feat: add Codecov integration with cargo-llvm-cov#64
Conversation
- Add cargo-llvm-cov for coverage report generation - Add Codecov upload step with OIDC auth and unit-tests flag - Add codecov.yml with informational status checks and carryforward Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Reviewer's GuideIntegrates Codecov coverage reporting into the Rust CI workflow by replacing the plain test run with cargo-llvm-cov, enabling OIDC-based uploads, and adding a Codecov configuration file with informational checks and a unit-test flag. Sequence diagram for CI coverage generation and Codecov uploadsequenceDiagram
actor Developer
participant GitHubActions as GitHub_Actions_ci
participant Cargo as cargo_llvm_cov
participant Codecov as Codecov_API
Developer->>GitHubActions: push to main / open PR
GitHubActions->>GitHubActions: taiki-e/install-action@v2 (tool: cargo-llvm-cov)
GitHubActions->>GitHubActions: rustup component add llvm-tools-preview
GitHubActions->>Cargo: cargo llvm-cov --codecov --output-path codecov.json
Cargo-->>GitHubActions: generate codecov.json
GitHubActions->>Codecov: codecov/codecov-action@v5 (use_oidc: true, flags: unit-tests, files: codecov.json)
Codecov-->>GitHubActions: record coverage with unit-tests flag
File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
There was a problem hiding this comment.
Hey - I've found 2 issues, and left some high level feedback:
- Consider moving the coverage upload into a separate job with
permissions: id-token: writeso the maincijob doesn’t grant OIDC to steps that don’t require it, keeping GitHub token permissions more tightly scoped.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- Consider moving the coverage upload into a separate job with `permissions: id-token: write` so the main `ci` job doesn’t grant OIDC to steps that don’t require it, keeping GitHub token permissions more tightly scoped.
## Individual Comments
### Comment 1
<location path=".github/workflows/ci.yaml" line_range="17-18" />
<code_context>
jobs:
ci:
runs-on: ubuntu-latest
+ permissions:
+ id-token: write
steps:
- name: Maximize build space
</code_context>
<issue_to_address>
**issue (bug_risk):** Codecov OIDC upload likely also needs `contents: read` in the permissions block
With an explicit `permissions` block, all unspecified permissions default to `none`. Codecov v5 with OIDC generally requires `contents: read` (and sometimes `pull-requests: write`, depending on your setup) on `GITHUB_TOKEN` to read commit/PR metadata. Without it, the upload step may fail.
Recommend:
```yaml
permissions:
id-token: write
contents: read
```
</issue_to_address>
### Comment 2
<location path=".github/workflows/ci.yaml" line_range="44-45" />
<code_context>
+ tool: cargo-llvm-cov
+ - name: Install llvm-tools-preview
+ run: rustup component add llvm-tools-preview
+ - name: Test with coverage
+ run: cargo llvm-cov --codecov --output-path codecov.json
+ - name: Upload coverage to Codecov
+ uses: codecov/codecov-action@v5
</code_context>
<issue_to_address>
**suggestion (testing):** Running `cargo llvm-cov` in debug mode changes behavior compared to the previous `cargo test -r`
`cargo test -r` runs tests with the release profile, while `cargo llvm-cov` defaults to dev, so this change affects optimization level and potentially test behavior/timing. If you want to keep the old semantics (e.g., catch release-only issues), pass `--release`:
```yaml
- name: Test with coverage
run: cargo llvm-cov --release --codecov --output-path codecov.json
```
If the move to dev profile is intentional, just confirm nothing in the suite depends on release-mode behavior.
```suggestion
- name: Test with coverage
run: cargo llvm-cov --release --codecov --output-path codecov.json
```
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
| permissions: | ||
| id-token: write |
There was a problem hiding this comment.
issue (bug_risk): Codecov OIDC upload likely also needs contents: read in the permissions block
With an explicit permissions block, all unspecified permissions default to none. Codecov v5 with OIDC generally requires contents: read (and sometimes pull-requests: write, depending on your setup) on GITHUB_TOKEN to read commit/PR metadata. Without it, the upload step may fail.
Recommend:
permissions:
id-token: write
contents: readKeep the original `cargo test -r` for integration tests (MCP inspector tests require release mode). Run `cargo llvm-cov --lib` separately for coverage of library code only. Also remove hardcoded slug. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Welcome to Codecov 🎉Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests. Thanks for integrating Codecov - We've got you covered ☂️ |
Summary
cargo test -rwithcargo llvm-cov --codecovto generate Codecov-format outputcodecov.ymlwith informational status checks,unit-testsflag with carryforwardChanges
.github/workflows/ci.yamlpermissions: id-token: write, install cargo-llvm-cov + llvm-tools-preview, replace test step with coverage, add Codecov uploadcodecov.ymlManual follow-up
After merging:
Ref: COVERPORT-256
Summary by Sourcery
Integrate Rust coverage reporting into CI and upload results to Codecov using OIDC-based authentication.
Build:
CI:
Tests:
Chores: