Enable e2e mock test on release branches

[aneeshkp]

The e2e mock test workflow only triggers on PRs to main.
Add release-* to the branch filter so PRs targeting release
branches (e.g., release-3.4-ea.2) also run the e2e test.

Summary by CodeRabbit

• Chores
  • Enhanced testing infrastructure configuration for broader branch coverage during development and release cycles.

[coderabbitai]

📝 Walkthrough

Walkthrough

The e2e-mock-test workflow configuration was updated to expand the pull_request_target trigger's branch filter. Previously restricted to the main branch, the trigger now executes on pull requests targeting both main and any branches matching the release-* pattern. The modification affects only the branch filter; no changes were made to job logic, conditions, environment variables, steps, or permissions.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Security concerns

pull_request_target with expanded branch scope — potential supply chain risk

Using pull_request_target grants workflows write access to the repository and access to secrets. Expanding this trigger to release-* branches increases the surface area for exploitation. If release branches can receive pull requests from contributors with fewer restrictions than main, attackers could inject code into the e2e test pipeline.

Actionable: Verify that all release-* branches enforce the same branch protection rules as main, including required reviews and status checks. Review the workflow's use of secrets context and any actions/checkout@* steps—ensure they don't check out untrusted PR code without explicit protections (e.g., ref: github.base_ref). Related: CWE-829 (Inclusion of Functionality from Untrusted Control Sphere).

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and clearly describes the main change: expanding the e2e mock test workflow to run on release branches in addition to main.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/e2e-mock-test.yml:
- Around line 4-6: The workflow currently uses pull_request_target with branches
['main','release-*'] and later checks out github.event.pull_request.head.sha
(and runs repo code with secrets), allowing untrusted PR code to access secrets;
either restrict execution to same-repo PRs by gating the job with a trust check
(e.g., guard using github.event.pull_request.head.repo.full_name ==
github.repository) before the checkout/run steps that use secrets, or change the
trigger from pull_request_target to pull_request so the PR head is checked out
without exposing secrets; update the job that invokes actions/checkout (ref:
github.event.pull_request.head.sha) and any steps using secrets to only run
after the same-repo guard or after switching to a safe trigger.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 3c9e8b1e-9366-4788-852b-2e914f5b6737

📥 Commits

Reviewing files that changed from the base of the PR and between 22ddc2c and 8c1b939.

📒 Files selected for processing (1)

• .github/workflows/e2e-mock-test.yml

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Block untrusted PR code execution in pull_request_target before widening to release-*.

Line 6 expands a privileged pull_request_target workflow to more branches, while Line 50 checks out github.event.pull_request.head.sha and later runs repo code with secrets (Lines 88 and 99). This is a direct untrusted-code + secret exposure path (CWE-829, CWE-200). Add a trust gate (same-repo only) or move this job to a safer trigger pattern.

Suggested hardening patch

 e2e-test:
   name: E2E Mock vLLM Test
   permissions:
     contents: read
   # Only runs when a maintainer adds the run-e2e-test label specifically.
   # Does not trigger on other labels or on synchronize (new pushes).
-  if: github.event.action == 'labeled' && github.event.label.name == 'run-e2e-test'
+  if: >-
+    github.event.action == 'labeled' &&
+    github.event.label.name == 'run-e2e-test' &&
+    github.event.pull_request.head.repo.full_name == github.repository
   runs-on: ubuntu-latest

As per coding guidelines, "Avoid pull_request_target with checkout of PR head (token exfiltration)".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/e2e-mock-test.yml around lines 4 - 6, The workflow
currently uses pull_request_target with branches ['main','release-*'] and later
checks out github.event.pull_request.head.sha (and runs repo code with secrets),
allowing untrusted PR code to access secrets; either restrict execution to
same-repo PRs by gating the job with a trust check (e.g., guard using
github.event.pull_request.head.repo.full_name == github.repository) before the
checkout/run steps that use secrets, or change the trigger from
pull_request_target to pull_request so the PR head is checked out without
exposing secrets; update the job that invokes actions/checkout (ref:
github.event.pull_request.head.sha) and any steps using secrets to only run
after the same-repo guard or after switching to a safe trigger.

[aneeshkp]

run-e2e-test label gate is used

[coderabbitai]

@aneeshkp, the label gate is acknowledged — and the remove-label-on-push job that strips the label on every new push (forcing re-review before re-labeling) makes this a well-layered mitigation. That pattern is widely used and accepted for pull_request_target workflows that need to run on fork PRs.

The residual risk I flagged is that a maintainer could be socially engineered into adding the label to a PR containing malicious code, which would then run with RAHII_ON_XKS_PULL_SECRET. Adding the same-repo guard would eliminate that vector entirely but would also prevent external contributors from ever getting the e2e test run — so there's a real trade-off to weigh.

If you're comfortable with the current label-gate approach (maintainer reviews code before labeling), that's a reasonable decision for this repo. I'll leave the choice to you.

[aneeshkp]

/aprrove

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aneeshkp, zdtsw

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [aneeshkp,zdtsw]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment