NVIDIA
diff --git a/‎.github/workflows/code-scanning.yml‎
Lines changed: 50 additions & 5 deletions b/‎.github/workflows/code-scanning.yml‎
Lines changed: 50 additions & 5 deletions
diff --git a/‎.github/workflows/coverage-report.yml‎
Lines changed: 202 additions & 0 deletions b/‎.github/workflows/coverage-report.yml‎
Lines changed: 202 additions & 0 deletions
diff --git a/‎.github/workflows/lint-test.yml‎
Lines changed: 0 additions & 94 deletions b/‎.github/workflows/lint-test.yml‎
Lines changed: 0 additions & 94 deletions
@@ -32,8 +32,9 @@ jobs:
   prepare-environment:
     uses: ./.github/workflows/prepare-environment.yml
 
-  analyze:
-    name: Analyze Go code with CodeQL
+  codeql-pr-analysis:
+    if: startsWith(github.ref, 'refs/heads/pull-request/')
+    name: CodeQL PR Analysis
     runs-on: linux-amd64-cpu4
     timeout-minutes: 360
     needs: prepare-environment
@@ -57,16 +58,60 @@ jobs:
         shellcheck-version: ${{ needs.prepare-environment.outputs.shellcheck_version }}
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@v4
       with:
         languages: go
         build-mode: manual
       env:
         CODEQL_EXTRACTOR_GO_BUILD_TRACING: on
-    - shell: bash
+
+    - name: Build with CodeQL
       run: |
         make build-all
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v4
+      with:
+        category: "/language:go"
+
+  codeql-baseline-analysis:
+    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+    name: CodeQL Baseline Analysis
+    runs-on: linux-amd64-cpu4
+    timeout-minutes: 360
+    needs: prepare-environment
+    permissions:
+      security-events: write
+      packages: read
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Setup build environment
+      uses: ./.github/actions/setup-build-env
+      with:
+        go-version: ${{ needs.prepare-environment.outputs.go_version }}
+        python-version: ${{ needs.prepare-environment.outputs.python_version }}
+        poetry-version: ${{ needs.prepare-environment.outputs.poetry_version }}
+        golangci-lint-version: ${{ needs.prepare-environment.outputs.golangci_lint_version }}
+        protobuf-version: ${{ needs.prepare-environment.outputs.protobuf_version }}
+        protoc-gen-go-version: ${{ needs.prepare-environment.outputs.protoc_gen_go_version }}
+        protoc-gen-go-grpc-version: ${{ needs.prepare-environment.outputs.protoc_gen_go_grpc_version }}
+        shellcheck-version: ${{ needs.prepare-environment.outputs.shellcheck_version }}
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v4
+      with:
+        languages: go
+        build-mode: manual
+      env:
+        CODEQL_EXTRACTOR_GO_BUILD_TRACING: on
+
+    - name: Build with CodeQL
+      run: |
+        make build-all
+
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@v4
       with:
         category: "/language:go"
@@ -0,0 +1,202 @@
+# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Coverage Report
+
+on:
+  workflow_run:
+    workflows: ["Lint and Test"]
+    types:
+      - completed
+    branches:
+      - main
+      - "pull-request/[0-9]+"
+
+permissions:
+  contents: read         # Required for checking out code
+  actions: write         # Required for downloading artifacts
+  pull-requests: write   # Required for coverage report comments
+
+env:
+  # Go cache settings (specific to this workflow)
+  GOPATH: /home/runner/go
+  GOCACHE: /home/runner/.cache/go-build
+
+jobs:
+  coverage-report:
+    # Only run on successful completion of lint-test workflow for PR branches
+    if: github.event.workflow_run.conclusion == 'success' && (github.event.workflow_run.event == 'pull_request' || startsWith(github.event.workflow_run.head_branch, 'pull-request/'))
+    runs-on: linux-amd64-cpu4
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.workflow_run.head_sha }}
+
+      - name: Download all coverage artifacts from completed workflow
+        uses: actions/download-artifact@v4
+        with:
+          pattern: "*-results"
+          path: coverage-artifacts
+          merge-multiple: true
+          run-id: ${{ github.event.workflow_run.id }}
+
+      - name: Consolidate coverage files
+        run: |
+          echo "Consolidating coverage files from all components..."
+          mkdir -p consolidated-coverage
+
+          # Find all coverage.txt files and merge them
+          find coverage-artifacts -name "coverage.txt" -type f | while read -r file; do
+            echo "Processing: $file"
+            # Extract the mode line (first line) if it's the first file
+            if [ ! -f consolidated-coverage/coverage.txt ]; then
+              head -n 1 "$file" > consolidated-coverage/coverage.txt
+            fi
+            # Append coverage data (skip mode line)
+            tail -n +2 "$file" >> consolidated-coverage/coverage.txt
+          done
+
+          echo "Consolidated coverage file created:"
+          ls -la consolidated-coverage/
+          head -n 10 consolidated-coverage/coverage.txt
+
+      - name: Upload consolidated coverage
+        uses: actions/upload-artifact@v4
+        with:
+          name: consolidated-code-coverage
+          path: consolidated-coverage/coverage.txt
+          retention-days: 30
+
+      - name: Extract PR number from branch name
+        id: pr-number
+        run: |
+          if [[ "${{ github.event.workflow_run.head_branch }}" =~ pull-request/([0-9]+) ]]; then
+            echo "pr_number=${BASH_REMATCH[1]}" >> $GITHUB_OUTPUT
+          else
+            echo "pr_number=" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: 'stable'
+
+      - name: Install go-coverage-report CLI tool
+        run: go install github.com/fgrosse/go-coverage-report/cmd/go-coverage-report@latest
+
+      - name: Get changed files
+        uses: tj-actions/changed-files@aa08304bd477b800d468db44fe10f6c61f7f7b11
+        id: changed-files
+        with:
+          write_output_files: true
+          json: true
+          files: "**.go"
+          files_ignore: "vendor/**"
+          output_dir: .github/outputs
+
+      - name: Generate Coverage Report with Fixed PR Number
+        run: |
+          # Download current coverage
+          gh run download "${{ github.event.workflow_run.id }}" --name=consolidated-code-coverage --dir=/tmp/current-coverage
+          mv /tmp/current-coverage/coverage.txt .github/outputs/new-coverage.txt
+
+          # Download baseline coverage from main
+          LAST_SUCCESSFUL_RUN=$(gh run list --status=success --branch=main --workflow=lint-test.yml --event=push --json=databaseId --limit=1 -q '.[] | .databaseId')
+
+          if [[ -n "$LAST_SUCCESSFUL_RUN" ]]; then
+            gh run download "$LAST_SUCCESSFUL_RUN" --name=consolidated-code-coverage --dir=/tmp/baseline-coverage 2>/dev/null || true
+            if [[ -f /tmp/baseline-coverage/coverage.txt ]]; then
+              mv /tmp/baseline-coverage/coverage.txt .github/outputs/old-coverage.txt
+            fi
+          fi
+
+          # Generate the report using fgrosse's CLI tool (same format!)
+          go-coverage-report -root=github.com/NVIDIA/nvsentinel \
+            .github/outputs/old-coverage.txt \
+            .github/outputs/new-coverage.txt \
+            .github/outputs/all_modified_files.json > coverage-report.md 2>&1 || true
+
+          # Post comment using our correct PR number (this is the only fix needed!)
+          if [[ -n "${{ steps.pr-number.outputs.pr_number }}" && -f coverage-report.md ]]; then
+            # Check for existing coverage comment
+            EXISTING_COMMENT=$(gh api "repos/${{ github.repository }}/issues/${{ steps.pr-number.outputs.pr_number }}/comments" \
+              --jq '.[] | select(.user.login=="github-actions[bot]" and (.body | test("Coverage Report|Coverage Δ"))) | .id' \
+              | head -1)
+
+            COVERAGE_BODY=$(cat coverage-report.md)
+
+            if [[ -n "$EXISTING_COMMENT" ]]; then
+              echo "Updating existing comment..."
+              gh api "repos/${{ github.repository }}/issues/${{ steps.pr-number.outputs.pr_number }}/comments/$EXISTING_COMMENT" \
+                --method PATCH --field body="$COVERAGE_BODY"
+            else
+              echo "Creating new comment..."
+              gh api "repos/${{ github.repository }}/issues/${{ steps.pr-number.outputs.pr_number }}/comments" \
+                --method POST --field body="$COVERAGE_BODY"
+            fi
+          fi
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        continue-on-error: true  # Don't fail if baseline coverage doesn't exist yet
+
+  coverage-baseline:
+    # Only run on successful completion of lint-test workflow for main branch
+    if: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.head_branch == 'main' && github.event.workflow_run.event == 'push'
+    runs-on: linux-amd64-cpu4
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.workflow_run.head_sha }}
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: 'stable'
+
+      - name: Download all coverage artifacts from completed workflow
+        uses: actions/download-artifact@v4
+        with:
+          pattern: "*-results"
+          path: coverage-artifacts
+          merge-multiple: true
+          run-id: ${{ github.event.workflow_run.id }}
+
+      - name: Consolidate coverage files
+        run: |
+          echo "Consolidating coverage files from all components for baseline..."
