Skip to content

ci: add codecov configuration#2069

Merged
ralphbean merged 4 commits into
mainfrom
add-codecov-yml
Jun 11, 2026
Merged

ci: add codecov configuration#2069
ralphbean merged 4 commits into
mainfrom
add-codecov-yml

Conversation

@ralphbean

Copy link
Copy Markdown
Member

Summary

  • Adds .codecov.yml with standard coverage settings
  • Project coverage target: auto (threshold: 1%)
  • Patch coverage target: 80% (threshold: 5%)
  • Ignores non-code files: docs, hack, experiments, images, markdown, shell scripts, test files, testdata
  • Adds coverage profile generation and Codecov upload step to CI workflow

Supersedes #2064 (rebased from fork to upstream with fixes applied).

Original PR by @eedri.

🤖 Generated with Claude Code

eedri and others added 2 commits June 9, 2026 14:18
Adds Codecov coverage configuration with:
- Project target: auto (threshold: 1%)
- Patch target: 80% (threshold: 5%)
- Ignores non-code files (docs, hack, experiments, images, markdown, shell)

Signed-off-by: Eyal Edri <eedri@redhat.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Replace stale __data__ ignore pattern (from konflux-ui) with testdata
- Add coverage profile generation and Codecov upload step to CI
- PR title fixed to use conventional commit prefix

Assisted-by: Claude claude-opus-4-6 <noreply@anthropic.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>
@github-actions

github-actions Bot commented Jun 9, 2026

Copy link
Copy Markdown

Site preview

Preview: https://61dae297-site.fullsend-ai.workers.dev

Commit: a30c11274efa3dd5fefc706637038d2dd36a45d3

@fullsend-ai-review

Copy link
Copy Markdown

🤖 Review · Started 11:58 AM UTC
Commit: ba204cb · View workflow run →

@ralphbean ralphbean requested a review from ifireball June 9, 2026 11:59
Use env block instead of inline VAR= assignment to avoid SC1007.

Assisted-by: Claude claude-opus-4-6 <noreply@anthropic.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 9, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 12:02 PM UTC · Completed 12:10 PM UTC
Commit: ba204cb · View workflow run →

@codecov

codecov Bot commented Jun 9, 2026

Copy link
Copy Markdown

Welcome to Codecov 🎉

Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.

ℹ️ You can also turn on project coverage checks and project coverage reporting on Pull Request comment

Thanks for integrating Codecov - We've got you covered ☂️

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 9, 2026

Copy link
Copy Markdown

Review

Findings

High

  • [protected-path] .github/workflows/lint.yml — This PR modifies a file under .github/, which is a protected path requiring human approval. The PR has no linked issue justifying the modification of governance/infrastructure files.
    Remediation: Link an issue authorizing the CI workflow change, or obtain explicit human approval for the protected-path modification.

Low

  • [supply-chain] .github/workflows/lint.yml:49 — The codecov/codecov-action is referenced by mutable major-version tag (@v5) rather than a full commit SHA. This follows the existing convention in the workflow (actions/setup-go@v5, actions/setup-node@v6 also use major-version tags), but SHA pinning is best practice. Risk is mitigated by the workflow's read-only permissions (contents: read).

  • [missing-authorization] .codecov.yml — This PR adds Codecov integration (a third-party SaaS service) without a linked issue. The PR body and title clearly describe intent and reference superseded PR ci: add codecov configuration #2064, but no formal issue captures the decision to adopt Codecov.

  • [workflow-coherence] .github/workflows/lint.yml — The workflow now runs go test -race -coverprofile=coverage.out ./... directly instead of calling make go-test (which runs go test -race -cover ./...). The commands differ only in that the CI version writes a coverage profile file; the env var handling is equivalent. This creates a minor maintenance concern: future changes to the go-test target won't automatically propagate to CI. Consider adding a make go-test-coverage Makefile target.

Previous run

Review

Findings

High

  • [protected-path] .github/workflows/lint.yml — This PR modifies a file under .github/, which is a protected path requiring human approval. The PR has no linked issue justifying the modification of governance/infrastructure files. Human review is required regardless of code quality.
    Remediation: Link an issue authorizing the CI workflow change, or obtain explicit human approval for the protected-path modification.

Medium

  • [missing-authorization] .codecov.yml — This PR adds Codecov integration (a third-party SaaS service) without a linked issue authorizing the change. Adding external service integration is a non-trivial architectural change that affects data flows and introduces a new dependency. The PR references superseded PR ci: add codecov configuration #2064, but no issue captures the authorization decision.
    Remediation: Create a GitHub issue documenting the decision to integrate Codecov, including justification and data residency considerations. Consider whether this warrants an ADR given the project's practice of documenting third-party integration decisions.

