chore: Automate RC creation [WPB-22028]

[thisisamir98]

WPB-22028 [Web] Automate RC creation (branch + stable deps + PR)

Pull Request

Summary

• What did I change and why?
  Introduced a new workflow to automate creation of RC
• Risks and how to roll out / roll back (e.g. feature flags):
  none

---

Security Checklist (required)

• External inputs are validated & sanitized on client and/or server where applicable.
• API responses are validated; unexpected shapes are handled safely (fallbacks or errors).
• No unsafe HTML is rendered; if unavoidable, sanitization is applied and documented where it happens.
• Injection risks (XSS/SQL/command) are prevented via safe APIs and/or escaping.

Standards Acknowledgement (required)

• I have read and this PR upholds our Coding Standards and Tech Radar Choices.

[Copilot]

Pull request overview

This PR introduces an automated GitHub Actions workflow to streamline the creation of Release Candidate (RC) branches. The workflow updates Wire-internal dependencies to their latest stable versions from dev and creates a PR targeting master.

Key changes:

• New prepare-rc.yml workflow triggered manually via workflow_dispatch
• Automated dependency bumping for 11 @wireapp/* packages to latest stable versions
• Creates a PR from a new RC branch to master with updated dependencies

[Copilot]

[Important] Using GITHUB_TOKEN for automated PR creation is inconsistent with other workflows in this repository. All other automated PR workflows (cherry-pick, translations sync) use OTTO_THE_BOT_GH_TOKEN, which:

1. Properly attributes the PR to the bot user
2. Allows triggered workflows to run (GITHUB_TOKEN-created PRs don't trigger workflows by design)
3. Maintains consistency across the repository

Change to:

token: ${{ secrets.OTTO_THE_BOT_GH_TOKEN }}

Suggested change

	token: ${{ secrets.GITHUB_TOKEN }}
	token: ${{ secrets.OTTO_THE_BOT_GH_TOKEN }}

[Copilot]

[Important] Node.js version 22.x is inconsistent with the majority of workflows in this repository, which use 18.16.x. This could lead to:

1. Dependency resolution differences
2. Different build behavior
3. Potential compatibility issues

Unless there's a specific reason to use Node 22 for RC preparation (which should be documented), change to match other workflows:

node-version: 18.16.x

Suggested change

	node-version: 22.x
	node-version: 18.16.x

[Copilot]

[Suggestion] The commit message and PR title use the full RC branch name which may not be descriptive. Consider a more informative format:

commit-message: 'chore: Prepare release candidate ${{ inputs.rc_branch }}'

And for the title (line 68):

title: 'chore: Prepare release candidate ${{ inputs.rc_branch }}'

This makes it clearer that this is an RC preparation PR when reviewing the commit history.

Suggested change

	commit-message: 'chore: ${{ inputs.rc_branch }}'
	branch: ${{ inputs.rc_branch }}
	base: master
	title: 'chore: ${{ inputs.rc_branch }}'
	commit-message: 'chore: Prepare release candidate ${{ inputs.rc_branch }}'
	branch: ${{ inputs.rc_branch }}
	base: master
	title: 'chore: Prepare release candidate ${{ inputs.rc_branch }}'

[Copilot]

[Important] sign-commits: true may not work correctly with GITHUB_TOKEN. According to peter-evans/create-pull-request documentation, signed commits require either:

1. A Personal Access Token (PAT) with signing configured
2. The bot token to have GPG signing set up

Since line 64 uses GITHUB_TOKEN (which should be changed to OTTO_THE_BOT_GH_TOKEN per another comment), ensure that otto-the-bot has GPG signing configured. If not, remove this line or configure signing for the bot account.

Suggested change

sign-commits: true

[Copilot]

[Important] The rc_branch input lacks validation and could be exploited for command injection or create unintended branch names. Although GitHub Actions provides some sanitization, it's best practice to explicitly validate the input format.