+          mkdir -p consolidated-coverage
+
+          # Find all coverage.txt files and merge them
+          find coverage-artifacts -name "coverage.txt" -type f | while read -r file; do
+            echo "Processing: $file"
+            # Extract the mode line (first line) if it's the first file
+            if [ ! -f consolidated-coverage/coverage.txt ]; then
+              head -n 1 "$file" > consolidated-coverage/coverage.txt
+            fi
+            # Append coverage data (skip mode line)
+            tail -n +2 "$file" >> consolidated-coverage/coverage.txt
+          done
+
+          echo "Baseline coverage file created:"
+          ls -la consolidated-coverage/
+          echo "Total coverage lines: $(wc -l < consolidated-coverage/coverage.txt)"
+
+      - name: Upload consolidated coverage baseline
+        uses: actions/upload-artifact@v4
+        with:
+          name: consolidated-code-coverage
+          path: consolidated-coverage/coverage.txt
+          retention-days: 90  # Keep baseline longer
@@ -30,7 +30,6 @@ concurrency:
 permissions:
   contents: read         # Required for checking out code
   actions: write         # Required for uploading test artifacts
-  pull-requests: write   # Required for coverage report comments
 
 env:
   # Go cache settings (specific to this workflow)
@@ -170,96 +169,3 @@ jobs:
             ${{ matrix.component }}/coverage.txt
             ${{ matrix.component }}/report.xml
 
-  consolidated-coverage-report:
-    if: github.event_name == 'pull_request' || startsWith(github.ref, 'refs/heads/pull-request/')
-    runs-on: linux-amd64-cpu4
-    timeout-minutes: 15
-    needs: [health-monitors-lint-test, modules-lint-test]
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Download all coverage artifacts
-        uses: actions/download-artifact@v4
-        with:
-          pattern: "*-results"
-          path: coverage-artifacts
-          merge-multiple: true
-
-      - name: Consolidate coverage files
-        run: |
-          echo "Consolidating coverage files from all components..."
-          mkdir -p consolidated-coverage
-
-          # Find all coverage.txt files and merge them
-          find coverage-artifacts -name "coverage.txt" -type f | while read -r file; do
-            echo "Processing: $file"
-            # Extract the mode line (first line) if it's the first file
-            if [ ! -f consolidated-coverage/coverage.txt ]; then
-              head -n 1 "$file" > consolidated-coverage/coverage.txt
-            fi
-            # Append coverage data (skip mode line)
-            tail -n +2 "$file" >> consolidated-coverage/coverage.txt
-          done
-
-          echo "Consolidated coverage file created:"
-          ls -la consolidated-coverage/
-          head -n 10 consolidated-coverage/coverage.txt
-
-      - name: Upload consolidated coverage
-        uses: actions/upload-artifact@v4
-        with:
-          name: consolidated-code-coverage
-          path: consolidated-coverage/coverage.txt
-          retention-days: 30
-
-      - name: Generate Go Coverage Report
-        uses: fgrosse/go-coverage-report@8c1d1a09864211d258937b1b1a5b849f7e4f2682 # v1.2.0
-        with:
-          coverage-artifact-name: "consolidated-code-coverage"
-          coverage-file-name: "coverage.txt"
-          root-package: "github.com/NVIDIA/nvsentinel"
-          skip-comment: false
-        continue-on-error: true  # Don't fail if baseline coverage doesn't exist yet
-
-  consolidated-coverage-baseline:
-    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
-    runs-on: linux-amd64-cpu4
-    timeout-minutes: 15
-    needs: [health-monitors-lint-test, modules-lint-test]
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Download all coverage artifacts
-        uses: actions/download-artifact@v4
-        with:
-          pattern: "*-results"
-          path: coverage-artifacts
-          merge-multiple: true
-
-      - name: Consolidate coverage files
-        run: |
-          echo "Consolidating coverage files from all components for baseline..."
-          mkdir -p consolidated-coverage
-
-          # Find all coverage.txt files and merge them
-          find coverage-artifacts -name "coverage.txt" -type f | while read -r file; do
-            echo "Processing: $file"
-            # Extract the mode line (first line) if it's the first file
-            if [ ! -f consolidated-coverage/coverage.txt ]; then
-              head -n 1 "$file" > consolidated-coverage/coverage.txt
-            fi
-            # Append coverage data (skip mode line)
-            tail -n +2 "$file" >> consolidated-coverage/coverage.txt
-          done
-
-          echo "Baseline coverage file created:"
-          ls -la consolidated-coverage/
-          echo "Total coverage lines: $(wc -l < consolidated-coverage/coverage.txt)"
-
-      - name: Upload consolidated coverage baseline
-        uses: actions/upload-artifact@v4
-        with:
-          name: consolidated-code-coverage
-          path: consolidated-coverage/coverage.txt
-          retention-days: 90  # Keep baseline longer
-