Use dev-container image #45

Open
Matts966 wants to merge 6 commits into main from hotfix/use-dev-image

Conversation


@Matts966 Matts966 commented Apr 10, 2026

Summary by CodeRabbit

  • Chores
    • Updated the CI end-to-end testing container image and extended action inputs for a specific client, affecting E2E CI runs.
  • Tests
    • Adjusted gRPC keepalive settings in E2E tests to use much longer intervals and added an option to permit keepalives without active calls, affecting test connectivity behavior.


coderabbitai bot commented Apr 10, 2026

Warning

Rate limit exceeded

@Matts966 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 58 minutes and 55 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 58 minutes and 55 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 528fc2c7-7964-4f9c-b689-c2be8c27bd35

📥 Commits

Reviewing files that changed from the base of the PR and between fe93834 and d193ee9.

📒 Files selected for processing (1)
  • .github/workflows/e2e.yaml
📝 Walkthrough

E2E CI workflow container image changed to ghcr.io/vdaas/vald/vald-dev-container:nightly. Test gRPC channel keepalive options updated in TestValdE2E.setUp(): grpc.keepalive_time_ms increased, grpc.keepalive_timeout_ms adjusted, and grpc.keepalive_permit_without_calls added. No other logic changes.

Changes

Cohort / File(s): Summary

CI Workflow Image (.github/workflows/e2e.yaml): Switched E2E job container image from ghcr.io/vdaas/vald/vald-ci-container:nightly to ghcr.io/vdaas/vald/vald-dev-container:nightly. Also added image_tag: pr-3448 input to the vdaas/vald-client-ci/.github/actions/e2e@main invocation for client_type: python.

gRPC Channel Configuration (tests) (src/tests/test_e2e.py): Updated gRPC channel keepalive options: grpc.keepalive_time_ms increased (from 10000 to 1200000), grpc.keepalive_timeout_ms changed (from 5000 to 20000), and added grpc.keepalive_permit_without_calls=0.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • Use ci-container #32: Modifies the E2E workflow container configuration—closely related to the CI image changes here.

Suggested labels

type/ci, type/refactoring

Suggested reviewers

  • kpango

Poem

🐳 A nightly image sails into the stream,
keepalives stretched to stabilize the beam.
CI and tests aligned in quiet tune,
small shifts that keep the pipeline in bloom. ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (2 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title 'Use dev-container image' directly corresponds to the primary change in the workflow file, which updates the container image from the CI variant to the dev variant.


@Matts966 Matts966 enabled auto-merge (squash) April 14, 2026 01:50
@Matts966 Matts966 disabled auto-merge April 14, 2026 01:50
@Matts966 Matts966 force-pushed the hotfix/use-dev-image branch from 4c23af9 to 8d9f6fe April 14, 2026 02:03

@coderabbitai coderabbitai bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
.github/workflows/e2e.yaml (2)

18-34: ⚠️ Potential issue | 🟠 Major

Declare explicit least-privilege permissions for this workflow.

There is no permissions block (Lines 18-34). Add explicit minimal scopes to avoid relying on defaults.

Suggested minimal permissions baseline
 on:
   push:
     branches:
       - main
   pull_request:
+
+permissions:
+  contents: read
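Review bot: the workflow-level `permissions:` block with `contents: read` is the right baseline for a job that only checks out the repository and runs tests; the prompt text in this comment also floats `pull-requests: write` and `id-token: write` as possible extras, and those should go in only after confirming the vdaas/vald-client-ci e2e action actually uses them, since any scope beyond what the job needs defeats the least-privilege point.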

As per coding guidelines, ".github/workflows/**/*.yaml: Permissions: Ensure permissions are set to least privilege required for the workflow."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/e2e.yaml around lines 18 - 34, Add an explicit top-level
permissions block to the workflow (affecting the e2e job) granting
least-privilege scopes required by the used actions: at minimum set contents:
read for actions/checkout@v3 and any action that needs repo contents, and add
only the specific extras your composite action requires (for example
pull-requests: write if the vdaas/vald-client-ci action needs PR write access
and id-token: write if it uses OIDC). Insert a top-level permissions: section
above jobs with only those minimal scopes (e.g., permissions: { contents: read,
pull-requests: write, id-token: write } adjusted to actual needs) instead of
relying on defaults so the e2e workflow and the referenced uses:
actions/checkout@v3 and uses: vdaas/vald-client-ci/.github/actions/e2e@main have
explicit least-privilege access.

28-32: ⚠️ Potential issue | 🟠 Major

Pin container image and action references to immutable digests and commit SHAs.

Line 28 uses :nightly and line 32 uses @main—both mutable references that can change behavior and security posture without code changes. Per GitHub Actions security best practices, pin the container image to its digest (sha256:...) and the action to a full commit SHA to prevent supply chain attacks from upstream changes.

Consider also pinning actions/checkout@v3 on line 31 to its full commit SHA rather than a version tag for consistency.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/e2e.yaml around lines 28 - 32, Replace mutable refs with
immutable pins: update the container image string
"ghcr.io/vdaas/vald/vald-dev-container:nightly" to use its immutable sha256
digest, change the action reference
"vdaas/vald-client-ci/.github/actions/e2e@main" to the action's full commit SHA,
and likewise pin "actions/checkout@v3" to a specific commit SHA; ensure you
fetch the correct digest and commit SHAs for the exact versions you intend to
run and substitute those values in the image and action references.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: c20278d6-26d0-4bca-ba9d-d985b7ba85ca

📥 Commits

Reviewing files that changed from the base of the PR and between 7f76a90 and 4c23af9.

📒 Files selected for processing (2)
  • .github/workflows/e2e.yaml
  • src/tests/test_e2e.py


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/e2e.yaml (1)

18-24: ⚠️ Potential issue | 🟠 Major

Declare least-privilege permissions explicitly in the workflow.

No explicit token permissions are set, so privilege scope is implicit and harder to audit.

Proposed fix
 on:
   push:
     branches:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   e2e:
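Review bot: consistent with the earlier suggested hunk; one point worth stating in the comment is that with `permissions:` declared at the workflow level the `e2e` job inherits `contents: read` unless it defines its own `permissions` key, so no job-level block is needed in this file.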

As per coding guidelines, "Permissions: Ensure permissions are set to least privilege required for the workflow."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/e2e.yaml around lines 18 - 24, The workflow currently
omits an explicit top-level permissions block, leaving token scopes implicit;
add a top-level "permissions" mapping to declare least-privilege access required
by this workflow (adjacent to the existing "on:" block) and list only the
specific GitHub token scopes the jobs need (for example, read-only for repo
contents, and any additional scopes like workflows, packages, id-token, or
checks set to write/read only where the jobs actually require them). Ensure you
update the workflow header (the "on:", "push", "pull_request" section) to
include this new "permissions" mapping and remove any unnecessary privileges so
the token grants are minimal.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: df39ff53-a0bb-4edc-8ad8-cd3c680b66e9

📥 Commits

Reviewing files that changed from the base of the PR and between 73e5bb6 and fe93834.

📒 Files selected for processing (1)
  • .github/workflows/e2e.yaml

runs-on: ubuntu-latest
container:
image: ghcr.io/vdaas/vald/vald-ci-container:nightly
image: ghcr.io/vdaas/vald/vald-dev-container:nightly
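Review bot: the replacement `image:` line keeps the mutable `:nightly` tag, so this diff changes which image is pulled but not how reproducibly it is pulled; since the branch is a hotfix, it would help to record in the PR description which nightly build the E2E run was validated against, so a later failure can be told apart from an upstream image change.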

⚠️ Potential issue | 🟠 Major

🌐 Web query:

vdaas vald-dev-container nightly image digest pinning GitHub Actions

💡 Result:

The vdaas/vald-dev-container is a nightly-built Docker image used for development containers (devcontainers) in the Vald project (github.com/vdaas/vald). It is built via GitHub Actions workflow .github/workflows/dockers-dev-container-image.yaml on pushes to main (nightly tag) and PRs (pr-XXXX tags). Images are published to Docker Hub (hub.docker.com/r/vdaas/vald-dev-container) and GHCR. No evidence of digest pinning (e.g., image:tag@sha256:digest) in workflows or devcontainer.json for this image or its base images. Workflows use tag references like :nightly or :pr-XXXX. Docker Hub lists digests (e.g., sha256:8d544902cc0a for pr-3493), but they are not pinned in configs. General pinning best practices apply (e.g., result 2 recommends digest pinning for security), but Vald workflows do not implement it for vald-dev-container. Devcontainer.json likely references "vdaas/vald-dev-container:nightly" by tag.

Citations:


Coordinate with vdaas/vald-client-ci to pin container image by digest.

Line 28 uses :nightly, a mutable tag that rebuilds daily and can cause non-deterministic E2E results. However, this file is marked "DO NOT EDIT" and auto-synced from vdaas/vald-client-ci. The fix should be coordinated at the source (vdaas/vald-client-ci level) or the nightly build process should support stable digest references. Pinning locally may be overwritten on next sync.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/e2e.yaml at line 28, The workflow currently references a
mutable image tag "ghcr.io/vdaas/vald/vald-dev-container:nightly" in
.github/workflows/e2e.yaml which is auto-synced and should not be edited
locally; coordinate with the vdaas/vald-client-ci maintainers to publish and
expose an immutable digest (or a stable digest-tag pair) for vald-dev-container
and update the source pipeline to emit that digest so the synced file can
reference "ghcr.io/vdaas/vald/vald-dev-container@sha256:..." instead of
:nightly; alternatively adjust the nightly build process in vdaas/vald-client-ci
to also publish a pinned digest reference that the sync can consume.

image: ghcr.io/vdaas/vald/vald-dev-container:nightly
options: "--add-host host.docker.internal:host-gateway"
steps:
- uses: actions/checkout@v3

⚠️ Potential issue | 🟠 Major

🌐 Web query:

GitHub Actions checkout v3 deprecated support 2025

💡 Result:

actions/checkout@v3 is not formally deprecated or scheduled for support end in 2025. It uses Node 16 runtime, which reached end-of-life in GitHub Actions runners on November 12, 2024. Using v3 now produces deprecation warnings due to Node 16, and workflows may fail if runners no longer support it post-EOL. Official docs and changelog recommend upgrading to v4 (Node 20), v5 (Node 24), or latest v6 for continued support and security updates. No specific 2025 cutoff for v3 is announced; older major versions receive security fixes indefinitely per GitHub policy. Upgrade to actions/checkout@v6 (latest as of 2026-01-09) to avoid issues.


Upgrade actions/checkout to a supported version.

Line 31 uses actions/checkout@v3, which relies on Node 16. GitHub Actions sunset Node 16 support on November 12, 2024, and official guidance recommends upgrading to v4 or later. Using v3 may produce deprecation warnings and eventually fail on current runners. Upgrade to v4 or the latest v6 for ongoing compatibility and security patches.

Proposed fix
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4
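Review bot: the `-` and `+` lines of this proposed fix are identical (`- uses: actions/checkout@v4` on both), so applying it changes nothing; the removed line should read `- uses: actions/checkout@v3`, the value the comment text and the actionlint finding both cite for line 31.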
🧰 Tools
🪛 actionlint (1.7.12)

[error] 31-31: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/e2e.yaml at line 31, Update the checkout action version
used in the workflow: replace the reference to actions/checkout@v3 with a
supported release (e.g., actions/checkout@v4 or the latest v6) to avoid Node 16
deprecation issues; edit the workflow step that currently lists "uses:
actions/checkout@v3", update the tag to v4 or v6, run the workflow locally or in
a branch to confirm no breaking changes, and pin to the chosen major version
(not a full SHA) for continued compatibility.

options: "--add-host host.docker.internal:host-gateway"
steps:
- uses: actions/checkout@v3
- uses: vdaas/vald-client-ci/.github/actions/e2e@main

⚠️ Potential issue | 🟠 Major



Pin the reusable action to an immutable commit SHA, not @main.

The reference to vdaas/vald-client-ci/.github/actions/e2e@main at line 32 tracks a mutable branch, compromising reproducibility and CI/CD supply-chain integrity. Pin to a specific commit SHA to ensure deterministic behavior across runs and maintain the security posture aligned with Vald's coding standards.

Compare with line 31 (actions/checkout@v3), which correctly uses a pinned version.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/e2e.yaml at line 32, The workflow is pinning the reusable
action to a mutable ref "vdaas/vald-client-ci/.github/actions/e2e@main"; replace
that with an immutable commit SHA (e.g.,
"vdaas/vald-client-ci/.github/actions/e2e@<commit-sha>") so the action is fixed
to a specific commit; update the reference string in the workflow line that
currently contains vdaas/vald-client-ci/.github/actions/e2e@main to use the
exact commit SHA from the upstream repo and commit the change.
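Added example (not the project's or CodeRabbit's code): a small audit script that applies the checks raised across this review, namely the missing top-level `permissions` block, action references not pinned to a commit SHA, container images not pinned by digest, and a PR-scoped `image_tag`, to a constructed workflow fragment modelled on the e2e.yaml lines quoted in the threads above. The sample text, its line numbers and the finding names are my own, and unlike the comment directly above it treats `actions/checkout@v3` as a mutable version tag, in line with the earlier pinning recommendation.

```python
import re

# Constructed workflow fragment modelled on the e2e.yaml lines quoted in this
# review; it is NOT the repository's file and its line numbers are local.
SAMPLE_WORKFLOW = """\
on:
  push:
    branches:
      - main
  pull_request:

jobs:
  e2e:
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/vdaas/vald/vald-dev-container:nightly
      options: "--add-host host.docker.internal:host-gateway"
    steps:
      - uses: actions/checkout@v3
      - uses: vdaas/vald-client-ci/.github/actions/e2e@main
        with:
          client_type: python
          image_tag: pr-3448
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
IMAGE_RE = re.compile(r"^\s*image:\s*(\S+)")
IMAGE_TAG_RE = re.compile(r"^\s*image_tag:\s*(\S+)")
PERMS_RE = re.compile(r"^permissions:")  # no indent: top-level key only
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def is_pinned_action(ref):
    """True if a `uses:` reference is a local path or is pinned to a full
    40-hex commit SHA. Tags (v3) and branches (main) are both mutable."""
    if ref.startswith("./"):
        return True
    _, sep, version = ref.rpartition("@")
    return bool(sep) and SHA1_RE.match(version) is not None


def is_pinned_image(ref):
    """True if a container image reference ends in a sha256 digest."""
    return DIGEST_RE.search(ref) is not None


def audit_workflow(text):
    """Return findings in line order; each is a dict with line, kind and ref."""
    findings = []
    has_permissions = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PERMS_RE.match(line):
            has_permissions = True
            continue
        m = USES_RE.match(line)
        if m and not is_pinned_action(m.group(1)):
            findings.append({"line": lineno, "kind": "mutable-action-ref", "ref": m.group(1)})
            continue
        m = IMAGE_RE.match(line)
        if m and not is_pinned_image(m.group(1)):
            findings.append({"line": lineno, "kind": "mutable-image-ref", "ref": m.group(1)})
            continue
        m = IMAGE_TAG_RE.match(line)
        if m and re.fullmatch(r"pr-\d+", m.group(1)):
            findings.append({"line": lineno, "kind": "pr-scoped-image-tag", "ref": m.group(1)})
    if not has_permissions:
        # No block means the token gets the repository's default scopes.
        findings.insert(0, {"line": 0, "kind": "missing-permissions", "ref": ""})
    return findings


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']:>3}: {f['kind']:<22} {f['ref']}")
```

The line-based matching only sees the long `container:` / `image:` form shown in this file; a job that uses the `container: <image>` shorthand would need a second pattern.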

Comment thread .github/workflows/e2e.yaml Outdated
- uses: vdaas/vald-client-ci/.github/actions/e2e@main
with:
client_type: python
image_tag: pr-3448

⚠️ Potential issue | 🟡 Minor


Hardcoded PR-scoped image tags should be replaced with configurable values.

Line 35 uses image_tag: pr-3448, which creates brittle E2E testing if that tag is rotated or removed. Note that this file is auto-synced from vdaas/vald-client-ci (indicated by the "DO NOT EDIT" header and the sync.yaml workflow), so the fix should be applied at the source repository level to ensure it survives the next sync. Consider updating the e2e action or workflow template to use a configurable variable (e.g., ${{ vars.VALD_IMAGE_TAG || 'nightly' }}) or default to a stable tag like nightly instead.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/e2e.yaml at line 35, The workflow uses a hardcoded image
tag value (image_tag: pr-3448) which is brittle; update the e2e
workflow/template in the source repo (vdaas/vald-client-ci) so image_tag is
configurable and has a sensible default (for example use a variable like
VALD_IMAGE_TAG with fallback to 'nightly' or another stable tag), and propagate
that change into the e2e action or workflow template so the generated
.github/workflows/e2e.yaml receives image_tag from the variable rather than a
fixed literal.

This reverts commit fe93834.