test: testing codecov coverage control

.github/workflows/100-flow-ats-test.yaml

@@ -8,6 +8,7 @@ on:
       - "packages/ats/**"
       - "apps/ats/**"
       - "package.json"
+      - "codecov.yml"
       - ".github/workflows/*ats*.yaml"
   workflow_dispatch:
 
@@ -17,6 +18,7 @@ defaults:
 
 permissions:
   contents: read
+  statuses: read # gate step reads the codecov/project commit status
 
 jobs:
   test-ats:
@@ -99,3 +101,50 @@ jobs:
       - name: Upload coverage report
         if: ${{ steps.generate_coverage.outcome == 'success' }}
         uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v5.4.0
+
+      # TEMPORARY DIAGNOSTIC (non-blocking).
+      # The prior enforcement step only read commit *statuses* and never found
+      # `codecov/project` (state='<none>' for 5 min), producing a false failure.
+      # Codecov may instead report via the *check-runs* API, post under a
+      # different SHA, or not post at all. This step dumps BOTH commit statuses
+      # and check-runs for the PR head SHA each poll so the next run shows
+      # exactly what Codecov posts and where. It NEVER fails the job — re-enable
+      # enforcement once we know the reporting mechanism.
+      - name: Diagnose Codecov status/check-run posting
+        if: ${{ github.event_name == 'pull_request' && steps.generate_coverage.outcome == 'success' }}
+        env:
+          GH_TOKEN: ${{ github.token }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          REPO: ${{ github.repository }}
+        run: |
+          echo "Inspecting Codecov reporting for head SHA ${HEAD_SHA} in ${REPO}"
+          for attempt in $(seq 1 30); do
+            echo "----- attempt ${attempt}/30 -----"
+
+            echo "[commit statuses]"
+            gh api "repos/${REPO}/commits/${HEAD_SHA}/statuses" \
+              --jq '.[] | "  status: \(.context) = \(.state)"' \
+              || echo "  (statuses query failed)"
+
+            echo "[check runs]"
+            gh api "repos/${REPO}/commits/${HEAD_SHA}/check-runs" \
+              --jq '.check_runs[] | "  check : \(.name) = status:\(.status) conclusion:\(.conclusion // "n/a")"' \
+              || echo "  (check-runs query failed)"
+
+            # Stop early once anything Codecov-related has posted in either place.
+            found=$(
+              {
+                gh api "repos/${REPO}/commits/${HEAD_SHA}/statuses" --jq '.[].context' 2>/dev/null
+                gh api "repos/${REPO}/commits/${HEAD_SHA}/check-runs" --jq '.check_runs[].name' 2>/dev/null
+              } | grep -i codecov || true
+            )
+            if [ -n "${found}" ]; then
+              echo "✓ Found Codecov entries (note whether they are statuses or checks above):"
+              echo "${found}" | sed 's/^/    /'
+              break
+            fi
+
+            echo "  no codecov entry yet — waiting 10s"
+            sleep 10
+          done
+          echo "Diagnostic complete (non-blocking; job will not fail here)."

codecov.yml

@@ -10,10 +10,13 @@ coverage:
       default:
         target: auto
         threshold: 0%
+        if_ci_failed: error
     project:
       default:
         target: auto
         threshold: 0%
+        if_ci_failed: error # don't report success if the test job itself failed
+        informational: false # blocking status, not advisory (this is the default — explicit here)
 
 ignore:
   - "packages/*/dist"

packages/ats/contracts/test/contracts/integration/accessControl/accessControl.test.ts

@@ -26,52 +26,52 @@ export function accessControlTests(getCtx: () => AssetMockCtx): void {
       await executeRbac(asset, [{ role: ATS_ROLES.ROLE_PAUSER, members: [ctx.user1.address] }]);
     });
 
-    it.only("GIVEN a deactivated asset WHEN grantRole THEN transaction fails with Deactivated", async () => {
+    it.skip("GIVEN a deactivated asset WHEN grantRole THEN transaction fails with Deactivated", async () => {
       await asset.forceDeactivate();
       await expect(
         asset.connect(deployer).grantRole(ATS_ROLES.ROLE_PAUSER, unknownSigner.address),
       ).to.be.revertedWithCustomError(asset, "Deactivated");
     });
 
-    it.only("GIVEN an account without administrative role WHEN grantRole THEN transaction fails with AccountHasNoRole", async () => {
+    it.skip("GIVEN an account without administrative role WHEN grantRole THEN transaction fails with AccountHasNoRole", async () => {
       await expect(asset.connect(signer_C).grantRole(ATS_ROLES.ROLE_PAUSER, unknownSigner.address))
         .to.be.revertedWithCustomError(asset, "AccountHasNoRole")
         .withArgs(signer_C.address, ATS_ROLES.DEFAULT_ADMIN_ROLE);
     });
 
