fix: switch Codecov to OIDC auth and add unit-tests flag#2376
Conversation
Reviewer's guide (collapsed on small PRs)Reviewer's GuideUpdates the Codecov GitHub Actions workflow to authenticate via GitHub OIDC instead of a secret token and configures additional Codecov upload options for unit-test coverage reporting and CI robustness. Sequence diagram for Codecov upload using GitHub OIDCsequenceDiagram
actor Developer
participant GitHubActions_ci as GitHubActions_ci_job
participant GitHubOIDC as GitHub_OIDC_Provider
participant Codecov as Codecov
Developer->>GitHubActions_ci: push/PR triggers codecov workflow
GitHubActions_ci->>GitHubOIDC: request_id_token (permissions id-token: write)
GitHubOIDC-->>GitHubActions_ci: id_token
GitHubActions_ci->>Codecov: codecov-action@v5 use_oidc true
GitHubActions_ci->>Codecov: upload coverage files codecov.json
GitHubActions_ci->>Codecov: set flag unit-tests
GitHubActions_ci->>GitHubActions_ci: handle fail_ci_if_error false
File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
There was a problem hiding this comment.
Hey - I've left some high level feedback:
- Setting
fail_ci_if_error: falsewill silently ignore persistent Codecov upload issues; consider keeping ittrueand handling known transient failures via a separate retry or monitoring mechanism. - The
files: codecov.jsonconfiguration assumes a fixed report path; if the report location changes (e.g., per-package or matrix jobs), consider parameterizing this or using a glob to avoid brittle coupling.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- Setting `fail_ci_if_error: false` will silently ignore persistent Codecov upload issues; consider keeping it `true` and handling known transient failures via a separate retry or monitoring mechanism.
- The `files: codecov.json` configuration assumes a fixed report path; if the report location changes (e.g., per-package or matrix jobs), consider parameterizing this or using a glob to avoid brittle coupling.Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
|
To my understanding |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #2376 +/- ##
==========================================
+ Coverage 70.90% 71.39% +0.48%
==========================================
Files 442 441 -1
Lines 25369 26747 +1378
Branches 25369 26747 +1378
==========================================
+ Hits 17987 19095 +1108
- Misses 6400 6531 +131
- Partials 982 1121 +139
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Per review feedback on guacsec/trustify#2376 — keep CI failing on Codecov upload errors so broken coverage is caught immediately. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Per review feedback on guacsec/trustify#2376 — keep CI failing on Codecov upload errors so broken coverage is caught immediately. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Per review feedback on guacsec/trustify#2376 — keep CI failing on Codecov upload errors so broken coverage is caught immediately. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Per review feedback on guacsec/trustify#2376 — keep CI failing on Codecov upload errors so broken coverage is caught immediately. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Switch from token-based auth to OIDC (more secure, no secret needed) - Add flags: unit-tests for proper coverage categorization - Add files: codecov.json to explicitly specify coverage file - Add permissions: id-token: write required for OIDC Ref: COVERPORT-251 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
9affca0 to
3e3e1ca
Compare
Summary
CODECOV_TOKENsecret needed)flags: unit-testsfor proper coverage categorization in Codecov UIfiles: codecov.jsonto explicitly specify the coverage report filepermissions: id-token: write(required for GitHub OIDC token)fail_ci_if_error: falseto prevent CI failures on transient upload issuesWhy
OIDC is the recommended authentication method for public GitHub repos on app.codecov.io — it eliminates the need to manage
CODECOV_TOKENsecrets. Adding theunit-testsflag enables flag analytics in Codecov, making it possible to separate unit test coverage from future e2e coverage.Manual follow-up
After merging, enable flag analytics in the Codecov UI:
Verification
unit-testsflag appears in Codecov Flags tabRef: COVERPORT-251
Summary by Sourcery
Switch Codecov coverage upload in the CI workflow to use OIDC authentication and improve coverage reporting configuration.
Enhancements: