
Using reusable workflow for BDD #33

Merged
joselsegura merged 1 commit into RedHatInsights:main from joselsegura:reusable_workflow_bdd
Mar 12, 2026

Conversation

@joselsegura
Contributor

Additional Context

Use the reusable workflow to unify the BDD execution approach

Fixes #CCXDEV-16052

Type of change

  • Behavioral tests (no changes in the code)
  • Configuration update

Testing steps

Tested locally and repository forks

Checklist

  • pre-commit run --all passes
  • updated documentation wherever necessary
  • added or modified tests if necessary
  • updated schemas and validators in insights-data-schemas in case of input/output change

@coderabbitai

coderabbitai bot commented Mar 9, 2026

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflow configuration for continuous integration and automated testing processes.

Walkthrough

The BDD test workflow file is being migrated from a standalone workflow (.github/workflows/bdd.yml) to a new reusable workflow reference (.github/workflows/bdd.yaml) that calls an external workflow from RedHatInsights/processing-tools with specific configuration parameters.

Changes

Cohort / File(s) | Summary
BDD Workflow Migration (.github/workflows/bdd.yaml, .github/workflows/bdd.yml) | Replaced standalone BDD test workflow with reusable workflow reference from external repository. New workflow provides service identifier and mock OAuth2 server configuration as inputs.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title clearly and concisely describes the main change: replacing the existing BDD workflow with a reusable workflow.
Description check | ✅ Passed | The description covers required sections with adequate detail: context explaining the purpose, linked issue, change type classification, testing approach, and checklist items.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/bdd.yaml (1)

8-14: Set explicit permissions on the caller job.

Right now this job inherits the repository's default GITHUB_TOKEN permissions. The called reusable workflow has no explicit permissions declaration and therefore inherits from the caller. Declaring the minimum required permissions here improves security and ensures predictable behavior if repository defaults change.

🛡️ Suggested hardening
 jobs:
   bdd:
     name: BDD tests
+    permissions:
+      contents: read
     uses: RedHatInsights/processing-tools/.github/workflows/bdd.yaml@master
     with:
       service: data-engineering-service
       use_mock-oauth2-server: true
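Review bot: The `permissions:` block sits on the caller job, which is the right level for a `uses:` job, but it should land together with the ref-pinning fix raised in the other comment: with `@master` still mutable, a later upstream change that needs more than `contents: read` would start failing (or, if the caller were widened in response, run with whatever the caller grants). Also confirm that the input key `use_mock-oauth2-server` (underscore and hyphens mixed) matches the name declared under `on.workflow_call.inputs` in the called workflow exactly; an input the called workflow does not declare is rejected when the workflow is parsed.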

The called workflow uses actions/checkout (which requires contents: read) and actions/upload-artifact (which handles its own authentication). The suggested contents: read permission covers the minimum needed.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/bdd.yaml around lines 8 - 14, Add an explicit minimal
permissions block to the caller job "bdd" so it doesn't inherit broad repository
defaults; update the job definition that uses
RedHatInsights/processing-tools/.github/workflows/bdd.yaml@master (job name bdd)
to declare permissions: set contents: read (the reusable workflow uses
actions/checkout) to lock down GITHUB_TOKEN to the minimum required for checkout
and artifact handling.

📥 Commits

Reviewing files that changed from the base of the PR and between d5e953c and 48b77ea.

📒 Files selected for processing (2)
  • .github/workflows/bdd.yaml
  • .github/workflows/bdd.yml
💤 Files with no reviewable changes (1)
  • .github/workflows/bdd.yml

jobs:
  bdd:
    name: BDD tests
    uses: RedHatInsights/processing-tools/.github/workflows/bdd.yaml@master

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

repo="RedHatInsights/processing-tools"

echo "Current master SHA:"
gh api "repos/${repo}/git/ref/heads/master" --jq '.object.sha'

echo
echo "Recent tags:"
gh api "repos/${repo}/tags?per_page=10" --jq '.[] | [.name, .commit.sha] | @tsv'

🏁 Script executed:

cat -n .github/workflows/bdd.yaml | head -20

🌐 Web query:

GitHub Actions reusable workflows pinning security best practices

💡 Result:

Best practices for pinning reusable workflows (GitHub Actions) securely

  1. Pin reusable workflows to an immutable ref (prefer a full commit SHA).
    Use @<full-length-SHA> in jobs.<job_id>.uses (same guidance as for actions) to avoid silently picking up malicious/accidental changes from moved tags or updated branches; also verify the SHA is from the intended upstream repo (not a fork). [1]

  2. If you must use tags, only do so for highly trusted publishers—and understand tags are mutable.
    GitHub notes SHA pinning is the most secure; tags are convenient but can be moved if a repo is compromised. [1]

  3. Enforce pinning (and allow/deny lists) with policy.
    GitHub’s “allowed actions and reusable workflows” policy can now enforce full-SHA pinning (workflows fail if not pinned) and can also explicitly block specific actions/versions (including reusable workflows) via a deny entry. [2]

  4. Keep pins updated with automation (while staying immutable).
    GitHub recommends using Dependabot version updates to keep actions and reusable workflows references current (while still pinning). [1] The Well-Architected guidance also recommends pinning to SHAs from tagged releases and optionally leaving a comment with the tag for readability. [3]

  5. Reduce blast radius around reusable workflows (defense-in-depth).
    Even with pinning, also apply: least-privilege GITHUB_TOKEN permissions, prefer OIDC over long-lived secrets, and protect workflow-file changes (e.g., rulesets/CODEOWNERS). [1] The Well-Architected guide explicitly calls out least privilege + OIDC + pinning as key strategies. [3]

Example (reusable workflow pinned to SHA)

jobs:
  build:
    uses: org/ci/.github/workflows/build.yml@3b2e0f5c6c2b0c8b6d4d0a9b2f3e1c4d5a6b7c8d
    permissions: {}   # then grant only what this job needs

Sources: GitHub “Secure use” (security hardening) docs [1], GitHub Changelog policy update [2], GitHub Well-Architected Actions security recommendations [3].

[1] (docs.github.com)
[2] (github.blog)
[3] (wellarchitected.github.com)


Pin the reusable workflow to an immutable ref.

Line 11 uses @master, which is a mutable branch reference. Upstream changes can silently alter or break this repo's BDD pipeline. Pin this to a full commit SHA (preferred for security) or at minimum a version tag, per GitHub's security hardening guidance.

🔒 Suggested change
-    uses: RedHatInsights/processing-tools/.github/workflows/bdd.yaml@master
+    uses: RedHatInsights/processing-tools/.github/workflows/bdd.yaml@<full-commit-sha>
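Review bot: `<full-commit-sha>` is a placeholder, so this suggestion must not be applied as written; substitute the 40-character SHA of the intended commit on processing-tools and keep the branch or tag name as a trailing comment on the same line so reviewers can tell which upstream state is pinned (the search result above recommends the same). Note also that pinning the caller only fixes which revision of bdd.yaml runs; the actions that workflow itself invokes (actions/checkout and actions/upload-artifact, per the other comment) are pinned, or not, by the upstream file, so the same question applies there.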
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/bdd.yaml at line 11, Replace the mutable ref in the
workflow "uses" declaration so the reusable workflow call currently written as
uses: RedHatInsights/processing-tools/.github/workflows/bdd.yaml@master is
pinned to an immutable ref; update that string to reference a full commit SHA
(preferred) or a version tag instead of `@master` to prevent silent upstream
changes.
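A small checker for the pinning rule from the search result above, added here as an example that is not part of the PR or of CodeRabbit's output; the workflow text it scans is constructed to mirror the bdd.yaml job discussed in this review, and the tag-versus-branch split is a heuristic since the file itself does not record which kind of ref a name is:

```python
import re

# Constructed sample caller workflow, modelled on the bdd.yaml discussed in the PR
# (not the repository's real file): one branch-pinned reusable workflow, one
# SHA-pinned one, and a normal job using a tag-pinned action and a local action.
SAMPLE_WORKFLOW = """\
name: BDD tests
on: [pull_request]
jobs:
  bdd:
    name: BDD tests
    uses: RedHatInsights/processing-tools/.github/workflows/bdd.yaml@master
    with:
      service: data-engineering-service
  pinned:
    uses: org/ci/.github/workflows/build.yml@3b2e0f5c6c2b0c8b6d4d0a9b2f3e1c4d5a6b7c8d
  local:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-thing
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<target>\S+)")   # job-level or step-level uses:
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")                  # only a full SHA is immutable


def classify_ref(target):
    """Classify a uses: target as 'local', 'sha', 'tag' or 'branch'.
    A ref starting with 'v' or a digit is assumed to be a tag (heuristic)."""
    if target.startswith("./") or target.startswith("docker://"):
        return "local"          # same-repo path or container image: no git ref to pin
    if "@" not in target:
        return "branch"         # no ref at all resolves to the default branch
    ref = target.rsplit("@", 1)[1]
    if FULL_SHA_RE.match(ref):
        return "sha"
    return "tag" if re.match(r"^v?\d", ref) else "branch"


def find_unpinned(workflow_text):
    """Return [(line_no, target, kind)] for every uses: not pinned to a full SHA."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        kind = classify_ref(m.group("target")) if m else "local"
        if kind in ("tag", "branch"):
            findings.append((no, m.group("target"), kind))
    return findings
```

Run over the sample it reports the `@master` reusable-workflow call on line 6 and the `@v4` action on line 14; the SHA-pinned and local entries are left alone.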

@joselsegura
Contributor Author

/retest

@joselsegura joselsegura merged commit 33e168f into RedHatInsights:main Mar 12, 2026
8 checks passed