Change "/update-vrt" workflow (#5952)

Author: MatissJanis

.github/workflows/update-vrt.yml

@@ -0,0 +1,156 @@
+name: VRT Update - Apply
+# SECURITY: This workflow runs in trusted base repo context.
+# It treats the patch artifact as untrusted data, validates it contains only PNGs,
+# and safely applies it to the contributor's fork branch.
+on:
+  workflow_run:
+    workflows: ['VRT Update - Generate']
+    types:
+      - completed
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  apply-vrt-updates:
+    name: Apply VRT Updates
+    runs-on: ubuntu-latest
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    steps:
+      - name: Download patch artifact
+        uses: actions/download-artifact@v4
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          run-id: ${{ github.event.workflow_run.id }}
+          pattern: vrt-patch-*
+          path: /tmp/artifacts
+
+      - name: Download metadata artifact
+        uses: actions/download-artifact@v4
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          run-id: ${{ github.event.workflow_run.id }}
+          pattern: vrt-metadata-*
+          path: /tmp/metadata
+
+      - name: Extract metadata
+        id: metadata
+        run: |
+          # Find the metadata directory (will be vrt-metadata-{PR_NUMBER})
+          METADATA_DIR=$(find /tmp/metadata -mindepth 1 -maxdepth 1 -type d | head -n 1)
+
+          if [ -z "$METADATA_DIR" ]; then
+            echo "No metadata found, skipping..."
+            exit 0
+          fi
+
+          PR_NUMBER=$(cat "$METADATA_DIR/pr-number.txt")
+          HEAD_REF=$(cat "$METADATA_DIR/head-ref.txt")
+          HEAD_REPO=$(cat "$METADATA_DIR/head-repo.txt")
+
+          echo "pr_number=$PR_NUMBER" >> "$GITHUB_OUTPUT"
+          echo "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"
+          echo "head_repo=$HEAD_REPO" >> "$GITHUB_OUTPUT"
+
+          echo "Found PR #$PR_NUMBER: $HEAD_REPO @ $HEAD_REF"
+
+      - name: Checkout fork branch
+        if: steps.metadata.outputs.pr_number != ''
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ steps.metadata.outputs.head_repo }}
+          ref: ${{ steps.metadata.outputs.head_ref }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+          fetch-depth: 0
+
+      - name: Validate and apply patch
+        if: steps.metadata.outputs.pr_number != ''
+        id: apply
+        run: |
+          # Find the patch file
+          PATCH_DIR=$(find /tmp/artifacts -mindepth 1 -maxdepth 1 -type d | head -n 1)
+          PATCH_FILE="$PATCH_DIR/vrt-update.patch"
+
+          if [ ! -f "$PATCH_FILE" ]; then
+            echo "No patch file found"
+            exit 0
+          fi
+
+          echo "Found patch file: $PATCH_FILE"
+
+          # Validate patch only contains PNG files
+          echo "Validating patch contains only PNG files..."
+          if grep -E '^(\+\+\+|---) [ab]/' "$PATCH_FILE" | grep -v '\.png$'; then
+            echo "ERROR: Patch contains non-PNG files! Rejecting for security."
+            echo "applied=false" >> "$GITHUB_OUTPUT"
+            echo "error=Patch validation failed: contains non-PNG files" >> "$GITHUB_OUTPUT"
+            exit 1
+          fi
+
+          # Extract file list for verification
+          FILES_CHANGED=$(grep -E '^\+\+\+ b/' "$PATCH_FILE" | sed 's/^+++ b\///' | wc -l)
+          echo "Patch modifies $FILES_CHANGED PNG file(s)"
+
+          # Configure git
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+
+          # Apply patch
+          echo "Applying patch..."
+          if git apply --check "$PATCH_FILE" 2>&1; then
+            git apply "$PATCH_FILE"
+
+            # Stage only PNG files (extra safety)
+            git add "**/*.png"
+
+            if git diff --staged --quiet; then
+              echo "No changes after applying patch"
+              echo "applied=false" >> "$GITHUB_OUTPUT"
+              exit 0
+            fi
+
+            # Commit
+            git commit -m "Update VRT screenshots" -m "Auto-generated by VRT workflow" -m "PR: #${{ steps.metadata.outputs.pr_number }}"
+
+            echo "applied=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "Patch could not be applied cleanly"
+            echo "applied=false" >> "$GITHUB_OUTPUT"
+            echo "error=Patch conflicts with current branch state" >> "$GITHUB_OUTPUT"
+            exit 1
+          fi
+
+      - name: Push changes
+        if: steps.apply.outputs.applied == 'true'
+        env:
+          HEAD_REF: ${{ steps.metadata.outputs.head_ref }}
+          HEAD_REPO: ${{ steps.metadata.outputs.head_repo }}
+        run: |
+          git push origin "HEAD:refs/heads/$HEAD_REF"
+          echo "Successfully pushed VRT updates to $HEAD_REPO@$HEAD_REF"
+
+      - name: Comment on PR - Success
+        if: steps.apply.outputs.applied == 'true'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            await github.rest.issues.createComment({
+              issue_number: ${{ steps.metadata.outputs.pr_number }},
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: '✅ VRT screenshots have been automatically updated.'
+            });
+
+      - name: Comment on PR - Failure
+        if: failure() && steps.metadata.outputs.pr_number != ''
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const error = `${{ steps.apply.outputs.error }}` || 'Unknown error occurred';
+            await github.rest.issues.createComment({
+              issue_number: ${{ steps.metadata.outputs.pr_number }},
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: `❌ Failed to apply VRT updates: ${error}\n\nPlease check the workflow logs for details.`
+            });

