Docker: Update Firefox binary installed in node

[VietND96]

User description

Thanks for contributing to the Docker-Selenium project!
A PR well described will help maintainers to quickly review and merge it

Before submitting your PR, please check our contributing guidelines, applied for this repository.
Avoid large PRs, help reviewers by making them as simple and short as possible.

Description

Fixes #2487 - Pinning the version in building the node-firefox image for arch ARM64
Fixes #2457 Fixes #2463 - Similar above
Fixes #2473 - Moving installed Firefox directory back to /opt/firefox-$VERSION from /home/seluser/firefox

Motivation and Context

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist

• I have read the contributing document.
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have added tests to cover my changes.
• All new and existing tests passed.

---

PR Type

Enhancement, Bug fix

---

Description

• Introduced a new FIREFOX_DOWNLOAD_URL variable in the Makefile to specify the Firefox download URL, allowing for more controlled builds.
• Updated the Dockerfile for NodeFirefox to utilize the FIREFOX_DOWNLOAD_URL argument, ensuring the correct version of Firefox is downloaded and installed.
• Changed the installation directory of Firefox to /opt/firefox-$FIREFOX_VERSION to better manage versions.
• Improved the setup process for Firefox cleanup scripts and ensured language packs are downloaded during the build.
• Updated the README to reflect changes in Firefox version handling for ARM64 and clarified instructions for accessing pre-built language packs.

---

Changes walkthrough 📝

	Relevant files
Enhancement	Makefile Add Firefox download URL variable and update build target Makefile Added FIREFOX_DOWNLOAD_URL variable for specifying Firefox download URL. Updated firefox target to use FIREFOX_DOWNLOAD_URL for building the image. +2/-1      Dockerfile Update Firefox installation and cleanup process                    NodeFirefox/Dockerfile Added FIREFOX_DOWNLOAD_URL argument for downloading Firefox. Changed Firefox installation path to /opt/firefox-$FIREFOX_VERSION. Moved Firefox cleanup script setup to an earlier stage. Ensured language pack download during build. +18/-17
Documentation	README.md Update README with Firefox version and language pack details README.md Updated information about Firefox version differences for ARM64. Clarified instructions for accessing language packs. +2/-2

---

💡 PR-Agent usage: Comment /help "your question" on any pull request to receive relevant information

[qodo-merge-pro]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

🎫 Ticket compliance analysis 🔶 2457 - Fully compliant Compliant requirements: Fixes Firefox version mismatch by pinning specific version using FIREFOX_DOWNLOAD_URL 2487 - Fully compliant Compliant requirements: Introduces FIREFOX_DOWNLOAD_URL to pin specific versions across architectures 2473 - Fully compliant Compliant requirements: Moves Firefox installation back to /opt/firefox-$VERSION Updates binary location and permissions 2463 - Fully compliant Compliant requirements: Updates Firefox installation and configuration

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪

🧪 No relevant tests

🔒 No security concerns identified

⚡ Recommended focus areas for review File Permissions Verify that Firefox binary and related files have correct permissions after moving installation to /opt/firefox-$VERSION Version Control Validate that the hardcoded Firefox download URL in FIREFOX_DOWNLOAD_URL default value is appropriate and won't cause issues

[qodo-merge-pro]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Score
Security	Verify downloaded binary integrity using SHA256 checksum to prevent supply chain attacks The Firefox installation should verify the downloaded archive's integrity using SHA256 checksums to prevent tampering with the downloaded binary. NodeFirefox/Dockerfile [29-31] wget --no-verbose -O /tmp/firefox.tar.bz2 $FIREFOX_DOWNLOAD_URL \ +&& wget --no-verbose -O /tmp/firefox.tar.bz2.sha256 "${FIREFOX_DOWNLOAD_URL}.sha256" \ +&& echo "$(cat /tmp/firefox.tar.bz2.sha256) /tmp/firefox.tar.bz2" | sha256sum -c \ && rm -rf /opt/firefox \ && tar -C /opt -xjf /tmp/firefox.tar.bz2 || tar -C /opt -xJf /tmp/firefox.tar.bz2 Apply this suggestion Suggestion importance[1-10]: 9 Why: Adding SHA256 checksum verification is a critical security enhancement that helps prevent supply chain attacks by ensuring the integrity of downloaded Firefox binaries.	9
Possible issue	Handle archive extraction errors explicitly instead of silently falling back to alternative formats The fallback extraction with xJf should be in a separate condition to avoid silent failures, as mixing compression formats could indicate tampering. NodeFirefox/Dockerfile [31] -tar -C /opt -xjf /tmp/firefox.tar.bz2 || tar -C /opt -xJf /tmp/firefox.tar.bz2 +if ! tar -C /opt -xjf /tmp/firefox.tar.bz2; then + echo "bzip2 extraction failed, trying xz format..." + tar -C /opt -xJf /tmp/firefox.tar.bz2 || exit 1 +fi Apply this suggestion Suggestion importance[1-10]: 7 Why: The suggestion improves error handling and security by making extraction failures explicit and visible, preventing silent failures that could mask potential security issues or corrupted downloads.	7

💡 Need additional feedback ? start a PR chat

[qodo-merge-pro]

CI Failure Feedback 🧐

(Checks updated until commit 6ac3451)

Action: Rerun workflow when failure

Failed stage: Authenticate GitHub CLI for PR [❌]

Failure summary: The action failed because the GitHub CLI authentication process encountered an error: The token used for authentication is missing the required scope read:org. This resulted in the process completing with exit code 1.

Relevant error logs: 1: ##[group]Operating System 2: Ubuntu ... 28: SecurityEvents: write 29: Statuses: write 30: ##[endgroup] 31: Secret source: Actions 32: Prepare workflow directory 33: Prepare all required actions 34: Getting action download info 35: Download action repository 'actions/checkout@main' (SHA:cbb722410c2e876e24abbe8de2cc27693e501dcb) 36: Complete job name: Rerun workflow when failure ... 48: show-progress: true 49: lfs: false 50: submodules: false 51: set-safe-directory: true 52: env: 53: GH_CLI_TOKEN: *** 54: GH_CLI_TOKEN_PR: *** 55: RUN_ID: 12133025987 56: RERUN_FAILED_ONLY: true ... 119: ##[group]Run sudo apt update 120: �[36;1msudo apt update�[0m 121: �[36;1msudo apt install gh�[0m 122: shell: /usr/bin/bash -e {0} 123: env: 124: GH_CLI_TOKEN: *** 125: GH_CLI_TOKEN_PR: *** 126: RUN_ID: 12133025987 127: RERUN_FAILED_ONLY: true ... 152: 0 upgraded, 0 newly installed, 0 to remove and 38 not upgraded. 153: ##[group]Run echo "$GH_CLI_TOKEN_PR" | gh auth login --with-token 154: �[36;1mecho "$GH_CLI_TOKEN_PR" | gh auth login --with-token�[0m 155: shell: /usr/bin/bash -e {0} 156: env: 157: GH_CLI_TOKEN: *** 158: GH_CLI_TOKEN_PR: *** 159: RUN_ID: 12133025987 160: RERUN_FAILED_ONLY: true 161: RUN_ATTEMPT: 1 162: ##[endgroup] 163: error validating token: missing required scope 'read:org' 164: ##[error]Process completed with exit code 1.

---

✨ CI feedback usage guide:

---

The CI feedback tool (/checks) automatically triggers when a PR has a failed check.
The tool analyzes the failed checks and provides several feedbacks:

• Failed stage
• Failed test name
• Failure summary
• Relevant error logs

In addition to being automatically triggered, the tool can also be invoked manually by commenting on a PR:

/checks "https://github.com/{repo_name}/actions/runs/{run_number}/job/{job_number}"

where {repo_name} is the name of the repository, {run_number} is the run number of the failed check, and {job_number} is the job number of the failed check.

Configuration options

• enable_auto_checks_feedback - if set to true, the tool will automatically provide feedback when a check is failed. Default is true.
• excluded_checks_list - a list of checks to exclude from the feedback, for example: ["check1", "check2"]. Default is an empty list.
• enable_help_text - if set to true, the tool will provide a help message with the feedback. Default is true.
• persistent_comment - if set to true, the tool will overwrite a previous checks comment with the new feedback. Default is true.
• final_update_message - if persistent_comment is true and updating a previous checks message, the tool will also create a new message: "Persistent checks updated to latest commit". Default is true.

See more information about the checks tool in the docs.

[AB-xdev]

Isn't there one ) too many?

[VietND96]

Good catch! A typo when I tried to copy a line from source to README without updating properly 😅