Expose secret within the reusable workflow in order to use repos secrets

[joselsegura]

Description

Minor fix to use CODECOV_TOKEN secret and being able to push coverage results into the platform

Type of change

• Refactor (refactoring code, removing useless files)
• Configuration update

Testing steps

To be tested on repos

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 6a1f7b0f-6e05-46be-9a1f-0bb24de9da18

📥 Commits

Reviewing files that changed from the base of the PR and between 26d5137 and 70d2e4d.

📒 Files selected for processing (2)

• .github/workflows/gotests.yaml
• workflows_examples/gotests.yaml

🚧 Files skipped from review as they are similar to previous changes (2)

• workflows_examples/gotests.yaml
• .github/workflows/gotests.yaml

---

Summary by CodeRabbit

• Chores
  • Updated CI workflows to use a newer workflow version and to pass an optional code coverage token to downstream steps, ensuring coverage uploads can run when a token is available while remaining optional.

Walkthrough

The PR declares an optional CODECOV_TOKEN secret on the reusable gotests workflow (on.workflow_call.secrets) and updates an example caller to use v0.4.2, passing CODECOV_TOKEN through its secrets mapping.

Changes

Workflow Secret Parameter Addition

Layer / File(s)	Summary
Workflow Interface .github/workflows/gotests.yaml	Adds secrets: CODECOV_TOKEN under on.workflow_call with required: false.
Caller / Wiring workflows_examples/gotests.yaml	Updates reuse from .../gotests.yaml@v0.4.1 to @v0.4.2 and adds secrets: { CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} } when invoking the reusable workflow.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: exposing a secret (CODECOV_TOKEN) within a reusable workflow to enable access to repository secrets.
Description check	✅ Passed	The description is directly related to the changeset, explaining the purpose of exposing the CODECOV_TOKEN secret for pushing coverage results to the platform.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@workflows_examples/gotests.yaml`:
- Line 8: The workflow currently references a mutable tag
"RedHatInsights/processing-tools/.github/workflows/gotests.yaml@v0.4.2" which
weakens CI supply-chain integrity; update the uses reference to the
corresponding immutable full commit SHA (replace "@v0.4.2" with
"@<full_commit_sha>") so the reusable workflow is pinned to a specific commit,
e.g., change the string in the uses key to
"RedHatInsights/processing-tools/.github/workflows/gotests.yaml@<full_sha>"
ensuring deterministic runs.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 5eaf44b7-6c85-48f2-b427-e724b0c478a3

📥 Commits

Reviewing files that changed from the base of the PR and between 1ce1153 and 26d5137.

📒 Files selected for processing (2)

• .github/workflows/gotests.yaml
• workflows_examples/gotests.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify whether workflow references are pinned to immutable SHAs or mutable refs.
# Expected: no `uses:` entries ending with `@v`* / `@main` / `@master` for reusable workflows.
rg -nP --type=yaml '^\s*uses:\s*[^#\s]+/(?:\.github/workflows/[^@\s]+)@([A-Za-z0-9._-]+)\s*$' .github workflows_examples -C2

Repository: RedHatInsights/processing-tools

Length of output: 1688

---

Pin reusable workflow to an immutable commit SHA, not a mutable tag.

Using @v0.4.2 allows retagging and weakens supply-chain integrity for CI. Prefer @<full_sha> for deterministic and safer runs.

🔧 Proposed change

-    uses: RedHatInsights/processing-tools/.github/workflows/gotests.yaml@v0.4.2
+    uses: RedHatInsights/processing-tools/.github/workflows/gotests.yaml@<full_commit_sha>

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@workflows_examples/gotests.yaml` at line 8, The workflow currently references
a mutable tag
"RedHatInsights/processing-tools/.github/workflows/gotests.yaml@v0.4.2" which
weakens CI supply-chain integrity; update the uses reference to the
corresponding immutable full commit SHA (replace "@v0.4.2" with
"@<full_commit_sha>") so the reusable workflow is pinned to a specific commit,
e.g., change the string in the uses key to
"RedHatInsights/processing-tools/.github/workflows/gotests.yaml@<full_sha>"
ensuring deterministic runs.