
fix: run E2E only when review is approved (secure for forks) #78

Merged
gh-simili-bot merged 5 commits into main from fix/e2e-fork-support
Feb 18, 2026

@Kavirubc (Member) commented Feb 18, 2026

Problem

Forked PRs trigger pull_request, which has no access to secrets. This causes E2E failure. Using pull_request_target grants secret access but is risky if run automatically.

Solution

Switch trigger to pull_request_review (submitted).

  • The workflow runs only when a review is submitted AND the state is 'approved'.
  • This ensures a maintainer has reviewed the code before it runs with secret access.
  • Explicitly checks out the PR code (ref: head.sha) to test the changes.

How to Test

  1. Approve this PR (simulating a maintainer approval).
  2. The workflow should trigger automatically.
  3. Or use the manual trigger (workflow_dispatch) for debugging.

Fixes #77

Summary by CodeRabbit

  • Chores
    • Modified E2E test workflow to trigger on approved pull request reviews instead of all pull requests
    • Added manual workflow dispatch capability with custom input parameters
    • Enhanced pull request and commit tracking in CI/CD pipelines
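
The approval condition described in this pull request, written out as a gate over the `pull_request_review` event payload. This is an added example, not code from the pull request or the project's workflow; the trusted-role list, the `commit_id` comparison and the sample payloads are assumptions constructed for illustration.

```python
import json
import os
from typing import Optional, Tuple

# Assumption: which reviewer roles may release secrets is a local policy choice.
TRUSTED_ASSOCIATIONS = {"OWNER", "MEMBER", "COLLABORATOR"}


def gate(event: dict) -> Tuple[bool, str, Optional[str]]:
    """Decide whether one pull_request_review payload may start the E2E job.

    Returns (allowed, reason, sha_to_check_out).
    """
    review = event.get("review") or {}
    head_sha = ((event.get("pull_request") or {}).get("head") or {}).get("sha")

    # 1. Only an approving review counts (comments and change requests do not).
    if str(review.get("state", "")).lower() != "approved":
        return False, "review state is not approved", None
    # 2. The approval has to come from someone trusted with the repository.
    if review.get("author_association") not in TRUSTED_ASSOCIATIONS:
        return False, "reviewer is not a trusted maintainer", None
    # 3. The approval has to name the exact commit that will be checked out.
    if not head_sha or review.get("commit_id") != head_sha:
        return False, "approval does not cover the head commit", None
    return True, "approved by a maintainer at the head commit", head_sha


# Constructed SHAs and payloads, trimmed to the fields the gate reads.
HEAD = "a1" * 20
OLDER = "b2" * 20


def _event(state, association, commit_id, head=HEAD):
    return {
        "review": {"state": state, "author_association": association,
                   "commit_id": commit_id},
        "pull_request": {"number": 1, "head": {"sha": head}},
    }


SAMPLE_EVENTS = {
    "maintainer approves current head": _event("approved", "MEMBER", HEAD),
    "outside account approves": _event("approved", "NONE", HEAD),
    "approval predates latest push": _event("approved", "OWNER", OLDER),
    "maintainer only comments": _event("commented", "MEMBER", HEAD),
}


def evaluate_samples() -> dict:
    """Run the gate over every constructed payload; name -> allowed."""
    return {name: gate(ev)[0] for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    path = os.environ.get("GITHUB_EVENT_PATH")  # set by the Actions runner
    if path:
        with open(path, encoding="utf-8") as fh:
            allowed, reason, sha = gate(json.load(fh))
        print(f"allowed={allowed} reason={reason} sha={sha}")
        raise SystemExit(0 if allowed else 1)
    for name, ev in SAMPLE_EVENTS.items():
        print(name, "->", gate(ev))
```

In a workflow the payload is the JSON file at `$GITHUB_EVENT_PATH`, and the gate has to run before any step that checks out or executes the PR's code.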

Forked PRs fail because they lack access to secrets. Switching to
`pull_request_target` grants secret access but is risky.

To mitigate risk and respect user workflow:
1. Use `pull_request_target` (runs in context of base branch).
2. Explicitly checkout the PR code (`ref: head.sha`).
3. Require manual approval via `environment: e2e-test`.
   - Maintainers must configure the 'e2e-test' environment in
     Settings -> Environments -> Deployment protection rules
     and add 'Required reviewers'.
   - This ensures no untrusted code runs E2E without approval.

Fixes #77

Signed-off-by: Kavirubc <hapuarachchikaviru@gmail.com>

coderabbitai bot commented Feb 18, 2026

Walkthrough

Changed the E2E workflow triggers from pull_request to pull_request_review (types: submitted) and added workflow_dispatch; added conditional/manual dispatch handling, explicit checkout using PR head SHA or manual input, and propagated PR/commit SHA inputs for reporting and PR comments.

Changes

| Cohort / File(s) | Summary |
|---|---|
| E2E workflow `.github/workflows/e2e-test.yml` | Replaced pull_request trigger with pull_request_review (submitted) and added workflow_dispatch inputs; added conditional runs for approved reviews or manual dispatch; checkout uses PR head SHA or inputs.sha; disabled credential persistence; compute/fallback SHA and propagate PR_NUM/CO_SHA inputs; updated PR comment and README generation to use provided inputs and BOT_PAT where required. |

Sequence Diagram(s)

sequenceDiagram
    participant Contributor as Contributor (PR)
    participant Reviewer as Reviewer (submits review)
    participant GitHub as GitHub Events
    participant Actions as Actions Runner
    participant Checkout as Checkout Step
    participant TestRepo as External Test Repo (reporting / comments)

    Contributor->>GitHub: Open PR (head SHA)
    Reviewer->>GitHub: Submit review (approved)
    GitHub->>Actions: Trigger workflow (pull_request_review) OR manual workflow_dispatch
    Actions->>Checkout: Checkout repo using PR head SHA or `inputs.sha`
    Checkout-->>Actions: PR code available (credential persistence disabled)
    Actions->>TestRepo: Run tests, send PR_NUM/CO_SHA inputs for README/comment updates (use BOT_PAT when available)
    TestRepo-->>Actions: Acknowledge comments/report updates

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

ci

Poem

🐇
I nudged the CI with a careful paw,
Swapped triggers, routed SHA by law,
A reviewer taps—then tests take flight,
Reports and comments shine at night.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: switching E2E workflow triggers from pull_request to pull_request_review (approved) for secure fork support. |
| Linked Issues check | ✅ Passed | The PR addresses issue #77 by using pull_request_review (submitted) trigger with approved-state checks instead of the proposed pull_request_target approach, providing equivalent security with safer fork handling. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to E2E workflow trigger configuration and security hardening. No unrelated modifications detected beyond PR objectives. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@gh-simili-bot (Contributor) commented

Simili Triage Report

Note

Quality Score: 9.5/10 (Excellent)
The issue could be improved. See suggestions below.

Classification

Category Value
Labels
Quality Improvements
  • Missing specific error log snippet
  • Add a snippet of the exact error message or log output from the failing E2E workflow
Similar Threads

| Similarity | Thread | Status |
|---|---|---|
| 85% | #77 Bug: E2E fails on forked PRs due to missing sec... | Open |
| 78% | #74 fix: prevent bot loop & enable E2E for forks | Closed |
| 75% | #39 Similar Issue | |

Warning

Possible Duplicate (Confidence: 95%)
This pull request might be a duplicate of #77.
Reason: The current issue explicitly states 'Fixes #77' in its body. Issue #77's title, 'Bug: E2E fails on forked PRs due to missing secrets', perfectly aligns with the problem described in the current issue: 'Forked PRs trigger the pull_request event, which runs with read-only permissions and NO access to repository secrets... This causes the E2E workflow to fail'. Both issues describe the exact same root cause (insufficient permissions/missing secrets for E2E workflows on forked PRs) and the same desired outcome (E2E workflows successfully running on forked PRs). The current issue provides the solution to the problem outlined in #77.


Generated by Simili Bot

gh-simili-bot previously approved these changes Feb 18, 2026

Added `workflow_dispatch` to allow manual execution. This is useful
for debugging trigger issues (like the pull_request -> pull_request_target
transition) and for running tests on demand.

Signed-off-by: Kavirubc <hapuarachchikaviru@gmail.com>

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
.github/workflows/e2e-test.yml (2)

128-134: ⚠️ Potential issue | 🟡 Minor

secrets.BOT_USERNAME vs env.BOT_NAME inconsistency creates a latent correctness risk

Step 4 constructs the repo path using ${{ secrets.BOT_USERNAME }}, while every other step (steps 1, 3, 5, 7–15) uses ${{ env.BOT_NAME }} (hardcoded "gh-simili-bot"). If BOT_USERNAME secret ever diverges from BOT_NAME, step 4 will target a non-existent repo and silently fail or create issues in the wrong place.

🐛 Proposed fix
-          REPO="${{ secrets.BOT_USERNAME }}/${{ env.TEST_REPO_NAME }}"
+          REPO="${{ env.BOT_NAME }}/${{ env.TEST_REPO_NAME }}"
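Review bot: on the `+` line, `${{ env.BOT_NAME }}` and `${{ env.TEST_REPO_NAME }}` are still substituted into the script text before the shell runs. Assuming both are set under `env:`, they are also exported to the step as environment variables, so `REPO="${BOT_NAME}/${TEST_REPO_NAME}"` gives the same path without expression expansion inside `run:`.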
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/e2e-test.yml around lines 128 - 134, The REPO variable in
the "Create seed issues" step uses `${{ secrets.BOT_USERNAME }}` which is
inconsistent with other steps that use `${{ env.BOT_NAME }}` and may point at
the wrong repository; change the REPO assignment to use `${{ env.BOT_NAME }}`
(i.e., set REPO to `${{ env.BOT_NAME }}/${{ env.TEST_REPO_NAME }}`) and verify
there are no other occurrences of `secrets.BOT_USERNAME` in this workflow so all
steps consistently reference `env.BOT_NAME` and `TEST_REPO_NAME`.

373-373: ⚠️ Potential issue | 🟡 Minor

GITHUB_SHA refers to the base branch HEAD in pull_request_target, not the PR commit

With pull_request_target, GITHUB_SHA is the HEAD of the base branch, not the PR's head SHA. The README written to the test repo will show a commit completely unrelated to the PR being tested. Use github.event.pull_request.head.sha (already referenced at line 160 and 255) for consistency.

🐛 Proposed fix
-          | **Commit** | \`${GITHUB_SHA:0:7}\` |
+          | **Commit** | \`${{ github.event.pull_request.head.sha }}\` |
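Review bot: the `+` line drops the `:0:7` truncation that the `-` line applied, so the Commit cell would carry the full SHA rather than the short form written before. Keep the 7-character substring by assigning the SHA to a shell variable first and writing `${PR_SHA:0:7}` in the heredoc.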

Note: since this is inside an unquoted heredoc, ${{ ... }} will be treated as a shell variable expansion and will fail. You need to either pass the SHA as a shell env var or escape it for the shell:

          BOT_OK="${{ steps.poll.outputs.bot_commented }}"
+         PR_SHA="${{ github.event.pull_request.head.sha }}"
          cat > README.md << RMEOF
          ...
-          | **Commit** | \`${GITHUB_SHA:0:7}\` |
+          | **Commit** | \`${PR_SHA:0:7}\` |
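Review bot: `PR_SHA` on the added assignment line is empty whenever the run has no `github.event.pull_request` (a manual dispatch, for example), and `${PR_SHA:0:7}` then writes an empty Commit cell without any error. Add a fallback source for the SHA or fail the step when `PR_SHA` is empty, so the README never reports a run with no commit attached.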
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/e2e-test.yml at line 373, The workflow uses GITHUB_SHA
which in a pull_request_target context points to the base branch HEAD; replace
that usage with the PR commit SHA via github.event.pull_request.head.sha where
the commit is injected into the test README (replace `${GITHUB_SHA:0:7}` with
the PR SHA). Because this value is being written inside an unquoted heredoc,
either pass github.event.pull_request.head.sha into the shell as an env var
(e.g., export PR_SHA=${{ github.event.pull_request.head.sha }}) and reference
the shell var in the heredoc, or escape the GitHub expression so it isn’t
expanded by the shell (e.g., use \${{ github.event.pull_request.head.sha }}),
and ensure you still substring to 7 chars when writing the README.
🧹 Nitpick comments (1)
.github/workflows/e2e-test.yml (1)

346-354: Test repository created in step 1 is never deleted during cleanup

The Qdrant collection is cleaned up (if: always()), but the test repository ${{ env.BOT_NAME }}/${{ env.TEST_REPO_NAME }} created in step 1 is never removed. Every run leaves behind a permanent private repo under the bot account, which will accumulate over time and consume private repo quota.

Consider adding a gh repo delete step in the cleanup phase:

♻️ Proposed addition (after step 12)
      # ----- 12b. Delete test repository -----
      - name: Delete test repository
        if: always()
        env:
          GH_TOKEN: ${{ secrets.BOT_PAT }}
        run: |
          gh repo delete "${{ env.BOT_NAME }}/${{ env.TEST_REPO_NAME }}" --yes || true
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/e2e-test.yml around lines 346 - 354, Add a cleanup step to
delete the test GitHub repository created in step 1 by invoking the GitHub CLI;
specifically, add a new job step after the "Cleanup Qdrant collection" step that
runs `gh repo delete "${{ env.BOT_NAME }}/${{ env.TEST_REPO_NAME }}" --yes ||
true`, set if: always(), and provide GH_TOKEN from secrets.BOT_PAT via env to
authenticate (so the test repo named by env.BOT_NAME and env.TEST_REPO_NAME is
removed on every run).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/e2e-test.yml:
- Around line 19-21: The workflow uses pull_request_target with a later
actions/checkout that leaves credentials accessible; update the checkout step
(the actions/checkout invocation used when handling pull_request_target) to
include persist-credentials: false so the checked-out PR code cannot access
GITHUB_TOKEN, QDRANT_API_KEY, QDRANT_URL or GEMINI_API_KEY, and keep the
environment: e2e-test gate; also replace usages of GITHUB_SHA (the variable used
to log the tested commit) with the PR head commit reference
github.event.pull_request.head.sha to ensure the logged SHA corresponds to the
PR head rather than the base branch.
- Around line 40-41: The workflow sets environment: e2e-test for the job to
mitigate pull_request_target risks, but that only works if the GitHub
Environment "e2e-test" exists and has required reviewers configured; verify (and
if missing, create) the "e2e-test" environment in repository Settings →
Environments and enable Required reviewers so the job cannot run automatically
with secrets like BOT_PAT, QDRANT_API_KEY, GEMINI_API_KEY unless a reviewer
approves.


Comment on lines 40 to 41

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if the e2e-test environment exists and what protection rules it has
# First, let's check the workflow file itself to confirm context
cat .github/workflows/e2e-test.yml | head -50

Repository: similigh/simili-bot

Length of output: 1825


🏁 Script executed:

#!/bin/bash
# Check repository environments and their protection rules
# Using simpler approach first - check if environment exists
gh api repos/similigh/simili-bot/environments \
  --jq '.environments[] | select(.name == "e2e-test") | {name: .name, protection_rules: .protection_rules}'

Repository: similigh/simili-bot

Length of output: 223


🏁 Script executed:

#!/bin/bash
# Search for references to e2e-test environment in the repo
echo "=== Searching for e2e-test references ==="
rg "e2e-test" --type yaml --type md --type txt

echo -e "\n=== Looking for environment documentation ==="
find . -type f \( -name "*environment*" -o -name "*ENVIRONMENT*" -o -name "*setup*" -o -name "*README*" \) ! -path "./.*" | head -20

echo -e "\n=== Checking for .github/workflows directory contents ==="
ls -la .github/workflows/ 2>/dev/null || echo "No workflows directory"

Repository: similigh/simili-bot

Length of output: 689


🏁 Script executed:

#!/bin/bash
# Check the complete environment setup in the workflow
echo "=== Lines around environment: e2e-test ==="
sed -n '35,50p' .github/workflows/e2e-test.yml

echo -e "\n=== Search for all environment usages in workflows ==="
rg "environment:" .github/workflows/ -A 2

echo -e "\n=== Search for workflow_call or environment setup ==="
rg "(environment|environments|GITHUB_ENVIRONMENT)" . --type yaml --type md

echo -e "\n=== Check if there's a .github/environments directory ==="
ls -la .github/ 2>/dev/null

Repository: similigh/simili-bot

Length of output: 1942


🏁 Script executed:

#!/bin/bash
# Verify the security concern by checking the secrets accessed in the workflow
echo "=== Secrets used in e2e-test workflow ==="
rg "secrets\." .github/workflows/e2e-test.yml | head -10

echo -e "\n=== Check pull_request_target permissions ==="
sed -n '26,31p' .github/workflows/e2e-test.yml

Repository: similigh/simili-bot

Length of output: 990


Ensure the e2e-test environment exists in repository settings with required reviewers enabled.

environment: e2e-test at line 40 is the correct mitigation for pull_request_target, which allows untrusted PR code to run with access to sensitive secrets (BOT_PAT, QDRANT_API_KEY, GEMINI_API_KEY). However, this gate only works if properly configured:

  • If the e2e-test environment does not exist in repository settings, the job runs immediately without approval.
  • If the environment exists but has no required reviewers configured, it provides no protection.

The entire security guarantee depends on external repository configuration that cannot be verified from this workflow file. Before merging, confirm in Settings → Environments → e2e-test that required reviewers are enforced.


Replaced `pull_request_target` trigger with `pull_request_review`
(submitted). The workflow now runs only if:
  1. A review is submitted.
  2. The review state is 'approved'.

This satisfies the requirement to run E2E tests (which access secrets)
only after a maintainer has reviewed and approved the code changes.
Manual `workflow_dispatch` trigger is retained for debugging.

Signed-off-by: Kavirubc <hapuarachchikaviru@gmail.com>
@Kavirubc Kavirubc changed the title fix: E2E fails on forked PRs (use pull_request_target) fix: run E2E only when review is approved (secure for forks) Feb 18, 2026
gh-simili-bot previously approved these changes Feb 18, 2026

@gh-simili-bot (Contributor) commented

Simili Triage Report

Note

Quality Score: 9.5/10 (Excellent)
The issue is well-described.

Classification

Category Value
Labels
Quality Improvements
  • Consider explicitly mentioning the specific workflow file path (e.g., .github/workflows/e2e.yml) for absolute clarity, though it is likely implied.
Similar Threads

| Similarity | Thread | Status |
|---|---|---|
| 82% | #77 Bug: E2E fails on forked PRs due to missing sec... | Open |
| 77% | #74 fix: prevent bot loop & enable E2E for forks | Closed |

Warning

Possible Duplicate (Confidence: 98%)
This pull request might be a duplicate of #77.
Reason: The current issue explicitly states 'Fixes #77'. The 'Problem' section of the current issue describes the exact same bug as Issue #77: E2E tests failing on forked PRs due to missing secrets. Both issues share the same root cause (lack of secret access for forked PRs) and the same expected outcome (E2E tests running securely on forked PRs). The solution proposed in the current issue fully resolves Issue #77. Issue #74, while related to E2E for forks, also mentions 'prevent bot loop' which suggests a potentially different or additional root cause, making it related but not a duplicate.


Generated by Simili Bot

@gh-simili-bot gh-simili-bot added the enhancement New feature or request label Feb 18, 2026

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/e2e-test.yml:
- Around line 19-22: The workflow_dispatch trigger lacks inputs for PR SHA and
PR number causing github.event.pull_request.* to be empty; add inputs (e.g.,
pr_sha and pr_number) to the workflow_dispatch section and update all places
that currently reference github.event.pull_request.head.sha and
github.event.pull_request.number to use fallback expressions such as
github.event.pull_request.head.sha || github.event.inputs.pr_sha and
github.event.pull_request.number || github.event.inputs.pr_number; also update
the sed replacement that substitutes __PR_SHA__ and any gh pr comment invocation
to use the same fallback inputs so checkout (ref), action references, and gh
commands work when manually dispatched.

---

Duplicate comments:
In @.github/workflows/e2e-test.yml:
- Around line 40-42: The workflow's environment: e2e-test setting is ineffective
unless that GitHub Environment has Required reviewers configured; update the
repository settings to create the "e2e-test" environment and enable Required
reviewers (so PRs from forks cannot access BOT_PAT, QDRANT_API_KEY,
GEMINI_API_KEY), or alternatively remove/change the environment line in the
workflow (.github/workflows/e2e-test.yml) and/or move secret usage to a
protected path (e.g., run tests only from branches or use repository_dispatch
from trusted actors) to ensure forked PRs cannot access those secrets.
- Around line 157-162: Add persist-credentials: false to the actions/checkout@v4
step that checks out the PR head (the step using ref: ${{
github.event.pull_request.head.sha }} and path: simili-src) so no workflow token
is written into .git/config; also replace uses of the runtime env variable
GITHUB_SHA (logged elsewhere) with the explicit expression ${{
github.event.pull_request.head.sha }} to ensure the logged/tested commit is the
PR head rather than the base branch HEAD.

@github-actions commented

🧪 E2E Test

Bot responded: no

Test repo → gh-simili-bot/simili-e2e-22146348741
Run → logs

Auto-generated by E2E pipeline

1. **Security**: Added `persist-credentials: false` to checkout step to prevent
   GITHUB_TOKEN leakage (per CodeRabbit).
2. **Manual Trigger**: Fixed `workflow_dispatch` by adding inputs (`sha`, `pr_number`)
   and fallback logic. Previous version failed because `github.event.pull_request` is null.
3. **Traceability**: Updated logs, PR comments, and test repo README to show
   the actual checked-out commit SHA (`CO_SHA`) instead of the workflow SHA.

Signed-off-by: Kavirubc <hapuarachchikaviru@gmail.com>
gh-simili-bot previously approved these changes Feb 18, 2026

Switched from GITHUB_TOKEN to BOT_PAT for the PR commenting step.
The GITHUB_TOKEN provided to workflows triggered by pull_request_review
sometimes lacks write permissions on the PR, resulting in a 401 Bad Credentials
error. BOT_PAT is confirmed to have the necessary scopes.

Signed-off-by: Kavirubc <hapuarachchikaviru@gmail.com>

@gh-simili-bot (Contributor) commented

🧪 E2E Test

Bot responded: yes

Test repo → gh-simili-bot/simili-e2e-22147187250
Run → logs

Auto-generated by E2E pipeline

@coderabbitai coderabbitai bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/e2e-test.yml (1)

73-76: ⚠️ Potential issue | 🟡 Minor

Missing inputs.pr_number fallback in test repo description.

When triggered via workflow_dispatch, github.event.pull_request.number is empty, producing the description "Simili E2E test – PR #". Consider using the same fallback pattern used elsewhere.

          gh repo create "${{ env.BOT_NAME }}/${{ env.TEST_REPO_NAME }}" \
            --private \
-           --description "Simili E2E test – PR #${{ github.event.pull_request.number }}" \
+           --description "Simili E2E test – PR #${{ github.event.pull_request.number || inputs.pr_number }}" \
            --clone
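Review bot: the `+` line reads `inputs.pr_number`, while the prompt text for this same change spells the fallback as `github.event.inputs.pr_number`; pick one form and use it everywhere the PR number is read. If neither value is set the description still ends in a bare `PR #`, so consider failing the step when the number is empty.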
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/e2e-test.yml around lines 73 - 76, The repo creation
description uses github.event.pull_request.number which is empty for
workflow_dispatch; update the description string passed to the gh repo create
command to fallback to inputs.pr_number when github.event.pull_request.number is
unset (same pattern used elsewhere), so the description becomes something like
"Simili E2E test – PR #${{ github.event.pull_request.number ||
github.event.inputs.pr_number }}" while keeping the existing env.BOT_NAME and
env.TEST_REPO_NAME arguments.
🧹 Nitpick comments (1)
.github/workflows/e2e-test.yml (1)

162-163: Duplicate comment line.

Line 162 and line 163 are identical step-section comments. Remove one.

-      # ----- 5. Build CLI from PR & index seed issues -----
       # ----- 5. Build CLI from PR & index seed issues -----
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/e2e-test.yml around lines 162 - 163, Remove the duplicated
comment line "# ----- 5. Build CLI from PR & index seed issues -----" so only a
single instance remains; find the two identical comment lines near the
build/index step in the e2e-test workflow and delete one of them to avoid the
duplicate.

@gh-simili-bot gh-simili-bot merged commit 1895764 into main Feb 18, 2026
8 checks passed
@gh-simili-bot gh-simili-bot deleted the fix/e2e-fork-support branch February 18, 2026 16:08
@github-project-automation github-project-automation bot moved this from Todo to Done in simili-bot-v1-release Feb 18, 2026

Labels

bug (Something isn't working), ci/cd, enhancement (New feature or request), security

Development

Successfully merging this pull request may close these issues.

Bug: E2E fails on forked PRs due to missing secrets

2 participants
