
Extract checks and security scan from run-ci-cd.yaml #4623

Merged
arkid15r merged 5 commits into OWASP:feature/ci-cd-optimization from ahmedxgouda:ci/extract-checks on May 9, 2026

Conversation

@ahmedxgouda (Collaborator)

Proposed change

Resolves #4620

  • Extracted checks and security scan into a separate workflow
  • Removed Docker layer from cspell

Checklist

  • Required: I followed the contributing workflow
  • Required: I verified that my code works as intended and resolves the issue as described
  • Required: I ran make check-test locally: all warnings addressed, tests passed
  • I used AI for code, documentation, tests, or communication related to this PR

@github-actions github-actions Bot added the ci label May 9, 2026
@coderabbitai (Contributor)

coderabbitai Bot commented May 9, 2026


Summary by CodeRabbit

  • Chores
    • Streamlined CI/CD pipeline by consolidating code quality checks (formatting, linting, security scanning, and spell checking) into a single reusable workflow for improved process efficiency.

Walkthrough

This PR extracts code quality checks from the main CI/CD workflow into a new reusable workflow. Four check jobs (pre-commit, frontend formatting/linting, security scanning, and spellcheck) are consolidated into run-code-quality-checks.yaml. The main workflow is simplified by invoking this reusable workflow and updating seven downstream test jobs to depend on the consolidated checks instead of individual check jobs.

Changes

Workflow Refactoring: Extract Checks

Layer / File(s) Summary
Reusable Workflow Definition
.github/workflows/run-code-quality-checks.yaml
New workflow file created with metadata, environment variables, and four jobs: run-pre-commit-checks (Python/Poetry/Terraform setup), run-frontend-checks (pnpm/Node formatting and linting), run-security-checks (Semgrep and Trivy scanning with 15-minute timeout), and run-spelling-checks (cspell configuration and execution).
CI/CD Workflow Refactoring
.github/workflows/run-ci-cd.yaml
Inline check jobs (pre-commit, check-frontend, spellcheck, run-security-scan-code) are removed and replaced with a single run-code-quality-checks job that invokes the reusable workflow. Seven downstream test/fuzz/infrastructure jobs have their needs dependencies updated to depend only on run-code-quality-checks instead of multiple individual check jobs.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • OWASP/Nest#1215: Both PRs modify the CI workflow's code and security scanning; the retrieved PR adds Trivy scan jobs while this PR consolidates security scans (Trivy/Semgrep) into a new reusable workflow.

Suggested reviewers

  • arkid15r
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main change: extracting checks and security scan from run-ci-cd.yaml into a separate workflow.
Description check ✅ Passed The description directly relates to the changeset, outlining the extraction of checks/security scan and removal of the Docker layer for cspell.
Linked Issues check ✅ Passed The PR successfully implements the requirements from issue #4620: extracted the checks workflow into a separate file and removed the Docker layer from cspell configuration.
Out of Scope Changes check ✅ Passed All changes are directly related to extracting the checks/security scan workflow and removing the Docker layer for cspell, with no unrelated modifications detected.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@ahmedxgouda ahmedxgouda changed the base branch from main to feature/ci-cd-optimization May 9, 2026 13:05
coderabbitai[bot] previously approved these changes May 9, 2026

@cubic-dev-ai cubic-dev-ai Bot (Contributor) left a comment

3 issues found across 2 files

Confidence score: 2/5

  • High-confidence CI regressions are likely: run-checks in .github/workflows/run-ci-cd.yaml lacks job-level permissions, which can deny required contents: read in called jobs under restrictive inherited permissions.
  • .github/workflows/run-checks.yaml appears to run run_install: true from repo root despite no root package.json, creating a concrete risk that frontend checks fail during install/setup.
  • The Trivy hardcoding note in .github/workflows/run-checks.yaml is lower severity and mostly maintainability/policy consistency, but it adds configuration drift risk over time.
  • Pay close attention to .github/workflows/run-ci-cd.yaml and .github/workflows/run-checks.yaml - permission inheritance and install working-directory behavior may break CI execution.
Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/run-ci-cd.yaml">

<violation number="1" location=".github/workflows/run-ci-cd.yaml:30">
P1: The reusable `run-checks` caller job is missing a job-level `permissions` block, so called jobs that require `contents: read` can be denied when inherited from this workflow’s restrictive permissions.</violation>
</file>

<file name=".github/workflows/run-checks.yaml">

<violation number="1" location=".github/workflows/run-checks.yaml:72">
P1: `run_install: true` is executed from the default repo root, but this repo has no root `package.json`; this can break the frontend check job. Set `run_install.cwd` to `frontend` (or disable auto-install and install explicitly in `frontend`).</violation>

<violation number="2" location=".github/workflows/run-checks.yaml:144">
P2: Avoid hardcoding Trivy scanner selection in the workflow; use centralized Make/Trivy configuration so scanner policy is managed in one place.

(Based on your team's feedback about keeping CI/security scanner behavior configuration-driven and centralized.) [FEEDBACK_USED]</violation>
</file>


@cubic-dev-ai cubic-dev-ai Bot (Contributor) left a comment

0 issues found across 1 file (changes from recent commits).

Requires human review: Auto-approval blocked by 3 unresolved issues from previous reviews.

coderabbitai[bot] previously approved these changes May 9, 2026
@ahmedxgouda ahmedxgouda marked this pull request as ready for review May 9, 2026 13:13
@ahmedxgouda ahmedxgouda requested review from arkid15r and kasya as code owners May 9, 2026 13:13
@ahmedxgouda (Collaborator, Author)

The security check is failing because of vulnerable packages @arkid15r

@ahmedxgouda ahmedxgouda changed the title from "Extract checks from and security scan from run-ci-cd.yaml" to "Extract checks and security scan from run-ci-cd.yaml" May 9, 2026
@coderabbitai coderabbitai Bot (Contributor) left a comment

Warning

CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.

Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/run-ci-cd.yaml:
- Around line 28-32: The job "run-code-quality-checks" declares a redundant
permissions block that doesn't apply when invoking a reusable workflow via the
uses: key; remove the permissions: contents: read lines from the
run-code-quality-checks job so the call only contains name and uses (i.e., keep
run-code-quality-checks and uses:
./.github/workflows/run-code-quality-checks.yaml but delete the permissions
section).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 4244989f-df93-4252-bd8a-0d3a607eaf33

📥 Commits

Reviewing files that changed from the base of the PR and between 3673f02 and b35a485.

📒 Files selected for processing (2)
  • .github/workflows/run-ci-cd.yaml
  • .github/workflows/run-code-quality-checks.yaml
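The caller/callee shape the thread is about (the walkthrough's extraction of the four check jobs into a reusable workflow, cubic's notes on the caller job's permissions and on pnpm's `run_install` working directory, and CodeRabbit's comment on the caller's `permissions` block), as an added illustrative example. This is not the project's own workflow file: the workflow and job names follow the walkthrough, but the action versions, scanner flags, script names and the `frontend` directory are assumptions, and the pre-commit job is omitted. Two facts about GitHub Actions that a reviewer would check here: a job that calls a reusable workflow with `uses:` may carry a job-level `permissions` block, and the called workflow can only narrow (never widen) the token permissions it receives from the caller, so an explicit `contents: read` on the caller is the least-privilege choice rather than a no-op; and `pnpm/action-setup`'s `run_install` accepts a list of entries with `cwd`, so the install can run inside `frontend` instead of the repository root.

```yaml
# Added illustrative example, not the project's file. Names follow the PR
# walkthrough; action versions, scanner flags, script names and paths are
# assumptions. Pin third-party actions to full commit SHAs in production.
#
# --- .github/workflows/run-ci-cd.yaml (caller) ---
name: Run CI/CD

on:
  pull_request:
  push:
    branches: [main]

# Restrictive default for every job; each job opts in to what it needs.
permissions: {}

jobs:
  run-code-quality-checks:
    name: Run code quality checks
    # A job that calls a reusable workflow may carry a permissions block.
    # The called workflow can only narrow these grants, never widen them.
    permissions:
      contents: read
    uses: ./.github/workflows/run-code-quality-checks.yaml

  run-backend-tests:
    name: Run backend tests
    needs: [run-code-quality-checks]   # one gate instead of four check jobs
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "tests run here"      # placeholder for the real test step

---
# --- .github/workflows/run-code-quality-checks.yaml (callee) ---
name: Run code quality checks

on:
  workflow_call:          # reusable; no direct push/pull_request triggers

permissions:
  contents: read          # may only narrow what the caller granted

jobs:
  run-frontend-checks:
    name: Run frontend checks
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
        with:
          version: 10                   # assumed pnpm major version
          # run_install defaults to the repo root; package.json is assumed
          # to live under frontend/, so the working directory is set here.
          run_install: |
            - cwd: frontend
              args: [--frozen-lockfile]
      - name: Check formatting and lint
        working-directory: frontend
        run: |
          pnpm run format:check         # assumed script names
          pnpm run lint

  run-security-checks:
    name: Run security checks
    runs-on: ubuntu-latest
    timeout-minutes: 15                 # the timeout named in the walkthrough
    steps:
      - uses: actions/checkout@v4
      - name: Semgrep
        run: |
          python3 -m pip install --quiet semgrep
          semgrep scan --config auto --error   # --error: exit non-zero on findings
      - name: Trivy filesystem scan
        uses: aquasecurity/trivy-action@0.28.0   # assumed tag
        with:
          scan-type: fs
          scan-ref: .
          scanners: vuln,secret,misconfig
          severity: CRITICAL,HIGH
          exit-code: '1'                # vulnerable packages fail the job

  run-spelling-checks:
    name: Run spelling checks
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22              # assumed Node major version
      # cspell run directly on the runner instead of through a Docker image.
      - run: npx --yes cspell --no-progress "**/*.md"
```

With `permissions: {}` at the top of the caller, any job that omits its own `permissions` block gets a token with no scopes at all, so `actions/checkout` would fail in it; that is the intended failure mode, since it forces every job, including the reusable-workflow call, to declare what it needs.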

@cubic-dev-ai cubic-dev-ai Bot (Contributor) left a comment

0 issues found across 2 files (changes from recent commits).

@sonarqubecloud sonarqubecloud Bot commented May 9, 2026

@codecov codecov Bot commented May 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.92%. Comparing base (7072a4c) to head (4dfe6ef).

Additional details and impacted files


@@                     Coverage Diff                     @@
##           feature/ci-cd-optimization    #4623   +/-   ##
===========================================================
  Coverage                       98.92%   98.92%           
===========================================================
  Files                             527      527           
  Lines                           16956    16956           
  Branches                         2360     2360           
===========================================================
  Hits                            16774    16774           
  Misses                             97       97           
  Partials                           85       85           
Flag Coverage Δ
backend 99.50% <ø> (ø)
frontend 97.30% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.



Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 7072a4c...4dfe6ef. Read the comment docs.


@arkid15r arkid15r (Collaborator) left a comment

LGTM

@arkid15r arkid15r enabled auto-merge (squash) May 9, 2026 18:05
@arkid15r arkid15r merged commit 5fb5e82 into OWASP:feature/ci-cd-optimization May 9, 2026
38 checks passed

Development

Successfully merging this pull request may close these issues: Extract checks workflow

2 participants