Add code coverage tracking and enforce 90% minimum #25
Merged
Add @vitest/coverage-v8 with 90% thresholds on statements, branches, functions, and lines. Coverage enforcement runs in both pre-commit hooks and CI, with coverage-final.json uploaded as a GitHub Actions artifact. Added 21 new tests (34 -> 55) to achieve 100% coverage across all metrics for main.ts, service_worker.ts, and utils.ts.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Jared Scott <jared.scott@variable.team>
Add a coverage-report workflow that triggers after CI completes on PRs. It downloads coverage artifacts from both the PR and master branches, compares them, and posts a markdown summary as a PR comment showing overall coverage delta and per-file coverage for changed files.
Changes:
- ci.yml: trigger on push to master, upload coverage-main artifact
- coverage-report.yml: new workflow_run-triggered reporter
- scripts/coverage-report.cjs: coverage comparison and report generation
- src/coverage-report.spec.ts: 29 tests for the report script
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Jared Scott <jared.scott@variable.team>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Jared Scott <jared.scott@variable.team>
- Checkout default branch instead of PR head to prevent untrusted code execution in a privileged workflow_run context
- Move attacker-controllable values (head_branch, head_owner) to env variables to prevent shell injection via crafted branch names
- Replace tj-actions/changed-files with gh pr diff API call to avoid needing PR code checkout
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Jared Scott <jared.scott@variable.team>
Move steps.pr.outputs.number and steps.changed.outputs.files from
direct ${{ }} interpolation in run: blocks to env: variables,
preventing potential shell injection via attacker-controlled values.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Jared Scott <jared.scott@variable.team>
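The hardening described in the two commits above (moving `workflow_run` values and step outputs out of `${{ }}` interpolation in `run:` blocks and into `env:`) is a pattern a repository can check for mechanically. The following is an added example, not code from this PR or its repository: a small line-based scanner that reports every Actions expression found inside a `run:` step, run against a constructed "before" snippet using the same `head_branch` and `pull_requests[0].number` context values the PR mentions, and against the hardened form of the same step. The function name `findRunInterpolations` and both workflow snippets are assumptions made for the example.

```javascript
// Added example (not code from the PR): a small check that flags GitHub Actions
// expression interpolation (${{ ... }}) inside `run:` shell blocks, the pattern
// this PR removed from coverage-report.yml. It is line-based rather than a full
// YAML parse so it runs without dependencies; both workflow snippets are constructed.

const EXPR_RE = /\$\{\{[^}]*\}\}/g;

// Scan workflow text and return every ${{ }} expression found inside a run: step,
// with its 1-based line number. Expressions under env: are not reported: that is
// where the hardened workflow puts them, so the shell only ever sees a variable.
function findRunInterpolations(yamlText) {
  const findings = [];
  let inRun = false;   // inside a `run: |` / `run: >` block scalar
  let runIndent = -1;  // column of the `run` key; deeper lines belong to it
  yamlText.split("\n").forEach((raw, idx) => {
    const indent = raw.search(/\S|$/);
    const trimmed = raw.trim();
    if (inRun) {
      if (trimmed !== "" && indent <= runIndent) {
        inRun = false; // back at the key's level: the block scalar has ended
      } else {
        for (const m of trimmed.matchAll(EXPR_RE)) findings.push({ line: idx + 1, expr: m[0] });
        return;
      }
    }
    const run = /^(-\s+)?run:\s*(.*)$/.exec(trimmed);
    if (!run) return;
    runIndent = indent + (run[1] ? run[1].length : 0);
    const value = run[2];
    if (value.startsWith("|") || value.startsWith(">")) {
      inRun = true; // a multi-line script follows on the next lines
    } else {
      for (const m of value.matchAll(EXPR_RE)) findings.push({ line: idx + 1, expr: m[0] });
    }
  });
  return findings;
}

// Before (constructed): workflow_run values, which a PR author controls,
// interpolated straight into the script text that the shell parses.
const UNSAFE_WORKFLOW = [
  "jobs:",
  "  report:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - name: Comment on PR",
  "        run: |",
  '          gh pr comment "${{ github.event.workflow_run.pull_requests[0].number }}" \\',
  '            --body "Coverage for ${{ github.event.workflow_run.head_branch }}"',
].join("\n");

// After (constructed): the same values reach the shell only as environment
// variables, so a crafted branch name is data, not script.
const HARDENED_WORKFLOW = [
  "jobs:",
  "  report:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - name: Comment on PR",
  "        env:",
  "          PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}",
  "          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}",
  "        run: |",
  '          gh pr comment "$PR_NUMBER" --body "Coverage for $HEAD_BRANCH"',
].join("\n");

for (const [name, text] of [["unsafe", UNSAFE_WORKFLOW], ["hardened", HARDENED_WORKFLOW]]) {
  const hits = findRunInterpolations(text);
  console.log(`${name}: ${hits.length} expression(s) inside run: blocks`, hits);
}
```

The scan reports two findings for the first snippet (lines 7 and 8) and none for the second, even though the second still contains the same two expressions: they sit under `env:`, which is exactly the distinction the PR's hardening relies on.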
PR checklist
What type of PR is this?
Test / CI enhancement
What this PR does / why we need it:
Adds code coverage tracking, enforcement, and PR reporting to the repository without relying on third-party web services:
Coverage enforcement
- `@vitest/coverage-v8` as the coverage provider, with 90% thresholds in `vitest.config.ts`
- `test:coverage` and `test:coverage:summary` scripts added to `package.json`
- Pre-commit hook runs `pnpm test:coverage` (blocks commits below 90%)
- `coverage-final.json` uploaded as a GitHub Actions artifact
Coverage report workflow
- `coverage-report.yml` workflow that triggers after CI completes on PRs
- `scripts/coverage-report.cjs` to compare coverage and generate a markdown report
- CI also runs on push to `master` to maintain a baseline coverage artifact
Workflow security hardening
- Checkout of the default branch instead of the PR head, so a PR cannot modify `scripts/coverage-report.cjs` to exfiltrate secrets via the `pull-requests: write` permission
- `workflow_run` context values (`head_branch`, `head_repository.owner.login`, `pull_requests[0].number`) moved into `env:` variables to prevent shell injection via crafted branch names
- Step outputs (`steps.pr.outputs.number`, `steps.changed.outputs.files`) passed through `env:` variables instead of direct `${{ }}` interpolation in `run:` blocks
- `tj-actions/changed-files` replaced with `gh pr diff --name-only` via the GitHub API, eliminating the need to check out untrusted PR code
Test improvements
- Tests for `main.ts` and `service_worker.ts` covering all branches, functions, and error paths
- Tests for `scripts/coverage-report.cjs` (unit tests for each function + CLI integration tests)
- `coverage/` added to `.gitignore` and biome ignore list
Which issue(s) this PR fixes:
N/A - new quality enforcement
Special notes for your reviewer:
Coverage results after this change:
The 90% threshold is enforced in both pre-commit hooks and CI. The coverage report workflow pattern is adapted from other OSS repositories, simplified for a frontend-only repository with the report script written in JavaScript (not Python) to match the project tech stack and enable Vitest testing.
The `coverage-report.yml` workflow follows the GitHub Security Lab guidance for safe `workflow_run` usage: no untrusted code checkout, no expression injection in shell contexts, and all external inputs sanitized through environment variables.
Does this PR introduce a user-facing change?:
NONE
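The PR describes a report script that reads two coverage artifacts (master and PR), computes the overall delta and per-file coverage for changed files, and renders a markdown summary, alongside a 90% threshold on statements, branches, functions, and lines. As an added example, not the PR's own `scripts/coverage-report.cjs`, the block below implements that comparison over Istanbul-format `coverage-final.json` data (the format `@vitest/coverage-v8` emits: per-file `statementMap`, `s`, `f`, `b` maps). The function names, the `THRESHOLD` constant, the `mkEntry` helper and both coverage objects are assumptions constructed for the example; a real run would load the two downloaded artifacts instead.

```javascript
// Added example, not the PR's scripts/coverage-report.cjs: summarise two
// Istanbul-format coverage-final.json objects (base and PR), compute the overall
// delta and per-file coverage for changed files, and render the markdown table
// such a bot would post. All coverage data below is constructed.

const THRESHOLD = 90; // the minimum the PR enforces on every metric (assumed name)
const METRICS = ["statements", "branches", "functions", "lines"];

// Count covered/total for one file's Istanbul entry. `s` and `f` map id -> hits,
// `b` maps branch id -> array of hits per path; lines are derived from statementMap.
function fileTotals(entry) {
  const count = (hits) => {
    const values = Object.values(hits);
    return { covered: values.filter((h) => h > 0).length, total: values.length };
  };
  const lineHits = {};
  for (const [id, loc] of Object.entries(entry.statementMap)) {
    const line = loc.start.line;
    lineHits[line] = (lineHits[line] || 0) + (entry.s[id] || 0);
  }
  return {
    statements: count(entry.s),
    branches: count(Object.values(entry.b).flat()),
    functions: count(entry.f),
    lines: count(lineHits),
  };
}

// Percentage of a {covered, total}; an empty metric counts as fully covered.
function pct(c) {
  return c.total === 0 ? 100 : (100 * c.covered) / c.total;
}

// Aggregate every file in a coverage-final.json object into one set of percentages.
function summarize(coverage) {
  const acc = Object.fromEntries(METRICS.map((m) => [m, { covered: 0, total: 0 }]));
  for (const entry of Object.values(coverage)) {
    const t = fileTotals(entry);
    for (const m of METRICS) {
      acc[m].covered += t[m].covered;
      acc[m].total += t[m].total;
    }
  }
  return Object.fromEntries(METRICS.map((m) => [m, pct(acc[m])]));
}

// Metrics under the enforced threshold, i.e. what would fail the coverage gate.
function belowThreshold(summary, threshold = THRESHOLD) {
  return METRICS.filter((m) => summary[m] < threshold);
}

// Build the markdown report: overall delta plus one row per changed file.
function buildReport(baseCov, headCov, changedFiles) {
  const base = summarize(baseCov);
  const head = summarize(headCov);
  const fmt = (n) => `${n.toFixed(2)}%`;
  const delta = (n) => `${n >= 0 ? "+" : ""}${n.toFixed(2)}`;
  const out = ["## Coverage report", "", "| Metric | master | PR | Delta |", "|---|---|---|---|"];
  for (const m of METRICS) out.push(`| ${m} | ${fmt(base[m])} | ${fmt(head[m])} | ${delta(head[m] - base[m])} |`);
  out.push("", "### Changed files", "", "| File | Statements | Branches | Functions | Lines |", "|---|---|---|---|---|");
  for (const file of changedFiles) {
    const entry = headCov[file];
    if (!entry) { out.push(`| ${file} | n/a | n/a | n/a | n/a |`); continue; } // deleted or not instrumented
    const t = fileTotals(entry);
    out.push(`| ${file} | ${METRICS.map((m) => fmt(pct(t[m]))).join(" | ")} |`);
  }
  return out.join("\n");
}

// Constructed Istanbul-style entries: statement i starts on line i+1.
function mkEntry(s, f, b) {
  return {
    statementMap: Object.fromEntries(s.map((_, i) => [i, { start: { line: i + 1 } }])),
    s: Object.fromEntries(s.map((h, i) => [i, h])),
    f: Object.fromEntries(f.map((h, i) => [i, h])),
    b: Object.fromEntries(b.map((h, i) => [i, h])),
  };
}
const BASE_COVERAGE = { "src/utils.ts": mkEntry([1, 1, 1, 0], [1, 0], [[1, 0]]) };
const HEAD_COVERAGE = {
  "src/utils.ts": mkEntry([1, 1, 1, 1], [1, 1], [[1, 1]]),
  "src/main.ts": mkEntry([1, 1, 0, 0, 0], [1, 0], [[1, 0], [0, 0]]),
};

console.log(buildReport(BASE_COVERAGE, HEAD_COVERAGE, ["src/main.ts", "src/removed.ts"]));
console.log("below threshold:", belowThreshold(summarize(HEAD_COVERAGE)));
```

With the constructed data the PR side lands at 66.67% statements against 75.00% on master, so the table shows a negative delta even though `src/utils.ts` itself went to 100%: the newly added `src/main.ts` drags the total down, which is the case where a per-file breakdown for changed files is more useful than the overall number.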