resolved conflicts from upstream

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -54,8 +54,16 @@ body:
   - type: input
     id: version
     attributes:
-      label: Docker Selenium version (tag or chart version)
+      label: Docker Selenium version (image tag)
       description: What version of Docker Selenium are you using?
-      placeholder: 4.16.0-20231206? Please use the full tag, avoid "latest"
+      placeholder: 4.16.1-20231219? Please use the full tag, avoid "latest"
     validations:
       required: true
+  - type: input
+    id: chart-version
+    attributes:
+      label: Selenium Grid chart version (chart version)
+      description: What version of Selenium Grid chart are you using?
+      placeholder: 0.26.2?
+    validations:
+      required: false

.github/workflows/deploy.yml

@@ -80,7 +80,7 @@ jobs:
           git config --local user.name "Selenium CI Bot"
           git commit -m "Update tag in docs and files" -a
       - name: Push changes
-        uses: ad-m/github-push-action@d91a481090679876dfc4178fef17f286781251df # master
+        uses: ad-m/github-push-action@master
         with:
           github_token: ${{ secrets.SELENIUM_CI_TOKEN }}
           branch: trunk

.github/workflows/helm-chart-test.yml

@@ -63,14 +63,14 @@ jobs:
         run: make chart_cluster_cleanup
       - name: Upload Helm chart package
         if: always()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
-          name: ${{ env.CHART_FILE_NAME }}
+          name: ${{ matrix.test-strategy }}_${{ env.CHART_FILE_NAME }}
           path: ${{ env.CHART_PACKAGE_PATH }}
-      - name: Upload Helm chart template rendered
+      - name: Upload chart test artifacts
         if: always()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
-          name: chart_template_rendered.yaml
-          path: ./tests/tests/output_deployment.yaml
+          name: ${{ matrix.test-strategy }}-artifacts
+          path: ./tests/tests/
           if-no-files-found: ignore

.github/workflows/lock.yml

@@ -14,12 +14,12 @@ jobs:
   action:
     runs-on: ubuntu-latest
     steps:
-      - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v3
+      - uses: dessant/lock-threads@v5
         with:
           process-only: 'issues'
-          issue-lock-inactive-days: '30'
+          issue-inactive-days: '30'
           issue-lock-reason: ''
-          issue-lock-comment: >
+          issue-comment: >
             This issue has been automatically locked since there
             has not been any recent activity after it was closed.
             Please open a new issue for related bugs.

.github/workflows/scan-dockerfile.yml

@@ -0,0 +1,53 @@
+name: Scan Dockerfile vulnerabilities
+
+on:
+  push:
+    paths:
+      - '**/Dockerfile'
+  pull_request:
+    paths:
+      - '**/Dockerfile'
+  workflow_dispatch:
+  schedule:
+    - cron: '0 0 * * *'
+
+jobs:
+  build-and-scan:
+    name: Scan Dockerfile vulnerabilities
+    permissions: write-all
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set severity for PRs
+        if: github.event_name == 'pull_request' || github.event_name == 'push'
+        run: |
+          echo "SEVERITY=HIGH,CRITICAL" >> $GITHUB_ENV
+          echo "EXIT_CODE=1" >> $GITHUB_ENV
+      - name: Set severity for others
+        if: github.event_name != 'pull_request' && github.event_name != 'push'
+        run: |
+          echo "SEVERITY=LOW,MEDIUM,HIGH,CRITICAL" >> $GITHUB_ENV
+          echo "EXIT_CODE=0" >> $GITHUB_ENV
+      - name: Scan source code
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          format: 'sarif'
+          output: 'source-results.sarif'
+          scanners: 'vuln,secret,misconfig'
+          skip-dirs: 'tests,Video'
+          exit-code: '${{ env.EXIT_CODE }}'
+          severity: '${{ env.SEVERITY }}'
+          limit-severities-for-sarif: true
+      - name: Upload source scan results to annotations
+        if: always()
+        uses: Ayrx/sarif_to_github_annotations@master
+        with:
+          sarif_file: 'source-results.sarif'
+      - name: Upload source scan results to GitHub Security tab
+        if: github.event_name != 'pull_request'
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'source-results.sarif'
+          category: source-results

.github/workflows/test-video.yml

@@ -37,17 +37,17 @@ jobs:
       - name: Run Docker Compose to record video
         run: USE_RANDOM_USER_ID=${USE_RANDOM_USER} VERSION=${BRANCH} BUILD_DATE=${BUILD_DATE} make test_video
       - name: Upload recorded Chrome video
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: chrome_video
           path: ./tests/videos/chrome_video.mp4
       - name: Upload recorded Edge video
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: edge_video
           path: ./tests/videos/edge_video.mp4
       - name: Upload recorded Firefox video
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: firefox_video
           path: ./tests/videos/firefox_video.mp4

.github/workflows/update-chart-changelog.yaml

@@ -0,0 +1,33 @@
+name: Update Chart CHANGELOG
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    permissions: write-all
+    if: ${{ contains(github.event.release.tag_name, 'selenium-grid') || github.event_name == 'workflow_dispatch' }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - name: Update chart CHANGELOG
+        run: ./generate_chart_changelog.sh
+
+      - name: Commit files
+        run: |
+          git config --local user.email "[email protected]"
+          git config --local user.name "Selenium CI Bot"
+          git commit -m "Update chart CHANGELOG [skip ci]" -a
+
+      - name: Push changes
+        uses: ad-m/github-push-action@master
+        with:
+          github_token: ${{ secrets.SELENIUM_CI_TOKEN }}
+          branch: trunk

.github/workflows/update-dev-beta-browser-images.yml

@@ -25,7 +25,7 @@ jobs:
     - uses: actions/checkout@v4
     - name: Setup environment variables
       run: |
-        export SELENIUM_VERSION=$(grep selenium-server Base/Dockerfile | sed 's/.*-\([^-]*\)\.jar \\/\1/' | head -n 1)
+        export SELENIUM_VERSION=$(grep BASE_VERSION Makefile | sed 's/.*,\([^)]*\))/\1/p' | head -n 1)
         echo "SELENIUM_VERSION="$SELENIUM_VERSION >> $GITHUB_ENV
         export BUILD_DATE=$(date '+%Y%m%d')
         echo "BUILD_DATE="$BUILD_DATE >> $GITHUB_ENV

Base/Dockerfile

@@ -5,11 +5,26 @@
 #FROM ubuntu:focal-20220415
 #FROM ubuntu:focal-20220531
 #FROM ubuntu:focal-20230301
+#FROM ubuntu:jammy-20231128
 FROM debian:bookworm
+
 LABEL authors="Selenium <[email protected]>"
 
+# Arguments to define the version of dependencies to download
 ARG VERSION
 ARG RELEASE=selenium-${VERSION}
+# Default value should be aligned with upstream Selenium (https://github.com/SeleniumHQ/selenium/blob/trunk/java/maven_deps.bzl)
+ARG OPENTELEMETRY_VERSION=1.28.0
+ARG GRPC_VERSION=1.57.1
+
+#Arguments to define the user running Selenium
+ARG SEL_USER=seluser
+ARG SEL_GROUP=${SEL_USER}
+ARG SEL_PASSWD=secret
+ARG UID=1200
+ARG GID=1201
+
+USER root
 #================================================
 # Customize sources for apt-get
 #================================================
@@ -42,6 +57,7 @@ RUN apt-get -qqy update \
     curl \
     supervisor \
     gnupg2 \
+    libnss3-tools \
   && mkdir -p /etc/apt/keyrings \
   && wget -O - https://packages.adoptium.net/artifactory/api/gpg/key/public | tee /etc/apt/keyrings/adoptium.asc \
   && echo "deb [signed-by=/etc/apt/keyrings/adoptium.asc] https://packages.adoptium.net/artifactory/deb $(awk -F= '/^VERSION_CODENAME/{print$2}' /etc/os-release) main" | tee /etc/apt/sources.list.d/adoptium.list \
@@ -58,7 +74,6 @@ RUN if [ $TARGETARCH = "arm" ] && [ $TARGETVARIANT = "v7" ]; then \
     fi \
     && sed -i 's/securerandom\.source=file:\/dev\/random/securerandom\.source=file:\/dev\/urandom/' ./usr/lib/jvm/temurin-11-jre-$ARCH/conf/security/java.security
 
-
 #===================
 # Timezone settings
 # Possible alternative: https://github.com/docker/docker/issues/3359#issuecomment-32150214
@@ -68,25 +83,33 @@ RUN ln -fs /usr/share/zoneinfo/${TZ} /etc/localtime && \
     dpkg-reconfigure -f noninteractive tzdata && \
     cat /etc/timezone
 
+#======================================
+# Configure environement
+#======================================
+ENV SEL_USER=${SEL_USER}
+ENV SEL_UID=${UID}
+ENV SEL_GID=${GID}
+ENV HOME=/home/${SEL_USER}
+ENV SEL_DOWNLOAD_DIR=${HOME}/Downloads
+
 #========================================
 # Add normal user and group with passwordless sudo
 #========================================
-RUN groupadd seluser \
-         --gid 1201 \
-  && useradd seluser \
+RUN groupadd ${SEL_GROUP} \
+         --gid ${SEL_GID} \
+  && useradd ${SEL_USER} \
          --create-home \
-         --gid 1201 \
+         --gid ${SEL_GID} \
          --shell /bin/bash \
-         --uid 1200 \
-  && usermod -a -G sudo seluser \
+         --uid ${SEL_UID} \
+  && usermod -a -G sudo ${SEL_USER} \
   && echo 'ALL ALL = (ALL) NOPASSWD: ALL' >> /etc/sudoers \
-  && echo 'seluser:secret' | chpasswd
-ENV HOME=/home/seluser
+  && echo "${SEL_USER}:${SEL_PASSWD}" | chpasswd
 
 #======================================
 # Add Grid check script
 #======================================
-COPY check-grid.sh entry_point.sh /opt/bin/
+COPY --chown="${SEL_UID}:${SEL_GID}" check-grid.sh entry_point.sh /opt/bin/
 
 #======================================
 # Add Supervisor configuration file
@@ -96,14 +119,17 @@ COPY supervisord.conf /etc
 #==========
 # Selenium & relaxing permissions for OpenShift and other non-sudo environments
 #==========
-RUN  mkdir -p /opt/selenium /opt/selenium/assets /var/run/supervisor /var/log/supervisor \
+RUN mkdir -p /opt/selenium /opt/selenium/assets /var/run/supervisor /var/log/supervisor ${SEL_DOWNLOAD_DIR} ${HOME}/.mozilla ${HOME}/.vnc \
   && touch /opt/selenium/config.toml \
-  && chmod -R 777 /opt/selenium /opt/selenium/assets /var/run/supervisor /var/log/supervisor /etc/passwd \
+  && chown -R ${SEL_USER}:${SEL_GROUP} /opt/selenium /var/run/supervisor /var/log/supervisor /etc/passwd ${HOME} \
+  && chmod -R 775 /opt/selenium /var/run/supervisor /var/log/supervisor /etc/passwd ${HOME} \
   && wget --no-verbose https://github.com/SeleniumHQ/selenium/releases/download/${RELEASE}/selenium-server-${VERSION}.jar \
     -O /opt/selenium/selenium-server.jar \
+  && echo "${SEL_PASSWD}" > /opt/selenium/initialPasswd \
   && chgrp -R 0 /opt/selenium ${HOME} /opt/selenium/assets /var/run/supervisor /var/log/supervisor \
   && chmod -R g=u /opt/selenium ${HOME} /opt/selenium/assets /var/run/supervisor /var/log/supervisor \
-  && setfacl -Rm u:seluser:rwx /opt /opt/selenium ${HOME} /opt/selenium/assets /var/run/supervisor /var/log/supervisor
+  && setfacl -Rm u:${SEL_USER}:rwx /opt /opt/selenium ${HOME} /opt/selenium/assets /var/run/supervisor /var/log/supervisor \
+  && setfacl -Rm g:${SEL_GROUP}:rwx /opt /opt/selenium ${HOME} /opt/selenium/assets /var/run/supervisor /var/log/supervisor
 
 #=====
 # Download observability related jaegar jars and make them available in a separate directory
@@ -120,9 +146,9 @@ RUN if [ `arch` = "aarch64" ]; then \
 
