ci: upload coverage to Codecov

[nficano]

Summary

• Upload the existing coverage.out profile (produced on the stable matrix entry) to Codecov.
• fail_ci_if_error: false so a Codecov outage cannot break CI.

Pre-merge action required

• Add CODECOV_TOKEN as a repo secret (gh secret set CODECOV_TOKEN --repo agentruntimecontrolprotocol/go-sdk).
• Activate the repo at app.codecov.io.

Test plan

• Merge, confirm coverage uploads on next push to main.

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Enhanced continuous integration workflow to improve code coverage tracking and reporting capabilities.

[coderabbitai]

Walkthrough

This pull request adds a new CI workflow step to upload Go unit test coverage to Codecov. The step executes during the test job when the Go matrix variant is stable, uploads the coverage artifact with a pinned action version, and handles upload failures without blocking the workflow.

Changes

Codecov Integration

Layer / File(s)	Summary
Codecov coverage upload step .github/workflows/test.yml	Adds a workflow step to upload ./coverage.out to Codecov using pinned action v6.0.1, configured with fail_ci_if_error: false, flags: unittests, and authenticated with secrets.CODECOV_TOKEN, running only on the stable Go matrix variant.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'ci: upload coverage to Codecov' is concise, clear, and directly summarizes the main change—adding a CI step to upload test coverage to Codecov.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/codecov-upload

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/test.yml:
- Line 101: The pinned SHA in the GitHub Actions step "uses:
codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354" does not match
the v6.0.1 tag noted in the inline comment; update that step so the SHA matches
the v6.0.1 commit (cddd853df119a48c5be31a973f8cd97e12e35e16) or remove/adjust
the "# v6.0.1" comment to reflect the currently pinned SHA, ensuring the "uses:
codecov/codecov-action@..." entry and its version comment are consistent.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 118ebf66-29bd-4060-9853-544a862c2a94

📥 Commits

Reviewing files that changed from the base of the PR and between 21f1461 and 925b5c3.

📒 Files selected for processing (1)

• .github/workflows/test.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify codecov-action commit SHA and check for security advisories.

# Check if the commit SHA corresponds to v6.0.1
echo "Checking codecov/codecov-action commit SHA..."
gh api repos/codecov/codecov-action/git/ref/tags/v6.0.1 --jq '.object.sha' || echo "Tag not found"

# Check for security advisories
echo -e "\nChecking for security advisories..."
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: ACTIONS, package: "codecov/codecov-action") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: agentruntimecontrolprotocol/go-sdk

Length of output: 251

---

Fix codecov-action v6.0.1 pin mismatch (and update the version comment)
In .github/workflows/test.yml (line 101), the pinned SHA e79a6962e0d4c0c17b229090214935d2e33f8354 does not match the v6.0.1 tag commit SHA (cddd853df119a48c5be31a973f8cd97e12e35e16). Update the pinned SHA to the v6.0.1 commit or correct/remove the # v6.0.1 comment. No GitHub security advisories were returned for codecov/codecov-action in the ACTIONS ecosystem query.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test.yml at line 101, The pinned SHA in the GitHub Actions
step "uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354"
does not match the v6.0.1 tag noted in the inline comment; update that step so
the SHA matches the v6.0.1 commit (cddd853df119a48c5be31a973f8cd97e12e35e16) or
remove/adjust the "# v6.0.1" comment to reflect the currently pinned SHA,
ensuring the "uses: codecov/codecov-action@..." entry and its version comment
are consistent.