Low

  • [supply-chain] .github/workflows/lint.yml:49 — The codecov/codecov-action is referenced by mutable major-version tag (@v5) rather than a full commit SHA. This follows the existing convention in the workflow (all other actions also use version tags), but SHA pinning is best practice. Risk is mitigated by the workflow's read-only permissions (contents: read).

  • [redundant-execution] .github/workflows/lint.yml:43 — Go tests are executed twice in the same job: first via make test (which runs go test -race -cover ./...) and then via the explicit go test -race -coverprofile=coverage.out ./... step. The only difference is that the first produces a coverage summary while the second writes a profile file. This doubles Go test execution time.

  • [undocumented-threshold] .codecov.yml — Coverage thresholds (80% patch target, auto project target) are set while docs/problems/repo-readiness.md explicitly lists coverage thresholds as an open design question. This configuration implicitly answers that question without updating the document.

@fullsend-ai-review fullsend-ai-review Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See the review comment for full details.


- name: Upload coverage to Codecov
uses: codecov/codecov-action@v5
with:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] supply-chain

The codecov/codecov-action is referenced by mutable major-version tag (@v5) rather than a full commit SHA. Follows existing repo convention but SHA pinning is best practice. Risk mitigated by read-only permissions.

Suggested fix: Pin the action to a specific commit SHA and use Dependabot or Renovate to keep the pin up to date.


- name: Generate coverage profile
run: go test -race -coverprofile=coverage.out ./...
env:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] redundant-execution

Go tests are executed twice in the same job: first via make test (go test -race -cover) then again via go test -race -coverprofile=coverage.out. This doubles Go test execution time.

Suggested fix: Modify the Makefile go-test target to accept a COVERPROFILE variable, or remove the make test step since the coverage step runs the same tests.

@rh-hemartin rh-hemartin left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fix the redundant execution of tests.

@eedri

eedri commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

just making sure you're OK with failing CI if patch coverage is below 80%, we can also set it to false to give a warning as well to start with.

Replace `make test` (which runs lint-all + go-test + script-test) with
its individual components, using the coverprofile-producing `go test`
invocation in place of `make go-test`. This avoids running Go tests
twice in the same CI job.

Assisted-by: Claude claude-opus-4-6 <noreply@anthropic.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>
@ralphbean

Copy link
Copy Markdown
Member Author

Pushed a30c112. Splits make test into its three components (make lint-all, go test -coverprofile=..., make script-test) so Go tests only run once.

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 10, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 9:16 PM UTC · Completed 9:24 PM UTC
Commit: a30c112 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See the review comment for full details.


- run: make script-test

- name: Upload coverage to Codecov

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] supply-chain

The codecov/codecov-action is referenced by mutable major-version tag (@v5) rather than a full commit SHA. This follows the existing convention in the workflow, but SHA pinning is best practice. Risk is mitigated by read-only permissions.

@ralphbean ralphbean added this pull request to the merge queue Jun 11, 2026
Merged via the queue into main with commit e153b95 Jun 11, 2026
13 checks passed
@ralphbean ralphbean deleted the add-codecov-yml branch June 11, 2026 12:10
@fullsend-ai-retro

fullsend-ai-retro Bot commented Jun 11, 2026

Copy link
Copy Markdown

🤖 Finished Retro · ✅ Success · Started 12:13 PM UTC · Completed 12:18 PM UTC
Commit: a30c112 · View workflow run →

@fullsend-ai-retro

Copy link
Copy Markdown

Retro: PR #2069ci: add codecov configuration

Workflow quality: Good overall. The review agent correctly identified the redundant test execution issue (Go tests running twice), which the human reviewer (rh-hemartin) independently flagged — validating the agent's review quality on this PR.

Main friction point: After the author fixed the redundant execution, the review agent's second pass still issued CHANGES_REQUESTED with only LOW-severity findings remaining (supply-chain SHA pinning, missing issue linkage, workflow coherence) plus the governance-level protected-path HIGH. This forced the human reviewer to override the bot's blocking verdict. This pattern is extensively tracked — at least 16 open issues cover verdict calibration (#2115, #2057, #2029, #1068, #1942, #1500, etc.) and 13+ cover protected-path behavior on human PRs (#1551, #1392, #1508, #1583, #1597).

No new proposals filed. All identified improvement areas have substantial existing issue coverage:

The 2-day time-to-merge was driven by human review cycles (timezone handoffs between ralphbean, rh-hemartin, and eedri), not agent overhead. Token cost was reasonable — 2 successful review runs plus 1 cancelled (superseded by push).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants