Task/#458 move code coverage to its own workflow #459
Removed LCOV merger installation and coverage upload steps.
| name: "Code Coverage" | ||
| env: | ||
| ASPNETCORE_ENVIRONMENT: "Production" | ||
|
|
||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v2.3.4 | ||
|
|
||
| - name: Restore Nuget Packages | ||
| run: dotnet restore EstateReportingAPI.sln --source ${{ secrets.PUBLICFEEDURL }} --source ${{ secrets.PRIVATEFEED_URL }} | ||
|
|
||
| - name: Build Code | ||
| run: dotnet build EstateReportingAPI.sln --configuration Release | ||
|
|
||
| - name: Run Unit Tests | ||
| run: | | ||
| echo "ASPNETCORE_ENVIRONMENT are > ${ASPNETCORE_ENVIRONMENT}" | ||
| dotnet test "EstateReportingAPI.Tests\EstateReportingAPI.Tests.csproj" /p:CollectCoverage=true /p:Exclude="[xunit*]*" /p:ExcludeByAttribute="Obsolete" /p:ExcludeByAttribute="GeneratedCodeAttribute" /p:ExcludeByAttribute="CompilerGeneratedAttribute" /p:ExcludeByAttribute="ExcludeFromCodeCoverageAttribute" /p:CoverletOutput="../lcov1.info" /maxcpucount:1 /p:CoverletOutputFormat="lcov" | ||
|
|
||
| - name: Build Docker Image | ||
| run: docker build . --file EstateReportingAPI/Dockerfile --tag estatereportingapi:latest | ||
|
|
||
| - name: Run Integration Tests | ||
| run: | | ||
| dotnet test "EstateReportingAPI.IntegrationTests\EstateReportingAPI.IntegrationTests.csproj" /p:CollectCoverage=true /p:Exclude="[xunit*]*" /p:ExcludeByAttribute="Obsolete" /p:ExcludeByAttribute="GeneratedCodeAttribute" /p:ExcludeByAttribute="CompilerGeneratedAttribute" /p:ExcludeByAttribute="ExcludeFromCodeCoverageAttribute" /p:CoverletOutput="../lcov2.info" /maxcpucount:1 /p:CoverletOutputFormat="lcov" | ||
|
|
||
| - name: Install LCOV merger | ||
| run: npm install -g lcov-result-merger | ||
|
|
||
| - name: Merge LCOV reports | ||
| run: | | ||
| mkdir -p coverage | ||
| lcov-result-merger "*.info" > lcov.info | ||
|
|
||
| - name: Upload merged coverage to Codacy | ||
| uses: codacy/codacy-coverage-reporter-action@v1 | ||
| with: | ||
| project-token: ${{ secrets.CODACY_PROJECT_TOKEN }} | ||
| coverage-reports: ./lcov.info |
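Review bot: nothing in this workflow sets `permissions:`, so the job runs with whatever default GITHUB_TOKEN scope the repository or organisation grants, even though every step here only reads the checkout and posts to Codacy using `CODACY_PROJECT_TOKEN`; add a root-level `permissions:` block with `contents: read`. On the same least-privilege theme, `actions/checkout@v2.3.4` is pinned to a mutable tag and `npm install -g lcov-result-merger` installs whatever version npm serves on the day; pin the action to a full commit SHA and the npm package to an explicit version so a moved tag or a new package release cannot silently change what executes in CI. Two smaller points: the restore step reads `secrets.PUBLICFEEDURL` and `secrets.PRIVATEFEED_URL`, whose spelling is inconsistent and easy to mistype, and `mkdir -p coverage` creates a directory that no later step uses (the merged report is written to `./lcov.info`), so the line can go.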
Check warning
Code scanning / CodeQL
Workflow does not contain permissions (severity: Medium)
Copilot Autofix
AI 2 months ago
To fix the problem, explicitly define minimal GITHUB_TOKEN permissions in the workflow. Since this job only checks out the code and uploads coverage to Codacy (an external service) without modifying anything in the GitHub repository (no pushes, PR changes, issue edits, etc.), it only needs read access to repository contents. The best fix is to add a permissions block at the workflow root level (so it applies to all jobs) with contents: read. This documents the required permissions and prevents unintended write access if the org/repo default is broad.
Concretely, in .github/workflows/codecoverage.yml, insert:

    permissions:
      contents: read

between the on: block (ending at line 8) and the jobs: block (line 10). No other steps or functionality need to change, and no new imports or methods are required.
| @@ -7,6 +7,9 @@ | ||
| - main | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| codecoverage: | ||
| name: "Code Coverage" |
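Review bot: the placement is right (a root-level block between the `on:` triggers and `jobs:` applies to every job) and `contents: read` matches what the steps actually need: checkout, restore, build, test, docker build and the Codacy upload none of them write to the repository, and the upload authenticates with `CODACY_PROJECT_TOKEN` rather than GITHUB_TOKEN. One thing to confirm before merging: if either feed passed to `dotnet restore --source` is GitHub Packages for this repository, the restore step will also need `packages: read`; if both feeds are external, this block is sufficient as written.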
No description provided.
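The two CodeQL-style points raised on this PR (a workflow with no `permissions:` block, and `uses:` references pinned to tags rather than commit SHAs) can be checked mechanically before a workflow lands. The following is an added example written for this page, not code from the project or from CodeQL; it uses a deliberately simple indentation-based scan instead of a YAML parser so it runs with the standard library only, and it assumes 2-space indentation with block-style mappings, which holds for the workflow shown above. `WORKFLOW_BEFORE` and `WORKFLOW_AFTER` are constructed samples that reproduce the shape of this workflow before and after the suggested autofix.

```python
import re

# Constructed sample: the shape of the PR's workflow without a permissions block.
WORKFLOW_BEFORE = """\
name: "Code Coverage"
env:
  ASPNETCORE_ENVIRONMENT: "Production"
on:
  push:
    branches:
      - main
  workflow_dispatch:

jobs:
  codecoverage:
    name: "Code Coverage"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2.3.4
      - name: Upload merged coverage to Codacy
        uses: codacy/codacy-coverage-reporter-action@v1
        with:
          project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
          coverage-reports: ./lcov.info
"""

# Constructed sample: the same file with the autofix applied (root-level permissions).
WORKFLOW_AFTER = WORKFLOW_BEFORE.replace(
    "jobs:\n", "permissions:\n  contents: read\n\njobs:\n", 1
)

# A full 40-hex commit SHA after '@' is the only immutable pin for an action.
SHA_RE = re.compile(r"@[0-9a-f]{40}$")


def _indent(line):
    """Number of leading spaces on a line (assumes spaces, not tabs)."""
    return len(line) - len(line.lstrip(" "))


def find_permissions(yaml_text):
    """Return (has_workflow_level_permissions, {job_id: has_job_level_permissions}).

    Indentation-based scan: top-level keys sit at column 0, job ids at column 2
    under 'jobs:', and job keys at column 4. Assumption: 2-space block-style YAML.
    """
    workflow_level = False
    jobs = {}
    in_jobs = False
    current_job = None
    for raw in yaml_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        ind = _indent(raw)
        key = raw.strip()
        if ind == 0:
            in_jobs = key == "jobs:"
            current_job = None
            if key.startswith("permissions:"):  # covers 'permissions:' and 'permissions: read-all'
                workflow_level = True
            continue
        if in_jobs and ind == 2 and key.endswith(":"):
            current_job = key[:-1]
            jobs[current_job] = False
        elif in_jobs and current_job and ind == 4 and key.startswith("permissions:"):
            jobs[current_job] = True
    return workflow_level, jobs


def unpinned_actions(yaml_text):
    """Return every 'uses:' reference that is not pinned to a full commit SHA."""
    refs = re.findall(r"^\s*-?\s*uses:\s*(\S+)", yaml_text, re.M)
    return [ref for ref in refs if not SHA_RE.search(ref)]


def audit(yaml_text):
    """Produce the list of findings a reviewer would raise on this workflow."""
    workflow_level, jobs = find_permissions(yaml_text)
    findings = []
    for job, has_own in jobs.items():
        if not (workflow_level or has_own):
            findings.append(f"job '{job}' has no permissions block (none at workflow level either)")
    for ref in unpinned_actions(yaml_text):
        findings.append(f"action '{ref}' is not pinned to a commit SHA")
    return findings


if __name__ == "__main__":
    for label, text in (("before", WORKFLOW_BEFORE), ("after", WORKFLOW_AFTER)):
        print(f"== {label} ==")
        for finding in audit(text):
            print(" -", finding)
```

Run as a script it prints three findings for the "before" sample and two for the "after" sample: the autofix clears the permissions finding, but both `uses:` references still point at tags, which is the remaining supply-chain gap a reviewer would ask about.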