Skip to content

feat: add Codecov integration with cargo-llvm-cov#64

Merged
mrizzi merged 2 commits into
guacsec:mainfrom
ptomanRH:add-codecov-coverage
Jun 10, 2026
Merged

feat: add Codecov integration with cargo-llvm-cov#64
mrizzi merged 2 commits into
guacsec:mainfrom
ptomanRH:add-codecov-coverage

Conversation

@ptomanRH

@ptomanRH ptomanRH commented Jun 2, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Add cargo-llvm-cov for Rust coverage report generation (same tooling as main trustify repo)
  • Replace cargo test -r with cargo llvm-cov --codecov to generate Codecov-format output
  • Add Codecov upload step using OIDC authentication (no secret needed)
  • Add codecov.yml with informational status checks, unit-tests flag with carryforward

Changes

File Change
.github/workflows/ci.yaml Add permissions: id-token: write, install cargo-llvm-cov + llvm-tools-preview, replace test step with coverage, add Codecov upload
codecov.yml Coverage config: informational checks, flag setup

Manual follow-up

After merging:

  1. Go to https://app.codecov.io/gh/guacsec/trustify-mcp
  2. Click the Flags tab → Enable flag analytics

Ref: COVERPORT-256

Summary by Sourcery

Integrate Rust coverage reporting into CI and upload results to Codecov using OIDC-based authentication.

Build:

  • Add installation of cargo-llvm-cov and llvm-tools-preview to the CI build steps.

CI:

  • Update CI workflow to run tests with cargo-llvm-cov instead of cargo test and upload coverage reports to Codecov using OIDC.

Tests:

  • Switch Rust test execution in CI to coverage-enabled runs that generate Codecov-compatible reports.

Chores:

  • Add Codecov configuration for informational coverage and patch status checks with unit-test flag carryforward.

- Add cargo-llvm-cov for coverage report generation
- Add Codecov upload step with OIDC auth and unit-tests flag
- Add codecov.yml with informational status checks and carryforward

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sourcery-ai

sourcery-ai Bot commented Jun 2, 2026

Copy link
Copy Markdown

Reviewer's Guide

Integrates Codecov coverage reporting into the Rust CI workflow by replacing the plain test run with cargo-llvm-cov, enabling OIDC-based uploads, and adding a Codecov configuration file with informational checks and a unit-test flag.

Sequence diagram for CI coverage generation and Codecov upload

sequenceDiagram
    actor Developer
    participant GitHubActions as GitHub_Actions_ci
    participant Cargo as cargo_llvm_cov
    participant Codecov as Codecov_API

    Developer->>GitHubActions: push to main / open PR
    GitHubActions->>GitHubActions: taiki-e/install-action@v2 (tool: cargo-llvm-cov)
    GitHubActions->>GitHubActions: rustup component add llvm-tools-preview
    GitHubActions->>Cargo: cargo llvm-cov --codecov --output-path codecov.json
    Cargo-->>GitHubActions: generate codecov.json
    GitHubActions->>Codecov: codecov/codecov-action@v5 (use_oidc: true, flags: unit-tests, files: codecov.json)
    Codecov-->>GitHubActions: record coverage with unit-tests flag
Loading

File-Level Changes

Change Details Files
Replace plain cargo test execution in CI with coverage-aware cargo-llvm-cov and upload results to Codecov using OIDC.
  • Add id-token: write permission to the CI job to support OIDC authentication for Codecov uploads.
  • Install cargo-llvm-cov via taiki-e/install-action and enable the llvm-tools-preview Rust component.
  • Replace the test step that ran cargo test -r with cargo llvm-cov --codecov --output-path codecov.json to generate Codecov-format coverage data.
  • Add a Codecov upload step using codecov/codecov-action@v5 configured to use OIDC, tag results with the unit-tests flag, and upload codecov.json for the guacsec/trustify-mcp slug.
.github/workflows/ci.yaml
Introduce a Codecov configuration file to control coverage status checks, flags, and PR comment layout.
  • Configure project and patch coverage status checks with automatic targets, a 1% threshold, and informational-only behavior.
  • Define a unit-tests flag with carryforward so coverage persists across runs.
  • Configure Codecov PR comments to show reach, diff, flags, and files with the default behavior.
codecov.yml

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've found 2 issues, and left some high level feedback:

  • Consider moving the coverage upload into a separate job with permissions: id-token: write so the main ci job doesn’t grant OIDC to steps that don’t require it, keeping GitHub token permissions more tightly scoped.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- Consider moving the coverage upload into a separate job with `permissions: id-token: write` so the main `ci` job doesn’t grant OIDC to steps that don’t require it, keeping GitHub token permissions more tightly scoped.

## Individual Comments

### Comment 1
<location path=".github/workflows/ci.yaml" line_range="17-18" />
<code_context>
 jobs:
   ci:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     steps:
       - name: Maximize build space
</code_context>
<issue_to_address>
**issue (bug_risk):** Codecov OIDC upload likely also needs `contents: read` in the permissions block

With an explicit `permissions` block, all unspecified permissions default to `none`. Codecov v5 with OIDC generally requires `contents: read` (and sometimes `pull-requests: write`, depending on your setup) on `GITHUB_TOKEN` to read commit/PR metadata. Without it, the upload step may fail.

Recommend:
```yaml
    permissions:
      id-token: write
      contents: read
```
</issue_to_address>

### Comment 2
<location path=".github/workflows/ci.yaml" line_range="44-45" />
<code_context>
+          tool: cargo-llvm-cov
+      - name: Install llvm-tools-preview
+        run: rustup component add llvm-tools-preview
+      - name: Test with coverage
+        run: cargo llvm-cov --codecov --output-path codecov.json
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v5
</code_context>
<issue_to_address>
**suggestion (testing):** Running `cargo llvm-cov` in debug mode changes behavior compared to the previous `cargo test -r`

`cargo test -r` runs tests with the release profile, while `cargo llvm-cov` defaults to dev, so this change affects optimization level and potentially test behavior/timing. If you want to keep the old semantics (e.g., catch release-only issues), pass `--release`:

```yaml
      - name: Test with coverage
        run: cargo llvm-cov --release --codecov --output-path codecov.json
```

If the move to dev profile is intentional, just confirm nothing in the suite depends on release-mode behavior.

```suggestion
      - name: Test with coverage
        run: cargo llvm-cov --release --codecov --output-path codecov.json
```
</issue_to_address>

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

Comment thread .github/workflows/ci.yaml
Comment on lines +17 to +18
permissions:
id-token: write

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

issue (bug_risk): Codecov OIDC upload likely also needs contents: read in the permissions block

With an explicit permissions block, all unspecified permissions default to none. Codecov v5 with OIDC generally requires contents: read (and sometimes pull-requests: write, depending on your setup) on GITHUB_TOKEN to read commit/PR metadata. Without it, the upload step may fail.

Recommend:

    permissions:
      id-token: write
      contents: read

Comment thread .github/workflows/ci.yaml Outdated
Keep the original `cargo test -r` for integration tests (MCP inspector
tests require release mode). Run `cargo llvm-cov --lib` separately
for coverage of library code only. Also remove hardcoded slug.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@codecov-commenter

Copy link
Copy Markdown

Welcome to Codecov 🎉

Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.

Thanks for integrating Codecov - We've got you covered ☂️

@mrizzi mrizzi left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ptomanRH thanks 👍

@mrizzi mrizzi merged commit 7fc383f into guacsec:main Jun 10, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants