12 changes: 12 additions & 0 deletions .github/workflows/test.yml
@@ -93,6 +93,18 @@ jobs:
retention-days: 30
if-no-files-found: ignore

# Upload Go coverage profile from the `stable` matrix entry only.
# Non-blocking so a Codecov outage cannot break CI.
- name: Upload coverage to Codecov
if: matrix.go == 'stable'
# codecov/codecov-action v6.0.1
uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify codecov-action commit SHA and check for security advisories.

# Check if the commit SHA corresponds to v6.0.1
echo "Checking codecov/codecov-action commit SHA..."
gh api repos/codecov/codecov-action/git/ref/tags/v6.0.1 --jq '.object.sha' || echo "Tag not found"

# Check for security advisories
echo -e "\nChecking for security advisories..."
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: ACTIONS, package: "codecov/codecov-action") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: agentruntimecontrolprotocol/go-sdk

Length of output: 251


Fix codecov-action v6.0.1 pin mismatch (and update the version comment)
In .github/workflows/test.yml (line 101), the pinned SHA e79a6962e0d4c0c17b229090214935d2e33f8354 does not match the v6.0.1 tag commit SHA (cddd853df119a48c5be31a973f8cd97e12e35e16). Update the pinned SHA to the v6.0.1 commit or correct/remove the # v6.0.1 comment. No GitHub security advisories were returned for codecov/codecov-action in the ACTIONS ecosystem query.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test.yml at line 101, the pinned SHA in the GitHub Actions
step "uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354"
does not match the v6.0.1 tag noted in the inline comment; update that step so
the SHA matches the v6.0.1 commit (cddd853df119a48c5be31a973f8cd97e12e35e16) or
remove/adjust the "# v6.0.1" comment to reflect the currently pinned SHA,
ensuring the "uses: codecov/codecov-action@..." entry and its version comment
are consistent.

with:
fail_ci_if_error: false
flags: unittests
files: ./coverage.out
token: ${{ secrets.CODECOV_TOKEN }}

- name: Upload test output on failure
if: failure() && hashFiles('test-output.txt') != ''
uses: actions/upload-artifact@v7
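Review bot: the release comment on the new step is duplicated, and the review above reports that neither copy matches the pinned commit: `# codecov/codecov-action v6.0.1` sits on its own line directly above `uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1`. Keep a single version comment, the trailing one on the `uses:` line, since that is the form automated updaters such as Dependabot rewrite together with the SHA; a second, hand-maintained copy will drift on the next bump. Resolve the SHA/tag mismatch before merging rather than after, because a SHA pin only buys supply-chain protection if the commit it points at is the one that was reviewed. As a follow-up outside this change, the unchanged `actions/upload-artifact@v7` line below is still tag-pinned, so the workflow now mixes immutable and mutable pins; pinning it the same way would make the policy consistent.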
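The bot's script above resolves a tag to its commit over the GitHub API. The offline complement, which a reviewer can run on any workflow file before opening the network, is to lint every `uses:` reference for the pinning policy itself: third-party actions pinned to a full commit SHA, each SHA carrying a `# vX.Y.Z` trailer that states the release it is meant to be. The script below is an added example written for this page; it is not part of the PR or of the codecov/codecov-action project. It takes a workflow file path, flags mutable pins and SHA pins without a release trailer, and skips local (`./`) and `docker://` actions. The constructed sample embedded in it includes the exact `uses:` line from this diff; the lint passes that line because the trailer is present, which is precisely the gap the bot's `gh api .../git/ref/tags/v6.0.1` lookup closes: only the API can tell whether the SHA really belongs to that release.

```shell
#!/usr/bin/env bash
# Added example (not from the PR or from codecov/codecov-action).
# Lints a GitHub Actions workflow for third-party `uses:` references and
# reports steps pinned to a mutable ref instead of a full commit SHA, or
# SHA-pinned without a "# vX.Y.Z" trailer naming the intended release.
# Runs fully offline; it does not verify that the SHA matches the release.
set -eu

# is_full_sha STRING -> exit 0 if STRING is a 40-hex-digit commit SHA
is_full_sha() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{40}$'
}

# check_uses_pins FILE
# Prints "LINE: ACTION@REF: REASON" per finding; returns 1 if any, else 0.
check_uses_pins() {
  local file="$1" findings=0 n=0 line ref comment version
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in
      *"uses:"*) ;;
      *) continue ;;
    esac
    ref="${line#*uses:}"                  # everything after "uses:"
    comment=""
    case "$ref" in                        # split off a trailing "# ..." comment
      *"#"*) comment="${ref#*#}"; ref="${ref%%#*}" ;;
    esac
    ref=$(printf '%s' "$ref" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    comment=$(printf '%s' "$comment" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    case "$ref" in
      ./*|docker://*) continue ;;         # local actions and images: out of scope
    esac
    version="${ref#*@}"
    if [ "$version" = "$ref" ]; then
      echo "$n: $ref: no @ref at all"
      findings=$((findings + 1))
      continue
    fi
    if is_full_sha "$version"; then
      case "$comment" in
        v[0-9]*) ;;                       # SHA pin with a release trailer: accepted
        *) echo "$n: $ref: SHA pin has no '# vX.Y.Z' trailer"
           findings=$((findings + 1)) ;;
      esac
    else
      echo "$n: $ref: pinned to mutable ref '$version', not a commit SHA"
      findings=$((findings + 1))
    fi
  done < "$file"
  [ "$findings" -eq 0 ]
}

# Constructed sample workflow fragment (not the PR's file). The codecov line is
# copied from the diff on this page; the other steps are made up for the demo.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - name: Upload coverage to Codecov
        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
      - uses: some-org/some-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-thing
EOF

# Demo run: prints two findings (line 4 mutable tag, line 7 missing trailer).
check_uses_pins "$SAMPLE_FILE" || echo "pin policy violations found; fix before merging"
```

Wire it into CI as a pre-merge check and fail the job on a non-zero exit; the API lookup from the bot's script then only has to run for the SHA-pinned lines this lint already accepts.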