
Extract run-lighthouse-ci into a separate reusable workflow #4807

Merged: arkid15r merged 2 commits into OWASP:feature/ci-cd-optimization from ahmedxgouda:ci/lighthouse on Jun 1, 2026

Conversation

@ahmedxgouda (Collaborator) commented Jun 1, 2026

Proposed change

Resolves #4707

Extracted run-lighthouse-ci into a separate reusable workflow

Checklist

  • Required: I followed the contributing workflow
  • Required: I verified that my code works as intended and resolves the issue as described
  • Required: I ran make check-test locally: all warnings addressed, tests passed
  • I used AI for code, documentation, tests, or communication related to this PR

@coderabbitai (Contributor, bot) commented Jun 1, 2026

Summary by CodeRabbit

  • Chores
    • Improved CI/CD pipeline efficiency by consolidating Lighthouse performance testing into a centralized, reusable workflow configuration, eliminating redundant setup steps across staging and production environments while ensuring consistent test execution.

Walkthrough

Refactors CI by extracting inline Lighthouse CI steps into a reusable workflow (.github/workflows/run-lighthouse-ci.yaml) and updates run-staging-lighthouse-ci and run-production-lighthouse-ci in .github/workflows/run-ci-cd.yaml to call it with base_url set to the appropriate environment.

Changes

Lighthouse CI Workflow Refactoring

  • Reusable Lighthouse CI workflow (.github/workflows/run-lighthouse-ci.yaml): New reusable workflow (workflow_call) requiring base_url; checks out the repo, runs ./.github/actions/setup-frontend-environment, and executes pnpm run lighthouse-ci in frontend/ with LHCI_BASE_URL set; the job has minimal permissions and a 5-minute timeout.
  • CI/CD job integration (.github/workflows/run-ci-cd.yaml): Replaced the inline staging and production Lighthouse job steps with calls to ./.github/workflows/run-lighthouse-ci.yaml, configured with with.base_url: https://nest.owasp.dev (staging) and https://nest.owasp.org (production).

Estimated Code Review Effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly Related PRs

  • OWASP/Nest#2079: Previously added inline run-lighthouse-ci jobs that this PR refactors into a reusable workflow.
  • OWASP/Nest#4635: Also refactors CI/CD workflow jobs to delegate to extracted reusable workflows.
  • Related issue: #4707 — Extract run-lighthouse-ci into a separate workflow (proposal for this extraction).

Suggested Labels

frontend, gsoc2026:ahmedxgouda

Suggested Reviewers

  • kasya
  • arkid15r
  • rudransh-shrivastava
🚥 Pre-merge checks: 5 passed

  • Title check: Passed. The title directly and clearly describes the main change: extracting the run-lighthouse-ci job into a separate reusable workflow, which aligns with the primary objective of the PR.
  • Description check: Passed. The description is related to the changeset and references the linked issue #4707, confirming the extraction of run-lighthouse-ci into a reusable workflow.
  • Linked Issues check: Passed. The code changes fully satisfy the objective from issue #4707: a new reusable workflow file was created, and the main CI/CD workflow was updated to use it for both staging and production Lighthouse CI jobs.
  • Out of Scope Changes check: Passed. All changes are directly scoped to extracting and implementing the reusable workflow; no unrelated modifications are present.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@github-actions github-actions Bot added the ci label Jun 1, 2026
@coderabbitai (Contributor, bot) left a review

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/run-lighthouse-ci.yaml:
- Around line 23-24: The checkout step using
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd should disable
persisting the GITHUB_TOKEN to .git/config; update the checkout step (the step
with "uses: actions/checkout@...") to include the input persist-credentials:
false so credentials are not written into the workspace during the Lighthouse
job.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 285200f1-4a1a-4d37-9a66-73ae181453cf

📥 Commits

Reviewing files that changed from the base of the PR and between 8aadddf and f0455d4.

📒 Files selected for processing (2)
  • .github/workflows/run-ci-cd.yaml
  • .github/workflows/run-lighthouse-ci.yaml

@codecov (bot) commented Jun 1, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.77%. Comparing base (8aadddf) to head (3db3c33).


@@                     Coverage Diff                     @@
##           feature/ci-cd-optimization    #4807   +/-   ##
===========================================================
  Coverage                       98.77%   98.77%           
===========================================================
  Files                             538      538           
  Lines                           16987    16987           
  Branches                         2406     2406           
===========================================================
  Hits                            16779    16779           
  Misses                            119      119           
  Partials                           89       89           
Flag Coverage Δ
backend 99.47% <ø> (ø)
frontend 96.80% <ø> (ø)

Flags with carried forward coverage won't be shown.



Legend
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 8aadddf...3db3c33.


Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
@sonarqubecloud (bot) commented Jun 1, 2026

@cubic-dev-ai (Contributor, bot) left a comment

2 issues found across 2 files

Confidence score: 3/5

  • There is a concrete regression risk in .github/workflows/run-lighthouse-ci.yaml: timeout-minutes: 5 is likely insufficient for auditing 8 URLs, which can cause Lighthouse CI jobs to fail or time out intermittently.
  • Because the top issue is high severity/high confidence (8/10, 8/10) and directly affects CI reliability, this lands in moderate merge risk rather than a low-risk merge.
  • A smaller hardening improvement is to set persist-credentials: false in .github/workflows/run-lighthouse-ci.yaml; low severity, but it reduces unnecessary token persistence.
  • Pay close attention to .github/workflows/run-lighthouse-ci.yaml - increase timeout for multi-URL Lighthouse runs and tighten checkout credential handling.
Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/run-lighthouse-ci.yaml">

<violation number="1" location=".github/workflows/run-lighthouse-ci.yaml:24">
P3: Set `persist-credentials: false` on this checkout step. This workflow only runs Lighthouse against an already-deployed URL and never pushes back to the repo, so persisting the `GITHUB_TOKEN` in `.git/config` is unnecessary credential exposure to subsequent steps.</violation>
</file>

@coderabbitai (Contributor, bot) left a review

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/run-lighthouse-ci.yaml (1)

31-36: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Optional: Consider uploading Lighthouse reports as artifacts.

For debugging assertion failures, consider uploading the Lighthouse CI output directory (typically .lighthouseci/) as workflow artifacts. This would provide detailed performance metrics when the job fails thresholds.

📊 Proposed enhancement to upload artifacts
       - name: Run lighthouse-ci
         env:
           LHCI_BASE_URL: ${{ inputs.base_url }}
         run: pnpm run lighthouse-ci
         working-directory: frontend
+
+      - name: Upload Lighthouse reports
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: lighthouse-reports
+          path: frontend/.lighthouseci/
+          retention-days: 7
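Review bot: The added step references `actions/upload-artifact@v4` by mutable tag, while the existing checkout step in this same workflow is pinned to a full commit SHA (`actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`); pin the upload action to a commit SHA with a version comment in the same style, so a retargeted tag cannot change what runs in this job. The accompanying prompt text says `actions/upload-artifact@v3` while the diff says `@v4`; settle on one version so the suggestion and the prompt agree. The `frontend/.lighthouseci/` path is described as "typically" the output directory rather than confirmed from the project's lighthouse-ci configuration; since `if: always()` runs the upload even when that directory does not exist, add an explicit `if-no-files-found: error` (or verify the path first) so a missing report surfaces instead of being silently skipped.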
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/run-lighthouse-ci.yaml around lines 31 - 36, Add an
artifacts upload step after the "Run lighthouse-ci" job step: after the step
that uses run: pnpm run lighthouse-ci (working-directory: frontend, env
LHCI_BASE_URL) add a step that uses actions/upload-artifact@v3 to upload the
frontend/.lighthouseci directory (or .lighthouseci/**) and set the step
conditional to always() so reports are uploaded even on failures; name the step
clearly like "Upload Lighthouse reports" so it’s easy to find in the workflow.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: be0647a9-4d9e-4dc1-9ec0-4a911083bcea

📥 Commits

Reviewing files that changed from the base of the PR and between f0455d4 and 3db3c33.

📒 Files selected for processing (1)
  • .github/workflows/run-lighthouse-ci.yaml

@ahmedxgouda ahmedxgouda marked this pull request as ready for review June 1, 2026 14:49
@cubic-dev-ai (Contributor, bot) left a comment

0 issues found across 1 file (changes from recent commits).


@ahmedxgouda ahmedxgouda added the gsoc2026:ahmedxgouda ahmedxgouda's GSoC 2026 related work label Jun 1, 2026
Review thread on .github/workflows/run-lighthouse-ci.yaml:

      - name: Check out repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
Collaborator replied: 👍

@arkid15r arkid15r enabled auto-merge (squash) June 1, 2026 23:34
@arkid15r arkid15r disabled auto-merge June 1, 2026 23:34
@arkid15r arkid15r merged commit 6bd69a5 into OWASP:feature/ci-cd-optimization Jun 1, 2026
40 checks passed
@ahmedxgouda ahmedxgouda deleted the ci/lighthouse branch June 3, 2026 17:58

Labels: ci, gsoc2026:ahmedxgouda (ahmedxgouda's GSoC 2026 related work)

Participants: 2