[change] CI: Download recent firefox build to show issue with MV2 -> MV3 #695

Draft: asmodehn wants to merge 1 commit into openwisp:master from asmodehn:bug_firefox_logs

asmodehn commented Jun 5, 2026 (Member)

Checklist

  • I have read the OpenWISP Contributing Guidelines.
  • I have manually tested the changes proposed in this pull request.
  • I have written new test cases for new code and/or updated existing tests for changes to existing code.
  • I have updated the documentation.

Reference to Existing Issue

Demonstrate #696

Description of Changes

This is a demonstration-only PR — no source code is changed. It adds two
steps to the CI workflow to prove that Firefox ≥135 refuses to load the
Manifest v2 console-capture extension.

Changes to .github/workflows/ci.yml (+9 lines)

  1. Install Firefox from Mozilla CDN before running tests:

    - name: Install Firefox with MV2 fully removed
      run: |
        wget -q "..." -O /tmp/firefox.tar.bz2
        tar xjf /tmp/firefox.tar.bz2 -C /tmp
        echo "GECKO_BIN=/tmp/firefox/firefox" >> $GITHUB_ENV

    The directly-downloaded Firefox has MV2 support fully removed, unlike the
    distro-packaged version on ubuntu-24.04 which still permits MV2 temporary
    add-ons (current CI passes).

  2. Print Firefox version so the CI log clearly shows which build is
    running:

    - name: Check Firefox version
      run: /tmp/firefox/firefox --version

Expected CI result

FAIL: test_get_browser_logs (test_project.tests.test_selenium
       .TestFirefoxSeleniumHelpers.test_get_browser_logs)
AssertionError: None != []

The root cause is openwisp_utils/tests/firefox-extensions/console_capture_extension/manifest.json
using manifest_version: 2, which modern Firefox refuses to load.
get_browser_logs() → execute_script("return window._console_logs")
returns JS undefined → Python None instead of the expected [].

Next step

The actual fix PR would:

  1. Upgrade the extension manifest to v3 (manifest_version: 3 +
    host_permissions).
  2. Add a fallback in get_browser_logs() so it works when the extension fails
    to load (e.g. on about:blank where content scripts never run).

asmodehn self-assigned this Jun 5, 2026

coderabbitai Bot commented Jun 5, 2026

📝 Walkthrough

This PR adds explicit Firefox installation steps to the GitHub Actions CI workflow on Ubuntu. The change downloads the latest Firefox binary, extracts it to a known location, sets the GECKO_BIN environment variable to point to the extracted executable, and verifies the installation by printing the Firefox version. This ensures Firefox is available for test execution in the CI environment.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title follows the required [type] format with 'change' prefix and clearly describes the CI modification to download recent Firefox to demonstrate MV2 compatibility issues. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Bug Fixes | ✅ Passed | This demonstration-only PR modifies CI config only; it does not fix the bug (MV3 upgrade not included per PR objectives). Check applies only to bug fixes; valid exception for GitHub Actions workflows. |
| Description check | ✅ Passed | The PR description is comprehensive and well-structured, covering all required template sections including a completed checklist, issue reference, and detailed description of changes. |

coderabbitai Bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Line 80: The CI currently downloads a moving target via wget for
"firefox-latest"; update the wget invocation in the .github/workflows/ci.yml
step that contains the wget command so it requests a specific release tarball
(e.g., Firefox 135.0.1) instead of "firefox-latest" by replacing the query URL
with the explicit release download URL from Mozilla's releases (for example
using the
`https://download-installer.cdn.mozilla.net/pub/firefox/releases/<VERSION>/linux-x86_64/en-US/firefox-<VERSION>.tar.bz2`
pattern), ensuring the workflow consistently pulls the pinned Firefox version
for reproducible demos.
- Line 80: The wget download step that fetches
"https://download.mozilla.org/?product=firefox-latest&os=linux64&lang=en-US"
should verify integrity before use: add checksum (e.g., SHA256/SHA512) or
signature verification after the download and fail the job if verification
fails. Modify the CI step that runs the wget command to also fetch a trusted
checksum/signature (or embed an expected checksum variable), run a verifier such
as sha512sum (or gpg --verify for signatures) against /tmp/firefox.tar.bz2, and
exit non‑zero on mismatch so the workflow aborts on tampered or corrupted
artifacts.
- Around line 78-82: Add robust error handling around the Firefox
download/extract steps: enable strict shell failure (set -euo pipefail) before
running wget and tar, use wget with a timeout and allow it to surface errors
instead of -q, check the exit status of tar extraction, and verify the GECKO_BIN
target (/tmp/firefox/firefox) exists and is executable (test -x) before
appending GECKO_BIN to the environment; if any step fails, exit the job with a
clear error so the workflow doesn't continue with a missing binary.

📥 Commits

Reviewing files that changed from the base of the PR and between 66f9a6f and d433f5f.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml
📜 Review details
🔇 Additional comments (1)
.github/workflows/ci.yml (1)

84-85: Version check looks good for verification.

The version check step effectively verifies that Firefox was installed correctly. If you implement the earlier suggestions (error handling and version pinning), this step will provide useful logging showing exactly which Firefox version is being tested.

Comment thread .github/workflows/ci.yml
Comment on lines +78 to +82
- name: Install Firefox with MV2 fully removed
run: |
wget -q "https://download.mozilla.org/?product=firefox-latest&os=linux64&lang=en-US" -O /tmp/firefox.tar.bz2
tar xjf /tmp/firefox.tar.bz2 -C /tmp
echo "GECKO_BIN=/tmp/firefox/firefox" >> $GITHUB_ENV
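
Review bot: `tar xjf` on the extraction line hard-codes bzip2, while the URL on the line above is a redirector for `firefox-latest`, so the archive format is whatever the current release ships and the step breaks as soon as that is not bzip2. Use `tar xf /tmp/firefox.tar.bz2 -C /tmp`, which lets tar detect the compression, and give the `-O` target a format-neutral name. `$GITHUB_ENV` on the last line should also be quoted.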

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add error handling to prevent silent failures.

The installation commands lack error handling. If wget fails (especially with -q suppressing output) or tar extraction fails, the workflow continues and sets GECKO_BIN to a non-existent path, causing cryptic test failures.

🛡️ Proposed fix with error checking
       - name: Install Firefox with MV2 fully removed
         run: |
+          set -euo pipefail
-          wget -q "https://download.mozilla.org/?product=firefox-latest&os=linux64&lang=en-US" -O /tmp/firefox.tar.bz2
+          wget --timeout=30 "https://download.mozilla.org/?product=firefox-latest&os=linux64&lang=en-US" -O /tmp/firefox.tar.bz2
           tar xjf /tmp/firefox.tar.bz2 -C /tmp
+          test -x /tmp/firefox/firefox || { echo "Firefox binary not found or not executable"; exit 1; }
           echo "GECKO_BIN=/tmp/firefox/firefox" >> $GITHUB_ENV
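
Review bot: the replacement `wget` line drops `-q` without adding any other verbosity flag, so the download's progress output lands in the job log; `wget -nv --timeout=30 ...` keeps error messages while suppressing the progress meter. On the `test -x` line, send the failure message to stderr (`>&2`) so it is not mixed with normal step output. That check also only proves that an executable file exists at the path, not that it is the intended build, since the URL still resolves `firefox-latest`.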

This ensures:

  • set -euo pipefail stops execution on any command failure
  • wget --timeout=30 prevents indefinite hangs and shows errors
  • test -x verifies the binary exists and is executable before setting GECKO_BIN

Comment thread .github/workflows/ci.yml

- name: Install Firefox with MV2 fully removed
run: |
wget -q "https://download.mozilla.org/?product=firefox-latest&os=linux64&lang=en-US" -O /tmp/firefox.tar.bz2

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin Firefox version for reproducible demonstration.

Downloading "firefox-latest" means the CI will fetch different versions over time, reducing reproducibility. For a demonstration PR showing Firefox ≥135 behavior, consider pinning to a specific version (e.g., Firefox 135.0.1) so the demo consistently reproduces the MV2 issue.

📌 Example: Pin to Firefox 135.0.1
-          wget --timeout=30 "https://download.mozilla.org/?product=firefox-latest&os=linux64&lang=en-US" -O /tmp/firefox.tar.bz2
+          # Pin to Firefox 135.0.1 to demonstrate MV2 removal
+          wget --timeout=30 "https://download-installer.cdn.mozilla.net/pub/firefox/releases/135.0.1/linux-x86_64/en-US/firefox-135.0.1.tar.bz2" -O /tmp/firefox.tar.bz2
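
Review bot: the removed line shown here already carries `--timeout=30`, which the workflow's committed `wget -q ...` line does not, so this suggestion only applies cleanly on top of the error-handling change; state that dependency or base the diff on the line as committed. The version string appears twice in the new URL and again in the comment, so a single variable (for example `FIREFOX_VERSION`) would keep them from drifting apart. Pinning the URL fixes which release is requested, not which bytes arrive, so it does not replace an integrity check.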

You can find available versions at https://download-installer.cdn.mozilla.net/pub/firefox/releases/.

🧹 Nitpick | 🔵 Trivial | ⚖️ Poor tradeoff

Consider adding checksum verification for security.

The downloaded Firefox binary is not verified against a checksum or signature. While this may be acceptable for a demonstration PR, note that the actual fix should include verification to prevent supply-chain attacks.

🔐 Example with SHA512 verification (if implementing for production)
+          # Download Firefox and checksum
+          wget --timeout=30 "https://download-installer.cdn.mozilla.net/pub/firefox/releases/135.0.1/linux-x86_64/en-US/firefox-135.0.1.tar.bz2" -O /tmp/firefox.tar.bz2
+          wget --timeout=30 "https://download-installer.cdn.mozilla.net/pub/firefox/releases/135.0.1/SHA512SUMS" -O /tmp/SHA512SUMS
+          # Verify checksum
+          cd /tmp && sha512sum -c <(grep firefox-135.0.1.tar.bz2 SHA512SUMS)
           tar xjf /tmp/firefox.tar.bz2 -C /tmp
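
Review bot: the `sha512sum -c` line does not check the file that was downloaded. `grep firefox-135.0.1.tar.bz2 SHA512SUMS` selects entries by the release file name, while the first `wget` saved the archive as `/tmp/firefox.tar.bz2`; `sha512sum -c` opens the paths listed in the sums input, so it looks for files that are not present in `/tmp`, and the unanchored pattern matches every line containing that name. Extract the one expected digest and compare it against `/tmp/firefox.tar.bz2` explicitly. `SHA512SUMS` is also fetched from the same host as the tarball, so this catches corruption but not a substituted release; pin the digest in the workflow or verify a signature over the sums file. The `<( ... )` process substitution requires bash.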

Note: For a demo PR, this adds complexity with minimal benefit. Consider adding only when converting to a production fix.

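The integrity check recommended in the review comment above, as an added example that is not part of the PR or of CodeRabbit's suggestion: it compares the download against a SHA-512 recorded in the workflow rather than one fetched from the download host, and extracts only on a match. `verify_pinned_sha512` and `install_verified` are hypothetical names, and the demo archive and its digest are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the PR): fail-closed check of a CI download against a
# SHA-512 pinned in the workflow. Function names are hypothetical.

# verify_pinned_sha512 FILE EXPECTED_HEX
# 0 = match, 1 = mismatch, 2 = malformed pin, 3 = file missing or unreadable.
verify_pinned_sha512() {
  local file="$1" expected="$2" actual
  # A SHA-512 digest is exactly 128 hex characters; reject anything else so an
  # empty or truncated pin can never be treated as "nothing to check".
  case "$expected" in
    ''|*[!0-9a-fA-F]*) echo "malformed pinned digest" >&2; return 2 ;;
  esac
  [ "${#expected}" -eq 128 ] || { echo "malformed pinned digest" >&2; return 2; }
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 3; }
  actual=$(sha512sum -- "$file" | cut -d' ' -f1)
  [ -n "$actual" ] || return 3
  expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
  [ "$actual" = "$expected" ] || { echo "SHA-512 mismatch: $file" >&2; return 1; }
}

# install_verified ARCHIVE EXPECTED_HEX DEST
# Extracts only after the digest matches, so unverified bytes never reach tar.
install_verified() {
  local archive="$1" expected="$2" dest="$3"
  verify_pinned_sha512 "$archive" "$expected" || return $?
  mkdir -p "$dest" && tar xf "$archive" -C "$dest"
}

# Constructed demo: a stand-in archive and its digest (in a workflow the digest
# is a reviewed constant, never computed from the file being checked).
demo() {
  local d pin
  d=$(mktemp -d) || return
  echo 'stand-in binary' > "$d/firefox"
  tar cf "$d/pkg.tar" -C "$d" firefox
  pin=$(sha512sum "$d/pkg.tar" | cut -d' ' -f1)
  install_verified "$d/pkg.tar" "$pin" "$d/ok" && echo "intact archive: extracted"
  echo tamper >> "$d/pkg.tar"
  install_verified "$d/pkg.tar" "$pin" "$d/bad" || echo "tampered archive: refused"
  rm -rf "$d"
}
demo
```

In the workflow step this would run before `GECKO_BIN` is written to `$GITHUB_ENV`, with the expected digest held in a variable reviewed alongside the pinned version.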

@openwisp-companion

The CI is failing due to transient infrastructure issues (not related to your code). I have restarted the failed jobs automatically (1/3).
