
[seclift] ephemeral Infisical OIDC validation#1286

Closed
giusepperrr wants to merge 1 commit into dev from seclift-validate-1778597595722731000

Conversation

@giusepperrr

@giusepperrr giusepperrr commented May 12, 2026

SecLift creates this PR temporarily to validate Infisical OIDC identities.
SecLift injects validation steps into an existing pull_request workflow on a temporary branch.

Closing + deleting seclift-validate-1778597595722731000 afterwards.

Summary by CodeRabbit

  • Chores
    • Enhanced CI/CD pipeline with new automated validation and diagnostic reporting capabilities.
    • Validation reports are generated and uploaded as artifacts for each workflow run.
    • Improved workflow permission controls and timeout configuration.
    • Workflow now runs on dev and master branches with enhanced validation checks.


@coderabbitai
Contributor

coderabbitai Bot commented May 12, 2026

Caution

Review failed

Pull request was closed or merged during review

Walkthrough

This PR integrates SecLift secret validation into the E2E CI workflow. The workflow now triggers on the same branches, fetches Infisical secret exports via OIDC, validates that all GitHub-visible secrets exist in Infisical, reports diagnostics to an artifact, and then runs the existing E2E test suite.

Changes

SecLift validation integration in CI E2E workflow

| Layer / File(s) | Summary |
| --- | --- |
| Workflow trigger configuration (.github/workflows/ci-e2e.yml) | Workflow trigger branches are updated and normalized for push and pull_request events on dev and master. |
| Job permissions and environment configuration (.github/workflows/ci-e2e.yml) | Job-level permissions are defined for OIDC and artifact uploads; environment variables are set for Infisical domain, root, and expected/excluded GitHub secret key inventories (as JSON), plus repository binding and timeout. |
| SecLift validation steps and artifact upload (.github/workflows/ci-e2e.yml) | Validation directory and initial report JSON are created; Infisical secrets (repo and org scopes) are fetched via OIDC using Infisical/secrets-action@v1.0.9; inline Python script loads GitHub secret inventories, parses Infisical dotenv exports, compares sets, updates validation report JSON with diagnostics, and fails the job if GitHub-visible secrets are missing from Infisical; validation artifact is uploaded unconditionally; existing checkout/Poetry/Python/Node/build/E2E setup and test execution then proceeds. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes


A workflow guard, standing tall and true,
Checks that secrets are exactly where they're due,
Infisical meets GitHub in cryptographic dance,
No hidden key shall slip past this vigilant branch! 🔐✨

🚥 Pre-merge checks | ✅ 5 passed

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title '[seclift] ephemeral Infisical OIDC validation' directly and clearly describes the main change: adding ephemeral SecLift validation steps for Infisical OIDC in the CI workflow. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@giusepperrr giusepperrr deleted the seclift-validate-1778597595722731000 branch May 12, 2026 14:55
- id: seclift_infisical_repo
  name: "SecLift: fetch Infisical repo project (OIDC)"
  continue-on-error: true
  uses: Infisical/secrets-action@v1.0.9
- id: seclift_infisical_org
  name: "SecLift: fetch Infisical org project (OIDC)"
  continue-on-error: true
  uses: Infisical/secrets-action@v1.0.9
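The walkthrough above describes the inline validation step only in prose: load the expected/excluded GitHub secret-name inventories (JSON), parse the Infisical dotenv exports from the repo and org fetch steps, compare the key sets, write diagnostics into the report JSON, and fail the job when a GitHub-visible secret has no counterpart in Infisical. The following is an added, stand-alone Python version of that comparison; it is not the PR's inline script nor SecLift's or Infisical's own code. The function names, the report layout, the assumption that each inventory is a JSON array of secret names, and the sample exports are all constructed for this example. Only secret names reach the report; values are parsed but never written out.

```python
"""Added example: GitHub-vs-Infisical secret-name comparison.

Assumed input shapes (not taken from the workflow):
  * EXPECTED / EXCLUDED: JSON arrays of secret *names* visible to GitHub
  * one dotenv export (KEY=value lines) per Infisical scope, org then repo
"""
import json
from typing import Dict, Set


def parse_dotenv(text: str) -> Dict[str, str]:
    """Parse a dotenv export into {key: value}.

    Tolerates blank lines, '#' comments, an optional 'export ' prefix and
    single- or double-quoted values; lines without '=' are skipped.
    """
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a KEY=value line
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        if key:
            env[key] = value
    return env


def load_inventory(raw_json: str) -> Set[str]:
    """Load a JSON array of secret names; reject any other shape."""
    data = json.loads(raw_json)
    if not isinstance(data, list) or not all(isinstance(k, str) for k in data):
        raise ValueError("inventory must be a JSON array of secret names")
    return set(data)


def merge_scopes(*exports: Dict[str, str]) -> Dict[str, str]:
    """Overlay scopes in order; the later (repo) scope wins on key collisions."""
    merged: Dict[str, str] = {}
    for scope in exports:
        merged.update(scope)
    return merged


def validate(expected: Set[str], excluded: Set[str], infisical: Dict[str, str]) -> dict:
    """Compare the GitHub-visible inventory with the keys present in Infisical.

    'status' is 'fail' when any non-excluded GitHub secret is absent from
    Infisical. Keys only in Infisical are reported as informational drift.
    """
    required = expected - excluded
    present = set(infisical)          # names only, values are never reported
    missing = sorted(required - present)
    return {
        "status": "fail" if missing else "pass",
        "required_count": len(required),
        "missing_in_infisical": missing,
        "only_in_infisical": sorted(present - expected),
        "excluded": sorted(excluded),
    }


def update_report(report: dict, diagnostics: dict) -> dict:
    """Merge diagnostics into a copy of the initial report dict."""
    report = dict(report)
    report.setdefault("checks", {})["github_vs_infisical"] = diagnostics
    report["status"] = diagnostics["status"]
    return report


# Constructed sample data (hypothetical names, not from the PR)
EXPECTED_JSON = '["DATABASE_URL", "API_TOKEN", "SENTRY_DSN", "CODECOV_TOKEN"]'
EXCLUDED_JSON = '["CODECOV_TOKEN"]'
ORG_EXPORT = """# constructed org-scope export
export DATABASE_URL="postgres://db.example.invalid/app"
SENTRY_DSN='https://k@sentry.example.invalid/1'
"""
REPO_EXPORT = """EXTRA_KEY=not-tracked-in-github
malformed line without equals
"""


def run_sample() -> dict:
    """Run the comparison over the constructed data; API_TOKEN is missing."""
    expected = load_inventory(EXPECTED_JSON)
    excluded = load_inventory(EXCLUDED_JSON)
    infisical = merge_scopes(parse_dotenv(ORG_EXPORT), parse_dotenv(REPO_EXPORT))
    initial = {"tool": "seclift-example", "status": "unknown"}
    return update_report(initial, validate(expected, excluded, infisical))


if __name__ == "__main__":
    result = run_sample()
    print(json.dumps(result, indent=2))
    # Non-zero exit fails the CI step, matching the behaviour the walkthrough describes.
    raise SystemExit(1 if result["status"] == "fail" else 0)
```

Running it prints the report and exits 1 because API_TOKEN is visible to GitHub but absent from both Infisical scopes; CODECOV_TOKEN is ignored through the exclusion list, and EXTRA_KEY shows up only as drift. Because the report holds names and counts, it is safe to upload as an artifact unconditionally, as the workflow does.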