Extract backend tests workflow and remove docker layer #4635

Open
ahmedxgouda wants to merge 8 commits into OWASP:feature/ci-cd-optimization from ahmedxgouda:ci/backend-tests

@ahmedxgouda
Collaborator

Proposed change

Resolves #4634

Extracted backend tests workflow and removed docker layer

Checklist

  • Required: I followed the contributing workflow
  • Required: I verified that my code works as intended and resolves the issue as described
  • Required: I ran make check-test locally: all warnings addressed, tests passed
  • I used AI for code, documentation, tests, or communication related to this PR

@github-actions github-actions Bot added the ci label May 10, 2026
@coderabbitai
Contributor

coderabbitai Bot commented May 10, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 42e251f6-11dc-4b65-859e-4c944ccf38f5

📥 Commits

Reviewing files that changed from the base of the PR and between a81f78c and 9863bfe.

📒 Files selected for processing (1)
  • .github/workflows/run-backend-tests.yaml

Summary by CodeRabbit

  • Chores
    • Restructured continuous integration pipeline configuration to improve maintainability and modularity of test execution workflows.

Walkthrough

Extracts backend test steps into a reusable run-backend-tests workflow that installs Poetry, caches deps, runs pytest with Django test settings, uploads coverage, and updates the main CI job to call this workflow.

Changes

Backend Tests Workflow Extraction

| Layer / File(s) | Summary |
| --- | --- |
| Reusable Workflow Definition (.github/workflows/run-backend-tests.yaml) | New workflow_call workflow adding run-unit-tests (checkout, Poetry install, Python 3.13 setup with caching keyed to backend/poetry.lock, cache backend/.venv, poetry install --no-interaction, poetry run pytest tests/unit after sourcing .env.example with DJANGO_SETTINGS_MODULE=settings.test, upload backend/coverage.xml) and upload-coverage-to-codecov job (downloads artifact, uploads to Codecov with use_oidc: true, fail_ci_if_error: false). Both jobs have 5-minute timeouts. |
| Workflow Integration (.github/workflows/run-ci-cd.yaml) | run-backend-tests job refactored from inline Docker-based steps to uses: ./.github/workflows/run-backend-tests.yaml, delegating test and coverage upload logic to the reusable workflow. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • OWASP/Nest#4623: Modifies the same run-backend-tests job in .github/workflows/run-ci-cd.yaml to rewire dependencies to run-code-quality-checks.
  • OWASP/Nest#1527: Modifies the backend test job caching and Buildx steps in .github/workflows/run-ci-cd.yaml.

Suggested labels

backend

Suggested reviewers

  • kasya
  • arkid15r
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately and concisely describes the main changes: extracting the backend tests workflow and removing the Docker layer. |
| Description check | ✅ Passed | The description clearly relates to the changeset by explaining the proposed extraction of the backend tests workflow and removal of the Docker layer, with a reference to issue #4634. |
| Linked Issues check | ✅ Passed | The PR successfully implements both requirements from issue #4634: extracts the backend tests workflow into a separate file and removes the Docker layer by running tests on ubuntu-latest with Poetry instead of containerization. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to the linked issue objectives: the new workflow file and refactored CI/CD workflow changes serve only the extraction and Docker removal goals. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

cubic-dev-ai[bot]
cubic-dev-ai Bot previously approved these changes May 10, 2026
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

0 issues found across 1 file (changes from recent commits).

Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

1 issue found across 2 files

Confidence score: 2/5

  • There is a high-confidence, high-severity CI risk in .github/workflows/run-ci-cd.yaml: run-backend-tests is called without job-level permissions while top-level permissions: {} is set.
  • This can block the reusable workflow from getting required contents: read and id-token: write scopes, making backend test execution and related pipeline steps likely to fail.
  • Given the concrete misconfiguration and likely pipeline regression, this is higher merge risk until permissions are explicitly set on the job call.
  • Pay close attention to .github/workflows/run-ci-cd.yaml - missing job-level permissions can prevent the called workflow from obtaining required scopes.
Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/run-ci-cd.yaml">

<violation number="1" location=".github/workflows/run-ci-cd.yaml:38">
P1: The reusable `run-backend-tests` call is missing job-level `permissions`, so with top-level `permissions: {}` the called workflow cannot obtain its required `contents: read` and `id-token: write` scopes.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

Comment thread .github/workflows/run-ci-cd.yaml
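
An added sketch of the permissions finding above (not the PR's actual workflow file): with top-level `permissions: {}`, a job that calls a reusable workflow has to grant the scopes itself, because a called workflow can keep or reduce the caller's token permissions but never raise them. The workflow name and trigger are assumptions; the job name, `uses:` path and scopes are the ones named in the review.

```yaml
# Constructed sketch of the caller, .github/workflows/run-ci-cd.yaml.
# The workflow name and trigger are assumptions; the job name, the `uses:`
# path and the two scopes are the ones named in the review comment.
name: Run CI/CD

on:
  pull_request:

# Deny by default: every job starts with a GITHUB_TOKEN that has no scopes.
permissions: {}

jobs:
  # Before: no job-level block, so the job inherits the empty top-level set.
  # The called workflow's own request for contents: read and id-token: write
  # then exceeds what the caller allows and cannot be satisfied.
  #
  # run-backend-tests:
  #   uses: ./.github/workflows/run-backend-tests.yaml

  # After: grant exactly the scopes the called workflow asks for, on this
  # job only, so every other job keeps the empty default.
  run-backend-tests:
    permissions:
      contents: read    # repository checkout
      id-token: write   # OIDC token for the Codecov upload (use_oidc: true)
    uses: ./.github/workflows/run-backend-tests.yaml
```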
@codecov

codecov Bot commented May 10, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.92%. Comparing base (5fb5e82) to head (1caef9a).

Additional details and impacted files

@@                     Coverage Diff                     @@
##           feature/ci-cd-optimization    #4635   +/-   ##
===========================================================
  Coverage                       98.92%   98.92%           
===========================================================
  Files                             527      527           
  Lines                           16956    16956           
  Branches                         2360     2360           
===========================================================
  Hits                            16774    16774           
  Misses                             97       97           
  Partials                           85       85           
| Flag | Coverage Δ |
| --- | --- |
| backend | 99.50% <ø> (ø) |
| frontend | 97.30% <ø> (ø) |

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 5fb5e82...1caef9a. Read the comment docs.

coderabbitai[bot]
coderabbitai Bot previously approved these changes May 10, 2026
cubic-dev-ai[bot]
cubic-dev-ai Bot previously approved these changes May 10, 2026
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

0 issues found across 1 file (changes from recent commits).

cubic-dev-ai[bot]
cubic-dev-ai Bot previously approved these changes May 10, 2026
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

0 issues found across 2 files (changes from recent commits).

@ahmedxgouda ahmedxgouda marked this pull request as ready for review May 10, 2026 13:20
Comment thread .github/workflows/run-backend-tests.yaml
Comment thread .github/workflows/run-backend-tests.yaml Outdated
Comment thread .github/workflows/run-backend-tests.yaml
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

1 issue found across 1 file (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/run-backend-tests.yaml">

<violation number="1" location=".github/workflows/run-backend-tests.yaml:36">
P2: The cache path points to the wrong directory. Poetry creates the venv in `backend/.venv`, so caching `./.venv` won’t cache the environment used by tests.</violation>
</file>

Comment thread .github/workflows/run-backend-tests.yaml Outdated
Contributor

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/run-backend-tests.yaml:
- Line 44: The workflow contains an unused command "touch
.venv/dependencies_installed" which creates a file never referenced later;
remove that line from the run-backend-tests.yaml job to clean up dead code
(search for the exact string "touch .venv/dependencies_installed" and delete the
command).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 0835ca37-82c9-449c-b787-a3b1261d2190

📥 Commits

Reviewing files that changed from the base of the PR and between 5fb5e82 and a81f78c.

📒 Files selected for processing (2)
  • .github/workflows/run-backend-tests.yaml
  • .github/workflows/run-ci-cd.yaml

Comment thread .github/workflows/run-backend-tests.yaml Outdated
cubic-dev-ai[bot]
cubic-dev-ai Bot previously approved these changes May 11, 2026
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

0 issues found across 1 file (changes from recent commits).

cubic-dev-ai[bot]
cubic-dev-ai Bot previously approved these changes May 11, 2026
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

0 issues found across 1 file (changes from recent commits).

@ahmedxgouda ahmedxgouda requested review from Wandji69 and arkid15r May 11, 2026 17:22
coderabbitai[bot]
coderabbitai Bot previously approved these changes May 11, 2026
@sonarqubecloud

Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

0 issues found across 1 file (changes from recent commits).
