CNTRLPLANE-244: ci: add Codecov integration to unit test workflow

[bryan-cox]

Summary

Add Codecov integration to the Unit Tests GitHub Actions workflow to upload
coverage data after each test run.

• Uses codecov/codecov-action@v5 to upload cover.out after each unit test run
• Token is passed via env: (not with:) so fork PRs gracefully fall back to tokenless upload
• CODECOV_TOKEN secret must be configured in the repository settings
• codecov.yml sets branch: main as the default branch (Codecov defaults to master otherwise)

Follow-up

• ConfigMap-based coverage tracking with job summary reporting: ci: add ConfigMap-based coverage tracking #8084 (draft)

Test plan

• Verify make test generates cover.out
• Verify Codecov upload succeeds and coverage data appears on Codecov dashboard
• Verify fork PRs fall back to tokenless upload

🤖 Generated with Claude Code

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)

• do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: c1a95ac7-dc2c-4e0e-99b9-c576671df7e9

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

The GitHub Actions test workflow has been enhanced with additional triggers (push to main and workflow_dispatch) and new coverage tracking functionality. The workflow now computes test coverage from cover.out, publishes it to job outputs and step summaries, and manages a Kubernetes ConfigMap baseline on the main branch. Pull requests retrieve this baseline, calculate the coverage delta using bc, report the differential in the step summary, and fail if coverage decreases by more than 1%.

Sequence Diagram(s)

mermaid
sequenceDiagram
participant Dev as Developer
participant GH as GitHub Actions Runner
participant Go as go test / coverage
participant K8s as Kubernetes API (ConfigMap)
rect rgba(0,128,0,0.5)
Dev->>GH: push to main / workflow_dispatch
GH->>Go: run tests, generate cover.out
Go->>GH: coverage (cover.out)
GH->>GH: compute total coverage
GH->>K8s: kubectl patch ConfigMap coverage-baseline (arc-runners)
K8s-->>GH: patch response
end

mermaid
sequenceDiagram
participant Dev as Developer
participant GH as GitHub Actions Runner
participant Go as go test / coverage
participant K8s as Kubernetes API (ConfigMap)
rect rgba(0,0,255,0.5)
Dev->>GH: open/update pull request
GH->>Go: run tests, generate cover.out
Go->>GH: coverage (cover.out)
GH->>K8s: kubectl get ConfigMap coverage-baseline (arc-runners) (ignore missing)
K8s-->>GH: baseline value or empty
GH->>GH: compute numeric diff using bc
alt diff <= -1%
GH->>GH: write diff to step summary
GH->>GH: fail job (exit 1)
else
GH->>GH: write diff to step summary
end
end

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [bryan-cox]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

.github/workflows/test.yaml (1)

39-42: Please verify that bc exists on arc-runner-set.

Lines 39-42 add a new runtime dependency that is not provisioned here. If the runner image does not ship bc, every PR will fail after tests.

Use `awk` instead of another CLI dependency

-            DIFF=$(echo "$PR_COV - $BASE_COV" | bc)
+            DIFF=$(awk -v pr="$PR_COV" -v base="$BASE_COV" 'BEGIN { printf "%.2f", pr - base }')
             echo "### Coverage diff: ${DIFF}% (main: ${BASE_COV}% → PR: ${PR_COV}%)" >> "$GITHUB_STEP_SUMMARY"
             # Fail if coverage drops by more than 1%
-            DROP=$(echo "$DIFF < -1.0" | bc)
+            DROP=$(awk -v diff="$DIFF" 'BEGIN { print (diff < -1.0) ? 1 : 0 }')