-    it.only("GIVEN a deactivated asset WHEN revokeRole THEN transaction fails with Deactivated", async () => {
+    it.skip("GIVEN a deactivated asset WHEN revokeRole THEN transaction fails with Deactivated", async () => {
       await asset.forceDeactivate();
       await expect(
         asset.connect(deployer).revokeRole(ATS_ROLES.DEFAULT_ADMIN_ROLE, unknownSigner.address),
       ).to.be.revertedWithCustomError(asset, "Deactivated");
     });
 
-    it.only("GIVEN an account without administrative role WHEN revokeRole THEN transaction fails with AccountHasNoRole", async () => {
+    it.skip("GIVEN an account without administrative role WHEN revokeRole THEN transaction fails with AccountHasNoRole", async () => {
       await expect(asset.connect(signer_C).revokeRole(ATS_ROLES.DEFAULT_ADMIN_ROLE, unknownSigner.address))
         .to.be.revertedWithCustomError(asset, "AccountHasNoRole")
         .withArgs(signer_C.address, ATS_ROLES.DEFAULT_ADMIN_ROLE);
     });
 
-    it.only("GIVEN a deactivated asset WHEN applyRoles THEN transaction fails with Deactivated", async () => {
+    it.skip("GIVEN a deactivated asset WHEN applyRoles THEN transaction fails with Deactivated", async () => {
       await asset.forceDeactivate();
       await expect(
         asset.connect(signer_C).applyRoles([ATS_ROLES.DEFAULT_ADMIN_ROLE], [true], unknownSigner.address),
       ).to.be.revertedWithCustomError(asset, "Deactivated");
     });
 
-    it.only("GIVEN an account without administrative role WHEN applyRoles THEN transaction fails with AccountHasNoRole", async () => {
+    it.skip("GIVEN an account without administrative role WHEN applyRoles THEN transaction fails with AccountHasNoRole", async () => {
       await expect(asset.connect(signer_C).applyRoles([ATS_ROLES.DEFAULT_ADMIN_ROLE], [true], unknownSigner.address))
         .to.be.revertedWithCustomError(asset, "AccountHasNoRole")
         .withArgs(signer_C.address, ATS_ROLES.DEFAULT_ADMIN_ROLE);
     });
 
-    it.only("GIVEN a list of roles and actives that is not equally long WHEN applyRoles THEN transaction fails with RolesAndActivesLengthMismatch", async () => {
+    it.skip("GIVEN a list of roles and actives that is not equally long WHEN applyRoles THEN transaction fails with RolesAndActivesLengthMismatch", async () => {
       await expect(asset.connect(signer_C).applyRoles([ATS_ROLES.DEFAULT_ADMIN_ROLE], [], unknownSigner.address))
         .to.be.revertedWithCustomError(asset, "RolesAndActivesLengthMismatch")
         .withArgs(1, 0);
     });
 
-    it.only("GIVEN a list of contradictory roles (enable and disable) role WHEN applyRoles THEN transaction fails with ApplyRoleContradiction", async () => {
+    it.skip("GIVEN a list of contradictory roles (enable and disable) role WHEN applyRoles THEN transaction fails with ApplyRoleContradiction", async () => {
       const Roles_1 = [
         ATS_ROLES.DEFAULT_ADMIN_ROLE,
         ATS_ROLES.ROLE_PAUSER,
@@ -96,31 +96,31 @@ export function accessControlTests(getCtx: () => AssetMockCtx): void {
         .withArgs(3, 6);
     });
 
-    it.only("GIVEN a paused Token WHEN grantRole THEN transaction fails with IsPaused", async () => {
+    it.skip("GIVEN a paused Token WHEN grantRole THEN transaction fails with IsPaused", async () => {
       await asset.connect(signer_B).pause();
 
       await expect(
         asset.connect(deployer).grantRole(ATS_ROLES.ROLE_PAUSER, unknownSigner.address),
       ).to.be.revertedWithCustomError(asset, "IsPaused");
     });
 
-    it.only("GIVEN a paused Token WHEN revokeRole THEN transaction fails with IsPaused", async () => {
+    it.skip("GIVEN a paused Token WHEN revokeRole THEN transaction fails with IsPaused", async () => {
       await asset.connect(signer_B).pause();
 
       await expect(
         asset.connect(deployer).revokeRole(ATS_ROLES.ROLE_PAUSER, unknownSigner.address),
       ).to.be.revertedWithCustomError(asset, "IsPaused");
     });
 
-    it.only("GIVEN a deactivated asset WHEN renounceRole THEN transaction fails with Deactivated", async () => {
+    it.skip("GIVEN a deactivated asset WHEN renounceRole THEN transaction fails with Deactivated", async () => {
       await asset.forceDeactivate();
       await expect(asset.connect(signer_C).renounceRole(ATS_ROLES.ROLE_PAUSER)).to.be.revertedWithCustomError(
         asset,
         "Deactivated",
       );
     });
 
