
Conversation

@bonigarcia
Member

@bonigarcia bonigarcia commented Nov 11, 2025

User description

🔗 Related Issues

After protecting the trunk branch for security reasons, the workflow for updating the mirror file (used by SM) has started to fail:

https://github.com/SeleniumHQ/selenium/actions/workflows/mirror-selenium-releases.yml

💥 What does this PR do?

This PR creates a new PR automatically (to be merged manually) instead of pushing directly to trunk, which is no longer possible.

🔄 Types of changes

  • CI

PR Type

Enhancement


Description

  • Replace direct trunk push with automated PR creation

  • Add timestamped commit messages for better traceability

  • Configure PR with labels, reviewers, and auto-cleanup

  • Adapt workflow to trunk branch protection requirements


Diagram Walkthrough

flowchart LR
  A["Fetch Selenium Releases"] --> B["Generate Timestamp"]
  B --> C["Commit Mirror Changes"]
  C --> D["Create PR to Trunk"]
  D --> E["Auto-assign Reviewers"]
  E --> F["Delete Feature Branch"]

File Walkthrough

Relevant files
Configuration changes
mirror-selenium-releases.yml
Convert mirror workflow from push to PR creation                 

.github/workflows/mirror-selenium-releases.yml

  • Added timestamp generation step for consistent commit dating
  • Changed commit message to use environment variable for date
  • Replaced direct push action with create-pull-request action
  • Configured PR with title, body, labels, reviewers, and auto-cleanup
  • Set PR base to trunk and feature branch to ci/mirror-selenium-releases
+21/-5   

@selenium-ci selenium-ci added the B-build Includes scripting, bazel and CI integrations label Nov 11, 2025
@qodo-code-review
Contributor

qodo-code-review bot commented Nov 11, 2025

PR Compliance Guide 🔍

(Compliance updated until commit b886cec)

Below is a summary of compliance checks for this PR:

Security Compliance
🟢
No security concerns identified. No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
🟡
🎫 #1234
🔴 Investigate and ensure that clicking links with JavaScript in href triggers as in 2.47.1
on Firefox 42 (issue reproduction and fix).
🟡
🎫 #5678
🔴 Diagnose and resolve recurring "Error: ConnectFailure (Connection refused)" when
instantiating multiple ChromeDriver instances on Ubuntu 16.04.4 with Selenium 3.9.0 and
Chrome 65/ChromeDriver 2.35.
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
Limited auditing: The workflow performs critical actions (commits and PR creation) without explicit audit
logging of actor or outcomes beyond commit message, which may be insufficient for
comprehensive audit trails.

Referred Code
- name: Set current date
  run: echo "DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_ENV
- name: Commit files
  id: git
  run: |
    export CHANGES=$(git status -s)
    if [ -n "$CHANGES" ]; then
      git config --local user.email "[email protected]"
      git config --local user.name "Selenium CI Bot"
      git add common/mirror/selenium
      git commit -m "Update mirror info (${{ env.DATE }})" -a
      echo "::set-output name=commit::true"
    fi
- name: Create PR
  if: steps.git.outputs.commit == 'true'
  uses: peter-evans/create-pull-request@v6
  with:
    token: ${{ secrets.GITHUB_TOKEN }}
    commit-message: "Update mirror info (${{ env.DATE }})"
    title: "[ci] Update mirror info (${{ env.DATE }})"
    body: |


 ... (clipped 12 lines)

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
Missing error handling: The added steps (date export, commit, and PR creation) do not include explicit error
handling or retries, potentially causing silent failures in edge cases.

Referred Code
- name: Set current date
  run: echo "DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_ENV
- name: Commit files
  id: git
  run: |
    export CHANGES=$(git status -s)
    if [ -n "$CHANGES" ]; then
      git config --local user.email "[email protected]"
      git config --local user.name "Selenium CI Bot"
      git add common/mirror/selenium
      git commit -m "Update mirror info (${{ env.DATE }})" -a
      echo "::set-output name=commit::true"
    fi
- name: Create PR
  if: steps.git.outputs.commit == 'true'
  uses: peter-evans/create-pull-request@v6
  with:
    token: ${{ secrets.GITHUB_TOKEN }}
    commit-message: "Update mirror info (${{ env.DATE }})"
    title: "[ci] Update mirror info (${{ env.DATE }})"
    body: |


 ... (clipped 12 lines)

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status:
Token usage: The workflow uses ${{ secrets.GITHUB_TOKEN }} without explicit safeguards around log
outputs, which may risk accidental exposure if any step echoes environment variables.

Referred Code
token: ${{ secrets.GITHUB_TOKEN }}
commit-message: "Update mirror info (${{ env.DATE }})"
title: "[ci] Update mirror info (${{ env.DATE }})"
body: |
  Automated update of `common/mirror/selenium`.
  - Trigger: ${{ github.event_name }}
  - Committer: Selenium CI Bot
branch: ci/mirror-selenium-releases

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
External data handling: The workflow fetches external release data and commits it without explicit validation or
sanitation steps in the new code, which may introduce risks if upstream content is
malformed.

Referred Code
  run: |
    cd common/mirror
    export JQ_FILTER="[.[] | {tag_name: .tag_name, assets: [.assets[] | {browser_download_url: .browser_download_url} ] } ]"
    curl -H "Authorization: ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/SeleniumHQ/selenium/releases | jq "$JQ_FILTER" > selenium
- name: Set current date
  run: echo "DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_ENV
- name: Commit files
  id: git
  run: |
    export CHANGES=$(git status -s)
    if [ -n "$CHANGES" ]; then
      git config --local user.email "[email protected]"
      git config --local user.name "Selenium CI Bot"
      git add common/mirror/selenium
      git commit -m "Update mirror info (${{ env.DATE }})" -a
      echo "::set-output name=commit::true"

Learn more about managing compliance generic rules or creating your own custom rules

Compliance status legend
🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

Previous compliance checks

Compliance check up to commit b886cec
Security Compliance
🟢
No security concerns identified. No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
🟡
🎫 #1234
🔴 Investigate and fix regression where clicking links with JavaScript in href no longer
triggers in Selenium 2.48.x on Firefox 42 (works in 2.47.1).
Ensure alert is triggered as in prior versions when href contains JavaScript.
Provide compatibility with affected Firefox version in Selenium.
🟡
🎫 #5678
🔴 Diagnose and resolve "Error: ConnectFailure (Connection refused)" when instantiating
multiple ChromeDriver instances on Ubuntu 16.04 with Chrome 65 / ChromeDriver 2.35 using
Selenium 3.9.0.
Ensure subsequent ChromeDriver instantiations work reliably without connection failures.
Provide guidance or code changes to prevent the error across runs.
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
Limited audit context: The workflow creates and commits updates with a timestamp and creates a PR, but it does
not log user identity beyond a static bot name nor record outcome details of API calls,
which may be insufficient for comprehensive audit trails.

Referred Code
- name: Set current date
  run: echo "DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_ENV
- name: Commit files
  id: git
  run: |
    export CHANGES=$(git status -s)
    if [ -n "$CHANGES" ]; then
      git config --local user.email "[email protected]"
      git config --local user.name "Selenium CI Bot"
      git add common/mirror/selenium
      git commit -m "Update mirror info (${{ env.DATE }})" -a
      echo "::set-output name=commit::true"
    fi
- name: Create PR
  if: steps.git.outputs.commit == 'true'
  uses: peter-evans/create-pull-request@v6
  with:
    token: ${{ secrets.GITHUB_TOKEN }}
    commit-message: "Update mirror info (${{ env.DATE }})"
    title: "[ci] Update mirror info (${{ env.DATE }})"
    body: |


 ... (clipped 12 lines)

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
No failure handling: Newly added steps (setting DATE and creating PR) lack explicit error handling or retries,
and the commit step assumes success without validating curl/jq results, which may cause
silent workflow failures.

Referred Code
- name: Set current date
  run: echo "DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_ENV
- name: Commit files
  id: git
  run: |
    export CHANGES=$(git status -s)
    if [ -n "$CHANGES" ]; then
      git config --local user.email "[email protected]"
      git config --local user.name "Selenium CI Bot"
      git add common/mirror/selenium
      git commit -m "Update mirror info (${{ env.DATE }})" -a
      echo "::set-output name=commit::true"
    fi
- name: Create PR
  if: steps.git.outputs.commit == 'true'
  uses: peter-evans/create-pull-request@v6
  with:
    token: ${{ secrets.GITHUB_TOKEN }}
    commit-message: "Update mirror info (${{ env.DATE }})"
    title: "[ci] Update mirror info (${{ env.DATE }})"
    body: |


 ... (clipped 12 lines)

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Token usage review: The workflow uses GITHUB_TOKEN to call GitHub APIs and create PRs without explicit
permission scoping or validation of external data from the releases API, which may require
a security review of permissions and data handling.

Referred Code
    curl -H "Authorization: ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/SeleniumHQ/selenium/releases | jq "$JQ_FILTER" > selenium
- name: Set current date
  run: echo "DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_ENV
- name: Commit files
  id: git
  run: |
    export CHANGES=$(git status -s)
    if [ -n "$CHANGES" ]; then
      git config --local user.email "[email protected]"
      git config --local user.name "Selenium CI Bot"
      git add common/mirror/selenium
      git commit -m "Update mirror info (${{ env.DATE }})" -a
      echo "::set-output name=commit::true"
    fi
- name: Create PR
  if: steps.git.outputs.commit == 'true'
  uses: peter-evans/create-pull-request@v6
  with:
    token: ${{ secrets.GITHUB_TOKEN }}
    commit-message: "Update mirror info (${{ env.DATE }})"
    title: "[ci] Update mirror info (${{ env.DATE }})"


 ... (clipped 13 lines)

Learn more about managing compliance generic rules or creating your own custom rules
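The two compliance items above flag that the fetched release data is committed without validation and that a failed curl/jq pipeline can leave a bad document in place. The following validator is an added example, not code from the SeleniumHQ/selenium workflow. It assumes the mirror file has the shape produced by the JQ_FILTER quoted in the referred code (a JSON array of objects with `tag_name` and `assets[].browser_download_url`); the allowed download host, the sample documents, and the function names are constructed for the illustration. Running it as a step before `git add` rejects an API error object, an empty list, or asset URLs pointing off the expected host instead of committing them.

```python
"""Validate a fetched Selenium releases mirror file before it is committed.

Added example (not part of the SeleniumHQ/selenium workflow). Assumes the
document shape produced by the workflow's JQ_FILTER:
    [{"tag_name": "...", "assets": [{"browser_download_url": "..."}]}, ...]
ALLOWED_HOSTS and the sample documents below are constructed assumptions.
"""
import json
from urllib.parse import urlsplit

# Constructed assumption: release assets are expected to be served from this host.
ALLOWED_HOSTS = {"github.com"}


class MirrorValidationError(ValueError):
    """Raised when the mirror document does not match the expected shape."""


def validate_mirror(text: str) -> list:
    """Parse and validate mirror JSON; return a cleaned list of releases.

    Rejects: non-JSON input, a non-array top level (for example an API error
    object such as {"message": "Bad credentials"}), an empty array, entries
    without a non-empty string tag_name, assets that are not objects with a
    string browser_download_url, and URLs that are not https on an allowed host.
    """
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        raise MirrorValidationError(f"not valid JSON: {exc}") from None
    if not isinstance(data, list):
        raise MirrorValidationError("top-level value must be a JSON array")
    if not data:
        raise MirrorValidationError("release list is empty")

    releases = []
    for index, release in enumerate(data):
        tag = release.get("tag_name") if isinstance(release, dict) else None
        if not isinstance(tag, str) or not tag:
            raise MirrorValidationError(f"release {index}: missing or invalid tag_name")
        assets = release.get("assets")
        if not isinstance(assets, list):
            raise MirrorValidationError(f"release {tag}: assets must be a list")
        urls = []
        for asset in assets:
            url = asset.get("browser_download_url") if isinstance(asset, dict) else None
            if not isinstance(url, str):
                raise MirrorValidationError(f"release {tag}: asset without browser_download_url")
            parts = urlsplit(url)
            if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
                raise MirrorValidationError(f"release {tag}: disallowed asset URL {url}")
            urls.append(url)
        # Re-emit only the fields the mirror is supposed to carry.
        releases.append({"tag_name": tag, "assets": [{"browser_download_url": u} for u in urls]})
    return releases


def is_valid_mirror(text: str) -> bool:
    """True if validate_mirror accepts the document, False otherwise."""
    try:
        validate_mirror(text)
        return True
    except MirrorValidationError:
        return False


# Constructed sample documents (not real API responses).
GOOD = json.dumps([{
    "tag_name": "selenium-4.0.0",
    "assets": [{"browser_download_url":
                "https://github.com/SeleniumHQ/selenium/releases/download/selenium-4.0.0/selenium-server-4.0.0.jar"}],
}])
API_ERROR = json.dumps({"message": "Bad credentials", "documentation_url": "https://docs.github.com/rest"})
BAD_HOST = json.dumps([{"tag_name": "selenium-4.0.0",
                        "assets": [{"browser_download_url": "http://example.invalid/selenium-server.jar"}]}])

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("api-error", API_ERROR), ("bad-host", BAD_HOST)):
        print(f"{label}: {'ok' if is_valid_mirror(doc) else 'rejected'}")
```

In a workflow step this would run after the curl/jq pipeline and before the commit, exiting non-zero on a `MirrorValidationError` so the job fails visibly instead of opening a PR with a malformed mirror file.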

@qodo-code-review
Contributor

PR Code Suggestions ✨

Explore these optional code suggestions:

Category | Suggestion | Impact
Possible issue
Fix PR creation by removing redundant commit

Remove the redundant git commit command and the invalid add-paths parameter to
allow the create-pull-request action to function correctly.

.github/workflows/mirror-selenium-releases.yml [24-54]

-- name: Commit files
+- name: Stage files and check for changes
   id: git
   run: |
-    export CHANGES=$(git status -s)
-    if [ -n "$CHANGES" ]; then
+    git add common/mirror/selenium
+    if [ -n "$(git status -s)" ]; then
       git config --local user.email "[email protected]"
       git config --local user.name "Selenium CI Bot"
-      git add common/mirror/selenium
-      git commit -m "Update mirror info (${{ env.DATE }})" -a
       echo "::set-output name=commit::true"
     fi
 - name: Create PR
   if: steps.git.outputs.commit == 'true'
   uses: peter-evans/create-pull-request@v6
   with:
     token: ${{ secrets.GITHUB_TOKEN }}
     commit-message: "Update mirror info (${{ env.DATE }})"
     title: "[ci] Update mirror info (${{ env.DATE }})"
     body: |
       Automated update of `common/mirror/selenium`.
       - Trigger: ${{ github.event_name }}
       - Committer: Selenium CI Bot
     branch: ci/mirror-selenium-releases
     base: trunk
     labels: ci, automated
     delete-branch: true
     signoff: false
     reviewers: |
       bonigarcia
-    add-paths: |
-      common/mirror/selenium
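Review bot: removing `add-paths` widens what the action commits. `add-paths` is a documented input of peter-evans/create-pull-request (it restricts the commit to the listed paths), so with it gone the action will commit any other file modified in the checkout, not only `common/mirror/selenium`; keeping `add-paths: common/mirror/selenium` is the narrower and safer option. Once the `git commit` is dropped, the kept `git config --local user.email` / `user.name` lines no longer affect anything in this step, since the action sets the identity of the commit it creates from its own `committer` and `author` inputs; either remove them or move the identity into those inputs. The context line `echo "::set-output name=commit::true"` also relies on the deprecated workflow command; `echo "commit=true" >> "$GITHUB_OUTPUT"` is the supported form.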
Suggestion importance[1-10]: 9


Why: The suggestion correctly identifies a critical flaw where a premature git commit would prevent the create-pull-request action from detecting changes, and it also correctly removes the invalid add-paths parameter, making the workflow functional.

High
Learned
best practice
Add retries and error checks

Add retry and failure handling around the API call and parsing to prevent silent
failures and make errors explicit.

.github/workflows/mirror-selenium-releases.yml [21]

-curl -H "Authorization: ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/SeleniumHQ/selenium/releases | jq "$JQ_FILTER" > selenium
+set -euo pipefail
+for i in 1 2 3; do
+  if curl -fsSL -H "Authorization: ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/SeleniumHQ/selenium/releases | jq "$JQ_FILTER" > selenium; then
+    break
+  fi
+  echo "Fetch failed (attempt $i), retrying..." >&2
+  sleep 2
+done
+test -s selenium || { echo "Empty selenium file after fetch"; exit 1; }
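Review bot: the retry loop still interpolates `${{ secrets.GITHUB_TOKEN }}` straight into the shell script and sends it as `Authorization: <token>` with no scheme, which is not the form GitHub documents (`Authorization: Bearer <token>`); with the new `-f` flag an auth rejection now fails every attempt instead of being written into `selenium` as an error body, so the header form matters more after this change. Pass the secret through the step's `env:` (e.g. `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}`) and reference `"$GH_TOKEN"` inside the script rather than in the rendered command. Separately, each attempt truncates `selenium` via `> selenium`, so after three failures `test -s selenium` only proves the file is non-empty, not that it holds a complete array; writing to a temporary file, checking it with `jq -e 'type == "array" and length > 0'`, and then moving it into place avoids committing a partial or error document.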
Suggestion importance[1-10]: 6


Why:
Relevant best practice - Guard external API and I/O operations with validation and fallbacks to avoid crashes and surface clear errors.

Low

@bonigarcia bonigarcia merged commit 0e75082 into trunk Nov 11, 2025
21 checks passed
@bonigarcia bonigarcia deleted the ci_mirror_pr branch November 11, 2025 15:38
bonigarcia added a commit that referenced this pull request Nov 11, 2025
bonigarcia added a commit that referenced this pull request Nov 11, 2025
* Revert "[ci] Update mirror info (2025-11-11T15:26:46Z) (#16578)"

This reverts commit 2b5da89.

* Revert "[ci] Make a PR for updating mirror file instead of pushing directly to trunk (#16579)"

This reverts commit 0e75082.
This was referenced Dec 7, 2025

Labels

B-build Includes scripting, bazel and CI integrations Review effort 2/5
