# ───────────────────────────────────────────────────────────────────────────── # verify-cloak.yml — re-runnable CLOAK + WEBGL-MASKING GUARDS for an EXISTING # build run's artifacts, WITHOUT rebuilding Firefox (~3h on the mac legs). # # release.yml runs these same guards in its `gate` job against each freshly-built # artifact. This re-runs them against the artifacts of a PRIOR build run (input # `run_id`) using the CURRENT wrapper code on the default branch — so a test-only # fix (e.g. making the macOS leg tolerant of the runner's missing WebGL) can be # validated against the real binaries in ~10 min instead of paying a full rebuild. # # Same guard command as release.yml's gate. Headed-but-cloaked; zero proxy / zero # secrets. The macOS legs are the only place the cocoa cloak patch actually RUNS. # ───────────────────────────────────────────────────────────────────────────── name: verify-cloak on: workflow_dispatch: inputs: run_id: description: 'build run id whose asset-* artifacts to re-gate (e.g. 27346856197)' required: true permissions: contents: read actions: read # download-artifact needs this to read another run's artifacts jobs: guard: name: guard-${{ matrix.leg }} runs-on: ${{ matrix.runner }} timeout-minutes: 25 strategy: fail-fast: false matrix: # Same legs/runners/assets as release.yml's gate matrix. include: - leg: linux-x86_64 runner: ubuntu-24.04 kind: linux asset: firefox-150.0.1-stealth-linux-x86_64.tar.gz - leg: linux-arm64 runner: ubuntu-24.04-arm kind: linux asset: firefox-150.0.1-stealth-linux-arm64.tar.gz - leg: win-x86_64 runner: windows-latest kind: win asset: firefox-150.0.1-stealth-win-x86_64.zip - leg: macos-arm64 runner: macos-15 kind: mac asset: firefox-150.0.1-stealth-macos-arm64.tar.gz - leg: macos-x86_64 runner: macos-15-intel kind: mac asset: firefox-150.0.1-stealth-macos-x86_64.tar.gz steps: - name: Checkout wrapper (current default branch — the FIXED tests) uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: { fetch-depth: 1 } - name: Download build asset from the prior run (no rebuild) uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: asset-${{ matrix.leg }} path: art run-id: ${{ github.event.inputs.run_id }} github-token: ${{ secrets.GITHUB_TOKEN }} - name: Set up Python uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: { python-version: '3.11' } - name: Install Playwright driver (no bundled browser — we override executable_path) # Single-source pin (see release.yml); the wrapper enforces juggler compat. shell: bash run: python -m pip install --quiet "playwright==$(cat scripts/playwright_pin.txt)" - name: Linux system deps for headless firefox if: matrix.kind == 'linux' run: sudo "$(which python)" -m playwright install-deps firefox - name: Extract + locate firefox binary shell: bash run: | set -e mkdir -p ff A="art/${{ matrix.asset }}" case "${{ matrix.kind }}" in win) python -c "import zipfile; zipfile.ZipFile('$A').extractall('ff')"; EXE="ff/firefox.exe";; linux) tar xzf "$A" -C ff; EXE="ff/firefox";; mac) tar xzf "$A" -C ff; EXE="ff/Firefox.app/Contents/MacOS/firefox";; esac [ -e "$EXE" ] || { echo "ERROR: firefox binary not found at $EXE"; exit 1; } chmod +x "$EXE" 2>/dev/null || true echo "FF_EXE=$EXE" >> "$GITHUB_ENV" echo "located: $EXE" - name: Install pyobjc Quartz (macOS — to read the cloak window alpha) if: matrix.kind == 'mac' run: python -m pip install --quiet pyobjc-framework-Quartz - name: Cloak + WebGL-masking guards (headed) shell: bash run: | python -m pip install --quiet ".[dev]" INVPW_BINARY_PATH="$FF_EXE" python -m pytest \ tests/test_cloak.py \ "tests/test_fingerprint_surface.py::test_webgl_readpixels_no_masking_signature" \ -m e2e -o addopts='' -q