Add UI test workflow for Renovate dependency-update PRs #179

Open
Copilot wants to merge 9 commits into main from copilot/add-ci-workflow-ui-tests

Copilot AI commented Feb 27, 2026

This pull request introduces automated UI testing for Renovate PRs affecting the ui directory. It adds a GitHub Actions workflow that triggers on Renovate PRs, a shell script to run Robot Framework tests in a container, and the necessary test files and dependencies. The changes enable end-to-end testing of UI modules in a controlled environment.

Automated UI testing workflow:

  • Added .github/workflows/test-renovate-ui.yml to run UI tests automatically on Renovate PRs targeting the ui directory. This workflow checks the PR author, builds/publishes images, gathers module info, and executes UI tests using DigitalOcean infrastructure.

Test execution and environment setup:

  • Introduced ui/test-ui.sh script to run Robot Framework tests in a container, passing SSH credentials and module image information, and collecting test outputs.
  • Added ui/tests/pythonreq.txt listing Python dependencies for Robot Framework and its libraries.

Test suite and outputs:

  • Added ui/tests/test_ui.robot containing Robot Framework test cases for module installation, UI login, screenshot capture, and module removal.
  • Updated .gitignore to exclude test output files (tests/outputs).

Co-authored-by: andre8244 <4612169+andre8244@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add CI workflow for UI tests on Renovate PRs" to "Add UI test workflow for Renovate dependency-update PRs" Feb 27, 2026
andre8244 force-pushed the copilot/add-ci-workflow-ui-tests branch from ec3c3d0 to af43452, February 27, 2026 16:58
andre8244 force-pushed the copilot/add-ci-workflow-ui-tests branch from af43452 to ce57756, February 27, 2026 17:01
Copilot AI left a comment

Pull request overview

This PR adds an automated UI end-to-end testing pipeline intended to run on Renovate dependency-update PRs affecting the ui/ directory, using Robot Framework tests executed in a container and run on DigitalOcean-based CI infrastructure.

Changes:

  • Added a GitHub Actions workflow to trigger UI tests for Renovate PRs that touch ui/**.
  • Added a ui/test-ui.sh runner script plus Robot Framework test suite and Python dependencies.
  • Updated ui/.gitignore to exclude Robot Framework output artifacts.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 7 comments.

| File | Description |
| --- | --- |
| .github/workflows/test-renovate-ui.yml | New workflow to gate execution to Renovate PRs and run UI tests via reusable DO-infra workflow. |
| ui/test-ui.sh | New containerized runner script to execute Robot Framework UI tests and collect outputs. |
| ui/tests/test_ui.robot | New Robot Framework suite to install a module, log into UI, take screenshots, and remove the module. |
| ui/tests/pythonreq.txt | Python dependencies for the Robot Framework test container. |
| ui/.gitignore | Ignore generated test output directory under ui/tests/outputs. |


podman run -i \
--network=host \
--volume=.:/home/pwuser/ns8-module:z \
Copilot AI Mar 2, 2026

This script installs Python deps on every run but does not use the site-packages volume cache that test-module.sh uses, which will slow down CI and increase external dependency flakiness. Consider adding the same cached volume mount (or another cache mechanism) for pip install artifacts.

Suggested change
--volume=.:/home/pwuser/ns8-module:z \
--volume=.:/home/pwuser/ns8-module:z \
--volume=./.pip-cache:/home/pwuser/.cache/pip:z \

Copilot uses AI. Check for mistakes.
Suite Setup Connect to the node

*** Variables ***
${SSH_KEYFILE} %{HOME}/.ssh/id_ecdsa
Copilot AI Mar 2, 2026

${SSH_KEYFILE} defaults to %{HOME}/.ssh/id_ecdsa, but ui/test-ui.sh defaults to id_rsa and CI passes SSH_KEYFILE explicitly via -v. To avoid local/CI mismatches, consider removing the hard-coded default here (rely on the passed-in variable) or aligning it with the script default.

Suggested change
${SSH_KEYFILE} %{HOME}/.ssh/id_ecdsa
${SSH_KEYFILE} %{HOME}/.ssh/id_rsa

Comment on lines +1 to +3
robotframework
robotframework-sshlibrary
robotframework-browser
Copilot AI Mar 2, 2026

The test container installs Python dependencies from pythonreq.txt without pinning versions, meaning each run may pull arbitrary new releases of robotframework, robotframework-sshlibrary, or robotframework-browser from PyPI into an environment that has access to SSH credentials and your cluster. If any of these packages (or their transitive dependencies) are compromised in the future, the attack code would automatically execute in CI with the ability to exfiltrate secrets or tamper with test results. Pin these packages to specific, vetted versions (or hashes) to ensure only known-good artifacts are used in the test pipeline.

Comment on lines +15 to +33
ssh_key="$(< $SSH_KEYFILE)"

cleanup() {
set +e
podman cp rf-core-runner:/home/pwuser/outputs tests/
podman stop rf-core-runner
podman rm rf-core-runner
}

trap cleanup EXIT

podman run -i \
--network=host \
--volume=.:/home/pwuser/ns8-module:z \
--name rf-core-runner ghcr.io/marketsquare/robotframework-browser/rfbrowser-stable:19.11.0 \
bash -l -s <<EOF
set -e
echo "$ssh_key" > /home/pwuser/ns8-key
pip install -q -r /home/pwuser/ns8-module/tests/pythonreq.txt
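Review bot: In `ssh_key="$(< $SSH_KEYFILE)"` the path is unquoted, so a key path containing spaces or glob characters breaks the read; quote it as `"$(< "$SSH_KEYFILE")"`. Inside the heredoc, `echo "$ssh_key" > /home/pwuser/ns8-key` creates the private key file with the shell's default permissions, and no `umask 077` or `chmod 600` appears in the visible lines before the write, so add one ahead of it. Because `<<EOF` is unquoted, the key is also expanded on the host and becomes part of the script text piped to the container.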
Copilot AI Mar 2, 2026

This script runs a third-party container image ghcr.io/marketsquare/robotframework-browser/rfbrowser-stable:19.11.0 with --network=host and passes in the private SSH key contents via ssh_key, giving that image direct access to secrets and your test infrastructure. Because the image is pinned only by a mutable tag and comes from an external organization, a compromised or hijacked image could exfiltrate the SSH key or tamper with tests without any integrity check. Pin this image to an immutable digest (and/or vendor it under your own namespace) and restrict secrets exposure so that only trusted, first-party images ever see private keys.

Copilot uses AI. Check for mistakes.
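
As an added example (not part of the pull request or of Copilot's review), a small Python check for the two pinning gaps raised in the review comments above: requirements without an exact version and hash, and a container image referenced by tag rather than digest. The function names are hypothetical; the inputs are the requirement names and the image reference shown in the PR.

```python
import re

# The three requirement names and the image reference are quoted from the PR
# under review; everything else in this block is an added illustration.
REQUIREMENTS_FROM_PR = "robotframework\nrobotframework-sshlibrary\nrobotframework-browser\n"
IMAGE_FROM_PR = "ghcr.io/marketsquare/robotframework-browser/rfbrowser-stable:19.11.0"

_PIN = re.compile(r"^([A-Za-z0-9._-]+)(?:\[[^\]]*\])?\s*==\s*([^\s;,]+)")
_HASH = re.compile(r"--hash=sha256:[0-9a-f]{64}\b")
_DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")


def logical_lines(text):
    """Join backslash continuations, then drop comments and blank lines."""
    for raw in re.sub(r"\\\n", " ", text).splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if line:
            yield line


def audit_requirements(text):
    """Return (entry, problem) pairs for requirements pip may resolve differently per run."""
    findings = []
    for line in logical_lines(text):
        if line.startswith("-"):  # option lines such as -r or --index-url
            continue
        pin = _PIN.match(line)
        if pin is None or "*" in pin.group(2):
            findings.append((line.split()[0], "no exact == version"))
        elif not _HASH.search(line):
            findings.append((pin.group(1), "pinned version but no --hash=sha256"))
    return findings


def audit_image(ref):
    """Return a problem string for a mutable image reference, or None if digest-pinned."""
    if _DIGEST.search(ref):
        return None
    if ":" not in ref.rsplit("/", 1)[-1]:
        return "no tag or digest, resolves to the default tag"
    return "tag only, no @sha256 digest"


if __name__ == "__main__":
    for entry, problem in audit_requirements(REQUIREMENTS_FROM_PR):
        print(f"pythonreq.txt: {entry}: {problem}")
    print(f"image: {audit_image(IMAGE_FROM_PR)}")
```

pip enforces the hash property itself when invoked with `--require-hashes`, which makes a check like this most useful as a pre-merge gate on the requirements file and the script.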
andre8244 marked this pull request as ready for review March 2, 2026 09:14
andre8244 requested a review from DavidePrincipi March 2, 2026 09:14
DavidePrincipi (Member) left a comment

Please check

  • allowed branch name
  • test output directory path

workflow_dispatch:
pull_request:
branches:
- main
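Review bot: The `branches:` filter under `pull_request:` matches the base branch of the pull request, not its head branch, so `- main` here limits the workflow to PRs that target main. Selecting only Renovate PRs has to be done elsewhere, for example with a job-level condition on the PR author or head ref, and no such condition is visible in this hunk; a short comment next to `branches:` saying it refers to the base branch would prevent the confusion.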
Member

Workflow must run on renovate branches. IIRC this is the branch prefix:

Suggested change
- main
- renovate-*

Contributor

Here we should put the name of the base branch, i.e. the branch we are merging into

andre8244 and others added 5 commits March 3, 2026 10:53
Co-authored-by: Davide Principi <davide.principi@nethesis.it>
Co-authored-by: Davide Principi <davide.principi@nethesis.it>
andre8244 requested a review from DavidePrincipi March 3, 2026 12:05