feat(ci): group e2e tests into functional suites with opt-in extended PR runs

[jasonmadigan]

Summary

Organise e2e tests into named functional suites. The required PR gate narrows to a curated ~31-spec happy-path set (pr label), with the current broader coverage (~61 specs) available as pr-extended. Named suites can be triggered on demand via /test-e2e <suite> comments and e2e/<suite> labels.

What changed

• Security fix: shell injection in e2e-on-demand.yaml (comment body via env var, not inline interpolation)
• Ginkgo labels: all 79 e2e specs annotated with functional suite Label() across 13 suites
• Make targets: test-e2e-pr, test-e2e-pr-extended, test-e2e-suite SUITE=X in build/e2e.mk
• Suite router: build/suite-router.sh for CI suite selection and changed-file inference
• Workflow evolution: e2e-on-demand.yaml expanded from happy|full to all named suites
• PR workflow: suite router, label triggers, and idempotent bot comment added to e2e.yaml
• Pruned: deleted redundant e2e-auth.yaml and e2e-nightly.yaml, consolidated nightly schedule into e2e.yaml
• CI docs: new docs/ci.md with full suite reference

Labels

Apply these labels to a PR to trigger the corresponding e2e suite on top of the default pr gate:

Label	Suite	Infra
e2e/core	registration, tools/list, tools/call	standard
e2e/routing	HTTPRoute, Gateway listener, backendRef	standard
e2e/sessions	session rewrite, lazy init, Redis	standard
e2e/discovery	discover/select tools, categories	standard
e2e/prompts	prompts/list, prompts/get	standard
e2e/auth-policy	Authorino/Keycloak AuthPolicy	Keycloak
e2e/trusted-headers	x-mcp-authorized, JWT filtering	standard
e2e/elicitation	MCP elicitation request/response	standard
e2e/url-elicitation	URL token elicitation, cache	standard
e2e/user-specific-list	per-user tools/list	standard
e2e/tls	internal TLS, CA/DestinationRule	cert-manager
e2e/multi-gateway	multi-extension, listener isolation	extra resources
e2e/security	header stripping, negative tests	standard
e2e/pr-extended	broader PR coverage (~61 specs)	standard
e2e/full	all suites	all

Usage

# local
make test-e2e-pr                    # ~31 specs (PR gate)
make test-e2e-pr-extended           # ~61 specs
make test-e2e-suite SUITE=discovery # named suite

# CI (PR comment)
/test-e2e discovery
/test-e2e pr-extended
/test-e2e full

# CI (PR label)
# apply any e2e/* label listed above

See docs/ci.md for full reference.

Closes #1195

Summary by CodeRabbit

• New Features
  • E2E suite selection is now driven by Ginkgo suite labels, with PR checks automatically running labeled coverage.
  • On-demand and scheduled E2E runs support aggregate tiers and individual suites, with improved bot PR comments and suite suggestions.
• Bug Fixes
  • Unknown or invalid suite requests are rejected with guidance on valid options.
• Documentation
  • Updated E2E/CI guidance to reflect label-based suite routing, tier behavior, and available suites.
• Tests
  • Added/expanded Label() metadata across E2E specs to match the new suite model (e.g., core, discovery, auth-policy, elicitation, url-elicitation, tls, multi-gateway).
• Chores
  • Removed dedicated nightly and auth E2E workflows.

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR adds functional Ginkgo suite labels across E2E specs, introduces curated PR/extended/full/named suite targets, and routes PR and on-demand E2E execution through label- and comment-based selection. It also updates documentation and workflow comments.

Changes

E2E suite routing and labelling

Layer / File(s)	Summary
Label rules and docs ".claude/rules/e2e-tests.md", docs/ci.md, tests/e2e/CLAUDE.md	States the suite-label requirement for new specs, the pr gate rule, the supported comment and label flow, and the infrastructure-specific suite notes.
Suite targets and catalogue build/e2e.mk, build/known-suites.txt	Defines the pr, pr-extended, full, and named-suite targets and records the recognised suite names.
Suite router and workflows .github/workflows/e2e.yaml, .github/workflows/e2e-on-demand.yaml	Routes PR and comment-driven runs through suite selection, resolves make targets, executes the selected targets, and posts result comments.
Suite router script build/suite-router.sh	Parses event context, validates suites, infers suggestions from changed files, and emits routed outputs for CI.
E2E spec labels tests/e2e/*_test.go	Adds Ginkgo suite labels across the E2E specs so they can be selected by functional suite and PR-gate membership.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related issues

• E2E test improvements: parallelism, maintainability, and faster PR validation #1158: Matches the suite-label migration and PR-routing goals, including curated PR coverage, opt-in suites, and workflow routing.

