ci(e2e): CMT scheduling + macOS E2E stabilization + CI/security hardening

[yasserfaraazkhan]

Summary

Enables matterwick-driven scheduled/CMT E2E provisioning for Desktop and lands a broad round of E2E reliability and CI/security hardening. (Companion to mattermost/matterwick#90.)

CMT / scheduled provisioning (matterwick-driven)

• cmt-provisioner.yml → lightweight monthly scheduled trigger (no inputs/curl); matterwick hears the workflow_run and dispatches compatibility-matrix-testing.yml.
• compatibility-matrix-testing.yml → dropped the in-workflow /cleanup_e2e call (matterwick now destroys provisioned servers on workflow_run completion, keyed by commit SHA); corrected the stale cmt_run_id input description.
• e2e-nightly-trigger.yml → schedule-only (pushes to main/release-* are handled by matterwick's native push handler).

macOS E2E stabilization (the previously-red macOS suite)

• intercom.ts: fixed the __e2eAppReady race (the window show event firing before the listener attaches, or MainWindow.get() returning undefined, on slower macOS runners) — the single error behind nearly all macOS failures. Added unit tests.
• Suppressed the macOS Resume / crash-reporter / Gatekeeper dialogs, stopped sending SIGKILL in global teardown, and bumped app-ready / minimize timeouts (global-setup.ts, global-teardown.ts, appReadiness.ts).
• Per-OS reporting: each platform uploads its own HTML report; removed the cross-OS merge that produced misleading aggregate counts. Flaky-test accounting fixed so a retried-then-passed test isn't counted as a failure (analyze-flaky-test.js, github-actions.js).
• Targeted spec fixes: popout (was capturing the child URLView instead of the popout window), copy-link role="menuitem" selector, window-menu/minimize timeout, deeplink WebContentsView traversal (Windows), bad-servers cert reload, remove-server-modal partial-config parse, badge, full-screen, tray-restore, startup window.

CI & security hardening

• e2e-functional.yml least-privilege permissions (top-level contents: read, per-job grants) so untrusted PR code (npm ci / Playwright) no longer runs with pull-requests: write.
• Flaky-CI fix: mocked electron in the two unit suites (UserActivityMonitor, diagnostics) that imported the real module — they only passed when the electron binary happened to be installed.
• popoutManager: registerMainWindowCloseHandler / closeAllPopouts + unit tests.

Cursor-automation removal

Removed the "Server for Cursor Automation" PR-body read/write feature (resolveMmTestServerUrlFromPr, the PR-body sync job, and the helper fns). MM_TEST_SERVER_URL is supplied only via inputs/env.

Companion PRs

mattermost/matterwick#90, mattermost/mattermost-mobile#9800, mattermost/gitops-platform#72.

🤖 Generated with Claude Code

[mm-cloud-bot]

@yasserfaraazkhan: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Details

I understand the commands that are listed here

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This PR comprehensively hardens E2E test infrastructure, reporting, and main-window lifecycle management across 77 ranges. It extends per-OS test-count outputs, refactors flaky-test analysis to collapse retries into authoritative outcomes, implements macOS dialog suppression across global setup/teardown/fixtures/workflows, hardens 13 specific tests with polling/event-driven patterns, adds PopoutManager cleanup on main-window close, and refactors intercom readiness with combined show-event and polling-fallback logic.

Changes

E2E Infrastructure, Test Reliability, and Main-Window Lifecycle

Layer / File(s)	Summary
CMT provisioner and compatibility-matrix workflow updates .github/workflows/cmt-provisioner.yml, .github/workflows/compatibility-matrix-testing.yml	Converts cmt-provisioner to scheduled/dispatchable trigger without manual inputs, documents Matterwick event-driven dispatch, and delegates instance cleanup to external Matterwick handler keyed by commit SHA.
E2E functional workflow permissions and job dependencies .github/workflows/e2e-functional.yml	Reduces workflow permissions to least-privilege contents: read, removes merged-report dependency, adds Windows runner pinning with Node-gyp comment, updates pr_number input description, and adds macOS suppress-dialogs step to main workflow.
E2E functional template outputs and reporting wiring .github/workflows/e2e-functional-template.yml	Extends workflow-call and job outputs to include per-OS PASSED/TOTAL/SKIPPED test counts, adds HTML report generation from blob-report, uploads to S3 with per-OS report URLs, and updates analyze-flaky-tests step to emit expanded per-OS outputs.
Flaky test analysis improvements e2e/utils/analyze-flaky-test.js	Rewrites failure counting to collapse testcase retries into base-name outcomes via regex matching, introduces getOutcomeCounts helper with pass/fail/skip dominance rules, and reconciles pass/total/skip counts against authoritative failure count for per-OS outputs.
Status description and PR reporting utilities e2e/utils/github-actions.js	Adds formatStatusDescription helper to compute commit-status text from passed/failed counts, refactors updateFinalStatus to use per-OS outputs and REPORT_LINK_* fallback without merged-report URL, and exports new utility.
macOS dialog suppression infrastructure e2e/fixtures/index.ts, e2e/global-setup.ts, e2e/global-teardown.ts, .github/workflows/e2e-functional-template.yml, .github/workflows/e2e-functional.yml	Electron fixture args disable first-run/default-apps/crash-reporter, global-setup snapshots/applies macOS defaults across bundleIDs (NSQuitAlwaysKeepsWindows, LSQuarantine, crash DialogType), global-teardown restores snapshot and adjusts graceful timeouts/SIGKILL behavior, and workflow template adds suppress-dialogs step.
E2E test timeout and app readiness configuration e2e/playwright.config.ts, e2e/helpers/appReadiness.ts	Increases Playwright timeout to 90_000 with Windows launch comments, computes platform-specific app readiness timeout (60s darwin/win32, 30s others), and expands timeout failure message with troubleshooting guidance.
Deep linking and copy-link test fixes e2e/specs/deep_linking/deeplink.test.ts, e2e/specs/mattermost/copy_link.test.ts	Deep-link test uses mattermost-dev:// protocol, polls server map per iteration, and checks window URL; copy-link test dispatches explicit contextmenu event and broadens selector to match both text variants and role-based containers.
Fullscreen and minimize window tests e2e/specs/menu_bar/full_screen.test.ts, e2e/specs/menu_bar/window_menu.test.ts	Fullscreen test applies demoMattermostConfig, targets specific BrowserWindow via focus/testRefs/first-available, clicks native menu item, and waits on enter/leave-full-screen events; minimize test calls BrowserWindow.minimize() and polls isMinimized().
Notification badge and server management tests e2e/specs/notification_trigger/notification_badge_windows_linux.test.ts, e2e/specs/server_management/bad_servers.test.ts, e2e/specs/server_management/popout_windows.test.ts	Badge trigger adds 15s polling loop with transient-error retry for global.__testTriggerBadge registration, beforeEach adds 10s retry loop for unread-badge-setting registration; bad_servers reloads all server views; popout_windows snapshots windows and polls for popout.html, uses native menu to open popouts, and sets willAppQuit before main-window close.
Window bounds, tray restore, and defensive file operations e2e/specs/startup/window.test.ts, e2e/specs/system/tray_restore.test.ts, e2e/specs/server_management/remove_server_modal.test.ts	Startup window tests replace non-negative bounds assertions with center-point-in-workArea checks to handle negative display origins; tray restore uses expect.poll for visibility; remove-server-modal wraps config.json reads in try/catch within polling callback.
PopoutManager main-window close cleanup src/app/windows/popoutManager.ts, src/app/windows/popoutManager.test.js	Adds MAIN_WINDOW_CREATED listener registration, attaches one-time closed handler on main window, and implements closeAllPopouts to invoke cleanup listeners, destroy browser windows, and clear tracking maps; includes comprehensive test coverage for registration, destruction, and integration via event trigger.
Intercom app readiness refactor and tests src/main/app/intercom.ts, src/main/app/intercom.test.js	Replaces isVisible/show branching with attachWindowListeners helper that marks readiness immediately if visible, otherwise waits for show event and polls isVisible every 250ms; ensures single markReady execution via done guard; defers to MAIN_WINDOW_CREATED if window not yet available; comprehensive test coverage with makeWindow mock helper and scenarios for visible-state, show-event, polling-fallback, and late-main-window construction.
Test infrastructure electron mocking src/main/UserActivityMonitor.test.js, src/main/diagnostics/index.test.js	Adds jest.mock('electron') blocks to UserActivityMonitor.test.js and diagnostics/index.test.js to prevent real Electron loading in CI and provide deterministic mock implementations of app.isReady, powerMonitor.getSystemIdleTime, shell, session, systemPreferences, and Notification.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• mattermost/desktop#3834: Implements overlapping E2E reporting and status-description refactors in e2e/utils/github-actions.js and matching workflow changes removing merged-report handling.

