Skip to content

fix: switch Codecov to OIDC auth and add unit-tests flag#2376

Open
ptomanRH wants to merge 1 commit into
guacsec:mainfrom
ptomanRH:fix-codecov-config
Open

fix: switch Codecov to OIDC auth and add unit-tests flag#2376
ptomanRH wants to merge 1 commit into
guacsec:mainfrom
ptomanRH:fix-codecov-config

Conversation

@ptomanRH

@ptomanRH ptomanRH commented Jun 2, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Switch Codecov authentication from token-based to OIDC (more secure, no CODECOV_TOKEN secret needed)
  • Add flags: unit-tests for proper coverage categorization in Codecov UI
  • Add files: codecov.json to explicitly specify the coverage report file
  • Add permissions: id-token: write (required for GitHub OIDC token)
  • Add fail_ci_if_error: false to prevent CI failures on transient upload issues

Why

OIDC is the recommended authentication method for public GitHub repos on app.codecov.io — it eliminates the need to manage CODECOV_TOKEN secrets. Adding the unit-tests flag enables flag analytics in Codecov, making it possible to separate unit test coverage from future e2e coverage.

Manual follow-up

After merging, enable flag analytics in the Codecov UI:

  1. Go to https://app.codecov.io/gh/guacsec/trustify
  2. Click the Flags tab
  3. Click Enable flag analytics

Verification

  • CI workflow uploads coverage successfully with OIDC
  • unit-tests flag appears in Codecov Flags tab
  • Coverage percentage is non-zero on the main branch

Ref: COVERPORT-251

Summary by Sourcery

Switch Codecov coverage upload in the CI workflow to use OIDC authentication and improve coverage reporting configuration.

Enhancements:

  • Grant GitHub Actions the id-token write permission required for OIDC-based authentication with Codecov.
  • Configure the Codecov action to use OIDC instead of a token, tag uploads with a unit-tests flag, and explicitly specify the coverage report file.
  • Relax Codecov upload behavior so CI does not fail on Codecov upload errors.

@sourcery-ai

sourcery-ai Bot commented Jun 2, 2026

Copy link
Copy Markdown
Contributor
Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Updates the Codecov GitHub Actions workflow to authenticate via GitHub OIDC instead of a secret token and configures additional Codecov upload options for unit-test coverage reporting and CI robustness.

Sequence diagram for Codecov upload using GitHub OIDC

sequenceDiagram
    actor Developer
    participant GitHubActions_ci as GitHubActions_ci_job
    participant GitHubOIDC as GitHub_OIDC_Provider
    participant Codecov as Codecov

    Developer->>GitHubActions_ci: push/PR triggers codecov workflow
    GitHubActions_ci->>GitHubOIDC: request_id_token (permissions id-token: write)
    GitHubOIDC-->>GitHubActions_ci: id_token
    GitHubActions_ci->>Codecov: codecov-action@v5 use_oidc true
    GitHubActions_ci->>Codecov: upload coverage files codecov.json
    GitHubActions_ci->>Codecov: set flag unit-tests
    GitHubActions_ci->>GitHubActions_ci: handle fail_ci_if_error false
Loading

File-Level Changes

Change Details Files
Switch Codecov GitHub Action authentication from token-based to OIDC using GitHub id-token permissions.
  • Add a job-level permissions block granting id-token: write for the ci job so the Codecov action can request an OIDC token.
  • Replace the explicit CODECOV_TOKEN input on the Codecov action with use_oidc: true to enable OIDC-based authentication.
.github/workflows/codecov.yaml
Refine Codecov upload configuration for unit-test coverage and resiliency.
  • Set flags: unit-tests on the Codecov action to categorize this upload as unit-test coverage for flag analytics.
  • Specify files: codecov.json so the action uploads the intended coverage report explicitly.
  • Set fail_ci_if_error: false to avoid failing the CI job on transient Codecov upload errors while still running the upload step.
.github/workflows/codecov.yaml

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've left some high level feedback:

  • Setting fail_ci_if_error: false will silently ignore persistent Codecov upload issues; consider keeping it true and handling known transient failures via a separate retry or monitoring mechanism.
  • The files: codecov.json configuration assumes a fixed report path; if the report location changes (e.g., per-package or matrix jobs), consider parameterizing this or using a glob to avoid brittle coupling.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- Setting `fail_ci_if_error: false` will silently ignore persistent Codecov upload issues; consider keeping it `true` and handling known transient failures via a separate retry or monitoring mechanism.
- The `files: codecov.json` configuration assumes a fixed report path; if the report location changes (e.g., per-package or matrix jobs), consider parameterizing this or using a glob to avoid brittle coupling.

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@ptomanRH ptomanRH moved this to In review in Trustify Jun 2, 2026
@ptomanRH ptomanRH requested a review from ctron June 2, 2026 08:27
@ptomanRH ptomanRH self-assigned this Jun 2, 2026
@ctron

ctron commented Jun 2, 2026

Copy link
Copy Markdown
Contributor

To my understanding fail_ci_if_error: false would not warn us if things go bad. I'd prefer to keep this as it is. So that we are aware of CI issues, rather than figuring out months later that something broke.

@codecov

codecov Bot commented Jun 2, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 71.39%. Comparing base (480d2bd) to head (3e3e1ca).
⚠️ Report is 16 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2376      +/-   ##
==========================================
+ Coverage   70.90%   71.39%   +0.48%     
==========================================
  Files         442      441       -1     
  Lines       25369    26747    +1378     
  Branches    25369    26747    +1378     
==========================================
+ Hits        17987    19095    +1108     
- Misses       6400     6531     +131     
- Partials      982     1121     +139     
Flag Coverage Δ
unit-tests 71.39% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

ptomanRH added a commit to ptomanRH/trustify-da-javascript-client that referenced this pull request Jun 2, 2026
Per review feedback on guacsec/trustify#2376 — keep CI failing on
Codecov upload errors so broken coverage is caught immediately.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
ptomanRH added a commit to ptomanRH/trustify-dependency-analytics that referenced this pull request Jun 2, 2026
Per review feedback on guacsec/trustify#2376 — keep CI failing on
Codecov upload errors so broken coverage is caught immediately.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
ptomanRH added a commit to ptomanRH/trustify-da-api-spec that referenced this pull request Jun 2, 2026
Per review feedback on guacsec/trustify#2376 — keep CI failing on
Codecov upload errors so broken coverage is caught immediately.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
ptomanRH added a commit to ptomanRH/trustify-da-java-client that referenced this pull request Jun 2, 2026
Per review feedback on guacsec/trustify#2376 — keep CI failing on
Codecov upload errors so broken coverage is caught immediately.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Switch from token-based auth to OIDC (more secure, no secret needed)
- Add flags: unit-tests for proper coverage categorization
- Add files: codecov.json to explicitly specify coverage file
- Add permissions: id-token: write required for OIDC

Ref: COVERPORT-251

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@ptomanRH ptomanRH force-pushed the fix-codecov-config branch from 9affca0 to 3e3e1ca Compare June 3, 2026 10:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: In review

Development

Successfully merging this pull request may close these issues.

2 participants