Sync from upstream for 4.17.0

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -54,8 +54,16 @@ body:
   - type: input
     id: version
     attributes:
-      label: Docker Selenium version (tag or chart version)
+      label: Docker Selenium version (image tag)
       description: What version of Docker Selenium are you using?
-      placeholder: 4.16.0-20231206? Please use the full tag, avoid "latest"
+      placeholder: 4.17.0-20240123? Please use the full tag, avoid "latest"
     validations:
       required: true
+  - type: input
+    id: chart-version
+    attributes:
+      label: Selenium Grid chart version (chart version)
+      description: What version of Selenium Grid chart are you using?
+      placeholder: 0.26.2?
+    validations:
+      required: false

.github/workflows/build-test.yml

@@ -2,7 +2,11 @@ name: Build & test
 
 on:
   push:
+    paths-ignore:
+      - '**.md'
   pull_request:
+    paths-ignore:
+      - '**.md'
 
 permissions:
   contents: read

.github/workflows/deploy.yml

@@ -11,6 +11,7 @@ jobs:
     if: contains(toJson(github.event.commits), '[deploy]') == true
     name: Deploy Docker images
     runs-on: ubuntu-latest
+    permissions: write-all
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -20,21 +21,25 @@ jobs:
       - name: Output Docker info
         run: docker info
       - name: Sets build date
-        run: echo "BUILD_DATE=$(date '+%Y%m%d')" >> $GITHUB_ENV
+        run: |
+          echo "BUILD_DATE=$(date '+%Y%m%d')" >> $GITHUB_ENV
+          echo "NAME=${NAMESPACE}" >> $GITHUB_ENV
+        env:
+          NAMESPACE: ${{ vars.DOCKER_NAMESPACE || 'selenium' }}
       - name: Sets prerelease to false by default
         run: echo "PRERELEASE=false" >> $GITHUB_ENV
       - name: Build base image to get Grid version
         run: VERSION="local" BUILD_DATE=${BUILD_DATE} make base
       - name: Get Grid version
         # sed used to remove last comma of Selenium version output
-        run: echo "GRID_VERSION=$(docker run --rm selenium/base:local-${BUILD_DATE} java -jar /opt/selenium/selenium-server.jar hub --version | awk '{print $3}' | sed 's/\(.*\),/\1 /')" | awk '{$1=$1;print}' >> $GITHUB_ENV
+        run: echo "GRID_VERSION=$(docker run --rm ${NAME}/base:local-${BUILD_DATE} java -jar /opt/selenium/selenium-server.jar hub --version | awk '{print $3}' | sed 's/\(.*\),/\1 /')" | awk '{$1=$1;print}' >> $GITHUB_ENV
       - name: Is it a prerelease?
         run: echo "GRID_VERSION=${GRID_VERSION}-prerelease" >> $GITHUB_ENV && echo "PRERELEASE=true" >> $GITHUB_ENV
         if: contains(toJson(github.event.commits), '[prerelease]') == true
       - name: Display Grid version
         run: echo ${GRID_VERSION}
       - name: Remove local Docker tag
-        run: docker rmi selenium/base:local-${BUILD_DATE}
+        run: docker rmi ${NAME}/base:local-${BUILD_DATE}
       - name: Sets env var for the next tag
         run: echo "NEXT_TAG=${GRID_VERSION}-${BUILD_DATE}" >> $GITHUB_ENV
       - name: Get latest tag
@@ -57,19 +62,19 @@ jobs:
           max_attempts: 3
           command: VERSION="${GRID_VERSION}" BUILD_DATE=${BUILD_DATE} make release
       - name: Tag images as latest
-        uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # v2
+        uses: nick-invision/retry@master
         with:
           timeout_minutes: 20
           max_attempts: 3
           command: VERSION="${GRID_VERSION}" BUILD_DATE=${BUILD_DATE} make tag_latest
       - name: Deploy latest tag
-        uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # v2
+        uses: nick-invision/retry@master
         with:
           timeout_minutes: 20
           max_attempts: 3
           command: VERSION="${GRID_VERSION}" BUILD_DATE=${BUILD_DATE} make release_latest
       - name: Tag browser images
-        uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # v2
+        uses: nick-invision/retry@master
         with:
           timeout_minutes: 20
           max_attempts: 3
@@ -80,20 +85,21 @@ jobs:
           git config --local user.name "Selenium CI Bot"
           git commit -m "Update tag in docs and files" -a
       - name: Push changes
-        uses: ad-m/github-push-action@d91a481090679876dfc4178fef17f286781251df # master
+        uses: ad-m/github-push-action@master
         with:
           github_token: ${{ secrets.SELENIUM_CI_TOKEN }}
           branch: trunk
       - name: Create release notes (release_notes.md)
         run: ./generate_release_notes.sh ${LATEST_TAG} origin/trunk ${GRID_VERSION} ${BUILD_DATE}
       - name: Create Release
         id: create_release
-        uses: actions/create-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        uses: softprops/action-gh-release@master
         with:
+          token: ${{ secrets.GITHUB_TOKEN }}
           tag_name: ${{ env.GRID_VERSION }}-${{ env.BUILD_DATE }}
-          release_name: ${{ env.GRID_VERSION }}-${{ env.BUILD_DATE }}
-          body_path: release_notes.md
-          draft: false
+          name: ${{ env.GRID_VERSION }}-${{ env.BUILD_DATE }}
+          body_path: "release_notes.md"
+          generate_release_notes: true
           prerelease: ${{ env.PRERELEASE }}
+          draft: false
+          append_body: false

.github/workflows/helm-chart-release.yml

@@ -25,5 +25,8 @@ jobs:
 
       - name: Run chart-releaser
         uses: helm/[email protected]
+        with:
+          mark_as_latest: false
+          skip_existing: true
         env:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/helm-chart-test.yml

@@ -2,7 +2,11 @@ name: Lint and Test Helm Charts
 
 on:
   push:
+    paths-ignore:
+      - '**.md'
   pull_request:
+    paths-ignore:
+      - '**.md'
   workflow_dispatch:
 
 permissions:
@@ -13,8 +17,9 @@ jobs:
     name: Test Helm charts
     runs-on: ubuntu-latest
     strategy:
+      fail-fast: false
       matrix:
-        test-strategy: [chart_test, chart_test_parallel_autoscaling]
+        test-strategy: [chart_test, chart_test_parallel_autoscaling, chart_test_https, chart_test_parallel_autoscaling_https]
     steps:
       - uses: actions/checkout@v4
       - name: Output Docker info
@@ -24,6 +29,11 @@ jobs:
         with:
           python-version: '3.11'
           check-latest: true
+      - name: Install CA certificates
+        run: |
+          sudo apt install openssl -y
+          sudo apt install ca-certificates -y
+          sudo update-ca-certificates --fresh
       - name: Get branch name (only for push to branch)
         if: github.event_name == 'push'
         run: echo "BRANCH=$(echo ${PUSH_BRANCH##*/})" >> $GITHUB_ENV
@@ -43,7 +53,7 @@ jobs:
       - name: Setup Kubernetes environment
         run: make chart_setup_env
       - name: Build Docker images
-        run: NAME=${IMAGE_REGISTRY} VERSION=${BRANCH} BUILD_DATE=${BUILD_DATE} make build
+        run: NAME=${IMAGE_REGISTRY} VERSION=${BRANCH} BUILD_DATE=${BUILD_DATE} make build_multi
       - name: Build and lint charts
         run: |
           BUILD_DATE=${BUILD_DATE} make chart_build
@@ -63,14 +73,14 @@ jobs:
         run: make chart_cluster_cleanup
       - name: Upload Helm chart package
         if: always()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
-          name: ${{ env.CHART_FILE_NAME }}
+          name: ${{ matrix.test-strategy }}_${{ env.CHART_FILE_NAME }}
           path: ${{ env.CHART_PACKAGE_PATH }}
-      - name: Upload Helm chart template rendered
+      - name: Upload chart test artifacts
         if: always()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
-          name: chart_template_rendered.yaml
-          path: ./tests/tests/output_deployment.yaml
+          name: ${{ matrix.test-strategy }}-artifacts
+          path: ./tests/tests/
           if-no-files-found: ignore

.github/workflows/lock.yml

@@ -14,12 +14,12 @@ jobs:
   action:
     runs-on: ubuntu-latest
     steps:
-      - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v3
+      - uses: dessant/lock-threads@v5
         with:
           process-only: 'issues'
-          issue-lock-inactive-days: '30'
+          issue-inactive-days: '30'
           issue-lock-reason: ''
-          issue-lock-comment: >
+          issue-comment: >
             This issue has been automatically locked since there
             has not been any recent activity after it was closed.
             Please open a new issue for related bugs.

