Walkthrough
Add code coverage reporting infrastructure by introducing a new workflow that collects JaCoCo reports from OIDC conformance, FAPI conformance, and integration tests, uploads them to Codecov, and modifies the PR builder workflow with a new Codecov configuration file.
Actionable comments posted: 4
🧹 Nitpick comments (1)
.github/workflows/coverage-generator.yml (1)
10-31: Replace workspace cache pattern with upload-artifact/download-artifact for job handoff.
The report jobs only download external jacoco.xml files and upload them to Codecov—they don't use the built source code. Using actions/cache with path: . creates unnecessary overhead: the build dependency, large cache storage, and cache restoration steps add complexity without providing value. Use actions/upload-artifact in build-source to save artifacts, and actions/download-artifact in the report jobs if needed, or remove the dependency entirely since these jobs only fetch external coverage files.
This pattern repeats at lines 38-44, 98-104, and 158-164.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/coverage-generator.yml around lines 10 - 31, The workflow currently uses an actions/cache step with path: . inside the build-source job which unnecessarily caches the whole repository; replace that actions/cache usage with actions/upload-artifact from the build-source job (e.g., upload an artifact named like "source-artifact" or skip entirely if downstream report jobs don't need source), and update any report jobs that currently rely on that cache to either remove the dependency or use actions/download-artifact to retrieve the uploaded artifact; specifically modify the build-source job's step that references actions/cache to use actions/upload-artifact (or delete it) and update the corresponding report job steps that mirror this pattern (the repeated occurrences of actions/cache in other jobs) to use actions/download-artifact or be removed if not needed.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/coverage-generator.yml:
- Line 73: Replace the deprecated echo "::set-output
name=artifact-url::$ARTIFACT_URL" usage with the new $GITHUB_OUTPUT method:
instead of using ::set-output, append "artifact-url=$ARTIFACT_URL" to the file
referenced by $GITHUB_OUTPUT (same change for the other occurrence around the
second set-output), ensuring the variable name matches "artifact-url" so
downstream steps read it the same way; update both occurrences in the workflow
where ::set-output is used.
- Around line 46-56: Update the GitHub API queries and Jenkins artifact lookup
to pin artifacts to the branch being reported: in the job step named "Get the
latest Jacoco report URL" (id: get-artifact-url-oidc) and the other GitHub API
call used later (the second workflow run fetch), append the head_branch query
parameter (e.g., &head_branch=main or the appropriate branch variable) to the
runs API URL so the call only returns runs for that branch; for the Jenkins
artifact fetch that currently uses lastSuccessfulBuild, replace it with a
branch-specific build endpoint (or parameterize the job name/build selector for
the target branch) so artifacts are obtained from the exact branch instead of
the last successful build across branches.
- Around line 3-7: The scheduled cron trigger (the schedule: and cron: '00 22 *
* *' entries) will only run on the repository's default branch (master), so
either move this workflow file to the default branch or remove the schedule
block from this branch; update the workflow by deleting the schedule: section
(and its cron entry) if you intend to keep it in the 4.12.x branch, or relocate
the entire workflow file to master so the cron will execute.
In @.github/workflows/pr-builder.yml:
- Around line 48-53: The Codecov upload step ("Upload coverage reports to
Codecov") using codecov/codecov-action@v4 currently relies on the files input
but still auto-discovers other JaCoCo reports; add the input disable_search:
true to that action invocation to force upload only of the specified files
pattern ("**/target/coverage-reports/site/jacoco-aggregate/jacoco.xml") and
prevent merging other reports into the unit flag.
Files selected for processing (3)
- .github/workflows/coverage-generator.yml
- .github/workflows/pr-builder.yml
- codecov.yml
| on: | ||
| workflow_dispatch: | ||
| schedule: | ||
| # Daily 22:00 UTC (3.30 AM SL time). | ||
| - cron: '00 22 * * *' |
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
curl -s "https://api.github.com/repos/wso2/carbon-kernel" | jq -r '.default_branch'
Repository: wso2/carbon-kernel
Length of output: 66
🏁 Script executed:
#!/bin/bash
# Get full API response to diagnose the null result
curl -s "https://api.github.com/repos/wso2/carbon-kernel" | head -100
Repository: wso2/carbon-kernel
Length of output: 341
🏁 Script executed:
#!/bin/bash
# Check if the repository exists by testing different API endpoints
curl -s -w "\nHTTP Status: %{http_code}\n" "https://api.github.com/repos/wso2/carbon-kernel" | head -50
Repository: wso2/carbon-kernel
Length of output: 359
🏁 Script executed:
#!/bin/bash
# Try alternative approach: check git remote if this is a cloned repo
# and look for any branch/default-branch related files
git ls-files | grep -E "(branch|default)" || echo "No branch-related files found"
git config --get-all | grep -i branch || echo "No git config branch settings"
Repository: wso2/carbon-kernel
Length of output: 2541
🏁 Script executed:
#!/bin/bash
# Check current git branch
git symbolic-ref --short HEAD 2>/dev/null || git rev-parse --abbrev-ref HEAD || echo "Unable to determine branch"
Repository: wso2/carbon-kernel
Length of output: 66
🏁 Script executed:
#!/bin/bash
# Check git remote URL and look for any branch/PR information
git remote -v
echo "---"
git branch -a | head -20
Repository: wso2/carbon-kernel
Length of output: 294
🏁 Script executed:
#!/bin/bash
# Check if there are any other workflow files that might hint at branch strategy
find .github/workflows -name "*.yml" -o -name "*.yaml" | head -10 | xargs grep -l "branches:" 2>/dev/null || echo "No branch filters found in workflows"
Repository: wso2/carbon-kernel
Length of output: 94
Scheduled workflows only run on the default branch (master).
If this change is intended for the 4.12.x branch, the cron trigger on line 7 will never execute. Move this workflow to the default branch or remove the schedule trigger from non-default branches.
| - name: Get the latest Jacoco report URL | ||
| id: get-artifact-url-oidc | ||
| run: | | ||
| GITHUB_API_URL="https://api.github.com" | ||
| OWNER="wso2" | ||
| REPO="product-is" | ||
| WORKFLOW_ID="oidc-conformance-test.yml" | ||
| GITHUB_TOKEN="${{ secrets.GITHUB_TOKEN }}" | ||
|
|
||
| # Get the latest successful workflow run | ||
| WORKFLOW_RUNS=$(curl -s -H "Authorization: token $GITHUB_TOKEN" "$GITHUB_API_URL/repos/$OWNER/$REPO/actions/workflows/$WORKFLOW_ID/runs?status=success&per_page=1") |
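Review bot: In the `run:` script of `get-artifact-url-oidc`, `GITHUB_TOKEN="${{ secrets.GITHUB_TOKEN }}"` expands the secret into the script text before the shell runs; pass it through the step's `env:` block and read `$GITHUB_TOKEN` from the environment instead. The `curl -s` call on the `WORKFLOW_RUNS=` line also has no `--fail`, so an HTTP error body is assigned to `WORKFLOW_RUNS` as if it were a run list; add `--fail` (or check the status code) so the step stops at that point.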
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
curl -s "https://api.github.com/repos/wso2/product-is/actions/workflows/oidc-conformance-test.yml/runs?status=success&per_page=5" \
| jq -r '.workflow_runs[] | [.id, .head_branch, .head_sha, .created_at] | @tsv'
curl -s "https://api.github.com/repos/wso2/product-is/actions/workflows/fapi-oidc-conformance-test.yml/runs?status=success&per_page=5" \
| jq -r '.workflow_runs[] | [.id, .head_branch, .head_sha, .created_at] | @tsv'
Repository: wso2/carbon-kernel
Length of output: 541
🏁 Script executed:
cat -n .github/workflows/coverage-generator.yml | head -180
Repository: wso2/carbon-kernel
Length of output: 7172
Pin external coverage artifacts to the branch being reported.
The GitHub API calls at lines 56 and 116 fetch the latest successful workflow run across all branches, and line 169 uses Jenkins lastSuccessfulBuild without branch restriction. This means coverage artifacts from a different branch or commit than the sources Codecov is indexing can be published together.
To fix, add branch filtering to the GitHub API queries:
- Line 56: Add &head_branch=main (or appropriate branch name) to the API query
- Line 116: Add &head_branch=main to the API query
- Line 169: Specify a branch-specific Jenkins build URL instead of lastSuccessfulBuild
🧰 Tools
🪛 actionlint (1.7.12)
[error] 48-48: workflow command "set-output" was deprecated. use echo "{name}={value}" >> $GITHUB_OUTPUT instead: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions
(deprecated-commands)
| exit 1 | ||
| fi | ||
|
|
||
| echo "::set-output name=artifact-url::$ARTIFACT_URL" |
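Review bot: On the `echo "::set-output name=artifact-url::$ARTIFACT_URL"` line, the value is published as a step output exactly as received; unless the check that ends at `fi` already does so, verify that `$ARTIFACT_URL` is a single-line https URL on the expected host before emitting it, since later steps will fetch whatever it names.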
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
rg -n '::set-output' .github/workflows
Repository: wso2/carbon-kernel
Length of output: 276
🏁 Script executed:
cat -n .github/workflows/coverage-generator.yml | sed -n '65,80p'
Repository: wso2/carbon-kernel
Length of output: 851
🏁 Script executed:
cat -n .github/workflows/coverage-generator.yml | sed -n '125,140p'
Repository: wso2/carbon-kernel
Length of output: 855
Replace deprecated ::set-output with $GITHUB_OUTPUT environment variable.
Lines 73 and 133 use the deprecated ::set-output syntax which has been replaced by GitHub Actions. Migrate to the $GITHUB_OUTPUT environment variable to ensure long-term compatibility.
Proposed fix
- echo "::set-output name=artifact-url::$ARTIFACT_URL"
+ echo "artifact-url=$ARTIFACT_URL" >> "$GITHUB_OUTPUT"📝 Committable suggestion
| echo "::set-output name=artifact-url::$ARTIFACT_URL" | |
| echo "artifact-url=$ARTIFACT_URL" >> "$GITHUB_OUTPUT" |
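An added example, not part of the PR or of CodeRabbit's review: a POSIX shell helper for the $GITHUB_OUTPUT migration discussed in the comment above, which rejects multi-line values and URLs outside an expected prefix before recording the output. `set_step_output` and its prefix argument are hypothetical names; the `wso2/product-is` prefix in the usage comment is built from the workflow's OWNER and REPO values.

```shell
#!/bin/sh
# Added example (not from the PR): record a step output through $GITHUB_OUTPUT
# only after checking the value. set_step_output and its prefix argument are
# hypothetical names introduced for this illustration.

# Usage inside a workflow step (prefix built from the workflow's OWNER/REPO):
#   set_step_output artifact-url "$ARTIFACT_URL" \
#     "https://api.github.com/repos/wso2/product-is/"

set_step_output() {
  sso_name=$1
  sso_value=$2
  sso_prefix=$3
  sso_nl='
'
  sso_cr=$(printf '\r')

  if [ -z "${GITHUB_OUTPUT:-}" ]; then
    echo "GITHUB_OUTPUT is not set" >&2
    return 1
  fi

  # Output names: letters, digits, '-' and '_' only.
  case $sso_name in
    '' | *[!A-Za-z0-9_-]*) echo "invalid output name" >&2; return 1 ;;
  esac

  # The output file is line-oriented (name=value), so a line break inside the
  # value would be read as an additional output record.
  case $sso_value in
    *"$sso_nl"* | *"$sso_cr"*) echo "multi-line value rejected" >&2; return 1 ;;
  esac

  # Only accept https URLs under the prefix the caller expects.
  case $sso_prefix in
    https://?*) ;;
    *) echo "prefix must be an https URL" >&2; return 1 ;;
  esac
  case $sso_value in
    "$sso_prefix"?*) ;;
    *) echo "value is outside the expected prefix" >&2; return 1 ;;
  esac

  printf '%s=%s\n' "$sso_name" "$sso_value" >> "$GITHUB_OUTPUT"
}
```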
| - name: Upload coverage reports to Codecov | ||
| uses: codecov/codecov-action@v4 | ||
| with: | ||
| token: ${{ secrets.CODECOV_TOKEN }} | ||
| files: "**/target/coverage-reports/site/jacoco-aggregate/jacoco.xml" | ||
| flags: unit |
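Review bot: `uses: codecov/codecov-action@v4` references a movable tag in a step that is handed `secrets.CODECOV_TOKEN`; pin the action to a full commit SHA (with the version in a trailing comment) so the code that receives the token cannot change without a reviewed update.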
🧩 Analysis chain
🌐 Web query:
Does codecov/codecov-action@v4 still auto-discover coverage files when the files input is set, and is disable_search: true required to limit the upload to only the provided JaCoCo XML file(s)?
💡 Result:
No, codecov/codecov-action@v4 does not stop auto-discovering coverage files when the files input is set; the specified files are added to those found by the default search. Yes, disable_search: true is required to limit the upload to only the provided JaCoCo XML file(s), disabling the automatic search.
Citations:
- 1: https://github.com/codecov/codecov-action/blob/main/action.yml
- 2: https://github.com/codecov/codecov-action/blob/main/README.md
- 3: Files are ignored and extra files are picked codecov/codecov-action#1354
- 4: https://docs.codecov.com/docs/file-search
Add disable_search: true to restrict Codecov upload to the specified file only.
The codecov/codecov-action@v4 automatically discovers coverage files regardless of the files input. Without disable_search: true, this step will merge any other JaCoCo reports from the Maven build into the unit flag, defeating the purpose of uploading only the aggregate report on line 52.
Proposed fix
- name: Upload coverage reports to Codecov
uses: codecov/codecov-action@v4
with:
token: ${{ secrets.CODECOV_TOKEN }}
files: "**/target/coverage-reports/site/jacoco-aggregate/jacoco.xml"
flags: unit
+ disable_search: true📝 Committable suggestion
| - name: Upload coverage reports to Codecov | |
| uses: codecov/codecov-action@v4 | |
| with: | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| files: "**/target/coverage-reports/site/jacoco-aggregate/jacoco.xml" | |
| flags: unit | |
| - name: Upload coverage reports to Codecov | |
| uses: codecov/codecov-action@v4 | |
| with: | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| files: "**/target/coverage-reports/site/jacoco-aggregate/jacoco.xml" | |
| flags: unit | |
| disable_search: true |
Welcome to Codecov 🎉
Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.
Thanks for integrating Codecov - We've got you covered ☂️
Purpose
This PR integrates Codecov with JaCoCo to enable automated code coverage tracking on pull requests and scheduled checks.
Summary
- pom.xml to instrument tests and generate XML reports.
- codecov.yml to define coverage rules — patch coverage target of 80% for the unit flag with carryforward enabled.
- coverage-generator.yml workflow for scheduled (daily) upload of OIDC conformance, FAPI conformance, and integration test coverage reports from product-is runs.
Goals
Approach
User stories
Release note
Documentation
Training
Certification
Marketing
Automation tests
Security checks
Samples
Related PRs
Migrations (if applicable)
Test environment
Learning