Fix CI: pass npm tarball between jobs and pin download-artifact to patched version#228

Merged
aleks-pro merged 3 commits into master from copilot/fix-github-actions-job on May 12, 2026
Conversation

Copilot AI (Contributor) commented May 12, 2026

The test job was failing because the .builds/*.tgz tarball produced in build was never transferred to the separate test runner. Additionally, actions/download-artifact@v4 was pinned to an unpatched range (< 4.1.3) containing an Arbitrary File Write vulnerability (path traversal during extraction).

Changes

  • build job — add actions/upload-artifact@v4 to persist .builds/*.tgz after the build step
  • test job — add actions/download-artifact@v4.3.0 to restore the tarball into .builds/ before test-npm runs
  • Security — pin download-artifact to v4.3.0 (patched; CVE affects >= 4.0.0, < 4.1.3)

# in build job:
- uses: actions/upload-artifact@v4
  with:
    name: npm-package
    path: .builds/*.tgz

# in test job:
- uses: actions/download-artifact@v4.3.0
  with:
    name: npm-package
    path: .builds

Original prompt

Fix the failing GitHub Actions job in repository DevExpress/testcafe-browser-provider-browserstack.

Context:

  • Failing job URL: https://github.com/DevExpress/testcafe-browser-provider-browserstack/actions/runs/25737157584/job/75581209154
  • Workflow file: .github/workflows/test.yml
  • Failing commit/ref: 5f9417fe0bdb5616e2547961c15d86fc09b52533
  • Error from job logs:
    • tar (child): .builds/testcafe-browser-provider-browserstack-1.15.2.tgz: Cannot open: No such file or directory
    • tar: Child returned status 2
    • tar: Error is not recoverable: exiting now
  • package.json shows package name testcafe-browser-provider-browserstack and version 1.15.2, matching the missing tarball path .builds/testcafe-browser-provider-browserstack-1.15.2.tgz.

Observed workflow:

  • build job runs:
    • DevExpress/testcafe-build-system/actions/prepare@main
    • DevExpress/testcafe-build-system/actions/build@main
  • test job runs:
    • DevExpress/testcafe-build-system/actions/prepare@main
    • DevExpress/testcafe-build-system/actions/test-npm@main with task: test

Likely root cause:

  • The test-npm action expects a built npm tarball in .builds/*.tgz.
  • The tarball is not available in the test job, likely because it is not being created explicitly and/or not being transferred between jobs as an artifact.
  • Since build and test are separate jobs on separate runners, files do not persist automatically between them.

Task:

  • Create a pull request that fixes the workflow so the npm package tarball is available to the test job.
  • Prefer the smallest reliable fix.
  • Likely solution is to update .github/workflows/test.yml to upload .builds/*.tgz as an artifact in build and download it in test before running test-npm.
  • If needed, also ensure the tarball is explicitly produced in build (for example using npm pack --pack-destination .builds) if the shared build action does not already create it.

Acceptance criteria:

  • The workflow no longer fails due to missing .builds/testcafe-browser-provider-browserstack-1.15.2.tgz.
  • The fix should preserve the existing test flow and BrowserStack secret usage.
  • Keep changes minimal and targeted to the CI workflow unless an additional packaging step is necessary.
  • Open a PR with a concise title and summary of the fix.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: Please find a solution for this failing job. Use the logs, job definition, and any referenced files where the failure occurred. Keep your response focused on the solution and include code suggestions when appropriate.

Assistant: The failure is caused by the test job trying to extract a package tarball that was never produced:

  • Failing workflow: .github/workflows/test.yml
  • Error from the job log:
    • tar (child): .builds/testcafe-browser-provider-browserstack-1.15.2.tgz: Cannot open: No such file or directory

Why this happens:

  • The test job uses the shared test-npm action, which expects a built npm package tarball at .builds/<package-name>-<version>.tgz.
  • From package.json, that expected file is:
    • .builds/testcafe-browser-provider-browserstack-1.15.2.tgz
  • The workflow’s build job only runs the shared build action, but there is no visible step in this workflow ensuring that the tarball is created and made available to the test job. Since jobs run on separate runners, even a locally created file in build would not exist in test unless it is uploaded/downloaded as an artifact.

Solution

Update the workflow so the package tarball is explicitly created in build and then made available to test.

Recommended fix

Replace the current workflow with explicit packaging and artifact transfer:

name: Tests

on:
  push:
    branches:
      - master
  pull_request_target:
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: DevExpress/testcafe-build-system/actions/prepare@main

      - run: npm ci

      - run: npm run build

      - run: |
          mkdir -p .builds
          npm pack --pack-destination .builds

      - uses: actions/upload-artifact@v4
        with:
          name: npm-package
          path: .builds/*.tgz

  test:
    runs-on: ubuntu-latest
    needs: [build]
    steps:
      - uses: DevExpress/testcafe-build-system/actions/prepare@main

      - uses: actions/download-artifact@v4
        with:
          name: npm-package
          path: .builds

      - uses: DevExpress/testcafe-build-system/actions/test-npm@main
        env:
          BROWSERSTACK_USERNAME: ${{ secrets.BROWSERSTACK_USERNAME }}
          BROWSERSTACK_ACCESS_KEY: ${{ secrets.BROWS...


This pull request was created from Copilot chat.

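The second change in this PR, pinning actions/download-artifact to a patched version, is about what an artifact extractor does with attacker-controlled entry names. As an added example (not code from this PR, from the testcafe-build-system actions, or from actions/download-artifact itself), the Python below constructs an artifact-style zip in memory that carries one legitimate tarball entry and one entry whose name walks out of the destination directory, then runs it through a naive extractor that follows the traversal and a hardened one that refuses the whole archive before writing anything. It also classifies a `uses:` reference against the version range the PR description states (affected >= 4.0.0, < 4.1.3). The entry contents, the scratch directory layout and all function names are assumptions made for this example; a floating tag such as `@v4` or a commit SHA is reported as unresolved because the check cannot know which release it points at offline.

```python
"""Added example: the path-traversal class behind the download-artifact pin,
plus a check of a `uses:` ref against the range cited in the PR description.
Everything here (zip contents, directory layout, names) is constructed for
the example; it is not the project's or the action's code.
"""
import io
import os
import re
import tempfile
import zipfile

# Entry names in the constructed sample artifact. The tarball name matches the
# file the failing job was looking for; its bytes below are fake.
TARBALL = "testcafe-browser-provider-browserstack-1.15.2.tgz"
TRAVERSAL = "../../.bashrc"  # escapes two directory levels above the destination

# Affected range as stated in the PR description: >= 4.0.0, < 4.1.3 (assumption
# taken from the page, not independently verified here).
_VULN_RANGE = ((4, 0, 0), (4, 1, 3))


def build_sample_artifact() -> bytes:
    """Construct an artifact zip with a legitimate entry and a traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(TARBALL, b"not a real tgz")
        zf.writestr(TRAVERSAL, b"echo pwned\n")
    return buf.getvalue()


def _write(zf: zipfile.ZipFile, info: zipfile.ZipInfo, target: str) -> None:
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(zf.read(info))


def naive_extract(zip_bytes: bytes, dest: str) -> list:
    """Vulnerable pattern: join the entry name onto dest and write it, no containment check."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)
            _write(zf, info, target)
            written.append(os.path.realpath(target))
    return written


def is_contained(dest: str, target: str) -> bool:
    """True if target resolves to dest itself or to a path beneath it."""
    dest_real = os.path.realpath(dest)
    target_real = os.path.realpath(target)
    return os.path.commonpath([dest_real, target_real]) == dest_real


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Hardened pattern: validate every entry first, reject the archive if any escapes."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        targets = [(info, os.path.join(dest, info.filename)) for info in zf.infolist()]
        bad = [info.filename for info, t in targets if not is_contained(dest, t)]
        if bad:
            raise ValueError(f"refusing artifact: entries escape {dest}: {bad}")
        written = []
        for info, target in targets:
            _write(zf, info, target)
            written.append(os.path.realpath(target))
    return written


def classify_download_artifact_ref(uses: str) -> str:
    """Classify a `uses:` value for actions/download-artifact against _VULN_RANGE.

    Returns 'vulnerable', 'not_affected', or 'unresolved' (floating tag or SHA).
    """
    m = re.fullmatch(r"actions/download-artifact@v?(\d+)\.(\d+)\.(\d+)", uses.strip())
    if not m:
        return "unresolved"
    ver = tuple(int(x) for x in m.groups())
    lo, hi = _VULN_RANGE
    return "vulnerable" if lo <= ver < hi else "not_affected"


def demo() -> dict:
    """Run both extractors against the sample artifact inside a scratch tree."""
    zip_bytes = build_sample_artifact()
    result = {}
    with tempfile.TemporaryDirectory() as root:
        # Destination sits two levels below root so "../../" lands inside the scratch tree.
        dest = os.path.join(root, "work", ".builds")
        paths = naive_extract(zip_bytes, dest)
        result["naive_escaped"] = not all(is_contained(dest, p) for p in paths)
        result["naive_wrote_bashrc"] = os.path.exists(os.path.join(root, ".bashrc"))

        safe_dest = os.path.join(root, "work2", ".builds")
        try:
            safe_extract(zip_bytes, safe_dest)
            result["safe_rejected"] = False
        except ValueError:
            result["safe_rejected"] = True
        result["safe_wrote_anything"] = os.path.exists(safe_dest)
    return result


if __name__ == "__main__":
    print(demo())
    for ref in ("actions/download-artifact@v4.1.2", "actions/download-artifact@v4.3.0", "actions/download-artifact@v4"):
        print(ref, "->", classify_download_artifact_ref(ref))
```

The containment check compares resolved paths rather than looking for a literal `..`, so it also catches names that only escape after symlink resolution of an existing prefix, and the hardened extractor validates the whole archive before writing the first byte so a partially extracted artifact never reaches the test step.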

Copilot AI changed the title from "[WIP] Fix failing GitHub Actions job in testcafe-browser-provider-browserstack" to "Fix CI: pass npm tarball between jobs and pin download-artifact to patched version" on May 12, 2026
Copilot AI requested a review from aleks-pro May 12, 2026 13:53
@aleks-pro aleks-pro marked this pull request as ready for review May 12, 2026 13:57
@aleks-pro aleks-pro merged commit 6c4e852 into master May 12, 2026
3 of 4 checks passed
aleks-pro added a commit that referenced this pull request May 12, 2026