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test.yaml around lines 39 - 42, Replace the non-portable
use of bc by computing the coverage diff and the boolean drop check with awk (or
pure shell) so the workflow doesn't rely on bc being present; specifically
change the DIFF calculation (symbol DIFF) and the DROP determination (symbol
DROP) to use awk's arithmetic (e.g. DIFF=$(awk "BEGIN{print ${PR_COV} -
${BASE_COV}}") and DROP=$(awk "BEGIN{print (${DIFF} < -1.0) ? 1 : 0}") or
equivalent POSIX-safe logic) and keep the existing echo that writes the coverage
summary.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/test.yaml:
- Around line 26-36: The workflow exposes cluster RBAC to untrusted PRs via the
"Update baseline coverage" and "Compare coverage" steps that call kubectl
against the coverage-baseline ConfigMap; remove or gate all kubectl usage from
the PR test job (the steps named "Update baseline coverage" and "Compare
coverage" that reference the coverage-baseline configmap) so PRs cannot access
the cluster, move the baseline write (the patch implemented in Update baseline
coverage) into a trusted post-merge workflow that runs only on main, and replace
the PR comparison (the BASE_COV read in Compare coverage) with a
non-cluster-backed store such as a repo-stored file, an artifacts API lookup, or
the Actions cache to fetch the baseline for pull_request jobs. Ensure the job no
longer runs any kubectl commands for pull_request events.
- Around line 18-23: The workflow extracts coverage into cover.out but never
uploads it to Codecov; add a new job step after the existing "Extract coverage
percentage" step (reference step id coverage) that runs the official Codecov
uploader (uses: codecov/codecov-action@v4) and points to the generated cover.out
(files: cover.out) and uses the CODECOV_TOKEN secret if required (token: ${{
secrets.CODECOV_TOKEN }}), so the coverage file is published to the Codecov
dashboard.
- Around line 36-48: The current BASE_COV assignment hides real kubectl errors
by using `2>/dev/null || echo ""`; change the kubectl invocation that sets
BASE_COV to use `--ignore-not-found` (e.g., `kubectl get configmap
coverage-baseline -n arc-runners --ignore-not-found -o jsonpath=...`) so only a
missing ConfigMap yields an empty result, and remove the stderr suppression;
additionally, after running that kubectl command check its exit status and if
non-zero (and not just empty output) surface the error (fail the job or print
the kubectl stderr) instead of treating it as "no baseline"—update the logic
that uses BASE_COV and the `if [ -n "$BASE_COV" ]` branch accordingly.

---

Nitpick comments:
In @.github/workflows/test.yaml:
- Around line 39-42: Replace the non-portable use of bc by computing the
coverage diff and the boolean drop check with awk (or pure shell) so the
workflow doesn't rely on bc being present; specifically change the DIFF
calculation (symbol DIFF) and the DROP determination (symbol DROP) to use awk's
arithmetic (e.g. DIFF=$(awk "BEGIN{print ${PR_COV} - ${BASE_COV}}") and
DROP=$(awk "BEGIN{print (${DIFF} < -1.0) ? 1 : 0}") or equivalent POSIX-safe
logic) and keep the existing echo that writes the coverage summary.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: ea535024-6c00-4f93-87a4-172887443375

📥 Commits

Reviewing files that changed from the base of the PR and between 1d6b6a5 and 28c1264.

📒 Files selected for processing (1)

• .github/workflows/test.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Avoid giving this PR test job cluster access.

These kubectl steps make kube RBAC a requirement for the same self-hosted job that executes make test. That exposes whatever get/patch rights the runner has to untrusted PR code. Keep baseline writes in a trusted post-merge path, and use a non-cluster store for PR comparisons if you still need this gate.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test.yaml around lines 26 - 36, The workflow exposes
cluster RBAC to untrusted PRs via the "Update baseline coverage" and "Compare
coverage" steps that call kubectl against the coverage-baseline ConfigMap;
remove or gate all kubectl usage from the PR test job (the steps named "Update
baseline coverage" and "Compare coverage" that reference the coverage-baseline
configmap) so PRs cannot access the cluster, move the baseline write (the patch
implemented in Update baseline coverage) into a trusted post-merge workflow that
runs only on main, and replace the PR comparison (the BASE_COV read in Compare
coverage) with a non-cluster-backed store such as a repo-stored file, an
artifacts API lookup, or the Actions cache to fetch the baseline for
pull_request jobs. Ensure the job no longer runs any kubectl commands for
pull_request events.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Check kubectl documentation for --ignore-not-found flag behavior
# This flag should distinguish between "not found" vs actual errors
kubectl get configmap --help 2>/dev/null | grep -A 5 "ignore-not-found" || echo "Checking kubectl documentation online approach"

