ci(tests): port to github actions

[Garbee]

This patch ports the main test workflow over to GHA. This is not removing Circle CI configuration as we need to convert required checks over. As well as only removing that after the publishing is ported over to GitHub.

One key change in the patterns from the CircleCI system, is the browser tests and the examples have to do the build internally instead of using the build artifact. I have not had the time to fully investigate what is going on with the differences. I believe it fails in re-use now because of some slight difference in the way the caches were done before vs how they are done in GitHub Actions.

As an aside, I realized in the previous nightly PR I did mess up one aspect. Since the browsers are individual steps now, if the first running fails it was blocking the second from proceeding. For that situation, I added an instruction to always run the second browser. This is good enough for now and we can further optimize later when we setup better failure reporting.

Refs: #4912

[Garbee]

Nifty trick for disabling all permissions in one sweep. So we refine permissions needed (if any) at the job level.

Ref: https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#defining-access-for-the-github_token-scopes

[Garbee]

I got confused somewhere and had the wrong method in here. It just wasn't hit in the nightly testing where I was setting this env change up since it used a different variable.

Why does Webdriver not have uniform method naming for doing the same action between browsers? No clue. But we also can't use // @ts-check in this file since so many other things are broken. That will need a bigger effort to go fix on its own to help avoid these issues.

[Copilot]

Pull Request Overview

This PR updates the CI workflow configuration and fixes the Firefox WebDriver binary path configuration method. The workflow has been restructured to separate concerns into individual jobs with improved security practices and updated action versions.

• Changed Firefox WebDriver configuration from setBinaryPath to setBinary
• Restructured GitHub Actions workflow into separate jobs for linting, formatting, building, and testing
• Added workflow concurrency control and the always() condition to nightly tests

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File	Description
test/integration/full/test-webdriver.js	Updates Firefox options to use setBinary() method instead of setBinaryPath()
.github/workflows/test.yml	Restructures CI workflow into separate jobs with pinned action versions, YAML anchors, and Node 24 support
.github/workflows/nightly-tests.yml	Adds always() condition to Chrome Beta tests to ensure they run even if previous tests fail

Comments suppressed due to low confidence (1)

test/integration/full/test-webdriver.js:137

• Inconsistent API usage between Chrome and Firefox options. Chrome uses setBinaryPath() while Firefox uses setBinary(). For consistency and correctness, Chrome should also use setBinary() if both selenium-webdriver Options classes support this method, or there should be a comment explaining why different methods are used.

      options.setBinaryPath(process.env.CHROME_BIN);

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[straker]

All LGTM, but I would like @dbjorge or @WilcoFiers approval so we don't miss anything.

I did notice we didn't port over the test_rule_help_version step which should be fine as that should only run on a pr to master but we were running it on develop, which I don't think we need to do since a pr to develop will never increase the version number before it goes to master.

[straker]

So if I understand everything correctly, calling &install-deps-with-xvfb will reinstall the node modules for every step and not cache it, whereas in circle we found a way to cache the build and the node modules so it only happened once for the entire run. This isn't so much a problem for now as as you said for the build we can worry about optimizing after. Looking at the runs, each of the tests take ~2mins longer than their circleCI counterpart, but since it all runs in parallel it doesn't add too much time in the long run.

[WilcoFiers]

That feels like a step back. I don't care if we do that in this PR or a separate one but I don't think we should call this done until we've sorted this.

[Garbee]

So, cacheing of node modules is handled by actions/setup-node. It caches the local cache of node_modules and not the modules in the repo after installation. Reason being, just restoring the cache in the repo may miss running install scripts that make things work. (This is probably why some of the tests broke after the move.)

The build time is like 30 seconds of effort when we do need to re-run it. Not enough time to run up a bill too much.

Ideally, we'd ultimately end up building docker images we run against that have all the OS deps pre-installed (aside from nightly stuff which of course we need to install at runtime.) This would reduce the bulk of that extra ~2m time. Since most of it is spent downloading and installing the same OS packages on every runner.

No one that I'm aware of in the org has done Docker Images for CI yet in GHA. This "install deps" shared action is how every other project has done this that I've seen. So it's a trade-off the org has accepted for the initial conversion of these projects to GHA. If we want to prioritize setting up the infrastructure for making docker images and refreshing them regularly for CI to run against, I'm all for it. But that's a bigger task that will need to be planned out with PO buy-in so it has accounted time to work on it and get it done.

[dbjorge]

Garbee is correct, actions/setup-node provides caching that is more robust than what we were doing in circleci and I agree that we should use that rather than caching the whole node_modules folder - I've had to debug issues caused by over-caching of whole node_modules folders before, it's a rough debugging experience I don't think caching node_modules instead is worth 20s of wall time.

This PR is caching the build between most jobs already (that's what &restore-axe-build does). But I agree with Garbee's choice to not use the cached build in the long-pole jobs; because build is faster than install_deps (even cached), the total wall-time of "wait for build job -> install_deps_with_xvfb -> download build" is less than the wall-time of "start immediately -> install_deps_with_xvfb -> redundant build". Unfortunately, GitHub Actions' needs dependencies only operate at the job level, not the step level; I'm not aware of a great way to represent "let the test_chrome job start doing its dep installation in parallel with the build job, and don't block on the build job until you actually get to the 'download artifact' step", which is the behavior you'd really want here.

I agree with Garbee that the part of dep installation that is actually most expensive in the long-pole test_chrome and test_firefox jobs is the xvfb/browser installation , and that the way you'd want to optimize that is to run builds against docker images that already have those pre-installed. We have an issue at https://github.com/dequelabs/on-prem-services/issues/8 tracking that we'd like to implement a centralized setup for automatically-refreshed common docker images for different teams to use, but haven't found time to implement it yet. I've updated that ticket to note that we'd like an image for this use case.

Playwright publishes docker images that come with xvfb and browser deps pre-installed that we might consider using here even without otherwise using Playwright (docs). But I think we should leave experimenting with that for a separate PR/issue, the jobs this PR sets up are already faster than circle as-is (the total runtime for GHA here is 5m59s, vs 6m49s for circle)

[Garbee]

On test_rule_help_version this is a part of the next PR since it seems to be deployment related only (since it only runs on master). I'm doing one last check right now of the entire Circle CI config to make sure I have everything before working on that PR draft.

[dbjorge]

Looks good to me overall, only two suggested changes are both minor.

[dbjorge]

Garbee is correct, actions/setup-node provides caching that is more robust than what we were doing in circleci and I agree that we should use that rather than caching the whole node_modules folder - I've had to debug issues caused by over-caching of whole node_modules folders before, it's a rough debugging experience I don't think caching node_modules instead is worth 20s of wall time.

This PR is caching the build between most jobs already (that's what &restore-axe-build does). But I agree with Garbee's choice to not use the cached build in the long-pole jobs; because build is faster than install_deps (even cached), the total wall-time of "wait for build job -> install_deps_with_xvfb -> download build" is less than the wall-time of "start immediately -> install_deps_with_xvfb -> redundant build". Unfortunately, GitHub Actions' needs dependencies only operate at the job level, not the step level; I'm not aware of a great way to represent "let the test_chrome job start doing its dep installation in parallel with the build job, and don't block on the build job until you actually get to the 'download artifact' step", which is the behavior you'd really want here.

I agree with Garbee that the part of dep installation that is actually most expensive in the long-pole test_chrome and test_firefox jobs is the xvfb/browser installation , and that the way you'd want to optimize that is to run builds against docker images that already have those pre-installed. We have an issue at https://github.com/dequelabs/on-prem-services/issues/8 tracking that we'd like to implement a centralized setup for automatically-refreshed common docker images for different teams to use, but haven't found time to implement it yet. I've updated that ticket to note that we'd like an image for this use case.

Playwright publishes docker images that come with xvfb and browser deps pre-installed that we might consider using here even without otherwise using Playwright (docs). But I think we should leave experimenting with that for a separate PR/issue, the jobs this PR sets up are already faster than circle as-is (the total runtime for GHA here is 5m59s, vs 6m49s for circle)

Both changes verified and were applied. Thank you for catching those.

[dbjorge]

The code changes look good to me, but we should see if we can root cause/fix the flaky test_firefox failure before switching - I tried running the job 10x here and it failed 4/10 times in the same test with the same signature in this PR's latest run in GHA, vs in circleci where I looked through the last 2 months' history of develop builds and didn't see any hits of the same flakiness issue.

http://localhost:9876/test/integration/full/preload-cssom/preload-cssom.html [firefox]
passes: 14, failures: 1, duration: 1.779s
Expected getPreload to reject.

...

URL: http://localhost:9876/test/integration/full/preload-cssom/preload-cssom.html
Browser: firefox
Describe: preload cssom integration test > tests for nested document
it throws if cross-origin stylesheet fail to load
commonTestsForRootNodeAndNestedFrame/</</<@http://localhost:9876/test/integration/full/preload-cssom/preload-cssom.js:161:20

[Garbee]

On Firefox being flaky, this was observed in the development of converting the tests. Part of me thought it might have been more pre-ready changes maybe conflicting at times. But now that the last few commits have settled and we still see this, it's definitely a flaky test.