Consider adding a validation step after checkout:

- name: Validate RC branch name format
  run: |
    if ! [[ "${{ inputs.rc_branch }}" =~ ^rc/[0-9]{4}-[0-9]{2}-[0-9]{2}$ ]]; then
      echo "Invalid RC branch name format. Expected: rc/YYYY-MM-DD" >&2
      exit 1
    fi

[Copilot]

[Important] Missing error handling for npm view commands. If any package doesn't exist or the registry is unreachable, the command will fail silently or with unclear errors due to command substitution happening before yarn add executes.

Consider adding explicit checks or error handling:

- name: Update @wireapp/* to latest stable
  run: |
    set -euo pipefail
    
    # Fetch all versions first to fail fast if registry is unreachable
    STORE_ENGINE=$(npm view @wireapp/store-engine dist-tags.latest) || exit 1
    COMMONS=$(npm view @wireapp/commons dist-tags.latest) || exit 1
    # ... repeat for other packages
    
    yarn add \
      @wireapp/store-engine@${STORE_ENGINE} \
      @wireapp/commons@${COMMONS} \
      # ... etc

Suggested change

	yarn add \
	@wireapp/store-engine@$(npm view @wireapp/store-engine dist-tags.latest) \
	@wireapp/commons@$(npm view @wireapp/commons dist-tags.latest) \
	@wireapp/core@$(npm view @wireapp/core dist-tags.latest) \
	@wireapp/promise-queue@$(npm view @wireapp/promise-queue dist-tags.latest) \
	@wireapp/react-ui-kit@$(npm view @wireapp/react-ui-kit dist-tags.latest) \
	@wireapp/store-engine-dexie@$(npm view @wireapp/store-engine-dexie dist-tags.latest) \
	@wireapp/telemetry@$(npm view @wireapp/telemetry dist-tags.latest) \
	@wireapp/webapp-events@$(npm view @wireapp/webapp-events dist-tags.latest) \
	@wireapp/copy-config@$(npm view @wireapp/copy-config dist-tags.latest) \
	@wireapp/eslint-config@$(npm view @wireapp/eslint-config dist-tags.latest) \
	@wireapp/prettier-config@$(npm view @wireapp/prettier-config dist-tags.latest)
	# Fetch all versions first to fail fast if registry is unreachable or a package is missing
	STORE_ENGINE=$(npm view @wireapp/store-engine dist-tags.latest) || { echo "Failed to fetch @wireapp/store-engine version" >&2; exit 1; }
	COMMONS=$(npm view @wireapp/commons dist-tags.latest) || { echo "Failed to fetch @wireapp/commons version" >&2; exit 1; }
	CORE=$(npm view @wireapp/core dist-tags.latest) || { echo "Failed to fetch @wireapp/core version" >&2; exit 1; }
	PROMISE_QUEUE=$(npm view @wireapp/promise-queue dist-tags.latest) || { echo "Failed to fetch @wireapp/promise-queue version" >&2; exit 1; }
	REACT_UI_KIT=$(npm view @wireapp/react-ui-kit dist-tags.latest) || { echo "Failed to fetch @wireapp/react-ui-kit version" >&2; exit 1; }
	STORE_ENGINE_DEXIE=$(npm view @wireapp/store-engine-dexie dist-tags.latest) || { echo "Failed to fetch @wireapp/store-engine-dexie version" >&2; exit 1; }
	TELEMETRY=$(npm view @wireapp/telemetry dist-tags.latest) || { echo "Failed to fetch @wireapp/telemetry version" >&2; exit 1; }
	WEBAPP_EVENTS=$(npm view @wireapp/webapp-events dist-tags.latest) || { echo "Failed to fetch @wireapp/webapp-events version" >&2; exit 1; }
	COPY_CONFIG=$(npm view @wireapp/copy-config dist-tags.latest) || { echo "Failed to fetch @wireapp/copy-config version" >&2; exit 1; }
	ESLINT_CONFIG=$(npm view @wireapp/eslint-config dist-tags.latest) || { echo "Failed to fetch @wireapp/eslint-config version" >&2; exit 1; }
	PRETTIER_CONFIG=$(npm view @wireapp/prettier-config dist-tags.latest) || { echo "Failed to fetch @wireapp/prettier-config version" >&2; exit 1; }
	yarn add \
	@wireapp/store-engine@${STORE_ENGINE} \
	@wireapp/commons@${COMMONS} \
	@wireapp/core@${CORE} \
	@wireapp/promise-queue@${PROMISE_QUEUE} \
	@wireapp/react-ui-kit@${REACT_UI_KIT} \
	@wireapp/store-engine-dexie@${STORE_ENGINE_DEXIE} \
	@wireapp/telemetry@${TELEMETRY} \
	@wireapp/webapp-events@${WEBAPP_EVENTS} \
	@wireapp/copy-config@${COPY_CONFIG} \
	@wireapp/eslint-config@${ESLINT_CONFIG} \
	@wireapp/prettier-config@${PRETTIER_CONFIG}

