167 changes: 167 additions & 0 deletions .github/workflows/coverage-baseline.yml
@@ -0,0 +1,167 @@
name: Coverage Baseline

on:
push:
branches:
- main

permissions:
contents: read

jobs:
coverage:
name: Coverage Baseline
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
target: x86_64-unknown-linux-musl
- os: windows-latest
target: x86_64-pc-windows-msvc
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Set Python to PATH
uses: actions/setup-python@v5
with:
python-version: "3.12"

- name: Add Conda to PATH (Windows)
if: startsWith(matrix.os, 'windows')
run: |
$path = $env:PATH + ";" + $env:CONDA + "\condabin"
echo "PATH=$path" >> $env:GITHUB_ENV

- name: Add Conda to PATH (Linux)
if: startsWith(matrix.os, 'ubuntu')
run: echo "PATH=$PATH:$CONDA/condabin" >> $GITHUB_ENV
shell: bash

- name: Check Conda version
run: conda info --all

- name: Create Conda Environments
run: |
conda create -n test-env1 python=3.12 -y
conda create -n test-env-no-python -y
conda create -p ./prefix-envs/.conda1 python=3.12 -y
conda create -p ./prefix-envs/.conda-nopy -y

- name: Install pipenv
run: pip install pipenv

- name: Check pipenv version
run: pipenv --version

- name: Create a Pipenv Environment
run: pipenv install

- name: Install virtualenvwrapper (Linux)
if: startsWith(matrix.os, 'ubuntu')
run: |
pip install virtualenvwrapper
echo "WORKON_HOME=$HOME/.virtualenvs" >> $GITHUB_ENV
mkdir -p $HOME/.virtualenvs
source virtualenvwrapper.sh
mkvirtualenv venv_wrapper_env1
shell: bash

- name: Install virtualenvwrapper-win (Windows)
if: startsWith(matrix.os, 'windows')
run: |
pip install virtualenvwrapper-win
echo "WORKON_HOME=$HOME/.virtualenvs" >> $GITHUB_ENV
shell: bash

- name: Install pyenv (Windows)
if: startsWith(matrix.os, 'windows')
run: |
choco install pyenv-win -y
echo "PATH=$PATH;$HOME/.pyenv/pyenv-win/bin;$HOME/.pyenv/pyenv-win/shims" >> $GITHUB_ENV
echo "PYENV_ROOT=$HOME/.pyenv" >> $GITHUB_ENV
shell: bash

- name: Install pyenv and pyenv-virtualenv (Linux)
if: startsWith(matrix.os, 'ubuntu')
run: |
curl https://pyenv.run | bash
echo "PYENV_ROOT=$HOME/.pyenv" >> $GITHUB_ENV
echo "PATH=$HOME/.pyenv/bin:$PATH" >> $GITHUB_ENV
shell: bash

- name: Check Pyenv version
run: pyenv --version
shell: bash

- name: Install Pyenv Python(s) (Linux)
if: startsWith(matrix.os, 'ubuntu')
run: |
pyenv install --list
pyenv install 3.13:latest 3.12:latest 3.9:latest
shell: bash

- name: Install Pyenv Python(s) (Windows)
if: startsWith(matrix.os, 'windows')
run: |
pyenv install --list
pyenv install 3.10.5 3.8.10
shell: bash

- name: Create pyenv-virtualenv envs (Linux)
if: startsWith(matrix.os, 'ubuntu')
run: |
eval "$(pyenv virtualenv-init -)"
pyenv virtualenv 3.12 pyenv-virtualenv-env1
shell: bash

- name: Create .venv
run: python -m venv .venv
shell: bash

- name: Create .venv2
run: python -m venv .venv2
shell: bash

- name: Install Pixi
uses: prefix-dev/setup-pixi@v0.8.1
with:
run-install: false

- name: Create Pixi environments
run: |
pixi init
pixi add python
pixi add --feature dev python
pixi project environment add --feature dev dev
pixi install --environment dev
shell: bash

- name: Rust Tool Chain setup
uses: dtolnay/rust-toolchain@stable
with:
toolchain: stable
targets: ${{ matrix.target }}

- name: Install cargo-llvm-cov
uses: taiki-e/install-action@cargo-llvm-cov

- name: Cargo Fetch
run: cargo fetch
shell: bash

- name: Run Tests with Coverage
run: cargo llvm-cov --features ci --lcov --output-path lcov.info -- --nocapture --test-threads=1
env:
RUST_BACKTRACE: 1
RUST_LOG: trace
shell: bash

- name: Upload Coverage Artifact
uses: actions/upload-artifact@v4
with:
name: coverage-baseline-${{ matrix.os }}
path: lcov.info
retention-days: 90
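Review bot: the "Install pyenv and pyenv-virtualenv (Linux)" step runs curl https://pyenv.run | bash, which executes whatever that URL serves at run time with no version pin or integrity check. Consider downloading a specific release and verifying it before running it. The same applies to the uses: lines, which reference actions by tag or branch (actions/checkout@v4, actions/setup-python@v5, prefix-dev/setup-pixi@v0.8.1, dtolnay/rust-toolchain@stable, taiki-e/install-action@cargo-llvm-cov, actions/upload-artifact@v4); pinning each to a full commit SHA keeps a moved tag from changing what this job executes. The permissions: contents: read block after the on: trigger already limits the GITHUB_TOKEN, so the remaining exposure is third-party code executing on the runner.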
Comment on lines +13 to +167

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 1 day ago

In general, to fix this class of issue you add a permissions block either at the top level of the workflow (applies to all jobs without their own block) or inside the specific job. For a coverage/test workflow that only checks out code and uploads artifacts, contents: read is a safe minimal starting point; no write permissions are needed.

For this specific workflow in .github/workflows/coverage-baseline.yml, the best minimal fix without changing functionality is to add a workflow-level permissions block right after the name: line and before the on: trigger, e.g.:

name: Coverage Baseline
permissions:
  contents: read

on:
  push:
    branches:
      - main

No steps in the coverage job perform writes to the repository or interact with issues/PRs, so only contents: read is required. Adding it at the workflow root limits the GITHUB_TOKEN for this workflow and documents the intended permissions. No imports or additional methods are needed since this is a YAML configuration change only.

Suggested changeset 1
.github/workflows/coverage-baseline.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/coverage-baseline.yml b/.github/workflows/coverage-baseline.yml
--- a/.github/workflows/coverage-baseline.yml
+++ b/.github/workflows/coverage-baseline.yml
@@ -1,4 +1,6 @@
 name: Coverage Baseline
+permissions:
+  contents: read
 
 on:
   push:
EOF
@@ -1,4 +1,6 @@
name: Coverage Baseline
permissions:
contents: read

on:
push:
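Review bot: this patch inserts permissions: contents: read directly after name:, but the workflow as it appears in the diff already declares the same top-level block after the on: trigger. Applying it to that version would leave two top-level permissions keys in one file, which YAML parsers either reject or resolve by letting one silently win. Drop the patch and keep the existing block, or move that block up to the position proposed here if declaring permissions before on: is preferred.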
Unable to commit as this autofix suggestion is now outdated
Member


@copilot do this suggestion