Suggested reviewers

• devinbinnie

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 25.81% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: CMT scheduling shift, macOS E2E stabilization, and CI/security hardening are all substantive themes across the changeset.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/cmt-direct-dispatch-and-cleanup-endpoint

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/cmt-provisioner.yml (1)

21-31: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Set explicit least-privilege permissions for this workflow.

No permissions block is defined, so this workflow inherits repository defaults for GITHUB_TOKEN, which is broader than needed here.

🔐 Proposed fix

 name: CMT Provisioner
+permissions: {}
 
 on:
   workflow_dispatch:

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/cmt-provisioner.yml around lines 21 - 31, Add an explicit
top-level permissions block to this workflow to avoid inheriting broad
repository defaults; update the workflow YAML (where the on:, workflow_dispatch
and job trigger-matterwick are defined) to include a minimal permissions map
such as setting permissions: contents: read and workflows: write (adjust further
only if the trigger-matterwick job needs additional scopes), so the GITHUB_TOKEN
only has the least-privilege required.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.github/workflows/cmt-provisioner.yml:
- Around line 21-31: Add an explicit top-level permissions block to this
workflow to avoid inheriting broad repository defaults; update the workflow YAML
(where the on:, workflow_dispatch and job trigger-matterwick are defined) to
include a minimal permissions map such as setting permissions: contents: read
and workflows: write (adjust further only if the trigger-matterwick job needs
additional scopes), so the GITHUB_TOKEN only has the least-privilege required.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 33b71075-cd7f-4654-978e-a49a6b70c36d

📥 Commits

Reviewing files that changed from the base of the PR and between e699409 and fe9514e.

📒 Files selected for processing (1)

• .github/workflows/cmt-provisioner.yml

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/cmt-provisioner.yml (1)

61-68: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Quote ${RUN_ID} in the jq command.

Line 66 uses --argjson run_id ${RUN_ID} without quoting ${RUN_ID}. While github.run_id should always be numeric, unquoted shell expansions can cause issues if the value is empty, contains whitespace, or has special characters. Quote it for safety.

🛡️ Proposed fix

-            --argjson run_id ${RUN_ID} \
+            --argjson run_id "${RUN_ID}" \

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/cmt-provisioner.yml around lines 61 - 68, The jq payload
construction is vulnerable to unquoted shell expansion for RUN_ID; update the
payload assignment so the jq invocation quotes the expansion for run id (the
line using --argjson run_id ${RUN_ID}) to --argjson run_id "${RUN_ID}" (i.e.,
modify the jq command in the payload assignment to quote ${RUN_ID}) to prevent
word-splitting or empty-value issues while keeping the --argjson usage.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.github/workflows/cmt-provisioner.yml:
- Around line 61-68: The jq payload construction is vulnerable to unquoted shell
expansion for RUN_ID; update the payload assignment so the jq invocation quotes
the expansion for run id (the line using --argjson run_id ${RUN_ID}) to
--argjson run_id "${RUN_ID}" (i.e., modify the jq command in the payload
assignment to quote ${RUN_ID}) to prevent word-splitting or empty-value issues
while keeping the --argjson usage.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 087195d9-68cf-4e38-852e-8395a205a823

📥 Commits

Reviewing files that changed from the base of the PR and between fe9514e and c41490b.

