feat: include e2e tests in CI #575

Open
rebEllieous wants to merge 8 commits into main from feature/481-include-e2e-in-ci

@rebEllieous

@rebEllieous rebEllieous commented Jun 4, 2026

Contributor

What

Run e2e Tests in CI Pipelines
Closes #481

Why

Previously, the E2E test suite had to be triggered manually. To ensure continuous integration and prevent regressions, these tests are now automated within the main pipeline.
Additionally, the configuration includes adjustments for local execution runners (act).

Testing

  • Local Verification: Verified the entire E2E suite locally using act with privileged container options and host networking configurations.

Notes for reviewers

  • Local Dev Note: Running the suite locally via act now requires an .actrc containing --container-options "--privileged -v /var/run/docker.sock:/var/run/docker.sock" and --network host.

Checklist

  • Tests added/updated
  • No breaking changes (or upgrade path documented above)
  • Readable commit history (squashed and cleaned up as desired)
  • AI code review considered and comments resolved

Summary by CodeRabbit

  • New Features

    • CI now exposes a reusable image-tag output and a dedicated end-to-end test workflow; Makefile supports configurable registry/tag.
  • Tests

    • E2E runs consume produced image tags, create image-pull secrets when needed, and include a new values fixture; CI vs local behavior is handled.
  • Bug Fixes

    • Improved checks to avoid noisy grep output and ensure shellcheck is available before linting.
  • Chores

    • Local/act runs skip signing, SBOM/provenance, QEMU and GHCR login for faster iteration.

@coderabbitai

coderabbitai Bot commented Jun 4, 2026

Contributor

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Exposes Docker-built image tag via workflow_call, adapts docker workflow for local act, parameterizes registry/tag in Makefile, adds a reusable test-e2e workflow, and updates Go CI and e2e tests/fixtures to consume the produced image tag and optional GHCR token.

Changes

E2E Test Workflow Integration

| Layer / File(s) | Summary |
| --- | --- |
| Docker workflow interface and act-specific support / .github/workflows/docker.yaml | Adds workflow_call output image-tag, expands buildAndPush gating to accept workflow_call, switches metadata-action naming under act, and conditionally skips/adapts QEMU, buildx driver-opts, GHCR login, cosign, SBOM, and attestation steps when env.ACT is set; build platforms become conditional. |
| Makefile registry and tag parameterization / Makefile | Introduces REGISTRY and TAG and rewrites component image variables and local Kind build/load targets to use $(REGISTRY)/...:$(TAG), forwarding these into build/load scripts and skipping local build/load in CI/ACT. |
| Reusable test-e2e workflow / .github/workflows/test-e2e.yaml | Adds a workflow_call-compatible workflow that accepts image-tag, provisions a Kind cluster, installs kubectl/helm, computes REGISTRY, and runs make test-e2e with TAG/REGISTRY and GHCR_TOKEN. |
| Go workflow: trigger/filter and lint changes / .github/workflows/golang.yaml | Expand pull_request types, add changes job using dorny/paths-filter to compute backend, conditionally run lint when backend == 'true', and install shellcheck when missing. |
| E2E test code: imageTag, pull secret, Helm values / test/e2e/*, test/fixtures/solar-e2e.values.yaml | Add createPullSecret helper; read IMAGE_TAG and GHCR_TOKEN in tests, conditionally create ghcr-pull-secret, and update Helm install args to use the computed imageTag and inject imagePullSecrets in CI. Adds solar-e2e.values.yaml fixture. |
| Unpinned-action grep tweak / .github/workflows/update-action-pins.yml | Add -h to the grep command used to find unpinned uses: entries to suppress filename prefixes in grep output. |

Sequence Diagram

sequenceDiagram
  participant Caller as CI caller / workflow_call
  participant DockerWF as .github/workflows/docker.yaml
  participant Registry as Registry (ghcr.io or localhost:5001)
  participant ReusableE2E as .github/workflows/test-e2e.yaml
  participant Kind as Kind cluster

  Caller->>DockerWF: invoke buildAndPush (push/PR/workflow_call)
  DockerWF->>Registry: build & push image (sets steps.meta.outputs.version -> image-tag)
  DockerWF-->>Caller: outputs.image-tag
  Caller->>ReusableE2E: call test-e2e with image-tag
  ReusableE2E->>Kind: create cluster and run make test-e2e with REGISTRY/TAG

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested reviewers

  • trevex
  • yocaba

Poem

🐰 I hopped through CI with a tiny cheer,
Built an image, tagged it bold and clear.
Kind stirred awake, pulled from local or ghcr,
Tests ran their dance, skipping where things were far.
A rabbit's grin — the pipeline hums near.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title 'feat: include e2e tests in CI' accurately and concisely describes the primary change—adding e2e tests to the CI pipeline as outlined in the changeset. |
| Description check | ✅ Passed | The description covers all required template sections: What (automation of e2e tests in CI), Why (prevent regressions), Testing (local verification with act), and Notes for reviewers (configuration requirements). Checklist is complete. |
| Linked Issues check | ✅ Passed | The changes successfully implement all requirements from issue #481: e2e tests now run in CI via a reusable workflow, kind dependency is handled through GitHub Actions setup, and the solution aligns with the Solar project's approach used for ARC. |
| Out of Scope Changes check | ✅ Passed | All changes are directly scoped to automating e2e tests in CI. Modifications to GitHub workflows, Makefile, e2e test files, and test fixtures are all essential to enable CI integration of e2e tests without unrelated additions. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |

@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 4

🧹 Nitpick comments (3)
.github/workflows/golang.yaml (2)

106-116: 💤 Low value

Optional: Remove redundant tool installations.

Both kubectl and helm are pre-installed on ubuntu-24.04 GitHub runners, making these installation steps unnecessary. The helm/kind-action also handles Kind installation.

♻️ Simplification
       - name: Install Tools
         if: needs.buildAndPush.outputs.image-tag != ''
         run: |
-          # Install kubectl
-          curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
-          chmod +x ./kubectl
-          sudo mv ./kubectl /usr/local/bin/kubectl
           kubectl version --client
-
-          # Install helm
-          curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
+          helm version
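Review bot: the retained step is still named `Install Tools`, but after these removals it only runs `kubectl version --client` and `helm version`, so the name no longer describes it; rename it to something like `Verify Tools`. The removed lines resolved the kubectl version from `stable.txt` at run time and piped `get-helm-3` from the `main` branch into `bash`, both unpinned, so if the runner image ever stops shipping these tools, reintroduce them with a fixed version and a checksum check rather than restoring those two commands.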
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/golang.yaml around lines 106 - 116, Remove the redundant
"Install Tools" step that manually installs kubectl and helm (the block named
"Install Tools" containing the curl/chmod/mv kubectl and the curl | bash helm
commands) since ubuntu-24.04 runners already include kubectl and helm and the
existing helm/kind-action manages Kind; delete that step or replace it with a
noop/comment explaining it's skipped, ensuring no other steps reference the
removed commands.

95-96: 💤 Low value

Consider setting persist-credentials: false for defense-in-depth.

Same rationale as docker.yaml - explicitly disabling credential persistence reduces attack surface.

       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         if: needs.buildAndPush.outputs.image-tag != ''
+        with:
+          persist-credentials: false
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/golang.yaml around lines 95 - 96, Modify the
actions/checkout step that currently uses
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd (the checkout step
guarded by if: needs.buildAndPush.outputs.image-tag != '') to explicitly set
persist-credentials: false so credentials are not left in the runner; update
that step's inputs to include persist-credentials: false while keeping the
existing if condition and version of actions/checkout.
.github/workflows/docker.yaml (1)

55-55: 💤 Low value

Consider setting persist-credentials: false for defense-in-depth.

While not exploitable in this workflow's context, explicitly disabling credential persistence reduces the attack surface if the checkout is later reused in steps that export artifacts.

       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/docker.yaml at line 55, Update the GitHub Actions checkout
step that uses actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd to add
the persist-credentials: false option; specifically modify the checkout step
(the actions/checkout invocation) to include persist-credentials: false so
credentials are not left in the workspace after checkout.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/docker.yaml:
- Around line 46-50: Remove the unintended "|| true" from the if condition so
the job is no longer unconditional, and guard access to
github.event.pull_request.labels when github.event_name == 'workflow_call' by
treating workflow_call separately: either (Option A) allow workflow_call
invocations unconditionally by adding a separate clause that checks
github.event_name == 'workflow_call' OR the existing PR/push/release checks
(reference the existing if conditional using github.event_name and
github.event.pull_request.labels), or (Option B) add a workflow_call input
(e.g., an "ok_to_image" boolean input) and update the if to check that input for
workflow_call events instead of accessing pull_request.labels; implement one of
these options and remove the "|| true".

In @.github/workflows/golang.yaml:
- Around line 51-54: Remove the conditional installation block that checks for
shellcheck (the if ! command -v shellcheck &> /dev/null; then ... fi block)
since shellcheck is preinstalled on ubuntu-24.04 runners; delete those lines
entirely, or if you prefer to keep a guard, replace the German echo with an
English message and prepend sudo to the apt-get commands (sudo apt-get update &&
sudo apt-get install -y shellcheck) so the install would succeed on GitHub
runners.
- Around line 83-123: The E2E CI assumes localhost/local images
(test/fixtures/solar.values.yaml) but the workflow runs make e2e-cluster in CI
without building or loading local images; fix by either making the images
available in CI or changing Helm values: Option A — before "Run E2E Test Suite",
invoke the same targets used locally (docker-build-local-images and
kind-load-local-images or call setup-local-cluster) so the localhost/local/*:e2e
images exist in the Kind cluster (ensure steps run even when CI=true), or Option
B — parameterize test/fixtures/solar.values.yaml to use the REGISTRY/IMAGE_TAG
passed to make test-e2e (use the workflow env REGISTRY and IMAGE_TAG) and, if
switching to ghcr.io, create and mount image pull secrets in the cluster (add
registry auth steps) so pods can pull ghcr.io/... images; update the workflow
step that runs make test-e2e to pass the chosen REGISTRY/IMAGE_TAG consistently.

In `@Makefile`:
- Around line 94-98: The Makefile hardcodes TAG=e2e in the e2e cluster target
causing CI image-tag mismatch; update the recipe lines that call the targets
docker-build-local-images and kind-load-local-images and the invocation of
$(HACK_DIR)/dev-cluster.sh to use TAG=$(TAG) (and REGISTRY=$(REGISTRY)) instead
of TAG=e2e, and export TAG and REGISTRY so subprocesses (e.g., go tests invoking
make e2e-cluster or dev-cluster.sh) inherit the values; locate the lines
referencing docker-build-local-images, kind-load-local-images and the
dev-cluster.sh invocation to apply these changes.

📥 Commits

Reviewing files that changed from the base of the PR and between 6383ec4 and 237f980.

📒 Files selected for processing (3)
  • .github/workflows/docker.yaml
  • .github/workflows/golang.yaml
  • Makefile

Comment thread .github/workflows/docker.yaml Outdated
Comment thread .github/workflows/golang.yaml
Comment thread .github/workflows/golang.yaml Outdated
Comment thread Makefile Outdated
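
The kubectl download quoted in the review above resolves `stable.txt` at run time and installs whatever comes back, and the Helm script is piped from `main` straight into `bash`. The following is an added example, not code from this PR or from any reviewer, of installing from a pinned URL only when the file matches a SHA-256 digest kept in the repository; `KUBECTL_VERSION`, `KUBECTL_SHA256`, the `FETCH` hook and all function names are assumptions of the example, and the version and digest are placeholders.

```shell
#!/bin/sh
# Added example: install a CI tool from a pinned URL only if its SHA-256
# matches a digest committed to the repository. All names here are
# assumptions of this example, not taken from the PR.

# Placeholders: set both to a release you have reviewed. The defaults are
# deliberately invalid so an unconfigured run is rejected.
KUBECTL_VERSION=${KUBECTL_VERSION:-vX.Y.Z}
KUBECTL_SHA256=${KUBECTL_SHA256:-REPLACE_WITH_REVIEWED_SHA256}
# Download hook, overridable so the logic can be exercised offline.
FETCH=${FETCH:-fetch_https}

fetch_https() {  # fetch_https URL DEST
  # --fail turns HTTP errors into a non-zero exit instead of saving an error page.
  curl --fail --silent --show-error --location --proto '=https' --tlsv1.2 \
       --output "$2" "$1"
}

sha256_of() {  # sha256_of FILE -> lowercase hex digest on stdout
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

verify_sha256() {  # verify_sha256 FILE EXPECTED_HEX -> 0 only on exact match
  _file=$1
  _expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -f "$_file" ] || { echo "missing file: $_file" >&2; return 1; }
  # Reject an empty variable, a placeholder, or anything else that is not hex.
  case "$_expected" in
    ''|*[!0-9a-f]*) echo "expected digest is not hex" >&2; return 1 ;;
  esac
  [ "${#_expected}" -eq 64 ] || { echo "expected digest is not 64 hex chars" >&2; return 1; }
  _actual=$(sha256_of "$_file") || return 1
  [ "$_actual" = "$_expected" ]
}

install_pinned() {  # install_pinned NAME URL SHA256 DEST_DIR
  _name=$1; _url=$2; _sha=$3; _dest=$4
  _tmp=$(mktemp -d) || return 1
  _rc=0
  # Download to a scratch directory; nothing reaches DEST_DIR before the check.
  "$FETCH" "$_url" "$_tmp/$_name" || _rc=1
  if [ "$_rc" -eq 0 ] && ! verify_sha256 "$_tmp/$_name" "$_sha"; then
    echo "refusing to install $_name: SHA-256 mismatch" >&2
    _rc=1
  fi
  if [ "$_rc" -eq 0 ]; then
    install -m 0755 "$_tmp/$_name" "$_dest/$_name" || _rc=1
  fi
  rm -rf "$_tmp"
  return "$_rc"
}

# Stand-alone use from a workflow step: ./install-pinned.sh install-kubectl [DEST_DIR]
if [ "${1:-}" = "install-kubectl" ]; then
  install_pinned kubectl \
    "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" \
    "$KUBECTL_SHA256" "${2:-/usr/local/bin}"
fi
```

Keeping the digest next to the version in the repository means a change to either one shows up in review.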

@coderabbitai coderabbitai Bot left a comment

Contributor

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/golang.yaml (1)

117-123: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Align e2e registry config: REGISTRY/TAG passed but unused

  • .github/workflows/golang.yaml passes TAG=$IMAGE_TAG and REGISTRY=$REGISTRY into make test-e2e, but the Makefile test-e2e target does not export REGISTRY/TAG to the go test process (it only exports HELM, KIND, KIND_CLUSTER, KUBECTL, MAKE, OCM).
  • test/e2e/ has no os.Getenv/LookupEnv usage for REGISTRY/TAG, and test/fixtures/*.values.yaml hardcode localhost/local/... image repositories.
    Either remove the unused TAG/REGISTRY parameters from the workflow or wire them into the e2e manifests/fixtures (e.g., via runtime YAML patching) if pulling from GHCR is intended.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/golang.yaml around lines 117 - 123, The workflow sets
REGISTRY and IMAGE_TAG and passes them to make test-e2e, but the Makefile target
test-e2e and the e2e suite (test/e2e and test/fixtures/*.values.yaml) never
consume them; either remove those args from the workflow or wire them through:
update the Makefile target test-e2e to export REGISTRY and TAG into the go test
environment (so the go test subprocess can read os.Getenv/LookupEnv), and update
the e2e code (test/e2e) and fixtures to accept those env vars (or perform
runtime YAML patching of test/fixtures/*.values.yaml to replace hardcoded
localhost repos with "${REGISTRY}/${TAG}" values) so tests pull images from GHCR
when IMAGE_TAG/REGISTRY are provided; reference symbols: REGISTRY, IMAGE_TAG,
make target test-e2e, test/e2e, test/fixtures/*.values.yaml.
♻️ Duplicate comments (1)
.github/workflows/docker.yaml (1)

46-50: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

workflow_call events lack PR context, so this condition always evaluates to false for reusable workflow calls.

When this workflow is invoked via workflow_call (e.g., from golang.yaml line 81), github.event.pull_request is null—there is no PR context. The expression contains(github.event.pull_request.labels.*.name, 'ok-to-e2e') evaluates to false, causing the job to be skipped and no images to be built. This defeats the purpose of the e2e integration.

To allow workflow_call invocations unconditionally (the caller decides when to invoke), move workflow_call to a separate clause:

🔧 Proposed fix
     if: |
       github.event_name == 'push' ||
       (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'ok-to-image')) ||
-      (github.event_name == 'workflow_call' && contains(github.event.pull_request.labels.*.name, 'ok-to-e2e')) ||
+      github.event_name == 'workflow_call' ||
       (github.event_name == 'release' && github.event.action == 'published')
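Review bot: on the added line `github.event_name == 'workflow_call' ||`, a reusable workflow runs with the caller's `github` context, so `github.event_name` holds the caller's event (for example `pull_request`) rather than `workflow_call`, and this clause would not match; a called run would then fall through to the `ok-to-image` label check. Gate on a `workflow_call` input instead, as Option B in the earlier inline comment suggests, and test `inputs.<name>` in this `if`. Dropping the `ok-to-e2e` label check from this clause also moves that gate to the caller, so the calling job needs to carry the label condition itself; nothing in this hunk shows that it does.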
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/docker.yaml around lines 46 - 50, The current job-level if
uses a combined expression that includes
contains(github.event.pull_request.labels.*.name, 'ok-to-e2e') which will be
false when github.event_name == 'workflow_call' because
github.event.pull_request is null; update the if so that workflow_call is its
own clause (e.g., (github.event_name == 'workflow_call') || ...), removing the
label check for that branch so reusable workflow calls run unconditionally,
while preserving the existing label checks for pull_request and other events.

📥 Commits

Reviewing files that changed from the base of the PR and between 237f980 and 01afa86.

📒 Files selected for processing (3)
  • .github/workflows/docker.yaml
  • .github/workflows/golang.yaml
  • .github/workflows/update-action-pins.yml
✅ Files skipped from review due to trivial changes (1)
  • .github/workflows/update-action-pins.yml

@rebEllieous rebEllieous force-pushed the feature/481-include-e2e-in-ci branch from cf770cd to bfbd212 Compare June 7, 2026 20:23

@coderabbitai coderabbitai Bot left a comment

Contributor

🧹 Nitpick comments (2)
test/e2e/e2e_suite_test.go (1)

303-316: ⚡ Quick win

Add GinkgoHelper() to improve test failure reporting.

This helper function should call GinkgoHelper() at the start (like other helpers in this file do) to ensure that when test failures occur, the stack trace points to the calling test code rather than this helper function.

📍 Proposed fix
 func createPullSecret(namespace, token string) error {
+	GinkgoHelper()
+
 	if token == "" {
 		return nil
 	}
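Review bot: `createPullSecret` returns an `error` and, in the lines shown, makes no assertion of its own, so the added `GinkgoHelper()` has no visible effect unless the rest of the body calls `Expect` or `Fail`; a caller that wraps the returned error in `Expect(...)` already reports at the caller's line. Either drop the addition or make the helper assert internally and stop returning `error`. The `token == ""` branch also returns `nil` silently, so a log line there would make a missing token in CI visible at the point it is skipped.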
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e/e2e_suite_test.go` around lines 303 - 316, Add a GinkgoHelper() call
at the start of the createPullSecret function so test failure stack traces point
to the caller: inside createPullSecret (before any logic or calls to
exec.Command/run), invoke GinkgoHelper() as other helper functions do, then
proceed with the existing token-check and kubectl invocation (references:
createPullSecret, kubectlBinary, run).
test/fixtures/solar-e2e.values.yaml (1)

19-21: Confirm discovery in solar-e2e.values.yaml is not consumed by the solar chart, so the image repo mismatch won’t affect e2e.

test/e2e/e2e_test.go installs the solar chart using test/fixtures/solar-e2e.values.yaml, but charts/solar/templates contains no references to discovery / .Values.discovery, so that discovery.image.repository: ghcr.io/opendefensecloud/solar-discovery-worker entry is ignored.

The e2e discovery components are deployed separately via solar-discovery / solar-discovery-scan charts using test/fixtures/solar-discovery-*.values.yaml, which use solar-discovery (not solar-discovery-worker). If you want to reduce confusion, consider removing/correcting the unused discovery block (and/or the related charts/solar/README.md entry).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/fixtures/solar-e2e.values.yaml` around lines 19 - 21, The
discovery.image.repository entry in test/fixtures/solar-e2e.values.yaml is
unused by the solar chart (charts/solar/templates contains no .Values.discovery)
and therefore misleading for e2e; either remove the entire discovery block from
solar-e2e.values.yaml or correct it to match the actual e2e deployment charts
(solar-discovery / solar-discovery-scan) and their expected key (compare
test/fixtures/solar-discovery-*.values.yaml), and update any mention in
charts/solar/README.md to avoid confusion; verify test/e2e/e2e_test.go still
installs the intended values after the change.

📥 Commits

Reviewing files that changed from the base of the PR and between 01afa86 and a330982.

📒 Files selected for processing (6)
  • .github/workflows/docker.yaml
  • .github/workflows/golang.yaml
  • Makefile
  • test/e2e/e2e_suite_test.go
  • test/e2e/e2e_test.go
  • test/fixtures/solar-e2e.values.yaml
🚧 Files skipped from review as they are similar to previous changes (2)
  • .github/workflows/golang.yaml
  • Makefile

@rebEllieous rebEllieous added and removed the ok-to-e2e (PR is allowed to run E2E tests) label Jun 7, 2026
@coveralls

coveralls commented Jun 7, 2026


Coverage Report for CI Build 27170612612

Warning

No base build found for commit 3e32ef4 on main.
Coverage changes can't be calculated without a base build.
If a base build is processing, this comment will update automatically when it completes.

Coverage: 73.209%

Details

  • Patch coverage: No coverable lines changed in this PR.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

Requires a base build to compare against. How to fix this →


Coverage Stats

Coverage Status
Relevant Lines: 3531
Covered Lines: 2585
Line Coverage: 73.21%
Coverage Strength: 37.14 hits per line

💛 - Coveralls

@rebEllieous rebEllieous added the ok-to-e2e (PR is allowed to run E2E tests) label Jun 7, 2026
@rebEllieous rebEllieous force-pushed the feature/481-include-e2e-in-ci branch 3 times, most recently from 52c274a to 187b65b Compare June 7, 2026 21:14
@rebEllieous rebEllieous removed the ok-to-e2e (PR is allowed to run E2E tests) label Jun 7, 2026
@rebEllieous rebEllieous force-pushed the feature/481-include-e2e-in-ci branch 2 times, most recently from ac098ff to 8b5b645 Compare June 7, 2026 21:29

@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/golang.yaml (1)

21-22: ⚡ Quick win

Disable persisted credentials in both checkout steps.

actions/checkout persists the workflow token in git config by default. Setting persist-credentials: false in both checkout steps reduces token exposure risk in later steps that execute repository code.

🔧 Proposed patch
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
@@
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         if: needs.buildAndPush.result == 'success'
+        with:
+          persist-credentials: false
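Review bot: the two checkout steps touched by this patch pin different major versions, the first hunk's `uses:` line is commented `# v4` and the second's `# v6`, each with its own SHA. Align both on one pinned SHA while editing these steps, so `persist-credentials: false` is applied to the same action code in both jobs and the pin-update tooling has a single version to track.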

Also applies to: 111-112

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/golang.yaml around lines 21 - 22, Two checkout steps
currently use actions/checkout without disabling credential persistence; update
both occurrences of the actions/checkout step (the lines referencing "uses:
actions/checkout@...") to include the step option persist-credentials: false so
the workflow token is not automatically written to git config for later steps.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/golang.yaml:
- Around line 105-110: The current GitHub Action step uses if:
needs.buildAndPush.result != 'success', which also fires on failure/cancelled
and produces a misleading "E2E Tests Skipped" summary; change the condition to
only trigger for the skipped case (e.g., if: needs.buildAndPush.result ==
'skipped') and update the step text accordingly, and optionally add separate
conditional steps/messages for needs.buildAndPush.result == 'failure' and
'cancelled' to provide accurate summaries for those outcomes; update references
to needs.buildAndPush.result and the existing step that writes to
$GITHUB_STEP_SUMMARY (the block containing the echo lines) to reflect these new
conditions.

📥 Commits

Reviewing files that changed from the base of the PR and between a330982 and ac098ff.

📒 Files selected for processing (2)
  • .github/workflows/docker.yaml
  • .github/workflows/golang.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/docker.yaml

Comment thread .github/workflows/golang.yaml Outdated
@rebEllieous rebEllieous force-pushed the feature/481-include-e2e-in-ci branch from 8b5b645 to 2c03376 Compare June 7, 2026 21:41
@rebEllieous rebEllieous added the ok-to-e2e (PR is allowed to run E2E tests) label Jun 7, 2026
@rebEllieous rebEllieous force-pushed the feature/481-include-e2e-in-ci branch 7 times, most recently from b23b179 to a597d49 Compare June 7, 2026 22:03
@rebEllieous rebEllieous force-pushed the feature/481-include-e2e-in-ci branch 2 times, most recently from 8fd4f6a to 5e05caf Compare June 8, 2026 19:56

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (2)
.github/workflows/test-e2e.yaml (2)

18-18: 💤 Low value

Consider adding persist-credentials: false for defense-in-depth.

The checkout action persists Git credentials by default. For a workflow that only needs to read the repository and run tests, disabling credential persistence reduces attack surface.

-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
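Review bot: the removed and re-added `uses:` lines are identical, so the only effective change here is the new `with:` block and the suggestion could be trimmed to those two added lines. Before applying `persist-credentials: false`, confirm that no later step in test-e2e.yaml runs an authenticated git operation, since such a step would rely on the token that checkout otherwise writes to the local git config. Keep the full commit SHA pin and its `# v6` comment as they are.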
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test-e2e.yaml at line 18, The workflow currently uses the
actions/checkout step (uses:
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd) which persists Git
credentials by default; update that checkout step to include a with:
persist-credentials: false setting so credentials are not stored for downstream
steps—locate the actions/checkout usage and add the persist-credentials: false
key under its with block.

Source: Linters/SAST tools


29-37: 💤 Low value

Tool installation could be more robust.

The kubectl and Helm installation commands work but have minor robustness concerns:

  1. kubectl: The nested $(curl ...) could fail silently if the version endpoint is unreachable.
  2. Helm: Piping curl to bash without checksum verification follows common practice but provides no integrity guarantee.

For CI reliability, consider using pinned versions or official GitHub Actions for these tools. However, the current approach is functional and commonly used.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test-e2e.yaml around lines 29 - 37, The current inline
installs for kubectl (the nested $(curl ...) fetch) and Helm (curl | bash) are
brittle; replace them by using the official GitHub Actions
(actions/setup-kubectl and azure/setup-helm or helm's official action) or at
minimum pin a specific kubectl/helm version, check the curl exit codes, and
verify downloads with a checksum before moving/executing; update the steps that
run the kubectl download/chmod/mv and the curl | bash helm install to use the
actions or add explicit version variables, curl -f/--silent checks, and
checksum/verification logic so CI installation is robust and fails loudly on
network or integrity errors.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/docker.yaml:
- Around line 27-34: The temporary debug job "debug-context-docker" exposes a
template injection risk by interpolating "${{ github.event.action }}" directly
into a shell command and lacks an explicit permissions block; either remove the
job before merging or if keeping it, change the step to pass github.event.action
via an environment variable (e.g., set an env: ACTION: ${{ github.event.action
}} and echo "$ACTION" in the run) to avoid direct template expansion in the
shell, and add an explicit minimal permissions block (e.g., permissions: {} or
only the required scopes) at the job level to avoid inheriting broad defaults.

In @.github/workflows/test-e2e.yaml:
- Around line 38-44: The REGISTRY env expression relies on env.ACT which may not
exist in a called reusable workflow; add an explicit boolean input (e.g.,
inputs.is-act) to the workflow_call and use that input instead of env.ACT when
computing REGISTRY (update the REGISTRY env expression in the block that defines
REGISTRY and IMAGE_TAG), and update callers (like docker.yaml) to pass
is-act=true when running under act; alternatively set ACT at the workflow/job
env level so the expression can see it—ensure you reference the new input name
(is-act) where REGISTRY is computed and keep IMAGE_TAG usage unchanged.

---

Nitpick comments:
In @.github/workflows/test-e2e.yaml:
- Line 18: The workflow currently uses the actions/checkout step (uses:
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd) which persists Git
credentials by default; update that checkout step to include a with:
persist-credentials: false setting so credentials are not stored for downstream
steps—locate the actions/checkout usage and add the persist-credentials: false
key under its with block.
- Around line 29-37: The current inline installs for kubectl (the nested $(curl
...) fetch) and Helm (curl | bash) are brittle; replace them by using the
official GitHub Actions (actions/setup-kubectl and azure/setup-helm or helm's
official action) or at minimum pin a specific kubectl/helm version, check the
curl exit codes, and verify downloads with a checksum before moving/executing;
update the steps that run the kubectl download/chmod/mv and the curl | bash helm
install to use the actions or add explicit version variables, curl -f/--silent
checks, and checksum/verification logic so CI installation is robust and fails
loudly on network or integrity errors.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0e68789b-233b-4df3-95f6-01bd9bd8c04e

📥 Commits

Reviewing files that changed from the base of the PR and between ac098ff and 5e05caf.

📒 Files selected for processing (3)
  • .github/workflows/docker.yaml
  • .github/workflows/golang.yaml
  • .github/workflows/test-e2e.yaml

Comment thread .github/workflows/docker.yaml Outdated
Comment thread .github/workflows/test-e2e.yaml
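
A line-based check for two patterns the review above flags, `${{ github.event.* }}` expanded inside a `run:` script and `actions/checkout` without `persist-credentials: false`, as an added example that is not code from this PR or from CodeRabbit. The `SAMPLE` workflow fragment, the rule names and the `lint` helper are constructed for illustration; a production linter would parse the YAML instead of scanning lines.

```python
import re

# Constructed workflow fragment shaped like the findings in the review above.
SAMPLE = """\
jobs:
  debug-context-docker:
    steps:
      - run: echo "${{ github.event.action }}"
  e2e:
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          persist-credentials: false
      - env:
          ACTION: ${{ github.event.action }}
        run: |
          echo "$ACTION"
"""

EXPR = re.compile(r"\$\{\{\s*(github\.event\.[\w.]+)\s*\}\}")
RUN = re.compile(r"^\s*(?:- )?run:\s*(.*)$")

def indent(line):
    return len(line) - len(line.lstrip(" "))

def block_end(lines, start, col):
    """Index just past the lines nested deeper than column `col`."""
    end = start + 1
    while end < len(lines) and (not lines[end].strip() or indent(lines[end]) > col):
        end += 1
    return end

def lint(text):
    """Return sorted (line, rule, detail) findings from a line-based scan."""
    lines, findings = text.splitlines(), []
    for i, line in enumerate(lines):
        m = RUN.match(line)
        if m:  # shell text: the inline remainder plus any block-scalar body
            end = block_end(lines, i, line.index("run:"))
            for n, body in [(i, m.group(1))] + list(enumerate(lines[i + 1:end], i + 1)):
                for hit in EXPR.finditer(body):
                    findings.append((n + 1, "expr-in-run", hit.group(1)))
        if re.match(r"^\s*- ", line):  # one list item, i.e. a single step
            step = "\n".join(lines[i:block_end(lines, i, indent(line))])
            if "actions/checkout@" in step and not re.search(r"persist-credentials:\s*false", step):
                findings.append((i + 1, "checkout-persists-credentials", "actions/checkout"))
    return sorted(findings)

if __name__ == "__main__": print(*lint(SAMPLE), sep="\n")
```

The same expression under `env:` is not reported, because there the value reaches the shell as data in `$ACTION` rather than being expanded into the script text.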
@rebEllieous rebEllieous force-pushed the feature/481-include-e2e-in-ci branch 2 times, most recently from e1c6a45 to c491a71 Compare June 8, 2026 20:23
@rebEllieous rebEllieous force-pushed the feature/481-include-e2e-in-ci branch from c491a71 to 2e8e0f6 Compare June 8, 2026 21:15

Labels

ok-to-e2e PR is allowed to run E2E tests


Development

Successfully merging this pull request may close these issues.

Run e2e tests as part of the CI workflow

3 participants