.github/workflows/nightly.yaml

@@ -0,0 +1,108 @@
+name: Nightly
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 1 * * *'
+
+jobs:
+  deploy:
+    name: Nightly build
+    runs-on: ubuntu-latest
+    permissions: write-all
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+      - name: Output Docker info
+        run: docker info
+      - name: Sets build date
+        run: echo "BUILD_DATE=$(date '+%Y%m%d')" >> $GITHUB_ENV
+      - name: Sets prerelease to nightly
+        run: |
+          echo "PRERELEASE=true" >> $GITHUB_ENV
+          echo "NAME=${NAMESPACE}" >> $GITHUB_ENV
+        env:
+          NAMESPACE: ${{ vars.DOCKER_NAMESPACE || 'selenium' }}
+      - name: Build base image to get Grid version
+        run: VERSION="local" BUILD_DATE=${BUILD_DATE} make base_nightly
+      - name: Get Grid version
+        # sed used to remove last comma of Selenium version output
+        run: |
+          echo "GRID_VERSION=$(docker run --rm ${{ env.NAME }}/base:local-${BUILD_DATE} java -jar /opt/selenium/selenium-server.jar hub --version | awk '{print $3}' | sed 's/\(.*\),/\1 /')" | awk '{$1=$1;print}' >> $GITHUB_ENV
+      - name: Display Grid version and set Base version
+        run: |
+          echo ${GRID_VERSION}
+          echo "BASE_VERSION=$(echo ${GRID_VERSION})" >> $GITHUB_ENV
+          echo "BASE_RELEASE=nightly" >> $GITHUB_ENV
+      - name: Update tag nightly
+        uses: richardsimko/[email protected]
+        with:
+          tag_name: ${{ env.BASE_RELEASE }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Remove local Docker tag
+        run: docker rmi ${{ env.NAME }}/base:local-${BUILD_DATE}
+      - name: Build images
+        run: VERSION="${GRID_VERSION}" BUILD_DATE=${BUILD_DATE} make build
+      - name: Login Docker Hub
+        run: docker login -u="$DOCKER_USERNAME" -p="$DOCKER_PASSWORD"
+        env:
+          DOCKER_USERNAME: ${{secrets.DOCKER_USERNAME}}
+          DOCKER_PASSWORD: ${{secrets.DOCKER_PASSWORD}}
+      - name: Tag images as nightly
+        uses: nick-invision/retry@master
+        with:
+          timeout_minutes: 20
+          max_attempts: 3
+          command: VERSION="${GRID_VERSION}" BUILD_DATE=${BUILD_DATE} make tag_nightly
+      - name: Deploy nightly tag
+        uses: nick-invision/retry@master
+        with:
+          timeout_minutes: 20
+          max_attempts: 3
+          command: VERSION="${GRID_VERSION}" BUILD_DATE=${BUILD_DATE} make release_nightly
+      - name: Get current latest tag
+        run: echo "LATEST_TAG=$(git describe --tags --abbrev=0 --exclude=nightly --exclude=selenium-grid*)" >> $GITHUB_ENV
+      - name: Display latest tag
+        run: echo ${LATEST_TAG}
+      - name: Sets env var for nightly tag
+        run: |
+          echo "NEXT_TAG=nightly" >> $GITHUB_ENV
+          echo "FILTER_IMAGE_TAG=nightly" >> $GITHUB_ENV
+      - name: Create release notes (release_notes.md)
+        run: ./generate_release_notes.sh ${LATEST_TAG} origin/trunk ${GRID_VERSION} ${BUILD_DATE}
+      - name: Set up Python
+        uses: actions/[email protected]
+        with:
+          python-version: '3.11'
+          check-latest: true
+      - name: Update tag in docs and files
+        run: ./update_tag_in_docs_and_files.sh ${LATEST_TAG} ${NEXT_TAG}
+      - name: Setup environment to build chart
+        run: make chart_setup_env
+      - name: Build and lint charts
+        run: |
+          make chart_build_nightly
+          echo "CHART_PACKAGE_PATH=$(cat /tmp/selenium_chart_version)" >> $GITHUB_ENV
+          echo "CHART_FILE_NAME=$(basename $(cat /tmp/selenium_chart_version))" >> $GITHUB_ENV
+      - name: Delete previous nightly tag if any
+        uses: cb80/delrel@main
+        with:
+          tag: ${{ env.BASE_RELEASE }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Create Nightly Release
+        id: create_release
+        uses: softprops/action-gh-release@master
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          tag_name: ${{ env.BASE_RELEASE }}
+          name: "Nightly"
+          body_path: "release_notes.md"
+          files: |
+            ${{ env.CHART_PACKAGE_PATH }}
+          generate_release_notes: true
+          draft: false
+          prerelease: true
+          append_body: false

.github/workflows/scan-dockerfile.yml

@@ -0,0 +1,53 @@
+name: Scan Dockerfile vulnerabilities
+
+on:
+  push:
+    paths:
+      - '**/Dockerfile'
+  pull_request:
+    paths:
+      - '**/Dockerfile'
+  workflow_dispatch:
+  schedule:
+    - cron: '0 0 * * *'
+
+jobs:
+  build-and-scan:
+    name: Scan Dockerfile vulnerabilities
+    permissions: write-all
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set severity for PRs
+        if: github.event_name == 'pull_request' || github.event_name == 'push'
+        run: |
+          echo "SEVERITY=HIGH,CRITICAL" >> $GITHUB_ENV
+          echo "EXIT_CODE=1" >> $GITHUB_ENV
+      - name: Set severity for others
+        if: github.event_name != 'pull_request' && github.event_name != 'push'
+        run: |
+          echo "SEVERITY=LOW,MEDIUM,HIGH,CRITICAL" >> $GITHUB_ENV
+          echo "EXIT_CODE=0" >> $GITHUB_ENV
+      - name: Scan source code
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          format: 'sarif'
+          output: 'source-results.sarif'
+          scanners: 'vuln,secret,misconfig'
+          skip-dirs: 'tests,Video'
+          exit-code: '${{ env.EXIT_CODE }}'
+          severity: '${{ env.SEVERITY }}'
+          limit-severities-for-sarif: true
+      - name: Upload source scan results to annotations
+        if: always()
+        uses: Ayrx/sarif_to_github_annotations@master
+        with:
+          sarif_file: 'source-results.sarif'
+      - name: Upload source scan results to GitHub Security tab
+        if: github.event_name != 'pull_request'
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'source-results.sarif'
+          category: source-results