SeleniumHQ · titusfortner · Jan 20, 2026 · Jan 18, 2026 · Jan 18, 2026 · Jan 19, 2026
diff --git a/.github/workflows/bazel.yml b/.github/workflows/bazel.yml
@@ -7,6 +7,11 @@ on:
         description: Name of workflow
         required: false
         type: string
+      ref:
+        description: Git ref to checkout (branch, tag, or SHA)
+        required: false
+        type: string
+        default: ''
       run:
         description: Bazel command to run
         required: true
@@ -56,16 +61,16 @@ on:
         required: false
         type: string
         default: ''
-      nightly-release-files:
-        description: Files to upload to the Nightly release tag
+      artifact-name:
+        description: Name of artifact to upload
         required: false
         type: string
         default: ''
-      artifact-name:
-        description: Name of artifact to upload
+      artifact-path:
+        description: Path/glob of files to upload (if empty, uploads git diff as changes.patch)
         required: false
         type: string
-        default: 'ignore-artifacts'
+        default: ''
       rerun-with-debug:
         description: Rerun failing tests with debugging enabled
         required: false
@@ -76,6 +81,11 @@ on:
         required: false
         type: boolean
         default: false
+      fetch-depth:
+        description: Number of commits to fetch (0 for full history)
+        required: false
+        type: number
+        default: 1
 
 jobs:
   bazel:
@@ -92,6 +102,9 @@ jobs:
     steps:
       - name: Checkout source tree
         uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.ref || github.ref }}
+          fetch-depth: ${{ inputs.fetch-depth }}
       - name: Pull latest changes from head ref for PRs
         if: contains(github.head_ref, 'renovate/')
         run: git pull origin "$HEAD_REF"
@@ -238,23 +251,14 @@ jobs:
         uses: mxschmitt/action-tmate@v3
         with:
           limit-access-to-actor: false
-      - name: Release Nightly
-        if: inputs.nightly-release-files != ''
-        uses: marvinpinto/action-automatic-releases@v1.2.1
-        with:
-          repo_token: "${{ secrets.GITHUB_TOKEN }}"
-          automatic_release_tag: "nightly"
-          title: "Nightly"
-          prerelease: true
-          files: ${{ inputs.nightly-release-files }}
-      - name: Save changes
-        if: ${{ always() && inputs.artifact-name != 'ignore-artifacts' }}
-        run: |
-          git diff > changes.patch
-      - name: "Upload changes"
-        if: ${{ always() && inputs.artifact-name != 'ignore-artifacts' }}
+      - name: Save git diff
+        if: always() && inputs.artifact-name != '' && inputs.artifact-path == ''
+        run: git diff --binary > changes.patch
+      - name: Upload artifact
+        if: always() && inputs.artifact-name != ''
         uses: actions/upload-artifact@v5
         with:
           name: ${{ inputs.artifact-name }}
-          path: changes.patch
+          path: ${{ inputs.artifact-path || 'changes.patch' }}
           retention-days: 6
+          if-no-files-found: ${{ inputs.artifact-path != '' && 'error' || 'warn' }}
diff --git a/.github/workflows/ci-lint.yml b/.github/workflows/ci-lint.yml
@@ -23,22 +23,14 @@ jobs:
       - name: Validate workflows
         uses: raven-actions/actionlint@v2.1.0
 
-  format:
-    name: Format
-    if: startsWith(github.head_ref, 'renovate/') != true
+  check-protected:
+    name: Check Protected Files
+    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      actions: write
-      pull-requests: read
-    outputs:
-      format_exit_code: ${{ steps.check_format.outputs.exit_code }}
-      patch_uploaded: ${{ steps.patch_uploaded.outputs.outcome }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
       - name: Check for protected files
-        if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
         uses: dorny/paths-filter@v3
         id: filter
         with:
@@ -51,53 +43,27 @@ jobs:
         run: |
           echo "::notice::PR from fork modifies format script"
           exit 1
-      - name: Setup curl for Ubuntu
-        run: sudo apt-get update && sudo apt-get install -y libcurl4-openssl-dev
-      - name: Setup Bazel
-        uses: bazel-contrib/setup-bazel@0.18.0
-        with:
-          cache-save: false
-          bazelisk-cache: true
-          external-cache: |
-            manifest:
-              crates: rust/Cargo.Bazel.lock
-              rules_ruby++ruby+ruby: rb/.ruby-version
-          repository-cache: true
-          bazelrc: common --color=yes
-      - name: Check code formatting
-        id: check_format
-        run: |
-          set +e
-          ./scripts/github-actions/check-format.sh
-          exit_code=$?
-          echo "exit_code=${exit_code}" >> "$GITHUB_OUTPUT"
-          exit "${exit_code}"
-      - name: Save changes
-        if: failure() && steps.check_format.outputs.exit_code == '1' && github.event_name == 'pull_request'
-        run: git diff > changes.patch
-      - name: "Upload changes"
-        id: upload_changes
-        if: failure() && steps.check_format.outputs.exit_code == '1' && github.event_name == 'pull_request'
-        uses: actions/upload-artifact@v5
-        with:
-          name: format-changes
-          path: changes.patch
-      - name: Mark patch uploaded
-        id: patch_uploaded
-        if: always()
-        run: echo outcome=${{ steps.upload_changes.outcome }} >> "$GITHUB_OUTPUT"
+
+  format:
+    name: Format
+    if: startsWith(github.head_ref, 'renovate/') != true
+    uses: ./.github/workflows/bazel.yml
+    with:
+      name: Check Format
+      run: ./scripts/github-actions/check-format.sh
+      artifact-name: format-changes
 
   commit-fixes:
     name: Commit fixes
     needs: format
-    if: ${{ failure() && needs.format.outputs.patch_uploaded == 'success' }}
+    if: failure() && github.event_name == 'pull_request'
     runs-on: ubuntu-latest
     permissions:
       contents: write
       actions: read
     steps:
       - name: Check Permissions
-        if: ${{ github.event.pull_request.head.repo.fork == true }}
+        if: github.event.pull_request.head.repo.fork == true
         run: |
           echo "::error::Code needs formatting. Run ./scripts/format.sh locally and push changes."
           exit 1
@@ -110,14 +76,20 @@ jobs:
         with:
           name: format-changes
       - name: Apply and commit fixes
+        id: apply
         run: |
-          git apply changes.patch
-          rm changes.patch
-          git config --local user.name "Selenium CI Bot"
-          git config --local user.email "selenium-ci@users.noreply.github.com"
-          git add -A
-          git commit -m "Auto-format code"
+          if [ -s changes.patch ]; then
+            git apply --index changes.patch
+            rm changes.patch
+            git config --local user.name "Selenium CI Bot"
+            git config --local user.email "selenium-ci@users.noreply.github.com"
+            git commit -m "Auto-format code"
+            echo "has_changes=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "::notice::No formatting changes needed."
+          fi
       - name: Push fixes
+        if: steps.apply.outputs.has_changes == 'true'
         run: |
           git push
           echo "::notice::Auto-formatted and pushed. New CI run will start."

diff --git a/.github/workflows/ci-renovate-rbe.yml b/.github/workflows/ci-renovate-rbe.yml
@@ -11,56 +11,62 @@ permissions:
 
 jobs:
   pin:
-    permissions:
-      contents: write  # for pushing repinned dependencies
-    runs-on: ubuntu-latest
+    name: Repin Dependencies
+    if: github.event.repository.fork == false
+    uses: ./.github/workflows/bazel.yml
+    with:
+      name: Repin Dependencies
+      run: |
+        COMMITS="${{ join(github.event.commits.*.message, ' ') }}"
+        if [[ "$COMMITS" == *"[java]"* ]]; then
+          RULES_JVM_EXTERNAL_REPIN=1 bazel run @maven//:pin
+        fi
+        if [[ "$COMMITS" == *"[rust]"* ]]; then
+          CARGO_BAZEL_REPIN=true bazel run @crates//:all
+        fi
+        if [[ "$COMMITS" == *"[js]"* ]]; then
+          bazel run -- @pnpm//:pnpm install --dir "$PWD" --lockfile-only
+        fi
+        if [[ "$COMMITS" == *"[dotnet]"* ]]; then
+          ./dotnet/update-deps.sh
+        fi
+        if [[ "$COMMITS" == *"[py]"* ]]; then
+          bazel run //py:requirements.update
+        fi
+        if [[ "$COMMITS" == *"[rb]"* ]]; then
+          ./go rb:pin
+        fi
+      artifact-name: repin-changes
+
+  commit-repins:
+    name: Commit Repins
+    needs: pin
     if: github.event.repository.fork == false
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
-      - name: Checkout Repository
+      - name: Checkout
         uses: actions/checkout@v4
-      - name: Setup Bazel
-        uses: bazel-contrib/setup-bazel@0.18.0
+      - name: Download repin patch
+        uses: actions/download-artifact@v4
         with:
-          cache-save: false
-          bazelisk-cache: true
-          external-cache: |
-            manifest:
-              crates: rust/Cargo.Bazel.lock
-              rules_ruby++ruby+ruby: rb/.ruby-version
-          repository-cache: true
-          bazelrc: common --color=yes
-      - name: java - repin dependencies
-        if: contains(join(github.event.commits.*.message), '[java]')
-        run: RULES_JVM_EXTERNAL_REPIN=1 bazel run @maven//:pin
-      - name: rust - repin dependencies
-        if: contains(join(github.event.commits.*.message), '[rust]')
-        run: CARGO_BAZEL_REPIN=true bazel run @crates//:all
-      - name: js - repin dependencies
-        if: contains(join(github.event.commits.*.message), '[js]')
-        run: bazel run -- @pnpm//:pnpm install --dir "$PWD" --lockfile-only
-      - name: dotnet - repin dependencies
-        if: contains(join(github.event.commits.*.message), '[dotnet]')
-        run: ./dotnet/update-deps.sh
-      - name: py - repin dependencies
-        if: contains(join(github.event.commits.*.message), '[py]')
-        run: bazel run //py:requirements.update
-      - name: rb - repin dependencies
-        if: contains(join(github.event.commits.*.message), '[rb]')
-        run: ./go rb:pin
-      - name: Commit files
+          name: repin-changes
+        continue-on-error: true
+      - name: Apply patch and commit
         run: |
-          CHANGES=$(git status -s)
-          export CHANGES
-          if [ -n "$CHANGES" ]; then
+          if [ -f changes.patch ] && [ -s changes.patch ]; then
+            git apply --index changes.patch
             git config --local user.email "selenium-ci@users.noreply.github.com"
             git config --local user.name "Selenium CI Bot"
-            git add .
             git commit -m 'Repin dependencies'
             git push
+          else
+            echo "No changes to commit"
           fi
 
   check-format:
-    needs: pin
+    needs: commit-repins
     name: Check format
     if: github.event.repository.fork == false
     uses: ./.github/workflows/bazel.yml
@@ -72,7 +78,7 @@ jobs:
 
   test:
     name: Test
-    needs: pin
+    needs: commit-repins
     if: github.event.repository.fork == false
     uses: ./.github/workflows/bazel.yml
     with:
@@ -83,6 +89,6 @@ jobs:
 
   ci-gh:
     name: CI - GitHub
-    needs: pin
+    needs: commit-repins
     if: github.event.repository.fork == false
     uses: ./.github/workflows/ci.yml