Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 41 additions & 0 deletions .codecov.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
# Config can be validated before merging: curl -X POST --data-binary @.codecov.yaml https://codecov.io/validate
codecov:
max_report_age: "off" # see https://docs.codecov.io/docs/codecov-yaml#section-expired-reports

# See http://docs.codecov.io/docs/coverage-configuration
coverage:
precision: 2 # 2 = xx.xx%, 0 = xx%
round: down
# For example: 20...60 would result in any coverage less than 20%
# would have a red background. The color would gradually change to
# green approaching 60%. Any coverage over 60% would result in a
# solid green color.
range: "20...60"

# See https://docs.codecov.com/docs/commit-status
status:
# project will give us the diff in the total code coverage between a commit
# and its parent
project:
default:
# Allow the coverage to drop by 1%, and posting a success status.
threshold: 1%
# Patch gives just the coverage of the patch
patch: yes
# changes tells us if there are unexpected code coverage changes in other files
# which were not changed by the diff
changes: yes

# See http://docs.codecov.io/docs/ignoring-paths
ignore:
- "cmd/*"
- "test/*"

# See http://docs.codecov.io/docs/pull-request-comments-1
comment:
layout: "header, diff, tree"
# default = posts once then update, posts new if delete
# once = post once then updates
# new = delete old, post new
# spammy = post new
behavior: "new"
6 changes: 6 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,12 @@ jobs:
- name: Test
run: |
task test

- name: Upload coverage artifact
uses: actions/upload-artifact@v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the relevant section around the referenced line
nl -ba .github/workflows/ci.yml | sed -n '20,60p'

# Find all usages of upload-artifact in the repo
rg -n "uses:\s*actions/upload-artifact@" .github/workflows || true

# Also find any pinned-to-SHA patterns for upload-artifact (heuristic: 40+ hex chars)
rg -n "uses:\s*actions/upload-artifact@[0-9a-f]{7,40}" .github/workflows || true

# Print any other upload-artifact usage with other tags
rg -n "uses:\s*actions/upload-artifact@" .github/workflows || true

Repository: codeready-toolchain/argocd-mcp-server

Length of output: 124


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== ci.yml excerpt (lines 20-60) ==="
python3 - <<'PY'
path = ".github/workflows/ci.yml"
with open(path, "r", encoding="utf-8") as f:
    lines = f.readlines()
for i in range(19, min(60, len(lines))):
    print(f"{i+1:4d}: {lines[i].rstrip()}")
PY

echo
echo "=== All upload-artifact usages ==="
rg -n "uses:\s*actions/upload-artifact@" .github/workflows || true

echo
echo "=== upload-artifact usages pinned to long hex (heuristic) ==="
rg -n "uses:\s*actions/upload-artifact@[0-9a-f]{7,40}" .github/workflows || true

Repository: codeready-toolchain/argocd-mcp-server

Length of output: 1453


Pin actions/upload-artifact to a full commit SHA.

The workflow uses actions/upload-artifact@v7, and the movable tag weakens supply-chain guarantees.

Suggested fix pattern
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@<full-length-commit-sha>
🧰 Tools
🪛 zizmor (1.25.2)

[error] 33-33: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 33, Replace the floating tag for the GitHub
Action by pinning actions/upload-artifact@v7 to a specific full commit SHA:
locate the workflow step that currently references "uses:
actions/upload-artifact@v7" and change it to use the action at a full commit SHA
(e.g., actions/upload-artifact@<full-commit-sha>); obtain the SHA from the
upload-artifact repository commit history or the action's release page and
update the workflow to use that exact SHA to hard-pin the dependency.

with:
name: coverage
path: ./build/_output/coverage/coverage.txt

- name: Install Podman
uses: redhat-actions/podman-install@main
Expand Down
30 changes: 30 additions & 0 deletions .github/workflows/upload-coverage.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
name: upload-coverage
on:
workflow_run:
workflows: [ ci ]
types: [ completed ]

jobs:
upload-coverage:
if: >
github.event.workflow_run.conclusion == 'success'
Comment on lines +9 to +10

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE=".github/workflows/upload-coverage.yml"
echo "== File =="
ls -l "$FILE"
echo
echo "== Lines 1-120 =="
nl -ba "$FILE" | sed -n '1,140p'

Repository: codeready-toolchain/argocd-mcp-server

Length of output: 258


🏁 Script executed:

#!/bin/bash
set -euo pipefail
rg -n "CODECOV_TOKEN|workflow_run|codecov-action|download-artifact" .github/workflows -S
echo
echo "== List workflow files =="
ls -1 .github/workflows

Repository: codeready-toolchain/argocd-mcp-server

Length of output: 700


Add a trusted-repo guard (and SHA-pin actions) in workflow_run coverage uploader.

codeready-toolchain/argocd-mcp-server/.github/workflows/upload-coverage.yml runs on workflow_run, gates only on github.event.workflow_run.conclusion == 'success', then uploads using secrets.CODECOV_TOKEN. Add a trust guard (e.g., require github.event.workflow_run.head_repository.full_name == github.repository) so fork-originated runs can’t trigger secret-bearing uploads. Also SHA-pin actions/download-artifact@v8 and codecov/codecov-action@v6 rather than using only major-version tags.