📒 Files selected for processing (1)

• .github/workflows/cmt-provisioner.yml

[coderabbitai]

🧹 Nitpick comments (2)

e2e/global-setup.ts (2)

48-49: ⚡ Quick win

Misleading comment.

The comment states "Verify at least one bundle ID got the settings applied" but no verification code follows. The subsequent lines (52-63) apply additional settings to system-level domains (LaunchServices, CrashReporter) rather than verifying the bundle-specific settings.

📝 Clarify the comment

-        // Verify at least one bundle ID got the settings applied.
-        // Also suppress the "verification of developer" dialog that can appear
+        // Suppress the "verification of developer" dialog that can appear

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@e2e/global-setup.ts` around lines 48 - 49, The comment claiming "Verify at
least one bundle ID got the settings applied" is misleading — update the comment
above the subsequent settings block to accurately describe what the code does
(apply additional system-level settings and suppress the "verification of
developer" dialog) and remove the mention of bundle-ID verification; reference
the system domains mentioned (LaunchServices, CrashReporter) in the new comment
so it correctly documents that the following lines adjust system-level domains
rather than performing any bundle-specific verification.

---

30-64: 💤 Low value

Consider using execFileSync for security.

The current implementation uses execSync with string interpolation of bundleID. While the current code uses a hard-coded array, using execFileSync with argument arrays would be more robust against potential future changes and aligns with security best practices.

🔒 Proposed refactor using execFileSync

-import {execSync} from 'child_process';
+import {execFileSync} from 'child_process';

         for (const bundleID of bundleIDs) {
             try {
-                execSync(`defaults write ${bundleID} NSQuitAlwaysKeepsWindows -bool false`, {stdio: 'pipe'});
+                execFileSync('defaults', ['write', bundleID, 'NSQuitAlwaysKeepsWindows', '-bool', 'false'], {stdio: 'pipe'});
             } catch {
                 // Non-fatal — tests still run, just potentially with the Resume dialog
             }
             try {
-                execSync(`defaults write ${bundleID} ApplePersistenceIgnoreState -bool YES`, {stdio: 'pipe'});
+                execFileSync('defaults', ['write', bundleID, 'ApplePersistenceIgnoreState', '-bool', 'YES'], {stdio: 'pipe'});
             } catch {
                 // Non-fatal
             }
         }
 
         try {
-            execSync('defaults write com.apple.LaunchServices LSQuarantine -bool false', {stdio: 'pipe'});
+            execFileSync('defaults', ['write', 'com.apple.LaunchServices', 'LSQuarantine', '-bool', 'false'], {stdio: 'pipe'});
         } catch {
             // Non-fatal
         }
 