.github/workflows/vrt-update-apply.yml

@@ -0,0 +1,105 @@
+name: VRT Update - Generate
+# SECURITY: This workflow runs in untrusted fork context with no write permissions.
+# It only generates VRT patch artifacts that are later applied by vrt-update-apply.yml
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+    paths:
+      - 'packages/**'
+      - '.github/workflows/vrt-update-generate.yml'
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  generate-vrt-updates:
+    name: Generate VRT Updates
+    runs-on: ubuntu-latest
+    container:
+      image: mcr.microsoft.com/playwright:v1.56.0-jammy
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Set up environment
+        uses: ./.github/actions/setup
+
+      - name: Run VRT Tests on Desktop app
+        continue-on-error: true
+        run: |
+          xvfb-run --auto-servernum --server-args="-screen 0 1920x1080x24" -- yarn e2e:desktop --update-snapshots
+
+      - name: Wait for Netlify build to finish
+        id: netlify
+        env:
+          COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: ./.github/actions/netlify-wait-for-build
+
+      - name: Run VRT Tests on Netlify URL
+        continue-on-error: true
+        run: yarn vrt --update-snapshots
+        env:
+          E2E_START_URL: ${{ steps.netlify.outputs.url }}
+
+      - name: Create patch with PNG changes only
+        id: create-patch
+        run: |
+          # Trust the repository directory (required for container environments)
+          git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+
+          # Stage only PNG files
+          git add "**/*.png"
+
+          # Check if there are any changes
+          if git diff --staged --quiet; then
+            echo "has_changes=false" >> "$GITHUB_OUTPUT"
+            echo "No VRT changes to commit"
+            exit 0
+          fi
+
+          echo "has_changes=true" >> "$GITHUB_OUTPUT"
+
+          # Create commit and patch
+          git commit -m "Update VRT screenshots"
+          git format-patch -1 HEAD --stdout > vrt-update.patch
+
+          # Validate patch only contains PNG files
+          if grep -E '^(\+\+\+|---) [ab]/' vrt-update.patch | grep -v '\.png$'; then
+            echo "ERROR: Patch contains non-PNG files!"
+            exit 1
+          fi
+
+          echo "Patch created successfully with PNG changes only"
+
+      - name: Upload patch artifact
+        if: steps.create-patch.outputs.has_changes == 'true'
+        uses: actions/upload-artifact@v4
+        with:
+          name: vrt-patch-${{ github.event.pull_request.number }}
+          path: vrt-update.patch
+          retention-days: 5
+
+      - name: Save PR metadata
+        if: steps.create-patch.outputs.has_changes == 'true'
+        run: |
+          mkdir -p pr-metadata
+          echo "${{ github.event.pull_request.number }}" > pr-metadata/pr-number.txt
+          echo "${{ github.event.pull_request.head.ref }}" > pr-metadata/head-ref.txt
+          echo "${{ github.event.pull_request.head.repo.full_name }}" > pr-metadata/head-repo.txt
+
+      - name: Upload PR metadata
+        if: steps.create-patch.outputs.has_changes == 'true'
+        uses: actions/upload-artifact@v4
+        with:
+          name: vrt-metadata-${{ github.event.pull_request.number }}
+          path: pr-metadata/
+          retention-days: 5

.github/workflows/vrt-update-generate.yml

@@ -0,0 +1,7 @@
+---
+category: Maintenance
+authors: [MatissJanis]
+---
+
+Refactor VRT workflow into two stages for improved testing and patch validation.
+