Skip to content

LCORE- Update checkout action to v7#2129

Merged
tisnik merged 2 commits into
lightspeed-core:mainfrom
samdoran:checkout-action-update
Jul 14, 2026
Merged

LCORE- Update checkout action to v7#2129
tisnik merged 2 commits into
lightspeed-core:mainfrom
samdoran:checkout-action-update

Conversation

@samdoran

@samdoran samdoran commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Description

Update actions/checkout to v7 in all cases. This addresses a bug where a job triggered by a tag would fail, which is what caused the 0.6.0 job run to fail.

This brings to light a risky configuration that exists currently. Jobs that are triggered by pull_request_target are running code from PRs from forks because access to secrets is needed for the tests to run. This is a common scenario but carries risk. It is possible to do this securely. That will require refactoring how the tests run to separate the parts that need access to secrets from code submitted in PRs from forks.

Once this is merged to main, it will need to be back port to all release branches. Then we need to do two things:

  1. Open a PR against this repo from a branch from a fork to make jobs using pull_request_target run as expected.
  2. Push a new tag and verify that an image is successfully published to quay.io.

Unfortunately there is no way to re-run the job to publish 0.6.0 since it contains the old version of the action with the bug. We will have to manually build and publish that image if we want it to exist in https://quay.io/repository/lightspeed-core/lightspeed-stack, or publish a new tag. Fix it forward, as they say.

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement
  • Benchmarks improvement

Tools used to create PR

  • My brain
  • A whole lot of documentation

Related Tickets & Documents

None

Checklist before requesting a review

  • I have performed a self-review of my code.
  • PR has passed all pre-merge test jobs.
  • If it is a core feature, I have added thorough tests.

Testing

  • Submit a PR from a fork after this change is merged to main. I simulated this by creating a fork of my fork, duplicating the failure, then running again with the changes in this PR merged to main in my fork.
  • Observer that the code is checkout out and jobs runs as expected.

Summary by CodeRabbit

  • Chores
    • Updated repository checkout actions across release, build, and end-to-end testing workflows.
    • Improved pull-request test checkout configuration for workflows requiring secure access to secrets.
    • Maintained multi-architecture release image builds and existing code-quality checks.

This addresses a bug where a test run triggered by a tag would fail.
@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@samdoran, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 43 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 41ada49f-9190-4718-aa6c-10ce25e17786

📥 Commits

Reviewing files that changed from the base of the PR and between aa0a855 and 18bb240.

📒 Files selected for processing (4)
  • .github/workflows/e2e_tests.yaml
  • .github/workflows/e2e_tests_lightspeed_evaluation.yaml
  • .github/workflows/e2e_tests_providers.yaml
  • .github/workflows/e2e_tests_rhaiis.yaml

Walkthrough

Six GitHub Actions workflows upgrade checkout steps to actions/checkout@v7. Four E2E workflows also enable allow-unsafe-pr-checkout: true with comments describing secret access and pull_request_target security considerations.

Changes

GitHub Actions checkout configuration

Layer / File(s) Summary
Checkout action version upgrades
.github/workflows/build_and_push_release.yaml, .github/workflows/e2e_tests*.yaml, .github/workflows/radon.yaml
Checkout steps are updated to use actions/checkout@v7.
Unsafe PR checkout settings
.github/workflows/e2e_tests*.yaml
Selected E2E checkout steps enable unsafe PR checkout and document the associated secret-access configuration.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs

Suggested reviewers: anik120, tisnik

🚥 Pre-merge checks | ✅ 7
✅ Passed checks (7 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: updating actions/checkout to v7 across the workflows.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Performance And Algorithmic Complexity ✅ Passed PASS: only workflow checkout settings changed; no new loops, N+1 patterns, unbounded buffers, or pagination-sensitive list ops.
Security And Secret Handling ✅ Passed Reviewed all six workflow diffs; changes only bump checkout and add allow-unsafe-pr-checkout comments, with no hardcoded/logged secrets, auth gaps, injection, or secret leaks.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
✨ Simplify code
  • Create PR with simplified code

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

This is not ideal but is equivalent to what is happening with the v4 version of
the action today. Explicit opt-it is required in v7.

Actions using pull_request_target that are running code from PRs from forks
should be reevaluated so that tests can run without the risk of compromising
the repository.
@samdoran samdoran force-pushed the checkout-action-update branch from aa0a855 to 18bb240 Compare July 14, 2026 03:04

@tisnik tisnik left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@tisnik tisnik left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@tisnik tisnik merged commit 21866ff into lightspeed-core:main Jul 14, 2026
41 of 46 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants