Task/#681 move code coverage to its own workflow #682
Removed LCOV report merging and upload steps from nightly build workflow.
| name: "Code Coverage" | ||
| env: | ||
| ASPNETCORE_ENVIRONMENT: "Production" | ||
|
|
||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v2.3.4 | ||
|
|
||
| - name: Restore Nuget Packages | ||
| run: dotnet restore FileProcessor.sln --source ${{ secrets.PUBLICFEEDURL }} --source ${{ secrets.PRIVATEFEED_URL }} | ||
|
|
||
| - name: Build Code | ||
| run: dotnet build FileProcessor.sln --configuration Release | ||
|
|
||
| - name: Run Unit Tests | ||
| run: | | ||
| echo "ASPNETCORE_ENVIRONMENT are > ${ASPNETCORE_ENVIRONMENT}" | ||
| dotnet test "FileProcessor.BusinessLogic.Tests\FileProcessor.BusinessLogic.Tests.csproj" /p:CollectCoverage=true /p:Exclude="[xunit*]*" /p:ExcludeByAttribute="Obsolete" /p:ExcludeByAttribute="GeneratedCodeAttribute" /p:ExcludeByAttribute="CompilerGeneratedAttribute" /p:ExcludeByAttribute="ExcludeFromCodeCoverageAttribute" /p:CoverletOutput="../lcov1.info" /maxcpucount:1 /p:CoverletOutputFormat="lcov" | ||
| dotnet test "FileProcessor.FileAggregate.Tests\FileProcessor.FileAggregate.Tests.csproj" /p:CollectCoverage=true /p:Exclude="[xunit*]*" /p:ExcludeByAttribute="Obsolete" /p:ExcludeByAttribute="GeneratedCodeAttribute" /p:ExcludeByAttribute="CompilerGeneratedAttribute" /p:ExcludeByAttribute="ExcludeFromCodeCoverageAttribute" /p:CoverletOutput="../lcov2.info" /maxcpucount:1 /p:CoverletOutputFormat="lcov" | ||
| dotnet test "FileProcessor.FileImportLogAggregate.Tests\FileProcessor.FileImportLogAggregate.Tests.csproj" /p:CollectCoverage=true /p:Exclude="[xunit*]*" /p:ExcludeByAttribute="Obsolete" /p:ExcludeByAttribute="GeneratedCodeAttribute" /p:ExcludeByAttribute="CompilerGeneratedAttribute" /p:ExcludeByAttribute="ExcludeFromCodeCoverageAttribute" /p:CoverletOutput="../lcov3.info" /maxcpucount:1 /p:CoverletOutputFormat="lcov" | ||
|
|
||
| - name: Install LCOV merger | ||
| run: npm install -g lcov-result-merger | ||
|
|
||
| - name: Merge LCOV reports | ||
| run: | | ||
| mkdir -p coverage | ||
| lcov-result-merger "*.info" > lcov.info | ||
|
|
||
| - name: Upload merged coverage to Codacy | ||
| uses: codacy/codacy-coverage-reporter-action@v1 | ||
| with: | ||
| project-token: ${{ secrets.CODACY_PROJECT_TOKEN }} | ||
| coverage-reports: ./lcov.info | ||
|
|
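Review bot: the new workflow declares no `permissions:` block, so the `build` job runs with the repository's default GITHUB_TOKEN scopes although its only GitHub interaction is the `actions/checkout` step; add `permissions:` with `contents: read` at the workflow root (the CodeQL warning below reports the same gap). The third-party code in the job is also unpinned: `actions/checkout@v2.3.4` and `codacy/codacy-coverage-reporter-action@v1` reference mutable tags, and `npm install -g lcov-result-merger` installs whatever is latest at run time, so a moved tag or a new release changes what executes next to the feed URLs and the Codacy token; pin each action to a full-length commit SHA and the npm package to an explicit version. Smaller points: `mkdir -p coverage` in the merge step is never used, since `lcov-result-merger "*.info" > lcov.info` writes to the repository root; the test project paths use Windows backslashes on an ubuntu-latest runner, and forward slashes avoid relying on MSBuild normalising them; and the echo in the test step reads "ASPNETCORE_ENVIRONMENT are >", where "is" is meant.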
Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)
Copilot Autofix (AI), 2 months ago
In general, the fix is to explicitly declare permissions: in the workflow (or job) so that the GITHUB_TOKEN is limited to the minimum access needed. This workflow only needs to read repository contents (for checkout) and does not perform any GitHub write operations, so contents: read is sufficient. Other permissions (issues, pull-requests, etc.) can remain at their default of none by not being specified.
The best minimal fix without changing functionality is to add a permissions: block at the workflow root level, just below the name: (or below on:), setting contents: read. This will apply to all jobs in the workflow (there is only build) and aligns with the CodeQL suggestion of using contents: read as a starting point. No additional imports or methods are needed; it is purely a YAML configuration change in .github/workflows/codecoverage.yml, around the top of the file (lines 1–3).
| @@ -1,5 +1,8 @@ | ||
| name: Code Coverage | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| # branches to consider in the event; optional, defaults to all |
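Review bot: the root-level `permissions:` with `contents: read` in this suggestion is the correct scope for the job: checkout is the only use of GITHUB_TOKEN, and the Codacy upload authenticates with `CODACY_PROJECT_TOKEN` rather than the token, so nothing needs write access, and any job added later that does should override the block at job level instead of widening this one. One thing to verify before accepting: the context line here reads `name: Code Coverage`, while the committed file has `name: "Code Coverage"` with quotes, so check that the autofix applies cleanly against the file rather than failing on mismatched context.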
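As an added example (not part of this PR or the project's code), a small stdlib-only Python audit that applies the two checks raised in this thread to a workflow file: whether a `permissions:` block exists at the workflow root or on each job, and whether every third-party `uses:` reference is pinned to a full-length commit SHA rather than a tag. The two workflows embedded in it are constructed for the example and only echo the shape of codecoverage.yml; the 40-hex SHAs in the hardened variant are placeholders, not real pins.

```python
"""Audit a GitHub Actions workflow for two issues raised on this PR:
 1. no `permissions:` block, so GITHUB_TOKEN keeps the repository default scopes
    instead of the minimum the job needs;
 2. third-party actions referenced by a mutable tag or branch (e.g. @v1) rather
    than a full-length commit SHA, which a moved tag or compromised release can
    silently change.
Stdlib only: the file is scanned line by line rather than with a YAML parser so
it runs without PyYAML. Added example, not code from the PR or the project.
"""
import re

USES_RE = re.compile(r'^\s*(?:-\s*)?uses:\s*["\']?([^\s"\'#]+)')
ACTION_RE = re.compile(r'^([\w.-]+/[\w.-]+)(?:/[^@]*)?@(.+)$')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def _indent(line):
    return len(line) - len(line.lstrip(' '))


def find_unpinned_actions(workflow_text):
    """Return (action, ref) for each `uses:` whose ref is not a 40-hex commit SHA.
    Local (./path) and docker:// references have no tag to pin and are skipped."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith('./') or ref.startswith('docker://'):
            continue
        am = ACTION_RE.match(ref)
        if am and not SHA_RE.match(am.group(2)):
            findings.append((am.group(1), am.group(2)))
    return findings


def audit_workflow(workflow_text):
    """Return which jobs lack a permissions block (none if the workflow root has
    one, since a root block applies to every job) plus the unpinned actions."""
    lines = [l for l in workflow_text.splitlines()
             if l.strip() and not l.lstrip().startswith('#')]
    root_permissions = any(_indent(l) == 0 and l.startswith('permissions:')
                           for l in lines)
    jobs = {}                 # job name -> has its own permissions block
    in_jobs = job_indent = child_indent = current = None
    for l in lines:
        ind, key = _indent(l), l.strip()
        if ind == 0:          # top-level key: only `jobs:` is of interest
            in_jobs = key.startswith('jobs:')
            job_indent = child_indent = current = None
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = ind  # indentation used for job names
        if ind == job_indent and key.endswith(':'):
            current = key[:-1]
            jobs[current] = False
            child_indent = None
            continue
        if current is None:
            continue
        if child_indent is None:
            child_indent = ind  # indentation of keys directly under the job
        if ind == child_indent and key.startswith('permissions:'):
            jobs[current] = True
    missing = [] if root_permissions else [j for j, ok in jobs.items() if not ok]
    return {
        'workflow_permissions': root_permissions,
        'jobs_missing_permissions': missing,
        'unpinned_actions': find_unpinned_actions(workflow_text),
    }


# Constructed sample in the shape of the PR's codecoverage.yml (not the file itself).
SAMPLE_WORKFLOW = """\
name: "Code Coverage"
on:
  push:
env:
  ASPNETCORE_ENVIRONMENT: "Production"
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2.3.4
      - name: Upload merged coverage to Codacy
        uses: codacy/codacy-coverage-reporter-action@v1
        with:
          project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
          coverage-reports: ./lcov.info
"""

# Same workflow with a root permissions block and SHA-pinned actions. The SHAs
# are placeholders for the example, not real pins: resolve the tag you want and
# paste its full commit hash, keeping the tag in a trailing comment.
HARDENED_WORKFLOW = """\
name: "Code Coverage"
permissions:
  contents: read
on:
  push:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: codacy/codacy-coverage-reporter-action@89abcdef0123456789abcdef0123456789abcdef  # placeholder SHA
"""

if __name__ == '__main__':
    for label, text in (('as committed', SAMPLE_WORKFLOW), ('hardened', HARDENED_WORKFLOW)):
        print(label, audit_workflow(text))
```

Run it over the real `.github/workflows/*.yml` files by reading each file into `audit_workflow`; a root-level `permissions:` satisfies every job, while a job-level block only covers that job, which is why the audit reports per-job gaps only when the root block is absent.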