Possibly related PRs

• Kuadrant/mcp-gateway#690: Shares the AuthPolicy E2E target and label-filter wiring changes.
• Kuadrant/mcp-gateway#961: Also changes E2E CI target selection and filtering between PR and full coverage.

Suggested labels

review-effort/large

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Linked Issues check	❓ Inconclusive	Most issue requirements appear covered, but the summaries do not confirm the shell-injection fix and recent-run links in the PR comment.	Please share the relevant diff or implementation details for the on-demand workflow safety fix and PR bot comment so those requirements can be verified.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly describes the main change: organizing e2e tests into functional suites with a broader optional PR run.
Out of Scope Changes check	✅ Passed	The changes stay focused on e2e suite routing, labels, workflows, docs, and test tagging.
Docstring Coverage	✅ Passed	Docstring coverage is 85.71% which is sufficient. The required threshold is 80.00%.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 markdownlint-cli2 (0.22.1)

.claude/rules/e2e-tests.md

markdownlint-cli2 wrapper config was not available before execution

docs/ci.md

markdownlint-cli2 wrapper config was not available before execution

tests/e2e/CLAUDE.md

markdownlint-cli2 wrapper config was not available before execution

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (1)

.github/workflows/e2e-on-demand.yaml (1)

49-81: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Resolve comment-triggered suites through the shared router.

This step re-implements the aggregate-suite mapping that build/suite-router.sh already owns. That duplication will drift the next time a suite or alias changes, and then /test-e2e comments will stop matching PR routing behaviour.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/e2e-on-demand.yaml around lines 49 - 81, The
suite-to-make-target mapping in the Resolve make target step is duplicated logic
that should be routed through the shared suite router instead. Update the
workflow to use build/suite-router.sh for resolving comment-triggered suites so
aliases and suite names stay consistent with the existing routing logic, and
keep the e2e-on-demand resolve step focused on consuming that shared output
rather than reimplementing the mapping.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/e2e.yaml:
- Around line 278-299: The sticky comment lookup in the github-script block only
calls issues.listComments once, so it can miss the existing `<!-- e2e-suite-bot
-->` comment when there are more than 30 comments. Update the comment retrieval
logic to use `github.paginate` with `github.rest.issues.listComments`, then run
the existing `comments.find(...)` check against the full result set so
`issues.updateComment` is used instead of creating duplicates. Keep the rest of
the marker-based update/create flow unchanged.

In `@build/e2e.mk`:
- Around line 8-10: The PR-suite size description is stale and no longer matches
the updated curated gate. Update the inline documentation around E2E_SUITE_PR in
build/e2e.mk so the `pr` suite is described as ~31 specs, and make sure the
neighboring `pr-extended`/suite help text stays consistent with the new count.
Use the existing suite labels and comments in this section as the source of
truth so `make help` and the inline docs agree.

In `@build/suite-router.sh`:
- Around line 76-106: The pattern order in suite selection is too general in two
places, causing first-match Bash semantics to skip the intended specific cases.
In the main case block in suite-router.sh, move the TLS-specific
internal/broker/upstream/tls* rule ahead of the broader
internal/broker/upstream/* rule so TLS files map correctly; in the tests/e2e/*
nested case, place *url_elicitation* before *elicitation* so URL-elicitation
tests are not captured by the generic match. Keep the rest of the suggestions
logic unchanged.

In `@docs/ci.md`:
- Around line 79-88: Update the “How the Suite Router Works” section to point
readers to the shared routing logic in suite-router.sh instead of the workflow
YAML, and make clear that the PR workflow invokes that script. Use the existing
suite-router flow description and the known symbols like E2E_KNOWN_SUITES and
the PR workflow entrypoint to keep the docs aligned with the actual
implementation.

---

Nitpick comments:
In @.github/workflows/e2e-on-demand.yaml:
- Around line 49-81: The suite-to-make-target mapping in the Resolve make target
step is duplicated logic that should be routed through the shared suite router
instead. Update the workflow to use build/suite-router.sh for resolving
comment-triggered suites so aliases and suite names stay consistent with the
existing routing logic, and keep the e2e-on-demand resolve step focused on
consuming that shared output rather than reimplementing the mapping.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 407ae73c-23da-45a6-aa34-9700fa889266

📥 Commits

Reviewing files that changed from the base of the PR and between 02333ed and 9a092f8.

📒 Files selected for processing (20)

• .claude/rules/e2e-tests.md
• .github/workflows/e2e-auth.yaml
• .github/workflows/e2e-nightly.yaml
• .github/workflows/e2e-on-demand.yaml
• .github/workflows/e2e.yaml
• build/e2e.mk
• build/known-suites.txt
• build/suite-router.sh
• docs/ci.md
• tests/e2e/CLAUDE.md
• tests/e2e/auth_policy_test.go
• tests/e2e/custom_tls_test.go
• tests/e2e/elicitation_test.go
• tests/e2e/happy_path_test.go
• tests/e2e/multi_gateway_test.go
• tests/e2e/oauth_protected_resource_test.go
• tests/e2e/tool_discovery_test.go
• tests/e2e/tool_validation_test.go
• tests/e2e/url_elicitation_test.go
• tests/e2e/user_specific_list_test.go

💤 Files with no reviewable changes (2)

• .github/workflows/e2e-auth.yaml
• .github/workflows/e2e-nightly.yaml

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/e2e.yaml:
- Around line 242-246: The Read known suites step in the e2e workflow is joining
only spaces, so the newline-separated output from known-suites.txt can still
leak into suites and break the $GITHUB_OUTPUT entry. Update the shell logic in
the known suite processing block to normalize newline-separated values before
wrapping them in backticks and comma-joining, using the existing Read known
suites step and the known id as the place to fix it.

In `@docs/ci.md`:
- Around line 54-58: The fenced command block in the CI docs is missing a
language hint, triggering MD040. Update the markdown fence around the /test-e2e
examples to use an explicit text/plain code language, keeping the existing
command content unchanged. Locate the block in the docs CI section that shows
/test-e2e discovery, /test-e2e pr-extended, and /test-e2e full.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 7db8025b-4d7c-46d8-b799-22cab2df5d83

📥 Commits

Reviewing files that changed from the base of the PR and between 9a092f8 and dc310af.

📒 Files selected for processing (20)

• .claude/rules/e2e-tests.md
• .github/workflows/e2e-auth.yaml
• .github/workflows/e2e-nightly.yaml
• .github/workflows/e2e-on-demand.yaml
• .github/workflows/e2e.yaml
• build/e2e.mk
• build/known-suites.txt
• build/suite-router.sh
• docs/ci.md
• tests/e2e/CLAUDE.md
• tests/e2e/auth_policy_test.go
• tests/e2e/custom_tls_test.go
• tests/e2e/elicitation_test.go
• tests/e2e/happy_path_test.go
• tests/e2e/multi_gateway_test.go
• tests/e2e/oauth_protected_resource_test.go
• tests/e2e/tool_discovery_test.go
• tests/e2e/tool_validation_test.go
• tests/e2e/url_elicitation_test.go
• tests/e2e/user_specific_list_test.go

💤 Files with no reviewable changes (2)

• .github/workflows/e2e-auth.yaml
• .github/workflows/e2e-nightly.yaml

✅ Files skipped from review due to trivial changes (12)

• tests/e2e/elicitation_test.go
• tests/e2e/tool_validation_test.go
• tests/e2e/oauth_protected_resource_test.go
• build/known-suites.txt
• tests/e2e/custom_tls_test.go
• .claude/rules/e2e-tests.md
• tests/e2e/url_elicitation_test.go
• tests/e2e/auth_policy_test.go
• tests/e2e/multi_gateway_test.go
• tests/e2e/user_specific_list_test.go
• tests/e2e/tool_discovery_test.go
• tests/e2e/happy_path_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• build/e2e.mk

[coderabbitai]

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/e2e-on-demand.yaml:
- Around line 43-47: The shared-suite checkout in the e2e-on-demand workflow is
reading build/known-suites.txt from the default branch instead of the PR ref, so
suite validation can be out of sync with the later e2e-tests checkout. Update
the checkout step in the workflow to resolve and use the pull request head ref
before validating against known-suites.txt, and apply the same ref handling
anywhere else in the workflow that reads the suite catalog.

In @.github/workflows/e2e.yaml:
- Around line 221-225: The failure log collection step only runs the first debug
target because the shell exits on a non-zero return from ci-debug-logs, so
update the run block in the “Collect logs on failure” step to allow both make
ci-debug-logs and make ci-debug-test-servers-logs to execute even if one fails.
Use the existing step name and the two make targets as the key symbols when
adjusting the failure handling.

