Create new action to measure code coverage of our test suite#8278
Create new action to measure code coverage of our test suite#8278g1rly-c0d3r wants to merge 132 commits into
Conversation
… we manually ran it
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughThis PR adds a Coverage GitHub Actions workflow with change detection, containerized execution, report collection, pytest defaults, testing dependencies, and documentation for the coverage-clone secret. ChangesCoverage workflow and test setup
Sequence Diagram(s)sequenceDiagram
participant GitHubActions
participant ChangesJob
participant SetupAndRunJob
participant DockerCompose
GitHubActions->>ChangesJob: trigger coverage workflow
ChangesJob->>ChangesJob: detect changed paths
ChangesJob->>SetupAndRunJob: pass change outputs
SetupAndRunJob->>DockerCompose: start Docker stack
SetupAndRunJob->>DockerCompose: collect logs and database output
SetupAndRunJob->>GitHubActions: upload coverage report
🚥 Pre-merge checks | ✅ 6✅ Passed checks (6 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Warning One or more dependencies are approaching or past End-of-Life. |
There was a problem hiding this comment.
Actionable comments posted: 6
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/coverage.yml (1)
1-110: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick winAdd a
permissions:block to follow least-privilege principle.The workflow has no
permissions:block, so it inherits the default token permissions (which may be broad depending on repo settings). Since this workflow only needs to read code and upload artifacts, it should use minimal permissions. This is flagged by zizmor.🔒 Proposed fix
+permissions: + contents: read + name: Coverage🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/coverage.yml around lines 1 - 110, The Coverage workflow currently relies on default GITHUB_TOKEN scope, so add an explicit least-privilege permissions block at the workflow level. Update the workflow definition for the Coverage job set so it only grants the minimal access needed for actions like actions/checkout and actions/upload-artifact, and keep the rest of the jobs unchanged. Reference the workflow’s top-level configuration near the existing on: and jobs: sections when applying the fix.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/coverage.yml:
- Line 31: The checkout steps in the workflow are persisting GitHub credentials
in .git/config, which triggers the artipacked warning. Update both
actions/checkout usages in the workflow to set persist-credentials to false,
since neither checkout needs to push or amend commits. Make the change on each
checkout step so the token is not retained after checkout.
- Around line 54-57: The setup job condition references an undefined changes
output, so frontend-only changes never satisfy the workflow gate. Update the if
expression in the setup job to use the actual output name exposed by the changes
job (the frontend-related output defined alongside backend_changed and
frontend/frontend_changes), and keep the workflow_dispatch branch intact so the
setup job triggers correctly for frontend-only edits.
- Around line 3-5: The coverage workflow is missing the pull_request trigger, so
its PR-specific logic in the changes job can never run. Update the workflow’s on
block to include pull_request alongside push and workflow_dispatch, and verify
the changes job condition still correctly evaluates for pull_request events by
referencing the existing changes job and event-based condition logic.
- Around line 17-23: The workflow condition in the `if` block is fragile because
`github.event.head_commit` can be null for `workflow_dispatch` events, so the
existing `head_commit.committer.name` checks in the coverage workflow should be
made null-safe. Update the conditional logic to explicitly handle
`workflow_dispatch` separately or guard access to `github.event.head_commit`
before reading `committer.name`, while preserving the existing `Hosted Weblate`,
`github-actions`, and forked pull request exclusions.
- Around line 52-107: The workflow splits setup and execution into separate
jobs, but GitHub Actions runners are ephemeral so the installed run-coverage
script and started Docker containers from setup are not available in run. Update
the coverage workflow by merging the setup and run steps into a single job (or
otherwise ensure all required artifacts/services are recreated in run), using
the setup and run job names as the key locations to refactor.
In @.github/workflows/README.md:
- Around line 72-83: Fix the broken markdown links in the COVERAGE_SCRIPT_CLONE
documentation table by updating the development repo link to use a fully
qualified GitHub URL and correcting the PR anchor so it points to the actual
pull request number shown as `#8278`. Update the affected entries in the README
table so the links resolve properly without changing the surrounding wording or
structure.
---
Outside diff comments:
In @.github/workflows/coverage.yml:
- Around line 1-110: The Coverage workflow currently relies on default
GITHUB_TOKEN scope, so add an explicit least-privilege permissions block at the
workflow level. Update the workflow definition for the Coverage job set so it
only grants the minimal access needed for actions like actions/checkout and
actions/upload-artifact, and keep the rest of the jobs unchanged. Reference the
workflow’s top-level configuration near the existing on: and jobs: sections when
applying the fix.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: e7dc0191-b0ed-47f9-9398-a9251ff1841c
📒 Files selected for processing (4)
.github/workflows/README.md.github/workflows/coverage.ymlpytest.inirequirements-testing.txt
Fixes #8264 #8228
This adds a new Github action that will run on PRs that will generate a report of code coverage that is downloadable for one day. This also adds support for running pytest as a test runner so that we can measure our backend code coverage from our tests.
Checklist
self-explanatory (or properly documented)
Testing instructions
Since you can not manually trigger a workflow on any other branch than main:
Coverageworkflow should attempt to runreport.tar.bz2archive is not emptySummary by CodeRabbit
pytest.inito set the defaultDJANGO_SETTINGS_MODULE.coverageandpytest-django.COVERAGE_SCRIPT_CLONEsecret details.