Skip to content

Split test-with-coverage.yml workflow in two pieces: ci-pr (untrusted… #1229

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jrosental merged 11 commits into from
Feb 5, 2026
Merged

Split test-with-coverage.yml workflow in two pieces: ci-pr (untrusted… #1229

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
57efb96
Split test-with-coverage.yml workflow in two pieces: ci-pr (untrusted…
jrosental Jan 19, 2026
9fbfc40
Changing actions/upload-artifact to v6.
jrosental Jan 21, 2026
3b45ae6
Add github-token parameter to download artifact step
jrosental Jan 21, 2026
8f8944b
Update coverage.txt path
jrosental Jan 22, 2026
b6df27c
fix name of workflow
jrosental Jan 22, 2026
996affd
change name of workflow
jrosental Jan 22, 2026
425d194
fix typo in upload path to codecov
jrosental Jan 23, 2026
182ee22
Change path for uploading coverage.txt artifact
jrosental Jan 28, 2026
48feb6c
Add flags: unittests option
jrosental Jan 28, 2026
389bc30
Remove trailing spaces
jrosental Jan 29, 2026
badc443
bump download-artifact action version to v7
jrosental Jan 29, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
57 changes: 25 additions & 32 deletions .github/workflows/test-with-coverage.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,45 +1,38 @@
name: ci-build
name: test-with-coverage
on:
pull_request:
branches: [ master ]
push:
branches:
- master
tags-ignore:
- '*.*'
pull_request_target:
types: [ opened, synchronize, reopened, ready_for_review ]
branches:
- master
- '*.*'

jobs:
test-with-coverage:
name: Test with Coverage
test:
runs-on: ubuntu-24.04

steps:
- name: Checkout code
uses: actions/checkout@v6
with:
ref: ${{github.event.pull_request.head.ref}}
repository: ${{github.event.pull_request.head.repo.full_name}}
fetch-depth: 0
- name: Checkout PR code
uses: actions/checkout@v6
with:
fetch-depth: 0

- name: Install Go
uses: actions/setup-go@v6
with:
go-version-file: go.mod
- name: Install Go
uses: actions/setup-go@v6
with:
go-version-file: go.mod

- name: generate
run: |
make generate
- name: generate
run: |
make generate

- name: Test
run: |
make test-with-coverage
- name: Test
run: |
make test-with-coverage

- name: Upload code coverage
uses: codecov/codecov-action@v5
with:
token: ${{ secrets.CODECOV_TOKEN }}
files: ./build/_output/coverage/coverage.txt
flags: unittests # optional
fail_ci_if_error: true # optional (default = false)
verbose: true # optional (default = false)
- name: Upload coverage artifact
uses: actions/upload-artifact@v4
Copy link
Copy Markdown
Contributor

@MatousJobanek MatousJobanek Jan 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

codeready-toolchain/registration-service@468f6e9

Suggested change
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v6

with:
name: coverage
path: ./build/_output/coverage/coverage.txt
30 changes: 30 additions & 0 deletions .github/workflows/upload-coverage.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
name: upload-coverage
on:
workflow_run:
workflows: [ test-with-coverage ]
types: [ completed ]

jobs:
upload-coverage:
if: >
github.event.workflow_run.conclusion == 'success'
runs-on: ubuntu-24.04

steps:
- name: Download coverage artifact
uses: actions/download-artifact@v7
with:
name: coverage
github-token: ${{ secrets.GITHUB_TOKEN }}
run-id: ${{ github.event.workflow_run.id }}
Comment thread
coderabbitai[bot] marked this conversation as resolved.

- name: Upload to Codecov
uses: codecov/codecov-action@v5
with:
token: ${{ secrets.CODECOV_TOKEN }}
# The 'files' attribute consists of 'coverage/coverage.txt'.
# The 'coverage' directory is created upon the download of the coverage artifact from previous step (it creates a directory with the name of the artifact).
files: coverage/coverage.txt
flags: unittests # optional
fail_ci_if_error: true
Comment on lines +21 to +29
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Jan 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

codecov-action v5 workflow_run github actions context commit SHA

💡 Result:

When your upload job runs on on: workflow_run, github.sha / GITHUB_SHA is not the triggering commit—it’s the latest commit on the default branch for that event type. [1]

To get the commit SHA that the triggering workflow actually ran for, use the workflow_run payload:

  • Triggering commit SHA: ${{ github.event.workflow_run.head_sha }} [2]
  • Triggering branch: ${{ github.event.workflow_run.head_branch }} [2]

For codecov/codecov-action@v5, make sure you check out that exact SHA (Codecov requires actions/checkout first). [3]

on:
  workflow_run:
    workflows: ["CI"]
    types: [completed]

jobs:
  codecov:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.workflow_run.head_sha }}

      - uses: codecov/codecov-action@v5
        with:
          token: ${{ secrets.CODECOV_TOKEN }}

Sources: GitHub Actions workflow_run event behavior [1], workflow run fields (head_sha, head_branch) [2], Codecov Action v5 requirement to run actions/checkout before upload [3].

🏁 Script executed:

cat .github/workflows/upload-coverage.yml

Repository: codeready-toolchain/host-operator

Length of output: 763

Add actions/checkout with the correct ref before uploading to Codecov.

When using workflow_run triggers, github.sha refers to the default branch commit, not the PR head commit. codecov/codecov-action@v5 requires actions/checkout to run first with the triggering workflow's commit SHA to properly associate coverage reports:

Required fix 
    steps:
      - name: Download coverage artifact
        uses: actions/download-artifact@v4
        with:
          name: coverage
          github-token: ${{ secrets.GITHUB_TOKEN }}
          run-id: ${{ github.event.workflow_run.id }}

+     - name: Checkout triggering workflow commit
+       uses: actions/checkout@v4
+       with:
+         ref: ${{ github.event.workflow_run.head_sha }}

      - name: Upload to Codecov
        uses: codecov/codecov-action@v5
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          files: build/_output/coverage/coverage.txt
          fail_ci_if_error: true
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Upload to Codecov
uses: codecov/codecov-action@v5
with:
token: ${{ secrets.CODECOV_TOKEN }}
files: build/_output/coverage/coverage.txt
fail_ci_if_error: true
steps:
- name: Download coverage artifact
uses: actions/download-artifact@v4
with:
name: coverage
github-token: ${{ secrets.GITHUB_TOKEN }}
run-id: ${{ github.event.workflow_run.id }}
- name: Checkout triggering workflow commit
uses: actions/checkout@v4
with:
ref: ${{ github.event.workflow_run.head_sha }}
- name: Upload to Codecov
uses: codecov/codecov-action@v5
with:
token: ${{ secrets.CODECOV_TOKEN }}
files: build/_output/coverage/coverage.txt
fail_ci_if_error: true
🤖 Prompt for AI Agents 
In @.github/workflows/upload-coverage.yml around lines 21 - 26, Add an explicit
checkout step before the codecov upload: run actions/checkout (e.g.,
actions/checkout@v4) and set the ref to the triggering workflow's commit SHA
(use github.event.workflow_run.head_commit.id or
github.event.workflow_run.head_commit.sha) with fetch-depth: 0 so the repo is
checked out at the PR head commit; place this checkout step before the existing
codecov/codecov-action@v5 step to ensure the uploaded coverage is associated
with the correct commit.

verbose: true