 RUN if [ -f "/tmp/cs" ]; then \ 
     /tmp/cs fetch --classpath --cache /external_jars \
-    io.opentelemetry:opentelemetry-exporter-otlp:1.31.0 \
-    io.opentelemetry:opentelemetry-exporter-jaeger:1.31.0 \
-    io.grpc:grpc-netty:1.59.0 > /external_jars/.classpath.txt ; \
+    io.opentelemetry:opentelemetry-exporter-otlp:${OPENTELEMETRY_VERSION} \
+    io.opentelemetry:opentelemetry-exporter-jaeger:${OPENTELEMETRY_VERSION} \
+    io.grpc:grpc-netty:${GRPC_VERSION} > /external_jars/.classpath.txt ; \
     fi
 
 RUN if [ -f "/tmp/cs" ]; then chmod 664 /external_jars/.classpath.txt ; fi
@@ -131,9 +157,19 @@ RUN rm -fr /root/.cache/*
 #===================================================
 # Run the following commands as non-privileged user
 #===================================================
-USER 1200:1201
+USER ${SEL_UID}:${SEL_GID}
+VOLUME ${SEL_DOWNLOAD_DIR}
 
 # Boolean value, maps "--bind-host"
 ENV SE_BIND_HOST false
 
+# A too high maximum number of file descriptors (with the default value
+# inherited from the docker host) can cause issues with some of our tools:
+#  - sanitizers hanging: https://github.com/google/sanitizers/issues/1662
+#  - valgrind crashing: https://stackoverflow.com/a/75293014
+# This is not be a problem on our CI hosts, but developers who run the image
+# on their machines may run into this (e.g., on Arch Linux), so warn them.
+# (Note that .bashrc is only executed in interactive bash shells.)
+RUN echo 'if [[ $(ulimit -n) -gt 200000 ]]; then echo "WARNING: Very high value reported by \"ulimit -n\". Consider passing \"--ulimit nofile=32768\" to \"docker run\"."; fi' >> ${HOME}/.bashrc
+
 CMD ["/opt/bin/entry_point.sh"]

Distributor/Dockerfile

@@ -4,15 +4,15 @@ ARG AUTHORS
 FROM ${NAMESPACE}/base:${VERSION}
 LABEL authors=${AUTHORS}
 
-USER 1200
+USER ${SEL_UID}
 
 #========================
 # Selenium Distributor Configuration
 #========================
 
 EXPOSE 5553
 
-COPY start-selenium-grid-distributor.sh \
+COPY --chown="${SEL_UID}:${SEL_GID}" start-selenium-grid-distributor.sh \
     /opt/bin/
 
 COPY selenium-grid-distributor.conf /etc/supervisor/conf.d/

Distributor/start-selenium-grid-distributor.sh

@@ -54,6 +54,11 @@ if [ ! -z "$SE_DISTRIBUTOR_PORT" ]; then
   PORT_CONFIG="--port ${SE_DISTRIBUTOR_PORT}"
 fi
 
+if [ ! -z "$SE_LOG_LEVEL" ]; then
+  echo "Appending Selenium options: --log-level ${SE_LOG_LEVEL}"
+  SE_OPTS="$SE_OPTS --log-level ${SE_LOG_LEVEL}"
+fi
+
 EXTRA_LIBS=""
 
 if [ ! -z "$SE_ENABLE_TRACING" ]; then

EventBus/Dockerfile

@@ -4,7 +4,7 @@ ARG AUTHORS
 FROM ${NAMESPACE}/base:${VERSION}
 LABEL authors=${AUTHORS}
 
-USER 1200
+USER ${SEL_UID}
 
 #=================================
 # Selenium Event Bus Configuration
@@ -17,7 +17,7 @@ EXPOSE 4443
 # Event Bus port
 EXPOSE 5557
 
-COPY start-selenium-grid-eventbus.sh \
+COPY --chown="${SEL_UID}:${SEL_GID}" start-selenium-grid-eventbus.sh \
     /opt/bin/
 
 COPY selenium-grid-eventbus.conf /etc/supervisor/conf.d/

EventBus/start-selenium-grid-eventbus.sh

@@ -19,6 +19,11 @@ if [ ! -z "$SE_OPTS" ]; then
   echo "Appending Selenium options: ${SE_OPTS}"
 fi
 
+if [ ! -z "$SE_LOG_LEVEL" ]; then
+  echo "Appending Selenium options: --log-level ${SE_LOG_LEVEL}"
+  SE_OPTS="$SE_OPTS --log-level ${SE_LOG_LEVEL}"
+fi
+
 EXTRA_LIBS=""
 
 if [ ! -z "$SE_ENABLE_TRACING" ]; then