ci: upload coverage to Codecov

[nficano]

Summary

• Emit Clover XML from PHPUnit (PCOV is already enabled, source is already configured in phpunit.xml).
• Upload coverage.xml to Codecov.
• fail_ci_if_error: false so a Codecov outage cannot break CI.

Pre-merge action required

• Add CODECOV_TOKEN as a repo secret (gh secret set CODECOV_TOKEN --repo agentruntimecontrolprotocol/php-sdk).
• Activate the repo at app.codecov.io.

Test plan

• Merge, confirm coverage uploads on next push to main.

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Enhanced automated testing infrastructure with code coverage tracking and reporting capabilities to improve code quality monitoring.

[coderabbitai]

Walkthrough

The PR updates the CI test workflow to generate and report code coverage. The PHPUnit command now outputs Clover-format coverage data to coverage.xml, and a Codecov action step uploads this report using a pinned commit SHA with non-blocking error handling.

Changes

Code Coverage Reporting

Layer / File(s)	Summary
PHPUnit coverage generation and Codecov upload .github/workflows/test.yml	PHPUnit step adds --coverage-clover=coverage.xml to generate coverage output. New Codecov upload step uses pinned action commit SHA, uploads ./coverage.xml with unittests flag, configures fail_ci_if_error: false to prevent blocking, and authenticates with CODECOV_TOKEN.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'ci: upload coverage to Codecov' directly and concisely describes the main change: adding Codecov coverage upload to the CI workflow.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/codecov-upload

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/test.yml:
- Around line 79-87: Summary: The Codecov action is pinned to a commit SHA that
doesn't match the v6.0.1 tag object, causing confusion about which release is
used; update the step that uses codecov/codecov-action (the "Upload coverage to
Codecov" step) to use a correct ref. Fix by either (a) pinning to the canonical
v6.0.1 tag (uses: codecov/codecov-action@v6.0.1) so readers see the intended
release, or (b) if you require an exact commit, replace the SHA
e79a6962e0d4c0c17b229090214935d2e33f8354 with the tag object SHA returned by the
API (e.g., cddd853df119a48c5be31a973f8cd97e12e35e16) and add a brief inline
comment stating why the commit SHA is used instead of the tag to avoid future
confusion.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: abe6f4a5-66f6-4a5e-9ad6-10621e05768a

📥 Commits

Reviewing files that changed from the base of the PR and between 03afbaa and 9fb0369.

📒 Files selected for processing (1)

• .github/workflows/test.yml

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the codecov-action SHA corresponds to v6.0.1 and check for latest release

# Fetch the commit SHA for the v6.0.1 tag
echo "=== Checking SHA for v6.0.1 tag ==="
gh api repos/codecov/codecov-action/git/ref/tags/v6.0.1 --jq '.object.sha' || echo "Tag v6.0.1 not found"

# Check what the provided SHA actually points to
echo -e "\n=== Checking provided SHA ==="
gh api repos/codecov/codecov-action/commits/e79a6962e0d4c0c17b229090214935d2e33f8354 --jq '{sha: .sha, commit_message: .commit.message, author_date: .commit.author.date}' || echo "SHA not found"

# Get latest release
echo -e "\n=== Latest release ==="
gh api repos/codecov/codecov-action/releases/latest --jq '{tag: .tag_name, published: .published_at, name: .name}'

# Check for any security advisories
echo -e "\n=== Security advisories ==="
gh api graphql -f query='
{
  repository(owner: "codecov", name: "codecov-action") {
    vulnerabilityAlerts(first: 5) {
      nodes {
        securityVulnerability {
          advisory {
            summary
            severity
          }
          package {
            name
          }
        }
      }
    }
  }
}'

Repository: agentruntimecontrolprotocol/php-sdk

Length of output: 505

---

Clarify Codecov action pin: resolve v6.0.1 tag vs provided SHA mismatch.

e79a6962e0d4c0c17b229090214935d2e33f8354 is a commit whose message is chore(release): 6.0.1 (#1949), and the latest Codecov action release is v6.0.1 (no newer release). However, the v6.0.1 tag object SHA returned by the API is cddd853df119a48c5be31a973f8cd97e12e35e16, not the pinned e79..., so the “SHA corresponds to v6.0.1” assumption needs resolving (e.g., annotated tag vs target commit).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test.yml around lines 79 - 87, Summary: The Codecov action
is pinned to a commit SHA that doesn't match the v6.0.1 tag object, causing
confusion about which release is used; update the step that uses
codecov/codecov-action (the "Upload coverage to Codecov" step) to use a correct
ref. Fix by either (a) pinning to the canonical v6.0.1 tag (uses:
codecov/codecov-action@v6.0.1) so readers see the intended release, or (b) if
you require an exact commit, replace the SHA
e79a6962e0d4c0c17b229090214935d2e33f8354 with the tag object SHA returned by the
API (e.g., cddd853df119a48c5be31a973f8cd97e12e35e16) and add a brief inline
comment stating why the commit SHA is used instead of the tag to avoid future
confusion.