From 9a7e0a4e6c2623d78ad5346e30a4d3fd49addf0d Mon Sep 17 00:00:00 2001 From: texastony <5892063+texastony@users.noreply.github.com> Date: Tue, 17 Mar 2026 15:57:22 -0700 Subject: [PATCH 1/5] chore: add pytest-cov for line coverage reporting --- .github/workflows/python-integ.yml | 11 +++++++++++ .gitignore | 2 ++ Makefile | 10 +++++----- pyproject.toml | 7 +++++++ 4 files changed, 25 insertions(+), 5 deletions(-) diff --git a/.github/workflows/python-integ.yml b/.github/workflows/python-integ.yml index 9e5ae818..51ff7a0a 100644 --- a/.github/workflows/python-integ.yml +++ b/.github/workflows/python-integ.yml @@ -55,3 +55,14 @@ jobs: env: CI_S3_BUCKET: ${{ vars.CI_S3_BUCKET }} CI_KMS_KEY_ALIAS: ${{ vars.CI_KMS_KEY_ALIAS }} + + - name: Generate coverage HTML report + if: always() + run: uv run coverage html -d coverage-report + + - name: Upload coverage report + if: always() + uses: actions/upload-artifact@v4 + with: + name: coverage-report + path: coverage-report/ diff --git a/.gitignore b/.gitignore index 5cd8f239..3691eef4 100644 --- a/.gitignore +++ b/.gitignore @@ -55,3 +55,5 @@ smithy-java-core/out # test server *.pid +.coverage +coverage-report/ diff --git a/Makefile b/Makefile index f295452b..256f50b7 100644 --- a/Makefile +++ b/Makefile @@ -20,16 +20,16 @@ format: uv run black src/ test/ uv run ruff check --fix src/ test/ -# Run all tests +# Run all tests with combined coverage test: test-unit test-integration -# Run unit tests +# Run unit tests (creates .coverage report) test-unit: - uv run pytest test/ --ignore=test/integration/ --verbose + uv run pytest test/ --ignore=test/integration/ --verbose --cov=src/s3_encryption --cov-report=term-missing -# Run integration tests +# Run integration tests (appends to .coverage report from test-unit) test-integration: - uv run pytest test/integration/ --verbose + uv run pytest test/integration/ --verbose --cov=src/s3_encryption --cov-append --cov-report=term-missing # Clean up cache files clean: 
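Review bot: The new `Upload coverage report` step in the `.github/workflows/python-integ.yml` hunk references `actions/upload-artifact@v4` by a mutable tag, and patches 2/5 and 3/5 of this series keep the same tag-only style for `actions/checkout`, `actions/setup-python`, `actions/cache` and `aws-actions/configure-aws-credentials`. The same job assumes an AWS IAM role (`role-to-assume` is visible in the context lines of patch 3/5), so whatever code a moved tag resolves to would run alongside those credentials. Pinning each `uses:` to a full commit SHA with the tag as a trailing comment, e.g. `uses: actions/upload-artifact@<full-commit-sha>  # v4`, makes every bump an explicit, reviewable change; the SHA shown is a placeholder to be taken from the upstream release. The job's `permissions:` block is outside the hunk, so whether the token scope is already minimal cannot be confirmed from here.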
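Review bot: In the `Makefile` hunk, `test-integration` now passes `--cov-append`, so running `make test-integration` on its own adds to whatever `.coverage` file an earlier run left behind and the reported total can include stale data. Only `test-unit` starts from a fresh data file, and `test: test-unit test-integration` depends on the prerequisites running in order, which `make -j` does not guarantee. The `clean` recipe is outside the hunk; if it does not already do so, it should remove the coverage output, e.g. `rm -rf .coverage coverage-report/`.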
diff --git a/pyproject.toml b/pyproject.toml index a5ab41ef..93fcbfcf 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -17,6 +17,7 @@ dependencies = [ [project.optional-dependencies] test = [ "pytest>=8.4.1", + "pytest-cov>=6.1.1", ] dev = [ "black>=24.3.0,<27.0.0", @@ -61,3 +62,9 @@ known-first-party = ["s3_encryption"] [tool.ruff.lint.per-file-ignores] "test/**/*.py" = ["D100", "D101", "D102", "D103", "D104", "E501"] "src/s3_encryption/pipelines.py" = ["E501"] + +[tool.coverage.run] +source = ["src/s3_encryption"] + +[tool.coverage.report] +show_missing = true From c623260c7c672786ae60a507075b5d061025a20c Mon Sep 17 00:00:00 2001 From: texastony <5892063+texastony@users.noreply.github.com> Date: Tue, 17 Mar 2026 16:06:52 -0700 Subject: [PATCH 2/5] chore: update actions/checkout to v6, actions/cache to v5, actions/upload-artifact to v7, and actions/setup-python to v6 --- .github/workflows/duvet-test-server.yml | 10 +++++----- .github/workflows/duvet.yml | 2 +- .github/workflows/lint.yml | 4 ++-- .github/workflows/python-integ.yml | 8 ++++---- .github/workflows/test-server.yml | 10 +++++----- 5 files changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/workflows/duvet-test-server.yml b/.github/workflows/duvet-test-server.yml index f8f6e2ac..58ae19a2 100644 --- a/.github/workflows/duvet-test-server.yml +++ b/.github/workflows/duvet-test-server.yml @@ -14,11 +14,11 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@v6 # There are a lot of submodules here # This initializes the checkouts in parallel (--jobs) - # rather than in series the way actions/checkout@v5 does it. + # rather than in series the way actions/checkout@v6 does it. - name: Get CPU count id: cpu-count @@ -42,7 +42,7 @@ jobs: - name: Checkout CPP code cpp-v3 - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: submodules: recursive repository: aws/aws-sdk-cpp 
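Review bot: The `[tool.coverage.run]` table added in the second `pyproject.toml` hunk measures line coverage only, so a conditional whose failure branch is never exercised still counts as fully covered. In an encryption client the unexercised branches are often the error and rejection paths, and the threshold introduced in patch 4/5 is computed on this number. Consider adding `branch = true` under `[tool.coverage.run]`; the total will probably drop, so the threshold would need to be re-baselined in the same change.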
@@ -64,7 +64,7 @@ jobs: - name: Upload duvet reports if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: test-server-reports include-hidden-files: true @@ -95,7 +95,7 @@ jobs: - name: Upload compliance dashboard if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: compliance-dashboard include-hidden-files: true diff --git a/.github/workflows/duvet.yml b/.github/workflows/duvet.yml index eb7b49e2..23bbe45a 100644 --- a/.github/workflows/duvet.yml +++ b/.github/workflows/duvet.yml @@ -32,7 +32,7 @@ jobs: run: make duvet - name: Upload duvet reports - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: reports include-hidden-files: true diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index bb1655bb..b374a9a7 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -12,10 +12,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: '3.11' diff --git a/.github/workflows/python-integ.yml b/.github/workflows/python-integ.yml index 51ff7a0a..e31e049f 100644 --- a/.github/workflows/python-integ.yml +++ b/.github/workflows/python-integ.yml @@ -18,17 +18,17 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: submodules: false - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: ${{ inputs.python-version || '3.11' }} - name: Cache uv dependencies - uses: actions/cache@v4 + uses: actions/cache@v5 with: path: ~/.cache/uv key: ${{ runner.os }}-uv-${{ hashFiles('./test-server/python-v3-server/**/pyproject.toml') }} 
@@ -62,7 +62,7 @@ jobs: - name: Upload coverage report if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: coverage-report path: coverage-report/ diff --git a/.github/workflows/test-server.yml b/.github/workflows/test-server.yml index 80991a99..a1457395 100644 --- a/.github/workflows/test-server.yml +++ b/.github/workflows/test-server.yml @@ -19,14 +19,14 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: submodules: false token: ${{ secrets.PAT_FOR_SPEC }} # There are a lot of submodules here # This initializes the checkouts in parallel (--jobs) - # rather than in series the way actions/checkout@v5 does it. + # rather than in series the way actions/checkout@v6 does it. - name: Get CPU count id: cpu-count @@ -89,7 +89,7 @@ jobs: # Cache Gradle dependencies and build outputs - name: Cache Gradle packages - uses: actions/cache@v4 + uses: actions/cache@v5 with: path: | ~/.gradle/caches @@ -133,7 +133,7 @@ jobs: - name: Upload server logs if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: server-logs path: | @@ -144,7 +144,7 @@ jobs: - name: Upload results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: results path: test-server/java-tests/build/reports/tests/integ From f0b9e1681f4eedd2a02a31945076c675dde8befe Mon Sep 17 00:00:00 2001 From: texastony <5892063+texastony@users.noreply.github.com> Date: Tue, 17 Mar 2026 16:19:52 -0700 Subject: [PATCH 3/5] chore: update aws-actions/configure-aws-credentials to v6 --- .github/workflows/python-integ.yml | 2 +- .github/workflows/test-server.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/python-integ.yml b/.github/workflows/python-integ.yml index e31e049f..0f9d1226 100644 --- a/.github/workflows/python-integ.yml +++ b/.github/workflows/python-integ.yml 
@@ -42,7 +42,7 @@ jobs: run: make install - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@v6 with: role-to-assume: arn:aws:iam::370957321024:role/S3EC-Python-Github-test-role aws-region: us-west-2 diff --git a/.github/workflows/test-server.yml b/.github/workflows/test-server.yml index a1457395..7b26c3fc 100644 --- a/.github/workflows/test-server.yml +++ b/.github/workflows/test-server.yml @@ -100,7 +100,7 @@ jobs: ${{ runner.os }}-gradle- - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@v6 with: role-to-assume: arn:aws:iam::370957321024:role/S3EC-Python-Github-test-role aws-region: us-west-2 From 9cfe4c5efcfe0bd46575e91bbbf936a604dfa224 Mon Sep 17 00:00:00 2001 From: texastony <5892063+texastony@users.noreply.github.com> Date: Thu, 19 Mar 2026 13:01:59 -0700 Subject: [PATCH 4/5] ci: add coverage threshold check (fail-under=93%) --- .github/workflows/python-integ.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/python-integ.yml b/.github/workflows/python-integ.yml index 0f9d1226..e7453a8b 100644 --- a/.github/workflows/python-integ.yml +++ b/.github/workflows/python-integ.yml @@ -66,3 +66,6 @@ jobs: with: name: coverage-report path: coverage-report/ + + - name: Check coverage threshold + run: uv run coverage report --fail-under=93 From 6380e91f127718b563f1989940af996de647e369 Mon Sep 17 00:00:00 2001 From: texastony <5892063+texastony@users.noreply.github.com> Date: Thu, 19 Mar 2026 13:04:57 -0700 Subject: [PATCH 5/5] ci: suggest incrementing coverage threshold when exceeded --- .github/workflows/python-integ.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/python-integ.yml b/.github/workflows/python-integ.yml index e7453a8b..b845e725 100644 --- a/.github/workflows/python-integ.yml +++ b/.github/workflows/python-integ.yml 
@@ -68,4 +68,11 @@ jobs: path: coverage-report/ - name: Check coverage threshold - run: uv run coverage report --fail-under=93 + run: | + THRESHOLD=93 + ACTUAL=$(uv run coverage report --format=total) + echo "Coverage: ${ACTUAL}% (threshold: ${THRESHOLD}%)" + if [ "$ACTUAL" -gt "$THRESHOLD" ]; then + echo "::warning::Coverage is ${ACTUAL}%, consider updating --fail-under to ${ACTUAL} in python-integ.yml" + fi + uv run coverage report --fail-under=$THRESHOLD
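Review bot: The `::warning::` text in the new `run: |` script tells the maintainer to update `--fail-under` in python-integ.yml, but after this change the flag is `--fail-under=$THRESHOLD`, so the value to edit is the `THRESHOLD=93` assignment; the message could read `consider raising THRESHOLD to ${ACTUAL} in python-integ.yml`. `ACTUAL` is also fed to `[ "$ACTUAL" -gt "$THRESHOLD" ]` without a check that it is an integer: if `precision` is ever set under `[tool.coverage.report]`, `--format=total` prints a decimal, the test errors inside the `if`, and the hint is skipped without failing the step. Quoting the final argument as `--fail-under="$THRESHOLD"` would match the quoted uses above it.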