-    it.only("GIVEN a paused Token WHEN renounce THEN transaction fails with IsPaused", async () => {
+    it.skip("GIVEN a paused Token WHEN renounce THEN transaction fails with IsPaused", async () => {
       // Pausing the token
       await asset.connect(signer_B).pause();
 
@@ -131,7 +131,7 @@ export function accessControlTests(getCtx: () => AssetMockCtx): void {
       );
     });
 
-    it.only("GIVEN an paused Token WHEN applyRoles THEN transaction fails with IsPaused", async () => {
+    it.skip("GIVEN an paused Token WHEN applyRoles THEN transaction fails with IsPaused", async () => {
       // Pausing the token
       await asset.connect(signer_B).pause();
 
@@ -141,7 +141,7 @@ export function accessControlTests(getCtx: () => AssetMockCtx): void {
       ).to.be.revertedWithCustomError(asset, "IsPaused");
     });
 
-    it.only("GIVEN an account with administrative role WHEN grantRole THEN transaction succeeds", async () => {
+    it.skip("GIVEN an account with administrative role WHEN grantRole THEN transaction succeeds", async () => {
       // check that C does not have the role
       let check_C = await asset.hasRole(ATS_ROLES.ROLE_PAUSER, unknownSigner.address);
       expect(check_C).to.equal(false);
@@ -168,7 +168,7 @@ export function accessControlTests(getCtx: () => AssetMockCtx): void {
       expect(membersFor_Pause[1].toUpperCase()).to.equal(unknownSigner.address.toUpperCase());
     });
 
-    it.only("GIVEN an account with administrative role WHEN revokeRole THEN transaction succeeds", async () => {
+    it.skip("GIVEN an account with administrative role WHEN revokeRole THEN transaction succeeds", async () => {
       // check that B has the role
       let check_B = await asset.hasRole(ATS_ROLES.ROLE_PAUSER, signer_B.address);
       expect(check_B).to.equal(true);
@@ -192,7 +192,7 @@ export function accessControlTests(getCtx: () => AssetMockCtx): void {
       expect(membersFor_Pause.length).to.equal(memberCountFor_Pause);
     });
 
-    it.only("GIVEN an account with pauser role WHEN renouncing the pauser role THEN transaction succeeds", async () => {
+    it.skip("GIVEN an account with pauser role WHEN renouncing the pauser role THEN transaction succeeds", async () => {
       // check that B has the role
       let check_B = await asset.hasRole(ATS_ROLES.ROLE_PAUSER, signer_B.address);
       expect(check_B).to.equal(true);
@@ -216,7 +216,7 @@ export function accessControlTests(getCtx: () => AssetMockCtx): void {
       expect(membersFor_Pause.length).to.equal(memberCountFor_Pause);
     });
 
-    it.only("GIVEN an account with administrative role WHEN applyRoles THEN transaction succeeds", async () => {
+    it.skip("GIVEN an account with administrative role WHEN applyRoles THEN transaction succeeds", async () => {
       // check that C does not have the role
       await asset.connect(deployer).grantRole(ATS_ROLES.ROLE_PAUSER, signer_C.address);
 
@@ -256,7 +256,7 @@ export function accessControlTests(getCtx: () => AssetMockCtx): void {
       expect(membersFor_Default[1].toUpperCase()).to.equal(signer_C.address.toUpperCase());
     });
 
-    it.only("GIVEN an account with administrative role, if roles are duplicated but not contradictory WHEN applyRoles THEN transaction succeeds", async () => {
+    it.skip("GIVEN an account with administrative role, if roles are duplicated but not contradictory WHEN applyRoles THEN transaction succeeds", async () => {
       // check that C does not have the role
       await asset.connect(deployer).grantRole(ATS_ROLES.ROLE_PAUSER, signer_C.address);
 
@@ -291,7 +291,7 @@ export function accessControlTests(getCtx: () => AssetMockCtx): void {
       expect(rolesFor_C[0].toUpperCase()).to.equal(ATS_ROLES.ROLE_PAUSER.toUpperCase());
     });
 
-    it.only("GIVEN a mixed batch of effective and no-op entries WHEN applyRoles THEN RolesApplied carries only the effectively changed entries in input order", async () => {
+    it.skip("GIVEN a mixed batch of effective and no-op entries WHEN applyRoles THEN RolesApplied carries only the effectively changed entries in input order", async () => {
       // Pre-state: signer_C holds ROLE_PAUSER and ROLE_AGENT, nothing else.
       await asset.connect(deployer).grantRole(ATS_ROLES.ROLE_PAUSER, signer_C.address);
       await asset.connect(deployer).grantRole(ATS_ROLES.ROLE_AGENT, signer_C.address);