ci: onboard codecov #74

Open
rsoaresd wants to merge 1 commit into codeready-toolchain:master from rsoaresd:onboard_codecov

Conversation

rsoaresd (Contributor) commented Jun 1, 2026

Description

Onboard CodeCov (action item from the Agentic Readiness discussion)

Summary by CodeRabbit

  • Chores
    • Updated Codecov configuration to refine reporting, thresholds, ignore rules, formatting, and PR comment behavior.
    • Added CI step to publish test coverage as an artifact and a follow-up workflow to upload coverage to Codecov after successful CI runs.
    • Ignored generated build output from version control.
    • Enhanced task automation to create output/coverage directories and generate a coverage report from tests.

coderabbitai Bot commented Jun 1, 2026

Walkthrough

Adds test coverage generation and directories to Taskfile, uploads the coverage report as a CI artifact, introduces a workflow that downloads that artifact and uploads it to Codecov, and adds a .codecov.yaml configuration.

Changes

Code Coverage and Reporting

  • Test coverage instrumentation (taskfile.yaml): Adds OUT_DIR/COV_DIR vars and an ensure-dirs task, and updates test to create the coverage dir, remove any prior coverage.txt, and run go test ./internal/... -coverprofile={{.COV_DIR}}/coverage.txt -covermode=atomic.
  • Coverage artifact capture and ignore (.github/workflows/ci.yml, .gitignore): The CI test job now uploads build/_output/coverage/coverage.txt as an artifact named coverage; .gitignore adds build/_output/**.
  • Codecov upload and configuration (.github/workflows/upload-coverage.yml, .codecov.yaml): The new upload-coverage workflow downloads the coverage artifact from the completed ci run and uploads coverage/coverage.txt to Codecov (uses secrets.CODECOV_TOKEN, verbose, fail-on-error); .codecov.yaml configures status checks, thresholds, ignored paths, coverage formatting, and PR comment behavior.

🎯 2 (Simple) | ⏱️ ~10 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Developer
  participant GitHubActions_CI as CI
  participant ArtifactStore
  participant UploadWorkflow
  participant Codecov
  Developer->>CI: trigger `ci` (runs `task test` producing `build/_output/coverage/coverage.txt`)
  CI->>ArtifactStore: upload artifact `coverage` (coverage.txt)
  UploadWorkflow->>ArtifactStore: download artifact from triggering run id
  UploadWorkflow->>Codecov: upload `coverage/coverage.txt` (uses secrets.CODECOV_TOKEN)
  Codecov-->>UploadWorkflow: respond with upload result

Suggested Labels

ci

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'ci: onboard codecov' directly and concisely describes the main change: integrating Codecov into the CI pipeline, which matches the PR's primary objective and all modifications across configuration files and workflows.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.



@coderabbitai coderabbitai Bot added the ci Add or update CI/CD configuration label Jun 1, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Line 33: Replace the floating tag for the GitHub Action by pinning
actions/upload-artifact@v7 to a specific full commit SHA: locate the workflow
step that currently references "uses: actions/upload-artifact@v7" and change it
to use the action at a full commit SHA (e.g.,
actions/upload-artifact@<full-commit-sha>); obtain the SHA from the
upload-artifact repository commit history or the action's release page and
update the workflow to use that exact SHA to hard-pin the dependency.

In @.github/workflows/upload-coverage.yml:
- Line 15: The workflow currently references mutable tags for actions
(actions/download-artifact@v8 and codecov/codecov-action@v6); replace these
tag-based pins with the corresponding immutable commit SHAs for those actions to
ensure supply-chain integrity: find the uses of "actions/download-artifact@v8"
and "codecov/codecov-action@v6" in the upload-coverage.yml and update each to
the full commit SHA (e.g., actions/download-artifact@<full-sha> and
codecov/codecov-action@<full-sha>) obtained from the respective action
repositories' commit history, then run a quick workflow lint or dry run to
validate the YAML.
- Around line 9-10: The workflow currently only checks
github.event.workflow_run.conclusion and may run on forked workflow_run events;
update the if condition to also require the run came from the same repository
(e.g., require github.event.workflow_run.head_repository.full_name ==
github.repository) so secrets like CODECOV_TOKEN are not exposed to
fork-triggered runs, and replace the action references
actions/download-artifact@v8 and codecov/codecov-action@v6 with their SHA-pinned
commits (use the specific commit SHAs for those two actions in the
upload-coverage.yml job step definitions) so the workflow uses exact action
revisions.

In `@taskfile.yaml`:
- Line 6: The file contains a hardcoded secret under the key CODECOV_TOKEN;
remove the literal value and change the usage to read the token from
environment/CI secrets instead (replace the hardcoded "d85bfa60-..." in the
taskfile.yaml entry for CODECOV_TOKEN with an environment variable reference and
ensure the CI pipeline sets CODECOV_TOKEN as a secret); update any docs or CI
config to define the secret in the pipeline/secret store and verify code that
reads CODECOV_TOKEN (e.g., the taskfile.yaml entry) will fall back or fail
clearly if the env var is missing.
- Around line 38-56: The task target that uploads Codecov
(upload-codecov-report) currently prints env (the "- env" step) and uses
curl|bash plus a hardcoded {{.CODECOV_TOKEN}}, which leaks secrets and is
unsafe; remove the "- env" dump, stop using bash <(curl ...) and instead source
CODECOV_TOKEN from environment/Task/CI secrets (do not inline the token), and
replace the curl-to-bash invocation with a safe, pinned uploader strategy
consistent with GitHub CI (e.g., call the official codecov uploader binary from
a verified package or invoke codecov/codecov-action@v6 equivalent in Task by
running the pinned action or the downloaded, checksummed CLI), updating the
upload block in upload-codecov-report to use {{.COV_DIR}}/coverage.txt and the
appropriate commit variable ({{.PR_COMMIT}} or {{.BASE_COMMIT}}) without echoing
env or exposing secrets.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: ddbe1f9e-a3e9-46a4-a7f9-786dce65253e

📥 Commits

Reviewing files that changed from the base of the PR and between 9e576fc and b8d3369.

📒 Files selected for processing (5)
  • .codecov.yaml
  • .github/workflows/ci.yml
  • .github/workflows/upload-coverage.yml
  • .gitignore
  • taskfile.yaml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: Lint
  • GitHub Check: Build Image
  • GitHub Check: Test
  • GitHub Check: govulncheck
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

  • taskfile.yaml
🪛 Betterleaks (1.3.1)
taskfile.yaml

[high] 6-6: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🪛 zizmor (1.25.2)
.github/workflows/upload-coverage.yml

[error] 2-5: use of fundamentally insecure workflow trigger (dangerous-triggers): workflow_run is almost always used insecurely

(dangerous-triggers)


[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 22-22: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

.github/workflows/ci.yml

[error] 33-33: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🔀 Multi-repo context codeready-toolchain/api, codeready-toolchain/toolchain-common, codeready-toolchain/host-operator, codeready-toolchain/toolchain-e2e

codeready-toolchain/api

  • Codecov config present: .codecov.yaml [::codeready-toolchain/api::.codecov.yaml]
  • Make targets and coverage paths:
    • OUT_DIR ./build/_output defined in make/out.mk [::codeready-toolchain/api::make/out.mk:4]
    • COV_DIR = $(OUT_DIR)/coverage and go test writes $(COV_DIR)/coverage.txt in make/test.mk [::codeready-toolchain/api::make/test.mk:21,27-29]
    • upload-codecov-report target calls bash <(curl -s https://codecov.io/bash) -f $(COV_DIR)/coverage.txt [::codeready-toolchain/api::make/test.mk:31-45]
  • .gitignore ignores build/_output and coverage.txt [::codeready-toolchain/api::.gitignore:17,?]
  • A YAML lint include references /.codecov.yaml [::codeready-toolchain/api::.yamllint:3]

codeready-toolchain/toolchain-common

  • Coverage integration already present:
    • OUT_DIR ./out and COV_DIR = $(OUT_DIR)/coverage defined in make/out.mk / make/test.mk [::codeready-toolchain/toolchain-common::make/out.mk:4,::codeready-toolchain/toolchain-common::make/test.mk:13,19]
    • test-ci/test-with-coverage flow and upload-codecov-report that posts $(COV_DIR)/coverage.txt [::codeready-toolchain/toolchain-common::make/test.mk:8-13,21-36]
  • GH Actions upload workflow exists: .github/workflows/upload-coverage.yml uses codecov/codecov-action@v6 and files: coverage/coverage.txt [::codeready-toolchain/toolchain-common::.github/workflows/upload-coverage.yml:1,22,27]
  • sonar config expects out/coverage/coverage.txt [::codeready-toolchain/toolchain-common::sonar-project.properties:19]
  • README badge referencing Codecov [::codeready-toolchain/toolchain-common::README.adoc:5]
  • codecov.yaml present (repo-specific config) [::codeready-toolchain/toolchain-common::codecov.yaml:1]

codeready-toolchain/host-operator

  • Coverage integration and upload target:
    • OUT_DIR ./build/_output and COV_DIR = $(OUT_DIR)/coverage; go test writes $(COV_DIR)/coverage.txt [::codeready-toolchain/host-operator::make/out.mk:4,::codeready-toolchain/host-operator::make/test.mk:21,27-29]
    • upload-codecov-report target uses codecov bash uploader -f $(COV_DIR)/coverage.txt [::codeready-toolchain/host-operator::make/test.mk:31-45]
  • GH Actions upload workflow exists: .github/workflows/upload-coverage.yml uses codecov action and files: coverage/coverage.txt [::codeready-toolchain/host-operator::.github/workflows/upload-coverage.yml:1,22,27]
  • .codecov.yaml present [::codeready-toolchain/host-operator::.codecov.yaml:1]
  • .gitignore contains build/_output and coverage.txt [::codeready-toolchain/host-operator::.gitignore:2,6]
  • README badge referencing Codecov [::codeready-toolchain/host-operator::README.adoc:5]

codeready-toolchain/toolchain-e2e

  • Repository uses build/_output OUT_DIR layout and ignores build/_output and coverage.txt in .gitignore [::codeready-toolchain/toolchain-e2e::make/out.mk:4,::codeready-toolchain/toolchain-e2e::.gitignore:2,7]
  • No explicit make/test.mk coverage upload targets or .codecov.yaml discovered in search results for this repo (only out.mk and various make files referencing OUT_DIR) [::codeready-toolchain/toolchain-e2e::make/out.mk:1]

Summary / impact

  • The PR adds CI steps and workflow files in argocd-mcp-server to upload coverage; the codeready-toolchain repos already have similar coverage conventions (OUT_DIR/COV_DIR -> coverage/coverage.txt), make targets (upload-codecov-report), and existing repo-level Codecov configs and upload workflows. Paths and artifact names (coverage/coverage.txt or build/_output/out/coverage/coverage.txt) are consistent and used across repos, so Codecov onboarding here follows established patterns and is unlikely to introduce API/contract breakage between repos.
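The review above raises three things a defender would want to check mechanically rather than by eye: `uses:` references that are not pinned to a full commit SHA, a `workflow_run` job that gates only on `conclusion == 'success'` without a same-repository guard, and a literal `CODECOV_TOKEN` value in the Taskfile. The POSIX shell script below is an added example, not code from this PR or from the codeready-toolchain project: it implements those three checks as functions and runs them over constructed workflow and Taskfile text. Every file body in it is an assumption written for the example, the 40-character SHA and the all-zero token value are placeholders, and the guard check accepts either of the two field names the review mentions (`head_repository.full_name` and `repository.full_name`).

```shell
#!/bin/sh
# Added example, not part of the PR or the codeready-toolchain project: lint
# functions for the review's three findings, run over constructed inputs.
# Every file body below is an assumption; the SHA and token are placeholders.

# 0 if a `uses:` ref is pinned to a full 40-hex commit SHA (local ./ and
# docker:// refs have no tag to pin and pass), 1 otherwise.
is_pinned_ref() {
  case "$1" in ./*|docker://*) return 0 ;; esac
  printf '%s' "${1##*@}" | grep -Eq '^[0-9a-f]{40}$'
}

# Workflow YAML on stdin; prints "<line>:<ref>" for each unpinned `uses:`.
# Returns 0 when every ref is pinned, 1 otherwise.
find_unpinned_uses() {
  n=0; found=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in
      *uses:*)
        # strip the "- uses:" prefix and any trailing "# comment"
        ref=$(printf '%s' "$line" | sed -E 's/^[[:space:]-]*uses:[[:space:]]*//; s/[[:space:]]*(#.*)?$//')
        if ! is_pinned_ref "$ref"; then printf '%d:%s\n' "$n" "$ref"; found=1; fi
        ;;
    esac
  done
  return "$found"
}

# Workflow YAML on stdin. 0 when the file has no workflow_run trigger, or has
# one plus a same-repository guard; 1 when workflow_run is used without one.
workflow_run_guarded() {
  text=$(cat)
  printf '%s\n' "$text" | grep -Eq '^[[:space:]-]*workflow_run:' || return 0
  printf '%s\n' "$text" | grep -Eq 'workflow_run\.(head_)?repository\.full_name == github\.repository'
}

# YAML on stdin. 0 when CODECOV_TOKEN carries a literal value (the Betterleaks
# finding); 1 when it is absent or a reference such as {{.CODECOV_TOKEN}} or
# $CODECOV_TOKEN (those start with '{' or '$', which the pattern rejects).
has_hardcoded_codecov_token() {
  grep -Eq "CODECOV_TOKEN:[[:space:]]*[\"']?[0-9A-Za-z]"
}

# Constructed upload-coverage workflow as first proposed: tag refs, no guard.
UPLOAD_BEFORE=$(cat <<'EOF'
name: upload-coverage
on:
  workflow_run:
    workflows: [ci]
    types: [completed]
jobs:
  upload:
    runs-on: ubuntu-latest
    if: >
      github.event.workflow_run.conclusion == 'success'
    steps:
      - uses: actions/download-artifact@v8
      - uses: codecov/codecov-action@v6
        with:
          files: coverage/coverage.txt
          token: ${{ secrets.CODECOV_TOKEN }}
EOF
)

# Same workflow with both review fixes applied (placeholder SHAs, not real).
UPLOAD_AFTER=$(cat <<'EOF'
name: upload-coverage
on:
  workflow_run:
    workflows: [ci]
    types: [completed]
jobs:
  upload:
    runs-on: ubuntu-latest
    if: >
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.head_repository.full_name == github.repository
    steps:
      - uses: actions/download-artifact@0123456789abcdef0123456789abcdef01234567 # v8
      - uses: codecov/codecov-action@0123456789abcdef0123456789abcdef01234567 # v6
        with:
          files: coverage/coverage.txt
          token: ${{ secrets.CODECOV_TOKEN }}
EOF
)

# Constructed Taskfile fragments: literal token vs. reference to the secret.
TASKFILE_BAD=$(printf 'version: "3"\nvars:\n  CODECOV_TOKEN: 00000000-0000-0000-0000-000000000000\n')
TASKFILE_GOOD=$(printf 'version: "3"\nvars:\n  CODECOV_TOKEN: "{{.CODECOV_TOKEN}}"\n')

# Demo run over the constructed inputs.
printf '%s\n' "$UPLOAD_BEFORE" | find_unpinned_uses || echo "before: unpinned refs listed above"
printf '%s\n' "$UPLOAD_AFTER" | find_unpinned_uses && echo "after: all refs pinned"
printf '%s\n' "$UPLOAD_BEFORE" | workflow_run_guarded || echo "before: workflow_run job lacks same-repo guard"
printf '%s\n' "$UPLOAD_AFTER" | workflow_run_guarded && echo "after: same-repo guard present"
printf '%s\n' "$TASKFILE_BAD" | has_hardcoded_codecov_token && echo "taskfile: literal CODECOV_TOKEN"
printf '%s\n' "$TASKFILE_GOOD" | has_hardcoded_codecov_token || echo "taskfile: token is a reference"
```

In a real repository the same functions are fed with `cat .github/workflows/*.yml` and `cat taskfile.yaml` instead of the constructed strings; the checks are deliberately line-based rather than a YAML parse, which is enough for the `uses:` and `if:` lines these findings concern but would miss a `uses:` split across a YAML anchor or a token assembled from several keys.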

Comment thread .github/workflows/ci.yml
task test

- name: Upload coverage artifact
uses: actions/upload-artifact@v7


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the relevant section around the referenced line
nl -ba .github/workflows/ci.yml | sed -n '20,60p'

# Find all usages of upload-artifact in the repo
rg -n "uses:\s*actions/upload-artifact@" .github/workflows || true

# Also find any pinned-to-SHA patterns for upload-artifact (heuristic: 40+ hex chars)
rg -n "uses:\s*actions/upload-artifact@[0-9a-f]{7,40}" .github/workflows || true

# Print any other upload-artifact usage with other tags
rg -n "uses:\s*actions/upload-artifact@" .github/workflows || true

Repository: codeready-toolchain/argocd-mcp-server

Length of output: 124


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== ci.yml excerpt (lines 20-60) ==="
python3 - <<'PY'
path = ".github/workflows/ci.yml"
with open(path, "r", encoding="utf-8") as f:
    lines = f.readlines()
for i in range(19, min(60, len(lines))):
    print(f"{i+1:4d}: {lines[i].rstrip()}")
PY

echo
echo "=== All upload-artifact usages ==="
rg -n "uses:\s*actions/upload-artifact@" .github/workflows || true

echo
echo "=== upload-artifact usages pinned to long hex (heuristic) ==="
rg -n "uses:\s*actions/upload-artifact@[0-9a-f]{7,40}" .github/workflows || true

Repository: codeready-toolchain/argocd-mcp-server

Length of output: 1453


Pin actions/upload-artifact to a full commit SHA.

The workflow uses actions/upload-artifact@v7, and the movable tag weakens supply-chain guarantees.

Suggested fix pattern
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@<full-length-commit-sha>
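Review bot: The `+` line pins to a placeholder; the value that replaces it must be the full 40-character commit SHA from the actions/upload-artifact repository, not the 7-character prefix that the analysis script's heuristic (`[0-9a-f]{7,40}`) would also accept, and it should carry a trailing `# v7` comment so the tag it was resolved from stays visible when the pin is next updated.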
🧰 Tools
🪛 zizmor (1.25.2)

[error] 33-33: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


Comment on lines +9 to +10
if: >
github.event.workflow_run.conclusion == 'success'


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE=".github/workflows/upload-coverage.yml"
echo "== File =="
ls -l "$FILE"
echo
echo "== Lines 1-140 =="
nl -ba "$FILE" | sed -n '1,140p'

Repository: codeready-toolchain/argocd-mcp-server

Length of output: 258


🏁 Script executed:

#!/bin/bash
set -euo pipefail
rg -n "CODECOV_TOKEN|workflow_run|codecov-action|download-artifact" .github/workflows -S
echo
echo "== List workflow files =="
ls -1 .github/workflows

Repository: codeready-toolchain/argocd-mcp-server

Length of output: 700


Add a trusted-repo guard (and SHA-pin actions) in workflow_run coverage uploader.

codeready-toolchain/argocd-mcp-server/.github/workflows/upload-coverage.yml runs on workflow_run, gates only on github.event.workflow_run.conclusion == 'success', then uploads using secrets.CODECOV_TOKEN. Add a trust guard (e.g., require github.event.workflow_run.head_repository.full_name == github.repository) so fork-originated runs can’t trigger secret-bearing uploads. Also SHA-pin actions/download-artifact@v8 and codecov/codecov-action@v6 rather than using only major-version tags.

Suggested guard
-    if: >
-      github.event.workflow_run.conclusion == 'success'
+    if: >
+      github.event.workflow_run.conclusion == 'success' &&
+      github.event.workflow_run.head_repository.full_name == github.repository
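Review bot: The guard in the `+` lines also means a `workflow_run` triggered by a pull request from a fork is skipped entirely, so fork PRs will show no Codecov report; that is the right trade-off for a job that uses `secrets.CODECOV_TOKEN`, but it deserves a YAML comment beside the `if:` so the condition is not loosened later when someone notices the missing coverage. Because `if: >` is a folded scalar, the two lines are joined with a space into one expression, so the trailing `&&` on the first `+` line is required.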


steps:
- name: Download coverage artifact
uses: actions/download-artifact@v8


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE=".github/workflows/upload-coverage.yml"
echo "== File: $FILE =="
nl -ba "$FILE" | sed -n '1,120p'
echo
echo "== All action uses in $FILE =="
rg -n "^\s*uses:" "$FILE" || true

Repository: codeready-toolchain/argocd-mcp-server

Length of output: 192


🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE=".github/workflows/upload-coverage.yml"

echo "== File: $FILE =="
awk '{printf "%5d\t%s\n", NR, $0}' "$FILE" | sed -n '1,140p'

echo
echo "== All action uses in $FILE =="
rg -n "^\s*uses:" "$FILE" || true

Repository: codeready-toolchain/argocd-mcp-server

Length of output: 1420


🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE=".github/workflows/upload-coverage.yml"
echo "== $FILE =="
awk '{printf "%5d\t%s\n", NR, $0}' "$FILE" | sed -n '1,140p'
echo
rg -n "^\s*uses:" "$FILE" || true

Repository: codeready-toolchain/toolchain-common

Length of output: 1362


🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE=".github/workflows/upload-coverage.yml"
echo "== $FILE =="
awk '{printf "%5d\t%s\n", NR, $0}' "$FILE" | sed -n '1,160p'
echo
rg -n "^\s*uses:" "$FILE" || true

Repository: codeready-toolchain/host-operator

Length of output: 1363


Pin GitHub Actions to commit SHAs (supply-chain integrity)

In .github/workflows/upload-coverage.yml, both action references are tag-based (actions/download-artifact@v8 at 15, codecov/codecov-action@v6 at 22) and should be replaced with immutable full commit SHAs.

Suggested fix pattern
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@<full-length-commit-sha>
...
-        uses: codecov/codecov-action@v6
+        uses: codecov/codecov-action@<full-length-commit-sha>
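Review bot: Both `+` lines use the same `<full-length-commit-sha>` placeholder, but the real values must be two different SHAs, each taken from its own repository (actions/download-artifact for the first step, codecov/codecov-action for the second); a commit id from one repository does not resolve in the other, so copying one SHA into both lines would break the second step.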
🧰 Tools
🪛 zizmor (1.25.2)

[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


Comment thread taskfile.yaml Outdated

@coderabbitai coderabbitai Bot left a comment


♻️ Duplicate comments (3)
.github/workflows/ci.yml (1)

33-33: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin actions/upload-artifact to an immutable commit SHA.

Line 33 uses a floating major tag (@v7), which weakens supply-chain guarantees for CI.

Suggested fix
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@<full-length-commit-sha>
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 33, Replace the floating major tag for the
upload artifact action with an immutable commit SHA to harden CI supply-chain;
locate the workflow step that uses "actions/upload-artifact@v7" and change it to
the corresponding pinned commit reference (e.g.,
"actions/upload-artifact@<commit-sha>") and include a short comment with the
upstream release or date if helpful, then run the workflow locally or in a test
branch to verify the action still behaves as expected.
.github/workflows/upload-coverage.yml (2)

15-15: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin both action references to full commit SHAs.

Lines 15 and 22 use mutable tags; replace both with immutable SHAs.

Suggested fix
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@<full-length-commit-sha>
...
-        uses: codecov/codecov-action@v6
+        uses: codecov/codecov-action@<full-length-commit-sha>

Also applies to: 22-22

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/upload-coverage.yml at line 15, Replace the mutable action
tags with immutable commit SHAs: locate the uses of actions/download-artifact
(currently "actions/download-artifact@v8") and actions/upload-artifact (the
other mutable tag around line 22) in the workflow and replace their tag suffixes
with the corresponding full commit SHA for each action's repository (e.g.,
"actions/download-artifact@<full-commit-sha>" and
"actions/upload-artifact@<full-commit-sha>") so the workflow pins to immutable
references; ensure you fetch the correct commit SHAs from the official action
repos and update both occurrences.

9-10: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add a trusted-repo guard before using CODECOV_TOKEN.

Line 10 checks only for successful completion; add a same-repository condition so this secret-bearing job does not run for untrusted workflow_run sources.

Suggested fix
-    if: >
-      github.event.workflow_run.conclusion == 'success'
+    if: >
+      github.event.workflow_run.conclusion == 'success' &&
+      github.event.workflow_run.head_repository.full_name == github.repository
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/upload-coverage.yml around lines 9 - 10, The job currently
only checks github.event.workflow_run.conclusion == 'success' before using the
secret CODECOV_TOKEN; update the job's if condition to also require the
workflow_run originate from the same repository (e.g., add a check against
github.event.workflow_run.repository.full_name == github.repository or
github.event.workflow_run.head_repository.full_name == github.repository) so the
secret is only used for trusted, same-repo workflow runs; modify the existing if
expression to combine the success check and this same-repo guard.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: c91ec208-e156-4075-ad51-5dbbc91dcccb

📥 Commits

Reviewing files that changed from the base of the PR and between c9c6f5d and 1c44940.

📒 Files selected for processing (5)
  • .codecov.yaml
  • .github/workflows/ci.yml
  • .github/workflows/upload-coverage.yml
  • .gitignore
  • taskfile.yaml
✅ Files skipped from review due to trivial changes (2)
  • .gitignore
  • .codecov.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • taskfile.yaml
📜 Review details
🧰 Additional context used
🪛 zizmor (1.25.2)
.github/workflows/ci.yml

[error] 33-33: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

.github/workflows/upload-coverage.yml

[error] 2-5: use of fundamentally insecure workflow trigger (dangerous-triggers): workflow_run is almost always used insecurely

(dangerous-triggers)


[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 22-22: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🔀 Multi-repo context codeready-toolchain/api, codeready-toolchain/toolchain-common, codeready-toolchain/host-operator, codeready-toolchain/toolchain-e2e

Linked repositories findings

codeready-toolchain/api

  • Has an upload-codecov make target and uses the Codecov bash uploader: make/test.mk (lines with .PHONY: upload-codecov-report and bash <(curl -s https://codecov.io/bash)) [::codeready-toolchain/api::make/test.mk]
  • A CODECOV_TOKEN literal appears in make/test.mk (token value present in search output) [::codeready-toolchain/api::make/test.mk]

codeready-toolchain/toolchain-common

  • Sonar expects coverage at out/coverage/coverage.txt: sonar-project.properties:19 [::codeready-toolchain/toolchain-common::sonar-project.properties]
  • Has test CI flow and upload-codecov-report target in make/test.mk (.PHONY: upload-codecov-report; test-ci: test-with-coverage upload-codecov-report) [::codeready-toolchain/toolchain-common::make/test.mk]
  • Has a codecov.yaml and README badge referencing Codecov [::codeready-toolchain/toolchain-common::codecov.yaml][::codeready-toolchain/toolchain-common::README.adoc]
  • A CODECOV_TOKEN literal appears in make/test.mk (token value present in search output) [::codeready-toolchain/toolchain-common::make/test.mk]

codeready-toolchain/host-operator

  • Has upload-codecov-report target using the Codecov bash uploader in make/test.mk (.PHONY: upload-codecov-report and bash <(curl -s https://codecov.io/bash)) [::codeready-toolchain/host-operator::make/test.mk]
  • README includes Codecov badge [::codeready-toolchain/host-operator::README.adoc]
  • A CODECOV_TOKEN literal appears in make/test.mk (token value present in search output) [::codeready-toolchain/host-operator::make/test.mk]

codeready-toolchain/toolchain-e2e

  • No matches for coverage/codecov found in the search output (no make/test.mk or codecov config detected) — may lack repo-level Codecov CI plumbing [::codeready-toolchain/toolchain-e2e::]

Summary: The argocd-mcp-server PR's Codecov onboarding aligns with patterns already present in api, toolchain-common, and host-operator (coverage paths, make upload targets, workflows). toolchain-e2e appears not to have similar Codecov config in the searched locations.