Repository: openshift/hypershift

Length of output: 110

---

🌐 Web query:

kubectl get --ignore-not-found flag behavior exit code error handling

💡 Result:

The --ignore-not-found flag (default: false) for kubectl get suppresses the NotFound error message and returns exit code 0 when a specific named object does not exist. Without the flag (or with --ignore-not-found=false), it prints "Error from server (NotFound): [resource] "[name]" not found" and returns exit code 1. For collection queries (no specific name, e.g., kubectl get pods), the flag has no effect: it always prints "No resources found" (to stderr) and returns exit code 0, as an empty list is not considered an error. Example behaviors: - kubectl get pod foo (nonexistent): error message, exit 1 - kubectl get pod foo --ignore-not-found: no error message, exit 0 - kubectl get pods (none exist): "No resources found", exit 0 (flag irrelevant) This distinction is explicit in official docs: "If set to true, suppresses NotFound error for specific objects that do not exist. Using this flag with commands that query for collections of resources has no effect when no resources are found." The help text ("If the requested object does not exist the command will return exit code 0") implies specific objects, but could be clearer per ongoing SIG-CLI discussion. Source code confirms: ignores NotFound only for single-object gets, prints "No resources found" and exits 0 if no output and not ignoring NotFound (but collections always 0). For scripting/error handling, use the flag for idempotent specific-object checks (exit 0 if missing). Collections always succeed with 0 even if empty.

Citations:

• 1: kubectl get --ignore-not-found behavior unclear kubernetes/kubectl#1596
• 2: kubectl get should return non-zero value if not found kubernetes/kubectl#821
• 3: https://kubernetes.io/docs/reference/kubectl/generated/kubectl_get
• 4: https://github.com/kubernetes/kubectl/blob/master/pkg/cmd/get/get.go

---

Don't treat every kubectl failure as "no baseline".

2>/dev/null || echo "" suppresses RBAC, API, and connectivity errors, making them indistinguishable from a missing ConfigMap and silently disabling the coverage check. Use --ignore-not-found instead to handle only the missing-ConfigMap case as optional while surfacing real errors.

Suggested fix

-          BASE_COV=$(kubectl get configmap coverage-baseline -n arc-runners -o jsonpath='{.data.total}' 2>/dev/null || echo "")
+          BASE_COV=$(kubectl get configmap coverage-baseline \
+            -n arc-runners \
+            --ignore-not-found \
+            -o jsonpath='{.data.total}')

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	BASE_COV=$(kubectl get configmap coverage-baseline -n arc-runners -o jsonpath='{.data.total}' 2>/dev/null || echo "")
	PR_COV="${{ steps.coverage.outputs.total }}"
	if [ -n "$BASE_COV" ]; then
	DIFF=$(echo "$PR_COV - $BASE_COV" | bc)
	echo "### Coverage diff: ${DIFF}% (main: ${BASE_COV}% → PR: ${PR_COV}%)" >> "$GITHUB_STEP_SUMMARY"
	# Fail if coverage drops by more than 1%
	DROP=$(echo "$DIFF < -1.0" | bc)
	if [ "$DROP" -eq 1 ]; then
	echo "::error::Coverage dropped by ${DIFF}% (threshold: -1%)"
	exit 1
	fi
	else
	echo "### No baseline coverage found. Skipping comparison." >> "$GITHUB_STEP_SUMMARY"
	BASE_COV=$(kubectl get configmap coverage-baseline \
	-n arc-runners \
	--ignore-not-found \
	-o jsonpath='{.data.total}')
	PR_COV="${{ steps.coverage.outputs.total }}"
	if [ -n "$BASE_COV" ]; then
	DIFF=$(echo "$PR_COV - $BASE_COV" | bc)
	echo "### Coverage diff: ${DIFF}% (main: ${BASE_COV}% → PR: ${PR_COV}%)" >> "$GITHUB_STEP_SUMMARY"
	# Fail if coverage drops by more than 1%
	DROP=$(echo "$DIFF < -1.0" | bc)
	if [ "$DROP" -eq 1 ]; then
	echo "::error::Coverage dropped by ${DIFF}% (threshold: -1%)"
	exit 1
	fi
	else
	echo "### No baseline coverage found. Skipping comparison." >> "$GITHUB_STEP_SUMMARY"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test.yaml around lines 36 - 48, The current BASE_COV
assignment hides real kubectl errors by using `2>/dev/null || echo ""`; change
the kubectl invocation that sets BASE_COV to use `--ignore-not-found` (e.g.,
`kubectl get configmap coverage-baseline -n arc-runners --ignore-not-found -o
jsonpath=...`) so only a missing ConfigMap yields an empty result, and remove
the stderr suppression; additionally, after running that kubectl command check
its exit status and if non-zero (and not just empty output) surface the error
(fail the job or print the kubectl stderr) instead of treating it as "no
baseline"—update the logic that uses BASE_COV and the `if [ -n "$BASE_COV" ]`
branch accordingly.

[codecov]

Welcome to Codecov 🎉

Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.

Thanks for integrating Codecov - We've got you covered ☂️

[openshift-ci-robot]

@bryan-cox: This pull request references CNTRLPLANE-244 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Summary

Add Codecov integration to the Unit Tests GitHub Actions workflow to upload
coverage data after each test run.

• Uses codecov/codecov-action@v5 to upload cover.out after each unit test run
• Token is passed via env: (not with:) so fork PRs gracefully fall back to tokenless upload
• CODECOV_TOKEN secret must be configured in the repository settings
• codecov.yml sets branch: main as the default branch (Codecov defaults to master otherwise)

Follow-up

• ConfigMap-based coverage tracking with job summary reporting: ci: add ConfigMap-based coverage tracking #8084 (draft)

Test plan

• Verify make test generates cover.out
• Verify Codecov upload succeeds and coverage data appears on Codecov dashboard
• Verify fork PRs fall back to tokenless upload

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[bryan-cox]

/area ci-tooling

[enxebre]

/lgtm

[openshift-ci-robot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws

[bryan-cox]

/verified by unit tests

[bryan-cox]

/override "ci/prow/e2e-aks"

[openshift-ci-robot]

@bryan-cox: This PR has been marked as verified by unit tests.

Details

In response to this:

/verified by unit tests

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@bryan-cox: Overrode contexts on behalf of bryan-cox: ci/prow/e2e-aks

Details

In response to this:

/override "ci/prow/e2e-aks"

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[bryan-cox]

/override e2e-aks
/override e2e-aws
/override e2e-aws-upgrade-hypershift-operator
/override e2e-kubevirt-aws-ovn-reduced
/override e2e-v2-aws

[openshift-ci]

@bryan-cox: /override requires failed status contexts, check run or a prowjob name to operate on.
The following unknown contexts/checkruns were given:

• e2e-aks
• e2e-aws
• e2e-aws-upgrade-hypershift-operator
• e2e-kubevirt-aws-ovn-reduced
• e2e-v2-aws

Only the following failed contexts/checkruns were expected:

• CodeRabbit
• ci/prow/e2e-aks
• ci/prow/e2e-aws
• ci/prow/e2e-aws-upgrade-hypershift-operator
• ci/prow/e2e-azure-self-managed
• ci/prow/e2e-kubevirt-aws-ovn-reduced
• ci/prow/e2e-v2-aws
• ci/prow/images
• ci/prow/okd-scos-images
• ci/prow/security
• ci/prow/verify-deps
• pull-ci-openshift-hypershift-main-e2e-aks
• pull-ci-openshift-hypershift-main-e2e-aws
• pull-ci-openshift-hypershift-main-e2e-aws-upgrade-hypershift-operator
• pull-ci-openshift-hypershift-main-e2e-azure-self-managed
• pull-ci-openshift-hypershift-main-e2e-kubevirt-aws-ovn-reduced
• pull-ci-openshift-hypershift-main-e2e-v2-aws
• pull-ci-openshift-hypershift-main-images
• pull-ci-openshift-hypershift-main-okd-scos-images
• pull-ci-openshift-hypershift-main-security
• pull-ci-openshift-hypershift-main-verify-deps
• tide

If you are trying to override a checkrun that has a space in it, you must put a double quote on the context.