[Copilot]

[Blocker] The dependency update list is incomplete. Based on package.json, the following @wireapp packages are missing from this update:

• @wireapp/avs (dependency)
• @wireapp/avs-debugger (dependency)
• @wireapp/kalium-backup (dependency)

These packages should either be included in the update or explicitly documented why they're excluded. If they follow a different versioning strategy, that should be noted in a comment.

Suggested change

	@wireapp/store-engine@$(npm view @wireapp/store-engine dist-tags.latest) \
	@wireapp/commons@$(npm view @wireapp/commons dist-tags.latest) \
	@wireapp/core@$(npm view @wireapp/core dist-tags.latest) \
	@wireapp/promise-queue@$(npm view @wireapp/promise-queue dist-tags.latest) \
	@wireapp/react-ui-kit@$(npm view @wireapp/react-ui-kit dist-tags.latest) \
	@wireapp/store-engine-dexie@$(npm view @wireapp/store-engine-dexie dist-tags.latest) \
	@wireapp/telemetry@$(npm view @wireapp/telemetry dist-tags.latest) \
	@wireapp/webapp-events@$(npm view @wireapp/webapp-events dist-tags.latest) \
	@wireapp/copy-config@$(npm view @wireapp/copy-config dist-tags.latest) \
	@wireapp/eslint-config@$(npm view @wireapp/eslint-config dist-tags.latest) \
	@wireapp/prettier-config@$(npm view @wireapp/prettier-config dist-tags.latest)
	@wireapp/avs@$(npm view @wireapp/avs dist-tags.latest) \
	@wireapp/avs-debugger@$(npm view @wireapp/avs-debugger dist-tags.latest) \
	@wireapp/commons@$(npm view @wireapp/commons dist-tags.latest) \
	@wireapp/copy-config@$(npm view @wireapp/copy-config dist-tags.latest) \
	@wireapp/core@$(npm view @wireapp/core dist-tags.latest) \
	@wireapp/eslint-config@$(npm view @wireapp/eslint-config dist-tags.latest) \
	@wireapp/kalium-backup@$(npm view @wireapp/kalium-backup dist-tags.latest) \
	@wireapp/prettier-config@$(npm view @wireapp/prettier-config dist-tags.latest) \
	@wireapp/promise-queue@$(npm view @wireapp/promise-queue dist-tags.latest) \
	@wireapp/react-ui-kit@$(npm view @wireapp/react-ui-kit dist-tags.latest) \
	@wireapp/store-engine@$(npm view @wireapp/store-engine dist-tags.latest) \
	@wireapp/store-engine-dexie@$(npm view @wireapp/store-engine-dexie dist-tags.latest) \
	@wireapp/telemetry@$(npm view @wireapp/telemetry dist-tags.latest) \
	@wireapp/webapp-events@$(npm view @wireapp/webapp-events dist-tags.latest)

[Copilot]

[nitpick] [Suggestion] The Show diff step is helpful for debugging but doesn't fail the workflow if there are no changes. Consider adding a check to ensure dependencies were actually updated:

- name: Show diff and verify changes
  run: |
    git diff
    if ! git diff --quiet; then
      echo "✓ Dependencies updated successfully"
    else
      echo "⚠️  Warning: No changes detected after dependency update" >&2
    fi

This helps catch scenarios where all packages are already at the latest version.

