From 7fd8844bb66792ce85de6e5e32c31f9d6a47a272 Mon Sep 17 00:00:00 2001
From: kdacosta0
Date: Thu, 7 May 2026 15:18:14 +0200
Subject: [PATCH 1/2] ci: enable codecov coverage checks for Python with patch and project thresholds [SECURESIGN-4375]

Implements SECURESIGN-4375
Assisted-by: Claude Code
---
 .github/workflows/code-coverage.yml | 52 +++++++++++++++++++++++++++++
 .gitignore | 2 ++
 codecov.yml | 10 ++++++
 3 files changed, 64 insertions(+)
 create mode 100644 .github/workflows/code-coverage.yml
 create mode 100644 codecov.yml
diff --git a/.github/workflows/code-coverage.yml b/.github/workflows/code-coverage.yml
new file mode 100644
index 00000000..ffa6af92
--- /dev/null
+++ b/.github/workflows/code-coverage.yml
@@ -0,0 +1,52 @@
+# Copyright 2024 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Code Coverage
+
+on:
+ pull_request:
+ branches: [main]
+ types: [opened, synchronize]
+ push:
+ branches: [main]
+
+permissions: {}
+
+defaults:
+ run:
+ shell: bash
+
+jobs:
+ coverage:
+ name: Upload code coverage
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+ with:
+ python-version: '3.12'
+ - name: Set up Hatch
+ uses: pypa/hatch@257e27e51a6a5616ed08a39a408a21c35c9931bc # install
+ - name: Run tests with coverage
+ run: hatch test -c -py 3.12 -- --cov-report=xml
+ - name: Upload coverage to Codecov
+ uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6
+ with:
+ files: coverage.xml
+ token: ${{ secrets.CODECOV_TOKEN }}
+ fail_ci_if_error: true
diff --git a/.gitignore b/.gitignore
index 80cadf40..1ee88669 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,6 @@
 .coverage
+coverage.xml
+htmlcov/
 .pytest_cache/
 .pytype/
 .ruff_cache/
diff --git a/codecov.yml b/codecov.yml
new file mode 100644
index 00000000..2b5b0e4c
--- /dev/null
+++ b/codecov.yml
@@ -0,0 +1,10 @@
+coverage:
+ status:
+ patch:
+ default:
+ target: 70%
+ threshold: 5%
+ project:
+ default:
+ target: auto
+ informational: true
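Review bot: `fail_ci_if_error: true` together with `token: ${{ secrets.CODECOV_TOKEN }}` makes the Codecov upload a hard gate on every `pull_request` run, yet GitHub does not expose repository secrets to workflows triggered by pull requests from forks, so a fork PR would fail this job at the upload step rather than on a real coverage regression (unless the project relies on Codecov's tokenless upload path for public-repo fork PRs — worth confirming before merging). If fork PRs are expected, consider `fail_ci_if_error: ${{ github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository }}` so the strict gate applies only where a token is present. Separately, the `pypa/hatch` pin is annotated `# install` while every other pin carries the tag it resolves to (`# v6.0.2`, `# v5.6.0`, `# v6`); replace it with the matching release tag (`# vX.Y.Z`, placeholder) so reviewers and pin-update tooling can verify the SHA. The `permissions: {}` default, job-level `contents: read` and `persist-credentials: false` are the right shape for an upload-only job.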
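Review bot: `informational: true` under `project.default` means the project status can never fail a check, so despite the commit title only the patch status actually gates merges; if that is intended, say so in the file, e.g. `# project status is report-only; only the patch status can fail a PR`. As I read Codecov's threshold semantics, `threshold: 5%` next to a fixed `target: 70%` lets a patch pass below 70%, so either drop `threshold` if 70% is the real floor or document the effective minimum. The file has no `---` document marker and Codecov silently ignores a config it cannot parse, so validating it before merge (`curl --data-binary @codecov.yml https://codecov.io/validate`) is worth adding to the PR checklist.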
From 91404989b69c6b4b317d9cc71dd05ae9a5c956d8 Mon Sep 17 00:00:00 2001
From: kdacosta0
Date: Thu, 7 May 2026 15:21:25 +0200
Subject: [PATCH 2/2] fix: split coverage into test and xml report generation steps

hatch test -c manages coverage internally via coverage.py and does not accept pytest-cov flags. Generate the XML report in a separate step using the hatch test environment's coverage tool.
Implements SECURESIGN-4375
Assisted-by: Claude Code
---
 .github/workflows/code-coverage.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/code-coverage.yml b/.github/workflows/code-coverage.yml
index ffa6af92..0aa19490 100644
--- a/.github/workflows/code-coverage.yml
+++ b/.github/workflows/code-coverage.yml
@@ -43,7 +43,9 @@ jobs:
 - name: Set up Hatch
 uses: pypa/hatch@257e27e51a6a5616ed08a39a408a21c35c9931bc # install
 - name: Run tests with coverage
- run: hatch test -c -py 3.12 -- --cov-report=xml
+ run: hatch test -c -py 3.12
+ - name: Generate coverage XML report
+ run: hatch run hatch-test.py3.12:coverage xml
 - name: Upload coverage to Codecov
 uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6
 with:
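Review bot: The new step `run: hatch run hatch-test.py3.12:coverage xml` hard-codes the Hatch test environment name, so the interpreter version now lives in three places (`-py 3.12` and `hatch-test.py3.12` in this hunk, plus the setup-python `python-version` above it); a future bump that misses one would run `coverage xml` in a stale environment or fail to find the env at all. Consider a job-level `env:` with `PYTHON_VERSION: '3.12'` and `${{ env.PYTHON_VERSION }}` in all three spots. The step also depends on `hatch test -c` having already combined the per-process coverage data into `.coverage` before `coverage xml` reads it, which the commit message asserts but nothing in the workflow checks; a comment on the step, e.g. `# hatch test -c already combines coverage data; this only renders the XML`, makes that contract explicit. The `steps:` list begins before and ends after this hunk.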