Details

In response to this:

/override e2e-aks
/override e2e-aws
/override e2e-aws-upgrade-hypershift-operator
/override e2e-kubevirt-aws-ovn-reduced
/override e2e-v2-aws

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[bryan-cox]

/override "e2e-aks"
/override "e2e-aws"
/override "e2e-aws-upgrade-hypershift-operator"
/override "e2e-kubevirt-aws-ovn-reduced"
/override "e2e-v2-aws"

[openshift-ci]

@bryan-cox: /override requires failed status contexts, check run or a prowjob name to operate on.
The following unknown contexts/checkruns were given:

• e2e-aks
• e2e-aws
• e2e-aws-upgrade-hypershift-operator
• e2e-kubevirt-aws-ovn-reduced
• e2e-v2-aws

Only the following failed contexts/checkruns were expected:

• CodeRabbit
• ci/prow/e2e-aks
• ci/prow/e2e-aws
• ci/prow/e2e-aws-upgrade-hypershift-operator
• ci/prow/e2e-azure-self-managed
• ci/prow/e2e-kubevirt-aws-ovn-reduced
• ci/prow/e2e-v2-aws
• ci/prow/images
• ci/prow/okd-scos-images
• ci/prow/security
• ci/prow/verify-deps
• pull-ci-openshift-hypershift-main-e2e-aks
• pull-ci-openshift-hypershift-main-e2e-aws
• pull-ci-openshift-hypershift-main-e2e-aws-upgrade-hypershift-operator
• pull-ci-openshift-hypershift-main-e2e-azure-self-managed
• pull-ci-openshift-hypershift-main-e2e-kubevirt-aws-ovn-reduced
• pull-ci-openshift-hypershift-main-e2e-v2-aws
• pull-ci-openshift-hypershift-main-images
• pull-ci-openshift-hypershift-main-okd-scos-images
• pull-ci-openshift-hypershift-main-security
• pull-ci-openshift-hypershift-main-verify-deps
• tide

If you are trying to override a checkrun that has a space in it, you must put a double quote on the context.

Details

In response to this:

/override "e2e-aks"
/override "e2e-aws"
/override "e2e-aws-upgrade-hypershift-operator"
/override "e2e-kubevirt-aws-ovn-reduced"
/override "e2e-v2-aws"

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[bryan-cox]

/override "ci/prow/e2e-aks"
/override "ci/prow/e2e-aws"
/override "ci/prow/e2e-aws-upgrade-hypershift-operator"
/override "ci/prow/e2e-kubevirt-aws-ovn-reduced"
/override "ci/prow/e2e-v2-aws"

[openshift-ci]

@bryan-cox: Overrode contexts on behalf of bryan-cox: ci/prow/e2e-aks, ci/prow/e2e-aws, ci/prow/e2e-aws-upgrade-hypershift-operator, ci/prow/e2e-kubevirt-aws-ovn-reduced, ci/prow/e2e-v2-aws

Details

In response to this:

/override "ci/prow/e2e-aks"
/override "ci/prow/e2e-aws"
/override "ci/prow/e2e-aws-upgrade-hypershift-operator"
/override "ci/prow/e2e-kubevirt-aws-ovn-reduced"
/override "ci/prow/e2e-v2-aws"

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[bryan-cox]

/override "ci/prow/e2e-azure-self-managed"

[openshift-ci]

@bryan-cox: Overrode contexts on behalf of bryan-cox: ci/prow/e2e-azure-self-managed

Details

In response to this:

/override "ci/prow/e2e-azure-self-managed"

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

@bryan-cox: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.