Suggested change

	- name: Show diff
	run: git diff
	- name: Show diff and verify changes
	run: |
	git diff
	if git diff --quiet; then
	echo "⚠️ Warning: No changes detected after dependency update" >&2
	else
	echo "✓ Dependencies updated successfully"
	fi

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 43.46%. Comparing base (0315fc1) to head (c5d9ddd).

Additional details and impacted files

@@           Coverage Diff           @@
##              dev   #19812   +/-   ##
=======================================
  Coverage   43.46%   43.46%           
=======================================
  Files        1296     1296           
  Lines       32570    32570           
  Branches     7232     7232           
=======================================
+ Hits        14157    14158    +1     
  Misses      16698    16698           
+ Partials     1715     1714    -1     

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

🔗 Download Full Report Artifact

🧪 Playwright Test Summary

• ✅ Passed: 7
• ❌ Failed: 4
• ⏭ Skipped: 0
• 🔁 Flaky: 3
• 📊 Total: 14
• ⏱ Total Runtime: 1089.4s (~ 18 min 9 sec)

Failed Tests:

❌ Team owner adds whole team to an all team chat (tags: TC-8631, crit-flow-web)

Location: specs/CriticalFlow/addMembersToChat-TC-8631.spec.ts:43
Duration: 54395ms

Errors:

Error: expect(locator).toBeVisible() failed

Locator: locator('[data-uie-name="item-message"][data-uie-send-status="2"]').filter({ hasText: 'Hello from Ewald!' }).locator('[data-uie-name="message-reactions"]').locator('[data-uie-name="emoji-pill"][title="heart"]')
Expected: visible
Timeout: 10000ms
Error: element(s) not found

Call log:
  - Expect "toBeVisible" with timeout 10000ms
  - waiting for locator('[data-uie-name="item-message"][data-uie-send-status="2"]').filter({ hasText: 'Hello from Ewald!' }).locator('[data-uie-name="message-reactions"]').locator('[data-uie-name="emoji-pill"][title="heart"]')


  185 |       await pages.conversationList().openConversation(conversationName);
  186 |       const ownerMessage = pages.conversation().getMessage({content: `Hello from ${owner.firstName}!`});
> 187 |       await expect(pages.conversation().getReactionOnMessage(ownerMessage, 'heart')).toBeVisible();
      |                                                                                      ^
  188 |       await expect(pages.conversation().getReactionOnMessage(ownerMessage, 'joy')).toBeVisible();
  189 |
  190 |       // Member1 verifies they can see thumbs up (+1) and joy (😂) reactions on their message from owner and member2
    at /home/runner/actions-runner/_work/wire-webapp/wire-webapp/test/e2e_tests/specs/CriticalFlow/addMembersToChat-TC-8631.spec.ts:187:86
    at /home/runner/actions-runner/_work/wire-webapp/wire-webapp/test/e2e_tests/specs/CriticalFlow/addMembersToChat-TC-8631.spec.ts:183:5

❌ Planning group call with sending various messages during call (tags: TC-8632, crit-flow-web)

Location: specs/CriticalFlow/groupCalls-TC-8632.spec.ts:37
Duration: 31978ms

Errors:

Error: expect(received).toBeFalsy()

