
[seclift] ephemeral Infisical OIDC validation #1287

Closed

giusepperrr wants to merge 1 commit into dev from seclift-validate-1778677273382516000

Conversation


@giusepperrr giusepperrr commented May 13, 2026

SecLift creates this PR temporarily to validate Infisical OIDC identities.
SecLift injects validation steps into an existing pull_request workflow on a temporary branch.

Closing + deleting seclift-validate-1778677273382516000 afterwards.

Summary by CodeRabbit

  • CI/CD Improvements
    • E2E tests now run across development and main branches with enhanced scope
    • Added comprehensive multi-browser testing with Chromium, Firefox, and WebKit for broader coverage
    • New validation checks integrated into the testing pipeline, executing automatically before standard tests
    • Detailed validation reports generated and available as downloadable artifacts after each workflow run


coderabbitai Bot commented May 13, 2026

Caution

Review failed

Pull request was closed or merged during review

Walkthrough

The ci-e2e GitHub Actions workflow now validates secrets before building and testing. It runs on dev and master branches with a browser matrix, adds job permissions and environment variables, and introduces a new SecLift validation phase that fetches Infisical secrets via OIDC, compares them against expected GitHub inventory using an inline Python script, and uploads a validation report before proceeding to the build and test pipeline.

Changes

E2E Workflow with Secret Validation

| Layer | File(s) | Summary |
|---|---|---|
| Workflow triggers and job configuration | .github/workflows/ci-e2e.yml | Trigger branch filters set to [dev, master]; browser matrix defined for chromium, firefox, webkit. Job-level permissions configured with id-token: write and contents/actions: read. Environment variables defined for Infisical domain, environment slug, secret root, expected GitHub key inventory JSON, excluded keys, and repository reference. |
| SecLift secret validation phase | .github/workflows/ci-e2e.yml | Validation pre-check creates .seclift/validation/ directory and initializes result tracking files. Fetches Infisical repo and org exports via OIDC using Infisical/secrets-action. Inline Python script loads exported dotenv keys, constructs sanitized expected GitHub secret inventory from environment variables, compares expected vs. Infisical secrets, emits warnings for surplus keys, fails when missing keys are detected, captures exceptions, and writes structured validation result. Validation directory uploaded as seclift-validation-report artifact. |
| Build and test pipeline | .github/workflows/ci-e2e.yml | Repository checkout, Poetry and Node setup (Python 3.11.8, Node 22), dependency installation, code generation, UI build, E2E browser installation, and browser-specific test execution via alfred command. |

🎯 3 (Moderate) | ⏱️ ~25 minutes

🐰 A workflow so secure, with secrets held tight,
Infisical and GitHub dance in the night,
Validation runs first, before tests take flight,
E2E checks glow with cryptographic light! ✨🔐

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: adding ephemeral Infisical OIDC validation via SecLift to the CI/E2E workflow. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


      - id: seclift_infisical_repo
        name: "SecLift: fetch Infisical repo project (OIDC)"
        continue-on-error: true
        uses: Infisical/secrets-action@v1.0.9
      - id: seclift_infisical_org
        name: "SecLift: fetch Infisical org project (OIDC)"
        continue-on-error: true
        uses: Infisical/secrets-action@v1.0.9
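The comparison the walkthrough describes (load the exported dotenv keys, sanitize the expected GitHub inventory, warn on surplus keys, fail on missing ones, turn exceptions into a structured result), as an added illustration that is not the PR's inline script. It assumes the Infisical action's export is a dotenv file, that the expected inventory arrives as a JSON list of names, and that excluded keys are comma-separated; only key names are compared, values are never read.

```python
import json
import re

# Added illustration, not the PR's inline script. Assumes (1) the Infisical action
# exports a dotenv file and (2) the expected inventory is a JSON list of names.
# Only key names are handled; secret values are never parsed, stored or printed.
_DOTENV_KEY = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=")

# Constructed sample data (not from the PR).
SAMPLE_EXPORT = """# infisical export
DATABASE_URL="postgres://example.invalid/db"
export API_TOKEN=constructed-placeholder
EXTRA_LEGACY_KEY=old
"""
SAMPLE_INVENTORY = '["DATABASE_URL", "API_TOKEN", " ", "GITHUB_TOKEN", "SMTP_PASSWORD"]'
SAMPLE_EXCLUDED = "GITHUB_TOKEN"


def dotenv_keys(text):
    """Return the set of key names defined in dotenv-formatted text."""
    return {m.group(1) for line in text.splitlines() if (m := _DOTENV_KEY.match(line))}


def expected_keys(inventory_json, excluded_csv):
    """Sanitize the expected GitHub inventory: drop blanks and excluded names."""
    excluded = {k.strip() for k in excluded_csv.split(",") if k.strip()}
    names = {str(k).strip() for k in json.loads(inventory_json)}
    return {k for k in names if k and k not in excluded}


def validate(export_text, inventory_json, excluded_csv):
    """Compare inventories: missing keys fail, surplus keys only warn."""
    try:
        expected = expected_keys(inventory_json, excluded_csv)
        actual = dotenv_keys(export_text)
        missing = sorted(expected - actual)
        surplus = sorted(actual - expected)  # reported as a warning, never fatal
        status = "fail" if missing else "pass"
        return {"status": status, "missing": missing, "surplus": surplus, "error": None}
    except Exception as exc:  # e.g. malformed inventory JSON becomes a result, not a crash
        return {"status": "error", "missing": [], "surplus": [], "error": str(exc)}


if __name__ == "__main__":
    # Structured result in the shape a workflow would upload as its report artifact.
    print(json.dumps(validate(SAMPLE_EXPORT, SAMPLE_INVENTORY, SAMPLE_EXCLUDED), indent=2))
```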
@giusepperrr giusepperrr deleted the seclift-validate-1778677273382516000 branch May 13, 2026 13:03