
Conversation

radofuchs (Contributor) commented Jul 31, 2025

Description

Modified the e2e GitHub Action config file to use the proper commit for PRs and pushes, and to use secrets safely.

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement

Related Tickets & Documents

  • Related Issue #
  • Closes #

Checklist before requesting a review

  • I have performed a self-review of my code.
  • PR has passed all pre-merge test jobs.
  • If it is a core feature, I have added thorough tests.

Testing

  • Please provide detailed steps to perform tests related to this code change.
  • How were the fix/results from this change verified? Please provide relevant screenshots or results.

Summary by CodeRabbit

  • Chores
    • Improved the reliability and security of the end-to-end test workflow in GitHub Actions, ensuring correct handling of pull request and push events.

coderabbitai bot (Contributor) commented Jul 31, 2025

Walkthrough

The GitHub Actions workflow for end-to-end (E2E) tests was updated to improve how the repository is checked out for different event types. The workflow now explicitly handles both pull request and push events, sets repository and ref parameters accordingly, fetches the full git history, and enhances security by adjusting credential persistence.

Changes

Cohort / File(s): E2E Workflow Configuration (.github/workflows/e2e_tests.yaml)
Change Summary: Enhanced the checkout step to handle both pull_request_target and push events by conditionally setting repository, ref, fetch depth, and credential persistence for improved security and robustness.

Sequence Diagram(s)

sequenceDiagram
    participant GitHub Actions
    participant Repository
    participant PR Head Repository

    GitHub Actions->>GitHub Actions: Trigger on push or pull_request_target
    alt Event is pull_request_target
        GitHub Actions->>PR Head Repository: Checkout using PR head repo and commit SHA
        GitHub Actions->>GitHub Actions: Set persist-credentials: false
    else Event is push
        GitHub Actions->>Repository: Checkout using current repo and commit SHA
        GitHub Actions->>GitHub Actions: Set persist-credentials: true
    end
    GitHub Actions->>Repository: Fetch full git history (fetch-depth: 0)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~6 minutes

Possibly related PRs

  • LCORE-306: setup e2e test env #306: Both PRs modify the e2e_tests GitHub Actions workflow, with this PR refining checkout logic and the related PR introducing the workflow and Docker setup.

Suggested reviewers

  • tisnik

Poem

A bunny hops through YAML fields,
Securing checks and history yields.
With clever paws, credentials hide,
On every branch and PR ride.
Now E2E runs safe and sound—
In workflows where improvements abound!
🐇✨


coderabbitai bot (Contributor) left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/e2e_tests.yaml (1)

23-25: Credentials still live in GITHUB_TOKEN – consider dropping it entirely on untrusted code

persist-credentials: false prevents the token from being written to the local git config, but the token is still exported as ACTIONS_RUNTIME_TOKEN & GITHUB_TOKEN, so malicious PR code could exfiltrate it.
If the repo is public and a read-only checkout is acceptable, you can fully omit the token for pull_request_target:

           # Don’t keep credentials when running untrusted PR code under PR_TARGET.
           persist-credentials: ${{ github.event_name != 'pull_request_target' }}
+          # Strip write token when executing untrusted code
+          token: ${{ github.event_name == 'pull_request_target' && '' || github.token }}
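Review bot: The added `token:` line at the end of the hunk can never yield the empty string it intends: in GitHub Actions expressions `''` is falsy, so `github.event_name == 'pull_request_target' && '' || github.token` evaluates to `''` and then falls through the `||` to `github.token` for every event, leaving the pull_request_target checkout exactly as authenticated as before. The `cond && a || b` idiom only works when `a` is truthy; put the unauthenticated fork checkout in its own step guarded by `if: github.event_name == 'pull_request_target'` and, independently, bound the job token with a `permissions:` block (`contents: read`) so that whatever still reaches fork code cannot write.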

This leaves the fork checkout unauthenticated (fine for public repos) and removes the last writable secret surface.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e698a95 and cff0e34.

📒 Files selected for processing (1)
  • .github/workflows/e2e_tests.yaml (1 hunks)
🧰 Additional context used
🧠 Learnings (2)
📓 Common learnings
Learnt from: radofuchs
PR: lightspeed-core/lightspeed-stack#306
File: .github/workflows/e2e_tests.yaml:4-4
Timestamp: 2025-07-28T13:15:54.895Z
Learning: The user radofuchs prefers unrestricted pull_request_target workflows with secrets access for comprehensive PR testing, accepting the security trade-offs to ensure all problems are caught during the PR process.

Applied to files:

  • .github/workflows/e2e_tests.yaml
🔇 Additional comments (2)
.github/workflows/e2e_tests.yaml (2)

15-18: Repository fallback logic looks correct; verify for non-PR events

The null-coalescing pattern will work for push & pull_request_target, but github.event.pull_request is undefined on a push, so the left operand evaluates to null. That is fine today, yet if this job is ever re-used under another event (e.g. workflow_dispatch) the expression will throw.
Recommend guarding with an if condition or a contains() check to make future extension safer.


19-22: 👍 Reproducible checkout via exact commit SHA

Using the head commit SHA ensures deterministic builds and solves the classic “force-push breaks the run” problem.
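As an added illustration (not the workflow file from this PR; the job and step names, the trigger branches and the checkout action version are assumed), here is a checkout step that follows the pattern the walkthrough and the review comments above describe, shown beside the default form it replaces, with a read-only permissions block as the defensive complement to persist-credentials:

```yaml
# Added illustration, not the workflow file from this PR.
# Assumed: job/step names, the trigger branches and the checkout action version.
name: e2e_tests
on:
  push:
    branches: [main]
  pull_request_target:

# pull_request_target runs in the base repository's context, with its secrets,
# while the checkout below brings in code from the fork. Limiting the job
# token to read access bounds the damage if that token is ever exposed.
permissions:
  contents: read

jobs:
  e2e:
    runs-on: ubuntu-latest
    steps:
      # Weak form: the same step with defaults would check out the base branch
      # (not the PR head) and persist github.token in .git/config for every
      # later step, including ones that execute fork code:
      #   - uses: actions/checkout@v4
      #
      # Hardened form, following the pattern described in the review:
      - uses: actions/checkout@v4
        with:
          # pull_request_target payloads carry the PR head repository; on a
          # push there is no pull_request object, so fall back to this repo.
          repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
          # Pin to the exact head commit: a force-push to the PR branch while
          # the job is queued cannot change what gets tested.
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          # Full history (fetch-depth: 0), as in the walkthrough.
          fetch-depth: 0
          # Only persist the token for pushes from this repository; fork code
          # checked out under pull_request_target must not find it on disk.
          persist-credentials: ${{ github.event_name != 'pull_request_target' }}
```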

@tisnik tisnik changed the title use proper commit for PRs and pushes LCORE-306: use proper commit for PRs and pushes Aug 1, 2025
tisnik (Contributor) left a comment

LGTM

@tisnik tisnik merged commit 00d18c2 into lightspeed-core:main Aug 1, 2025
17 of 18 checks passed
umago (Contributor) commented Aug 1, 2025

It doesn't seem to have worked, looking at failures from PR#327, which deletes the setup_model_metrics from app:main.py [0]:

lightspeed-stack  |   File "/app-root/src/app/main.py", line 85, in startup_event
lightspeed-stack  |     await setup_model_metrics()
lightspeed-stack  |   File "/app-root/src/metrics/utils.py", line 17, in setup_model_metrics

[0] https://github.com/lightspeed-core/lightspeed-stack/actions/runs/16653262062/job/47131447304?pr=327

@coderabbitai coderabbitai bot mentioned this pull request Aug 1, 2025