Received: true

  122 |       await memberCalling.unmuteSelfInFullScreen();
  123 |       await memberPageManager.waitForTimeout(250);
> 124 |       expect(await memberCalling.isSelfUserMutedInFullScreen()).toBeFalsy();
      |                                                                 ^
  125 |     });
  126 |
  127 |     await test.step('Validation: Owner sees member is unmuted', async () => {
    at /home/runner/actions-runner/_work/wire-webapp/wire-webapp/test/e2e_tests/specs/CriticalFlow/groupCalls-TC-8632.spec.ts:124:65
    at /home/runner/actions-runner/_work/wire-webapp/wire-webapp/test/e2e_tests/specs/CriticalFlow/groupCalls-TC-8632.spec.ts:121:5

❌ Group Video call (tags: TC-8637, crit-flow-web)

Location: specs/CriticalFlow/groupVideoCall-TC-8637.spec.ts:39
Duration: 41485ms

Errors:

TimeoutError: locator.waitFor: Timeout 20000ms exceeded.
Call log:
  - waiting for locator('#add-participants [data-uie-name="search-list"] [aria-label="Open profile of Arjun Kertzmann"]').locator('input[type="checkbox"]')


   at pageManager/webapp/pages/conversationDetails.page.ts:68

  66 |       await userLocator.click();
  67 |       // Wait for the user to be selected (checkbox should be checked)
> 68 |       await userLocator.locator('input[type="checkbox"]').waitFor({state: 'attached'});
     |                                                           ^
  69 |     }
  70 |
  71 |     await this.page.locator(`${selectById('add-participants')} ${selectByDataAttribute('do-create')}`).click();
    at ConversationDetailsPage.addUsersToConversation (/home/runner/actions-runner/_work/wire-webapp/wire-webapp/test/e2e_tests/pageManager/webapp/pages/conversationDetails.page.ts:68:59)
    at /home/runner/actions-runner/_work/wire-webapp/wire-webapp/test/e2e_tests/specs/CriticalFlow/groupVideoCall-TC-8637.spec.ts:127:7
    at /home/runner/actions-runner/_work/wire-webapp/wire-webapp/test/e2e_tests/specs/CriticalFlow/groupVideoCall-TC-8637.spec.ts:123:5

❌ New person joins team and setups up device (tags: TC-8635, crit-flow-web)

Location: specs/CriticalFlow/joinTeam-TC-8635.spec.ts:38
Duration: 66977ms

Errors:

TimeoutError: locator.waitFor: Timeout 20000ms exceeded.
Call log:
  - waiting for locator('#add-participants [data-uie-name="search-list"] [aria-label="Open profile of Deondre Witting"]').locator('input[type="checkbox"]')


   at pageManager/webapp/pages/conversationDetails.page.ts:68

  66 |       await userLocator.click();
  67 |       // Wait for the user to be selected (checkbox should be checked)
> 68 |       await userLocator.locator('input[type="checkbox"]').waitFor({state: 'attached'});
     |                                                           ^
  69 |     }
  70 |
  71 |     await this.page.locator(`${selectById('add-participants')} ${selectByDataAttribute('do-create')}`).click();
    at ConversationDetailsPage.addUsersToConversation (/home/runner/actions-runner/_work/wire-webapp/wire-webapp/test/e2e_tests/pageManager/webapp/pages/conversationDetails.page.ts:68:59)
    at /home/runner/actions-runner/_work/wire-webapp/wire-webapp/test/e2e_tests/specs/CriticalFlow/joinTeam-TC-8635.spec.ts:125:7
    at /home/runner/actions-runner/_work/wire-webapp/wire-webapp/test/e2e_tests/specs/CriticalFlow/joinTeam-TC-8635.spec.ts:114:5

Flaky Tests:

⚠️ Account Management (tags: TC-8639, crit-flow-web)

Location: specs/CriticalFlow/accountManagement-TC-8639.spec.ts:37

Attempt 1
Result: ❌ Failed
Duration: 85730ms

Errors:

Error: Matching URL not found in the email body

   at backend/inbucketClient.e2e.ts:120

  118 |
  119 |     if (this.isValidURL(matchingUrl) === false) {
> 120 |       throw new Error('Matching URL not found in the email body');
      |             ^
  121 |     }
  122 |
  123 |     return matchingUrl;
    at InbucketClientE2E.getMatchingURLFromEmailBody (/home/runner/actions-runner/_work/wire-webapp/wire-webapp/test/e2e_tests/backend/inbucketClient.e2e.ts:120:13)
    at /home/runner/actions-runner/_work/wire-webapp/wire-webapp/test/e2e_tests/specs/CriticalFlow/accountManagement-TC-8639.spec.ts:133:30
    at /home/runner/actions-runner/_work/wire-webapp/wire-webapp/test/e2e_tests/specs/CriticalFlow/accountManagement-TC-8639.spec.ts:124:3

Attempt 2
Result: ✅ Passed
Duration: 30184ms

⚠️ Calls in channels with device switch and screenshare (tags: TC-8754, crit-flow-web)

Location: specs/CriticalFlow/channelsCall-TC-8755.spec.ts:39

Attempt 1
Result: ❌ Failed
Duration: 62023ms

Errors:

TimeoutError: locator.waitFor: Timeout 20000ms exceeded.
Call log:
  - waiting for locator('[data-uie-name="item-call"]') to be visible


   at pageManager/webapp/pages/calling.page.ts:90

  88 |
  89 |   waitForCell(): Promise<void> {
> 90 |     return this.callCell.waitFor({state: 'visible'});
     |                          ^
  91 |   }
  92 |
  93 |   isFullScreenVisible(): Promise<boolean> {
    at CallingPage.waitForCell (/home/runner/actions-runner/_work/wire-webapp/wire-webapp/test/e2e_tests/pageManager/webapp/pages/calling.page.ts:90:26)
    at /home/runner/actions-runner/_work/wire-webapp/wire-webapp/test/e2e_tests/specs/CriticalFlow/channelsCall-TC-8755.spec.ts:99:34
    at /home/runner/actions-runner/_work/wire-webapp/wire-webapp/test/e2e_tests/specs/CriticalFlow/channelsCall-TC-8755.spec.ts:97:16

Attempt 2
Result: ✅ Passed
Duration: 78642ms

⚠️ Messages in Groups (tags: TC-8751, crit-flow-web)

Location: specs/CriticalFlow/messagesInGroups-TC-8751.spec.ts:42

Attempt 1
Result: ❌ Failed
Duration: 25527ms

Errors:

Error: expect(locator).toBeVisible() failed

Locator: locator('[data-uie-name="item-message"][data-uie-send-status="2"]').filter({ hasText: '@Eladio Franey Hello, this is a test message!' })
Expected: visible
Timeout: 10000ms
Error: element(s) not found

Call log:
  - Expect "toBeVisible" with timeout 10000ms
  - waiting for locator('[data-uie-name="item-message"][data-uie-send-status="2"]').filter({ hasText: '@Eladio Franey Hello, this is a test message!' })


  91 |
  92 |       await userBPages.conversationList().openConversation(conversationName);
> 93 |       await expect(userBPages.conversation().getMessage({content: `@${userB.fullName} ${messageText}`})).toBeVisible();
     |                                                                                                          ^
  94 |     });
  95 |
  96 |     await test.step('User A sends image', async () => {
    at /home/runner/actions-runner/_work/wire-webapp/wire-webapp/test/e2e_tests/specs/CriticalFlow/messagesInGroups-TC-8751.spec.ts:93:106
    at /home/runner/actions-runner/_work/wire-webapp/wire-webapp/test/e2e_tests/specs/CriticalFlow/messagesInGroups-TC-8751.spec.ts:86:5

Attempt 2
Result: ✅ Passed
Duration: 54518ms

[sonarqubecloud]

Quality Gate failed

Failed conditions
1 Security Hotspot

See analysis details on SonarQube Cloud