Suggested guard
-    if: >
-      github.event.workflow_run.conclusion == 'success'
+    if: >
+      github.event.workflow_run.conclusion == 'success' &&
+      github.event.workflow_run.head_repository.full_name == github.repository
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if: >
github.event.workflow_run.conclusion == 'success'
if: >
github.event.workflow_run.conclusion == 'success' &&
github.event.workflow_run.head_repository.full_name == github.repository
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/upload-coverage.yml around lines 9 - 10, The workflow
currently only checks github.event.workflow_run.conclusion and may run on forked
workflow_run events; update the if condition to also require the run came from
the same repository (e.g., require
github.event.workflow_run.head_repository.full_name == github.repository) so
secrets like CODECOV_TOKEN are not exposed to fork-triggered runs, and replace
the action references actions/download-artifact@v8 and codecov/codecov-action@v6
with their SHA-pinned commits (use the specific commit SHAs for those two
actions in the upload-coverage.yml job step definitions) so the workflow uses
exact action revisions.

runs-on: ubuntu-24.04

steps:
- name: Download coverage artifact
uses: actions/download-artifact@v8

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE=".github/workflows/upload-coverage.yml"
echo "== File: $FILE =="
nl -ba "$FILE" | sed -n '1,120p'
echo
echo "== All action uses in $FILE =="
rg -n "^\s*uses:" "$FILE" || true

Repository: codeready-toolchain/argocd-mcp-server

Length of output: 192


🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE=".github/workflows/upload-coverage.yml"

echo "== File: $FILE =="
awk '{printf "%5d\t%s\n", NR, $0}' "$FILE" | sed -n '1,140p'

echo
echo "== All action uses in $FILE =="
rg -n "^\s*uses:" "$FILE" || true

Repository: codeready-toolchain/argocd-mcp-server

Length of output: 1420


🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE=".github/workflows/upload-coverage.yml"
echo "== $FILE =="
awk '{printf "%5d\t%s\n", NR, $0}' "$FILE" | sed -n '1,140p'
echo
rg -n "^\s*uses:" "$FILE" || true

Repository: codeready-toolchain/toolchain-common

Length of output: 1362


🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE=".github/workflows/upload-coverage.yml"
echo "== $FILE =="
awk '{printf "%5d\t%s\n", NR, $0}' "$FILE" | sed -n '1,160p'
echo
rg -n "^\s*uses:" "$FILE" || true

Repository: codeready-toolchain/host-operator

Length of output: 1363


Pin GitHub Actions to commit SHAs (supply-chain integrity)

In .github/workflows/upload-coverage.yml, both action references are tag-based (actions/download-artifact@v8 at 15, codecov/codecov-action@v6 at 22) and should be replaced with immutable full commit SHAs.

Suggested fix pattern
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@<full-length-commit-sha>
...
-        uses: codecov/codecov-action@v6
+        uses: codecov/codecov-action@<full-length-commit-sha>
🧰 Tools
🪛 zizmor (1.25.2)

[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/upload-coverage.yml at line 15, The workflow currently
references mutable tags for actions (actions/download-artifact@v8 and
codecov/codecov-action@v6); replace these tag-based pins with the corresponding
immutable commit SHAs for those actions to ensure supply-chain integrity: find
the uses of "actions/download-artifact@v8" and "codecov/codecov-action@v6" in
the upload-coverage.yml and update each to the full commit SHA (e.g.,
actions/download-artifact@<full-sha> and codecov/codecov-action@<full-sha>)
obtained from the respective action repositories' commit history, then run a
quick workflow lint or dry run to validate the YAML.

with:
name: coverage
github-token: ${{ secrets.GITHUB_TOKEN }}
run-id: ${{ github.event.workflow_run.id }}

- name: Upload to Codecov
uses: codecov/codecov-action@v6
with:
token: ${{ secrets.CODECOV_TOKEN }}
# The 'files' attribute consists of 'coverage/coverage.txt'.
# The 'coverage' directory is created upon the download of the coverage artifact from previous step (it creates a directory with the name of the artifact).
files: coverage/coverage.txt
flags: unittests # optional
fail_ci_if_error: true
verbose: true
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -1 +1,2 @@
tmp
build/_output/**
15 changes: 14 additions & 1 deletion taskfile.yaml
Original file line number Diff line number Diff line change
@@ -1,11 +1,24 @@
version: '3'

vars:
OUT_DIR: ./build/_output
COV_DIR: ./build/_output/coverage

tasks:
ensure-dirs:
cmds:
- mkdir -p {{.OUT_DIR}}
silent: true

# Unit Tests
test:
desc: Run tests with coverage
cmds:
- echo "running the tests with coverage..."
- mkdir -p {{.COV_DIR}}
- rm -f {{.COV_DIR}}/coverage.txt
# The idiomatic way to disable test caching explicitly is to use -count=1
- go test ./internal/... -count=1 -v --failfast
- go test ./internal/... -count=1 -v --failfast -coverprofile={{.COV_DIR}}/coverage.txt -covermode=atomic

# Linting
lint:
Expand Down
Loading