github/workflows/deploy-marketing-site.yml[3-9]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The workflow is scoped to `branches: ["master"]` for both push and pull_request, but other workflows in this repo are scoped to `main`. If `main` is the default/active branch, this pipeline will not execute when expected.

## Issue Context
Multiple existing workflows use `branches: [main]`, indicating branch naming inconsistency.

## Fix Focus Areas
- .github/workflows/chromium-pipeline.yml[3-17]
- .github/workflows/ci-matrix.yml[3-15]
- .github/workflows/deploy-marketing-site.yml[3-9]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Grey Divider

Qodo Logo

Comment on lines +20 to +23
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}/pinkflow-app

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Action required

1. Misnamed docker image 🐞 Bug ≡ Correctness

docker-build builds marketing-site/Dockerfile but tags/publishes under `IMAGE_NAME:
.../pinkflow-app`, which will store the marketing-site container under an incorrect package name and
can collide with any intended “pinkflow-app” image naming.
Agent Prompt
## Issue description
The workflow builds `marketing-site/Dockerfile` but sets `IMAGE_NAME` to `.../pinkflow-app`, making the produced/pushed image name inconsistent with the actual content.

## Issue Context
The existing marketing-site deployment workflow builds the same Dockerfile and names the image `.../marketing-site`, suggesting this pipeline should follow the same convention.

## Fix Focus Areas
- .github/workflows/chromium-pipeline.yml[20-23]
- .github/workflows/chromium-pipeline.yml[150-168]
- .github/workflows/deploy-marketing-site.yml[11-14]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Comment on lines +3 to +17
on:
push:
branches: ["master"]
paths:
- "src/**"
- "webapp/**"
- "marketing-site/**"
- ".github/workflows/chromium-pipeline.yml"
pull_request:
branches: ["master"]
paths:
- "src/**"
- "webapp/**"
- "marketing-site/**"
- ".github/workflows/chromium-pipeline.yml"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remediation recommended

2. Branch trigger mismatch 🐞 Bug ☼ Reliability

This workflow only triggers for master, while other repo workflows are configured to run on
main, so it will not run for the same push/PR targets if main is the active branch used by CI.
Agent Prompt
## Issue description
The workflow is scoped to `branches: ["master"]` for both push and pull_request, but other workflows in this repo are scoped to `main`. If `main` is the default/active branch, this pipeline will not execute when expected.

## Issue Context
Multiple existing workflows use `branches: [main]`, indicating branch naming inconsistency.

## Fix Focus Areas
- .github/workflows/chromium-pipeline.yml[3-17]
- .github/workflows/ci-matrix.yml[3-15]
- .github/workflows/deploy-marketing-site.yml[3-9]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Comment on lines +24 to +27
permissions:
contents: read
packages: write

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remediation recommended

3. Pr token too permissive 🐞 Bug ⛨ Security

The workflow grants packages: write at the workflow level while also running on pull_request,
unnecessarily expanding what PR-run steps can do with GITHUB_TOKEN even though registry login/push
only occurs on master pushes.
Agent Prompt
## Issue description
Top-level `permissions` includes `packages: write`, which applies to all jobs/events including `pull_request`. This is broader than needed because the workflow only logs into GHCR / pushes on `push` to `master`.

## Issue Context
The `docker/login-action` step is already gated to `push` on `refs/heads/master`, so PR runs do not require `packages: write`.

## Fix Focus Areas
- .github/workflows/chromium-pipeline.yml[24-27]
- .github/workflows/chromium-pipeline.yml[11-17]
- .github/workflows/chromium-pipeline.yml[142-149]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Comment thread .github/workflows/chromium-pipeline.yml Outdated
Pmaster-dev and others added 4 commits July 2, 2026 09:26
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@Pmaster-dev

Copy link
Copy Markdown
Owner

@copilot would electron help for remoteuser n internal%?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working enhancement New feature or request invalid This doesn't seem right

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants