Extract run-lighthouse-ci into a separate reusable workflow#4807

Merged
arkid15r merged 2 commits into OWASP:feature/ci-cd-optimization from ahmedxgouda:ci/lighthouse on Jun 1, 2026

Conversation

@ahmedxgouda ahmedxgouda commented Jun 1, 2026

Collaborator

Proposed change

Resolves #4707

Extracted run-lighthouse-ci into a separate reusable workflow

Checklist

  • Required: I followed the contributing workflow
  • Required: I verified that my code works as intended and resolves the issue as described
  • Required: I ran make check-test locally: all warnings addressed, tests passed
  • I used AI for code, documentation, tests, or communication related to this PR

coderabbitai Bot commented Jun 1, 2026

Contributor

Summary by CodeRabbit

  • Chores
    • Improved CI/CD pipeline efficiency by consolidating Lighthouse performance testing into a centralized, reusable workflow configuration, eliminating redundant setup steps across staging and production environments while ensuring consistent test execution.

Walkthrough

Refactors CI by extracting inline Lighthouse CI steps into a reusable workflow (.github/workflows/run-lighthouse-ci.yaml) and updates run-staging-lighthouse-ci and run-production-lighthouse-ci in .github/workflows/run-ci-cd.yaml to call it with base_url set to the appropriate environment.

Changes

Lighthouse CI Workflow Refactoring

  • Reusable Lighthouse CI workflow (.github/workflows/run-lighthouse-ci.yaml): New reusable workflow (workflow_call) requiring base_url; checks out the repo, runs ./.github/actions/setup-frontend-environment, and executes pnpm run lighthouse-ci in frontend/ with LHCI_BASE_URL set; the job has minimal permissions and a 5-minute timeout.
  • CI/CD job integration (.github/workflows/run-ci-cd.yaml): Replaced the inline staging and production Lighthouse job steps with calls to ./.github/workflows/run-lighthouse-ci.yaml, configured with with.base_url: https://nest.owasp.dev (staging) and https://nest.owasp.org (production).

Estimated Code Review Effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly Related PRs

  • OWASP/Nest#2079: Previously added inline run-lighthouse-ci jobs that this PR refactors into a reusable workflow.
  • OWASP/Nest#4635: Also refactors CI/CD workflow jobs to delegate to extracted reusable workflows.
  • Related issue: #4707 — Extract run-lighthouse-ci into a separate workflow (proposal for this extraction).

Suggested Labels

frontend, gsoc2026:ahmedxgouda

Suggested Reviewers

  • kasya
  • arkid15r
  • rudransh-shrivastava
Pre-merge checks: 5 passed

  • Title check: Passed. The title directly and clearly describes the main change: extracting the run-lighthouse-ci job into a separate reusable workflow, which aligns with the primary objective of the PR.
  • Description check: Passed. The description is related to the changeset and references the linked issue #4707, confirming the extraction of run-lighthouse-ci into a reusable workflow.
  • Linked Issues check: Passed. The code changes fully satisfy the objective from issue #4707: a new reusable workflow file was created, and the main CI/CD workflow was updated to use it for both staging and production Lighthouse CI jobs.
  • Out of Scope Changes check: Passed. All changes are directly scoped to extracting and implementing the reusable workflow; no unrelated modifications are present.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@github-actions github-actions Bot added the ci label Jun 1, 2026

@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/run-lighthouse-ci.yaml:
- Around line 23-24: The checkout step using
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd should disable
persisting the GITHUB_TOKEN to .git/config; update the checkout step (the step
with "uses: actions/checkout@...") to include the input persist-credentials:
false so credentials are not written into the workspace during the Lighthouse
job.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 285200f1-4a1a-4d37-9a66-73ae181453cf

📥 Commits

Reviewing files that changed from the base of the PR and between 8aadddf and f0455d4.

📒 Files selected for processing (2)
  • .github/workflows/run-ci-cd.yaml
  • .github/workflows/run-lighthouse-ci.yaml

codecov Bot commented Jun 1, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.77%. Comparing base (8aadddf) to head (3db3c33).

Additional details and impacted files

@@                     Coverage Diff                     @@
##           feature/ci-cd-optimization    #4807   +/-   ##
===========================================================
  Coverage                       98.77%   98.77%           
===========================================================
  Files                             538      538           
  Lines                           16987    16987           
  Branches                         2406     2406           
===========================================================
  Hits                            16779    16779           
  Misses                            119      119           
  Partials                           89       89           
Flag Coverage Δ
backend 99.47% <ø> (ø)
frontend 96.80% <ø> (ø)


sonarqubecloud Bot commented Jun 1, 2026


@cubic-dev-ai cubic-dev-ai Bot left a comment

Contributor


2 issues found across 2 files

Confidence score: 3/5

  • There is a concrete regression risk in .github/workflows/run-lighthouse-ci.yaml: timeout-minutes: 5 is likely insufficient for auditing 8 URLs, which can cause Lighthouse CI jobs to fail or time out intermittently.
  • Because the top issue is high severity/high confidence (8/10, 8/10) and directly affects CI reliability, this lands in moderate merge risk rather than a low-risk merge.
  • A smaller hardening improvement is to set persist-credentials: false in .github/workflows/run-lighthouse-ci.yaml; low severity, but it reduces unnecessary token persistence.
  • Pay close attention to .github/workflows/run-lighthouse-ci.yaml - increase timeout for multi-URL Lighthouse runs and tighten checkout credential handling.
Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/run-lighthouse-ci.yaml">

<violation number="1" location=".github/workflows/run-lighthouse-ci.yaml:24">
P3: Set `persist-credentials: false` on this checkout step. This workflow only runs Lighthouse against an already-deployed URL and never pushes back to the repo, so persisting the `GITHUB_TOKEN` in `.git/config` is unnecessary credential exposure to subsequent steps.</violation>
</file>

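Both bots raise the same two hardening points against the new workflow: a checkout step that leaves persist-credentials at its default, and action references that are not pinned to a commit SHA. The following is an added example, not code from OWASP/Nest or from either review bot: a small line-oriented check that flags exactly those two conditions in a workflow file. The embedded workflow is constructed from the PR summary plus the suggested artifact-upload step and is not the repository's file; the checkout pin is the one quoted in this thread.

```python
# Added example, not OWASP/Nest code: checks for the two review findings above.
import re

USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")   # action reference
STEP_RE = re.compile(r"^\s*-\s+\w")                       # a list item opens a step
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")                   # immutable commit pin

# Constructed sample modelled on the reusable workflow this PR adds; the checkout
# pin is the one shown in the thread, the upload step is the suggested diff.
SAMPLE_WORKFLOW = """\
on:
  workflow_call:
    inputs:
      base_url: {required: true, type: string}
permissions: {}
jobs:
  run-lighthouse-ci:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: ./.github/actions/setup-frontend-environment
      - env:
          LHCI_BASE_URL: ${{ inputs.base_url }}
        run: pnpm run lighthouse-ci
        working-directory: frontend
      - if: always()
        uses: actions/upload-artifact@v4
        with: {name: lighthouse-reports, path: frontend/.lighthouseci/}
"""

def split_steps(text):
    """Group lines into (first_line_number, lines) per '- ' list item."""
    steps, current = [], None
    for number, line in enumerate(text.splitlines(), start=1):
        if STEP_RE.match(line):
            current = (number, [])
            steps.append(current)
        if current is not None:
            current[1].append(line)
    return steps

def check_workflow(text):
    """Return (line, rule, action_ref) findings, in file order."""
    findings = []
    for start, lines in split_steps(text):
        body = "\n".join(lines)
        for offset, line in enumerate(lines):
            match = USES_RE.match(line)
            if not match:
                continue
            ref = match.group(1)
            if ref.startswith(("./", "docker://")):
                continue                        # local action or image, no git ref
            action, _, version = ref.partition("@")
            if not FULL_SHA.match(version):     # tag or branch: mutable, re-targetable
                findings.append((start + offset, "unpinned-action", ref))
            if action == "actions/checkout" and not re.search(
                    r"persist-credentials:\s*false", body):
                findings.append((start + offset, "checkout-persists-token", ref))
    return findings
```

On the sample, check_workflow(SAMPLE_WORKFLOW) flags the checkout step (line 11) for leaving persist-credentials unset and the upload step (line 18) for the mutable @v4 tag; adding `with: {persist-credentials: false}` under the checkout clears the first finding.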


@coderabbitai coderabbitai Bot left a comment

Contributor


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/run-lighthouse-ci.yaml (1)

31-36: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Optional: Consider uploading Lighthouse reports as artifacts.

For debugging assertion failures, consider uploading the Lighthouse CI output directory (typically .lighthouseci/) as workflow artifacts. This would provide detailed performance metrics when the job fails thresholds.

📊 Proposed enhancement to upload artifacts
       - name: Run lighthouse-ci
         env:
           LHCI_BASE_URL: ${{ inputs.base_url }}
         run: pnpm run lighthouse-ci
         working-directory: frontend
+
+      - name: Upload Lighthouse reports
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: lighthouse-reports
+          path: frontend/.lighthouseci/
+          retention-days: 7
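Review bot: the added `uses: actions/upload-artifact@v4` references a mutable tag, while this workflow otherwise pins actions to a full commit SHA (the checkout step in this thread is `actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`); pin upload-artifact to a commit SHA with the version in a trailing comment so the artifact step follows the same supply-chain policy as the checkout. The agent prompt that accompanies this suggestion says `actions/upload-artifact@v3`, which disagrees with the `@v4` in the hunk; one version should be chosen before this is applied. The `if: always()` guard is correct for the stated purpose of capturing reports when thresholds fail.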
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/run-lighthouse-ci.yaml around lines 31 - 36, Add an
artifacts upload step after the "Run lighthouse-ci" job step: after the step
that uses run: pnpm run lighthouse-ci (working-directory: frontend, env
LHCI_BASE_URL) add a step that uses actions/upload-artifact@v3 to upload the
frontend/.lighthouseci directory (or .lighthouseci/**) and set the step
conditional to always() so reports are uploaded even on failures; name the step
clearly like "Upload Lighthouse reports" so it’s easy to find in the workflow.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: be0647a9-4d9e-4dc1-9ec0-4a911083bcea

📥 Commits

Reviewing files that changed from the base of the PR and between f0455d4 and 3db3c33.

📒 Files selected for processing (1)
  • .github/workflows/run-lighthouse-ci.yaml

@ahmedxgouda ahmedxgouda marked this pull request as ready for review June 1, 2026 14:49

@cubic-dev-ai cubic-dev-ai Bot left a comment

Contributor


0 issues found across 1 file (changes from recent commits).


@ahmedxgouda ahmedxgouda added the gsoc2026:ahmedxgouda ahmedxgouda's GSoC 2026 related work label Jun 1, 2026
- name: Check out repository
  uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
  with:
    persist-credentials: false


👍

@arkid15r arkid15r enabled auto-merge (squash) June 1, 2026 23:34
@arkid15r arkid15r disabled auto-merge June 1, 2026 23:34
@arkid15r arkid15r merged commit 6bd69a5 into OWASP:feature/ci-cd-optimization Jun 1, 2026
40 checks passed
@ahmedxgouda ahmedxgouda deleted the ci/lighthouse branch June 3, 2026 17:58
arkid15r added a commit that referenced this pull request Jun 6, 2026
* Extract checks and security scan from `run-ci-cd.yaml`  (#4623)

* Extract checks

* Remove docker layer from cspell

* Give read permission to the checks

* Update code

---------

Co-authored-by: Arkadii Yakovets <arkadii.yakovets@owasp.org>
Co-authored-by: Arkadii Yakovets <2201626+arkid15r@users.noreply.github.com>

* Update pnpm

* Extract backend tests workflow and remove docker layer (#4635)

* Extract backend tests workflow and remove docker layer

* Add permissions

* Add FORCE_COLOR env

* Fix ordering

* Optimize dependencies installation

* Update cache path and comments indentation

* Remove dead code

* Update code

* Update permissions

---------

Co-authored-by: Arkadii Yakovets <arkadii.yakovets@owasp.org>

* Extract codecov upload into a separate workflow (#4668)

* Extract codecov upload to a separate workflow

* Add permissions

* Add checkout

* Update code

* Add back the checkout step

---------

Co-authored-by: Arkadii Yakovets <arkadii.yakovets@owasp.org>

* Remove docker layer from fuzz tests workflow (#4663)

* Remove docker layer from fuzz tests and setup-backend-environment workflow

* Update code

* Update code

* Add poetry run in entrypoint.fuzz.sh

* Update code

* Update code

* Refactor

* Update code

* Apply rabbit's suggestions

* Remove redundant BACKEND_PORT from migration step

* Update caching

* Disable collecting coverage for fuzz tests

* Reorder steps in setup-backend-environment action

* Apply suggestions

* Remove code-quality-checks dependency temporarily

* Update code

* Update code

* Add run-code-quality-checks dependency

* Update code

* Update code

---------

Co-authored-by: Arkadii Yakovets <arkadii.yakovets@owasp.org>

* Remove update_nest_test_images.yaml (#4691)

* Extract infrastructure tests into a separate workflow (#4679)

* Extract infrastructure tests

* Remove the code-quality-checks dependency temporarily

* Apply rabbit suggestions and fix terraform error

* Add caching

* Reorder

* Update path

* Add code-quality-checks as dependency

* Update code

* Update code

---------

Co-authored-by: Arkadii Yakovets <arkadii.yakovets@owasp.org>

* Extract frontend tests into a separate workflow (#4681)

* Extract tests and remove docker layer

* Update code

* Update code

* Update permissions

* Remove code-quality-checks dependency temporarily

* Update permissions

* Update code

* Add caching

* Add run-code-quality-checks dependency

* Update code

* Reorder

* Update code

* Update code

* Update code

* Update code

* Update caching

* Update caching

* Refactor

* Add checkout

* Update setup-frontend-environment action description

* Update code

* Remove redundant manual caching step

* Update code

---------

Co-authored-by: Arkadii Yakovets <arkadii.yakovets@owasp.org>

* Extract e2e tests into a separate workflow (#4687)

* Extract e2e tests into a separate workflow

* Remove docker layer from frontend

* Use custom action

* Update code

* Add next.js caching

* Remove docker layer from e2e tests

* Update code

* Add e2e dependencies installation step

* Add playwright installation and caching

* Update code

* Update code

* Update envs

* Update code

* Update playwright config and add upload artifact step

* Pin service container images by digest

* Update e2e tests name

* Apply rabbit suggestions

* Fix syntax

* Update code

* Add playwright apt caching

* Try playwright container

* Fix pipx

* Drop set up Python cache

* Bump playwright version

* Update code

* Update install poetry action

* Update code

* Update code

* Update browsers

* Update code

* Revert some changes

* Clean up some steps

* Try chromium only

* Update code

* Add logs

* Update smoke test

* Update code

* Update code

* Clean up code

* Bump workers count

* Revert workers number change

* Rebalance CPUs

* More CPUs to playwright

* Update code

* Update code

* Update code

* Remove apt caching

---------

Co-authored-by: Arkadii Yakovets <arkadii.yakovets@owasp.org>

* Extract set-release-version into a separate workflow (#4693)

* Extract set-release-version

* Update code

---------

Co-authored-by: Arkadii Yakovets <arkadii.yakovets@owasp.org>
Co-authored-by: Arkadii Yakovets <2201626+arkid15r@users.noreply.github.com>

* Extract build-images into a separate reusable workflow (#4709)

* Extract build-images

* Update build-production-images

* Update code

* Remove unused docker hub

* Update code

* Update code

* Update code

---------

Co-authored-by: Arkadii Yakovets <arkadii.yakovets@owasp.org>

* Fix e2e and fuzz errors

* Extract run-lighthouse-ci into a separate reusable workflow (#4807)

* Extract run-lighthouse-ci into a separate reusable workflow

* Update .github/workflows/run-lighthouse-ci.yaml

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* Extract run-zap-baseline-scan into a reusable workflow (#4808)

* Extract run-zap-baseline-scan into a reusable workflow

* Update code

* Extract bootstrap-nest-infrastructure into a separate workflow (#4711)

* Extract bootstrap-infrastructure

* Update CI/CD

* Update CI/CD

* Add terraform caching

* Refactor terraform bootstrapping

* Update code

* Update code

* Update code

---------

Co-authored-by: Arkadii Yakovets <arkadii.yakovets@owasp.org>

* Extract scan-images into a separate workflow (#4710)

* Extract scan-images

* Update scan-production-images

* Update code

* Update Trivy caching

* Apply cubic suggestion

* Update code

* Update code

* Refactor trivy

* Update code

* Update code

* Update code

* Update code

* Update code

* Update code

* Update code

* Update code

* Revert "Upload SBOM action creation"

This reverts commit 51132e4.

* Update code

---------

Co-authored-by: Arkadii Yakovets <arkadii.yakovets@owasp.org>

* Extract deploy-nest into a separate reusable workflow (#4818)

* Extract deploy-nest into a separate reusable workflow

* Update code

* Update code

---------

Co-authored-by: Arkadii Yakovets <arkadii.yakovets@owasp.org>

* Extract staging (#4701)

* Extract production jobs into a separate workflow (#4826)

* Extract production jobs into a separate workflow

* Reorder

Update pnpm

* Generalize production and staging workflows (#4835)

* Generalize production and staging workflows

* Reorder

* Extract checks and tests into a reusable workflow and update run-ci-cd

* Update run-fuzz-tests.yaml

* Update code

* Update code

* Update naming

* Update code

* Update code

* Update e2e/playwright.config.ts

* Update code

* Update code

* Update code

---------

Co-authored-by: Arkadii Yakovets <arkadii.yakovets@owasp.org>

* Finalize feature/ci-cd-optimization merge

* Address review comments

* Update secrets handling

* Fix coverage uploading, add docker image tag validation

---------

Co-authored-by: Ahmed Gouda <ahmed.gouda@owasp.org>
pull Bot pushed a commit to rudransh-shrivastava/Nest that referenced this pull request Jun 7, 2026
* Extract run-lighthouse-ci into a separate reusable workflow

* Update .github/workflows/run-lighthouse-ci.yaml

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

Labels

ci gsoc2026:ahmedxgouda ahmedxgouda's GSoC 2026 related work