         try {
-            execSync('defaults write com.apple.CrashReporter DialogType none', {stdio: 'pipe'});
+            execFileSync('defaults', ['write', 'com.apple.CrashReporter', 'DialogType', 'none'], {stdio: 'pipe'});
         } catch {
             // Non-fatal
         }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@e2e/global-setup.ts` around lines 30 - 64, Replace the execSync calls in the
macOS branch (process.platform === 'darwin') that interpolate bundleID into
command strings with execFileSync using argument arrays: locate the loop over
bundleIDs and the standalone execSync calls (symbols: bundleIDs, execSync) and
call execFileSync('defaults', ['write', bundleID, 'NSQuitAlwaysKeepsWindows',
'-bool', 'false'], {stdio:'pipe'}) and similarly for the other keys
(ApplePersistenceIgnoreState, LSQuarantine, DialogType) to avoid shell
interpolation; preserve the existing try/catch non-fatal behavior and same stdio
option.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@e2e/global-setup.ts`:
- Around line 48-49: The comment claiming "Verify at least one bundle ID got the
settings applied" is misleading — update the comment above the subsequent
settings block to accurately describe what the code does (apply additional
system-level settings and suppress the "verification of developer" dialog) and
remove the mention of bundle-ID verification; reference the system domains
mentioned (LaunchServices, CrashReporter) in the new comment so it correctly
documents that the following lines adjust system-level domains rather than
performing any bundle-specific verification.
- Around line 30-64: Replace the execSync calls in the macOS branch
(process.platform === 'darwin') that interpolate bundleID into command strings
with execFileSync using argument arrays: locate the loop over bundleIDs and the
standalone execSync calls (symbols: bundleIDs, execSync) and call
execFileSync('defaults', ['write', bundleID, 'NSQuitAlwaysKeepsWindows',
'-bool', 'false'], {stdio:'pipe'}) and similarly for the other keys
(ApplePersistenceIgnoreState, LSQuarantine, DialogType) to avoid shell
interpolation; preserve the existing try/catch non-fatal behavior and same stdio
option.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 70033d38-66b6-4678-a46a-f5d9fc89d10a

📥 Commits

Reviewing files that changed from the base of the PR and between e2e49b9 and cd36811.

📒 Files selected for processing (7)

• .github/workflows/e2e-functional-template.yml
• .github/workflows/e2e-functional.yml
• e2e/fixtures/index.ts
• e2e/global-setup.ts
• e2e/global-teardown.ts
• e2e/helpers/appReadiness.ts
• e2e/utils/analyze-flaky-test.js

[yasserfaraazkhan]

@CodeRabbit review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 4

♻️ Duplicate comments (1)

.github/workflows/e2e-functional-template.yml (1)

395-410: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use the standard release bucket and CDN URL for Playwright reports.

This still hardcodes the backing bucket and emits a direct S3 URL. The repo workflow convention is to upload via MM_DESKTOP_RELEASE_BUCKET and publish releases.mattermost.com/desktop/... links instead.

💡 Suggested adjustment

-          AWS_S3_BUCKET: mattermost-cypress-report
+          AWS_S3_BUCKET: ${{ secrets.MM_DESKTOP_RELEASE_BUCKET }}
...
-          REPORT_URL="https://${AWS_S3_BUCKET}.s3.amazonaws.com/${S3_PREFIX}/index.html"
+          REPORT_URL="https://releases.mattermost.com/desktop/${S3_PREFIX}/index.html"

Based on learnings: "Artifact uploads in Mattermost Desktop workflows should funnel to a backend S3 bucket defined by the MM_DESKTOP_RELEASE_BUCKET secret, but the public URL for accessing those artifacts must always be releases.mattermost.com/desktop via the CDN/mapping layer."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/e2e-functional-template.yml around lines 395 - 410,
Replace the hardcoded AWS_S3_BUCKET and direct S3 REPORT_URL with the
repo-standard secret and CDN URL: set AWS_S3_BUCKET to the secret
MM_DESKTOP_RELEASE_BUCKET (instead of
secrets.MM_DESKTOP_E2E_AWS_SECRET_ACCESS_KEY or the current literal), keep
S3_PREFIX as-is, use that bucket in the aws s3 sync target, and construct
REPORT_URL using the CDN mapping
"https://releases.mattermost.com/desktop/${S3_PREFIX}/index.html" so uploads go
to the canonical release bucket and public links use
releases.mattermost.com/desktop.

🧹 Nitpick comments (2)

src/main/UserActivityMonitor.test.js (1)

6-15: ⚡ Quick win

Use the repo-standard ESM singleton mock shape.

This electron mock omits __esModule: true and default, so it diverges from the required *.test.js singleton pattern and can cause import interop drift across the suite.

♻️ Suggested adjustment

+const electronMock = {
+    app: {
+        isReady: jest.fn(() => true),
+    },
+    powerMonitor: {
+        getSystemIdleTime: jest.fn(() => 0),
+    },
+};
+
-jest.mock('electron', () => ({
-    app: {
-        isReady: jest.fn(() => true),
-    },
-    powerMonitor: {
-        getSystemIdleTime: jest.fn(() => 0),
-    },
-}));
+jest.mock('electron', () => ({
+    __esModule: true,
+    default: electronMock,
+    ...electronMock,
+}));

As per coding guidelines: "**/*.test.{js,ts}: Mock singletons with jest.mock() using __esModule: true + default property, and use jest.mocked() for type-safe access to mock functions`."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/main/UserActivityMonitor.test.js` around lines 6 - 15, The electron mock
is missing the repo-standard ESM singleton shape; update the
jest.mock('electron', ...) to return { __esModule: true, default: { app: {
isReady: jest.fn(() => true) }, powerMonitor: { getSystemIdleTime: jest.fn(() =>
0) } } } so imports get the default ESM singleton and the mocked functions
(app.isReady and powerMonitor.getSystemIdleTime) behave correctly; after
changing the mock shape, use jest.mocked(...) when referencing these mocks
elsewhere in the test to keep type-safe access.

src/main/diagnostics/index.test.js (1)

6-30: ⚡ Quick win

Use the repo-standard ESM singleton mock shape here too.

This new electron mock has the same issue: it skips the required __esModule: true + default wrapper for singleton mocks, so it does not match the repo's Jest mock contract.

As per coding guidelines: "**/*.test.{js,ts}: Mock singletons with jest.mock() using __esModule: true + default property, and use jest.mocked() for type-safe access to mock functions`."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/main/diagnostics/index.test.js` around lines 6 - 30, The electron
jest.mock should use the repo-standard ESM singleton shape by returning an
object with __esModule: true and a default property containing the mocked API;
update the existing jest.mock('electron', ...) to wrap the current mock
(shell.showItemInFolder, app.isReady/getPath, powerMonitor.getSystemIdleTime,
session.defaultSession, systemPreferences.getMediaAccessStatus, Notification)
under a default key and add __esModule: true so the singleton mock contract is
satisfied; after changing the mock shape, use jest.mocked(...) where this mock
is referenced in tests to get type-safe access to the mocked functions.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/compatibility-matrix-testing.yml:
- Around line 144-146: The workflow's dispatch input docs for "cmt_run_id" are
stale and still claim instance cleanup is driven by cmt_run_id; update the
`workflow_dispatch` input description for cmt_run_id (and any nearby comment
block) to state that instance teardown is keyed by commit SHA and handled
externally by Matterwick when the workflow_run completes, or remove/rename the
input if it's no longer applicable; ensure the `cmt_run_id` text matches the new
cleanup flow described in the top comment about commit SHA-based cleanup.

In @.github/workflows/e2e-functional-template.yml:
- Around line 167-205: The sync-pr-server-url job currently checks out
inputs.DESKTOP_VERSION and then runs actions/github-script which requires
./e2e/utils/github-actions.js while the job has pull-requests: write — this lets
an untrusted PR ref modify that helper and execute code with write privileges.
Fix by removing the ability for checked-out PR-controlled code to run with write
permissions: either inline the script logic from github-actions.js into the
workflow step (so it does not require code from the checkout) or change the
checkout to a trusted immutable ref (pin to a commit/tag) and/or remove the
pull-requests: write permission from the job; update the
sync-cursor-automation-server-on-pr step to use the inlined script or the pinned
helper instead of require('./e2e/utils/github-actions.js').

In @.github/workflows/e2e-functional.yml:
- Around line 188-192: The e2e-policy-tests job currently grants statuses: write
to all its steps; remove statuses: write from the e2e-policy-tests job's
permissions (keep contents: read) so test execution (npm ci, npm run build-test,
npm run run:policy) is read-only, then add a separate dependent job (e.g.,
e2e-policy-postprocess) that has needs: e2e-policy-tests and permissions
including statuses: write and move the e2e/check-for-failures step into that
post-processing job so only that job can update commit status. Ensure job names
referenced are e2e-policy-tests and e2e-policy-postprocess and the check step
identifier is e2e/check-for-failures.

In `@qa-report.md`:
- Around line 33-36: Update the "CMT provisioner dispatches Matterwick via HTTP"
bullet in qa-report.md to reflect that this PR changes CMT to dispatch
Matterwick using the workflow_run webhook inputs (i.e., driven by workflow_run
events) instead of HTTP; locate the "CMT provisioner" bullet and replace the
transport description to explicitly state "dispatches Matterwick via
workflow_run webhook inputs" or similar phrasing so rollout notes and risk
analysis are accurate.

---

Duplicate comments:
In @.github/workflows/e2e-functional-template.yml:
- Around line 395-410: Replace the hardcoded AWS_S3_BUCKET and direct S3
REPORT_URL with the repo-standard secret and CDN URL: set AWS_S3_BUCKET to the
secret MM_DESKTOP_RELEASE_BUCKET (instead of
secrets.MM_DESKTOP_E2E_AWS_SECRET_ACCESS_KEY or the current literal), keep
S3_PREFIX as-is, use that bucket in the aws s3 sync target, and construct
REPORT_URL using the CDN mapping
"https://releases.mattermost.com/desktop/${S3_PREFIX}/index.html" so uploads go
to the canonical release bucket and public links use
releases.mattermost.com/desktop.

---

Nitpick comments:
In `@src/main/diagnostics/index.test.js`:
- Around line 6-30: The electron jest.mock should use the repo-standard ESM
singleton shape by returning an object with __esModule: true and a default
property containing the mocked API; update the existing jest.mock('electron',
...) to wrap the current mock (shell.showItemInFolder, app.isReady/getPath,
powerMonitor.getSystemIdleTime, session.defaultSession,
systemPreferences.getMediaAccessStatus, Notification) under a default key and
add __esModule: true so the singleton mock contract is satisfied; after changing
the mock shape, use jest.mocked(...) where this mock is referenced in tests to
get type-safe access to the mocked functions.

In `@src/main/UserActivityMonitor.test.js`:
- Around line 6-15: The electron mock is missing the repo-standard ESM singleton
shape; update the jest.mock('electron', ...) to return { __esModule: true,
default: { app: { isReady: jest.fn(() => true) }, powerMonitor: {
getSystemIdleTime: jest.fn(() => 0) } } } so imports get the default ESM
singleton and the mocked functions (app.isReady and
powerMonitor.getSystemIdleTime) behave correctly; after changing the mock shape,
use jest.mocked(...) when referencing these mocks elsewhere in the test to keep
type-safe access.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 05a40bdd-e2a8-4d4d-a3a0-c3d798516dbb

📥 Commits

Reviewing files that changed from the base of the PR and between 9d891fb and 4b6764e.

📒 Files selected for processing (8)

• .github/workflows/cmt-provisioner.yml
• .github/workflows/compatibility-matrix-testing.yml
• .github/workflows/e2e-functional-template.yml
• .github/workflows/e2e-functional.yml
• qa-report.md
• src/main/UserActivityMonitor.test.js
• src/main/app/intercom.test.js
• src/main/diagnostics/index.test.js

🚧 Files skipped from review as they are similar to previous changes (1)

• src/main/app/intercom.test.js

[yasserfaraazkhan]

@CodeRabbit review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[devinbinnie]

Thanks for continuing to work to stabilize the Desktop E2E tests :)

I do have some concerns around changing we need to make to the code base to make this work - especially the polling addition, since that definitely can affect normal app usage.