There are two main things that I know of which can be in play.

First, pure resource difference between the runners at Circle CI and GHA's default runners. Maybe bumping the runner resources up one notch so it has slightly more CPU would fix it without any effort in the code.

Second, because Circle CI was caching node_modules after install to the repo and reloading that. Maybe some of the processing was tied to it. It was absolutely observed in trying to re-use the built axe.js artifact for testing where things weren't setup quite right. Causing me to need to move to building before running the tests in the job. So maybe something else was going in that situation too that led the Firefox tests to pass due to the setup being different.

Short term, we have the OIDC deployment that needs to get done by the 19th, so 7 days from now. I think we need to try and get this merged, but not disable Circle CI yet. Once deployment is functional, we can circle back to triaging why the runtime difference exists and try to nail down what the solution is once the true root cause is known between the two platforms. Trying to do that before the Nov 19th deadline puts the OIDC conversion at risk. Unless we move other commitments just to work on triaging this situation in time.

[dbjorge]

I debugged the flaky test and created a fix in #4938. The fix is independent of this PR.

[scottmries]

Looks ok to me, given the above the discussion.

[Garbee]

The last push updated the concurrency model again. Taking it back to how it was before in desire. Pull requests are the same, cancelling the previous run if it is still on the stack. While push events run sequentially.

The reason to run sequentially is to avoid the condition where 2 (or more) commits land in short succession. Merge 1 gets a box having network issues so it is slower, but still finishes. While Merge 2 gets a box with no network issue and finishes before Merge 1. Once the deploy is in, with concurrent operation, Merge 2 would be behind Merge 1 in the @next tag. Leaving the NPM deploy in a state of improper knowledge that we can't fix.

This prevents that, since one run has to finish before the next. It is NOT bulletproof in ensuring next is always in alignment. That can only come from hardening the deploy step further. Which for right now is out of scope of the initial conversion since it was never guarded against previously. If a workflow fails for Merge 1 while Merge 2 passes; then someone re-runs Merge 1 manually, it will eventually overtake with the next tag even though that is behind. I will try to address it preemptively in the deploy patch, but depending on complexity we may hold off on that to its own PR to follow-up the initial implementation.

Visual Representation

A diagram of the explained flows to highlight where potential issues can occur.

%%{init: {'theme': 'base', 'themeVariables': { 'primaryTextColor':'#000000', 'tertiaryTextColor':'#000000'}}}%%
graph LR
    subgraph "Git History"
        direction LR
        M0["(earlier commits)"]
        M1["Merge 1<br/>commit: abc123"]
        M2["Merge 2<br/>commit: def456"]
        M0 --> M1 --> M2
    end
    
    subgraph "Concurrent Deploys ❌"
        direction TB
        Q1["Queue: Merge 1, Merge 2"]
        R1["Box A: Slow ⏳"]
        R2["Box B: Fast ⚡"]
        E1["Merge 1 finish: 5s later"]
        E2["Merge 2 finish: 1s later"]
        D2["Deploy Merge 2 FIRST<br/>@next → def456"]
        D1["Deploy Merge 1 SECOND<br/>@next → abc123"]
        
        Q1 -.->|splits| R1
        Q1 -.->|splits| R2
        R1 -.-> E1
        R2 -.-> E2
        E2 -->|faster| D2
        E1 -->|slower| D1
        
        style D1 fill:#FFB6C6,color:#000000
        style D2 fill:#FFB6C6,color:#000000
        style M1 fill:#ADD8E6,color:#000000
        style M2 fill:#90EE90,color:#000000
    end
    
    subgraph "Sequential Deploys ✓"
        direction TB
        Q3["Queue: [Merge 1→Merge 2]"]
        P1["Deploy Merge 1<br/>@next → abc123"]
        P2["Deploy Merge 2<br/>@next → def456"]
        
        Q3 --> P1
        P1 -->|releases lock| P2
        
        style P1 fill:#ADD8E6,color:#000000
        style P2 fill:#90EE90,color:#000000
    end
    
    subgraph "Problem: Manual Re-run ⚠️"
        direction TB
        S1["Merge 2 deploys first<br/>@next → def456"]
        S2["Merge 1 fails, skipped"]
        S3["Manual re-run Merge 1<br/>@next → abc123"]
        
        S1 --> S2
        S2 --> S3
        
        style S3 fill:#FFB6C6,color:#000000
        style S1 fill:#90EE90,color:#000000
    end
    
    M2 -.-> Q1
    M2 -.-> Q3
    M2 -.-> S1

Loading