In `@build/suite-router.sh`:
- Line 20: The suite validation in suite-router.sh is using a word-match style
check against KNOWN_SUITES, which incorrectly accepts partial matches inside
hyphenated names. Update the membership logic in the suite lookup/validation
paths (including the checks around known-suites.txt, the suite dispatch, and the
label parsing branches) to require exact suite-name equality against the full
list of allowed suites. Use the existing suite-loading and validation symbols in
suite-router.sh so invalid inputs like auth, gateway, or specific are rejected
unless they exactly match a known suite name.
- Around line 76-93: The routing case in suite-router.sh is too broad in the
`case` statement and matches `internal/router/*` before the more specific router
branches. Reorder the `case` patterns so the specific
`internal/router/session*`, `internal/router/auth*`, and
`internal/router/elicit*` checks are evaluated before the generic
`internal/router/*|internal/ext_proc/*` catch-all, preserving the intended
`suggestions` handling in the `suggestions+=` blocks.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 3110980d-b979-4dfb-8472-19f4ff62b619

📥 Commits

Reviewing files that changed from the base of the PR and between dc310af and af0075e.

📒 Files selected for processing (20)

• .claude/rules/e2e-tests.md
• .github/workflows/e2e-auth.yaml
• .github/workflows/e2e-nightly.yaml
• .github/workflows/e2e-on-demand.yaml
• .github/workflows/e2e.yaml
• build/e2e.mk
• build/known-suites.txt
• build/suite-router.sh
• docs/ci.md
• tests/e2e/CLAUDE.md
• tests/e2e/auth_policy_test.go
• tests/e2e/custom_tls_test.go
• tests/e2e/elicitation_test.go
• tests/e2e/happy_path_test.go
• tests/e2e/multi_gateway_test.go
• tests/e2e/oauth_protected_resource_test.go
• tests/e2e/tool_discovery_test.go
• tests/e2e/tool_validation_test.go
• tests/e2e/url_elicitation_test.go
• tests/e2e/user_specific_list_test.go

💤 Files with no reviewable changes (2)

• .github/workflows/e2e-nightly.yaml
• .github/workflows/e2e-auth.yaml

✅ Files skipped from review due to trivial changes (11)

• tests/e2e/oauth_protected_resource_test.go
• build/known-suites.txt
• tests/e2e/tool_validation_test.go
• tests/e2e/custom_tls_test.go
• tests/e2e/url_elicitation_test.go
• tests/e2e/auth_policy_test.go
• tests/e2e/user_specific_list_test.go
• tests/e2e/multi_gateway_test.go
• tests/e2e/tool_discovery_test.go
• .claude/rules/e2e-tests.md
• tests/e2e/elicitation_test.go

🚧 Files skipped from review as they are similar to previous changes (3)

• tests/e2e/happy_path_test.go
• build/e2e.mk
• docs/ci.md

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/e2e.yaml:
- Around line 70-76: Add a manual workflow input named suite under
on.workflow_dispatch so users can choose a suite when dispatching the workflow,
and make sure the Route suites step exports that value into DISPATCH_SUITE.
Update the e2e workflow around workflow_dispatch and the router step that runs
build/suite-router.sh so the suite selection is forwarded instead of always
falling back to the default.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 61eebca3-e8e9-4a98-a3d6-11eb13bdf161

📥 Commits

Reviewing files that changed from the base of the PR and between af0075e and e315cb0.

📒 Files selected for processing (20)

• .claude/rules/e2e-tests.md
• .github/workflows/e2e-auth.yaml
• .github/workflows/e2e-nightly.yaml
• .github/workflows/e2e-on-demand.yaml
• .github/workflows/e2e.yaml
• build/e2e.mk
• build/known-suites.txt
• build/suite-router.sh
• docs/ci.md
• tests/e2e/CLAUDE.md
• tests/e2e/auth_policy_test.go
• tests/e2e/custom_tls_test.go
• tests/e2e/elicitation_test.go
• tests/e2e/happy_path_test.go
• tests/e2e/multi_gateway_test.go
• tests/e2e/oauth_protected_resource_test.go
• tests/e2e/tool_discovery_test.go
• tests/e2e/tool_validation_test.go
• tests/e2e/url_elicitation_test.go
• tests/e2e/user_specific_list_test.go

💤 Files with no reviewable changes (2)

• .github/workflows/e2e-auth.yaml
• .github/workflows/e2e-nightly.yaml

✅ Files skipped from review due to trivial changes (11)

• tests/e2e/oauth_protected_resource_test.go
• build/known-suites.txt
• tests/e2e/tool_validation_test.go
• tests/e2e/user_specific_list_test.go
• tests/e2e/custom_tls_test.go
• tests/e2e/auth_policy_test.go
• tests/e2e/elicitation_test.go
• tests/e2e/multi_gateway_test.go
• tests/e2e/tool_discovery_test.go
• docs/ci.md
• tests/e2e/happy_path_test.go

🚧 Files skipped from review as they are similar to previous changes (3)

• .claude/rules/e2e-tests.md
• tests/e2e/url_elicitation_test.go
• build/e2e.mk