
Fix CodeScene secret check in CI#27

Merged
leynos merged 5 commits into main from codex/fix-runtime-errors-in-ci.yml
Aug 2, 2025

Conversation

@leynos (Owner) commented Jul 31, 2025

Summary

  • avoid GitHub CI error about undefined secrets
  • only upload coverage when CS_ACCESS_TOKEN is available

Testing

  • make fmt
  • make lint
  • make test

https://chatgpt.com/codex/tasks/task_e_688be01494648322bc097f4e504d4b0a

Summary by Sourcery

Fix the CI workflow to correctly handle the CodeScene access token and prevent undefined secrets errors by exporting the token and adjusting the coverage upload step.

CI:

  • Export CS_ACCESS_TOKEN from GitHub secrets into the CI job environment
  • Run the coverage upload step only when CS_ACCESS_TOKEN env var is non-empty
  • Use env.CS_ACCESS_TOKEN as the access-token input for the CodeScene upload action

@sourcery-ai Bot commented Jul 31, 2025

Reviewer's Guide

This PR surfaces the CodeScene access token into the CI environment and refactors the coverage upload step to guard on and consume the token from an environment variable, preventing undefined secret errors and ensuring uploads occur only when the token is set.

Flow diagram for conditional CodeScene coverage upload in CI

flowchart TD
    A[Start CI Job] --> B[Set env.CS_ACCESS_TOKEN from secrets]
    B --> C[Run coverage]
    C --> D{Is env.CS_ACCESS_TOKEN set?}
    D -- Yes --> E[Upload coverage to CodeScene]
    D -- No --> F[Skip upload step]
    E --> G[End]
    F --> G

File-Level Changes

Change: Expose CS_ACCESS_TOKEN in CI job environment
  Details:
    • Added CS_ACCESS_TOKEN env var sourced from secrets
  Files: .github/workflows/ci.yml
Change: Refactor coverage upload step to use and check the env var
  Details:
    • Changed conditional to check env.CS_ACCESS_TOKEN != ''
    • Switched access-token input to use env.CS_ACCESS_TOKEN
  Files: .github/workflows/ci.yml


@coderabbitai Bot (Contributor) commented Jul 31, 2025

Summary by CodeRabbit

  • Chores
    • Removed unnecessary trailing whitespace from the CI workflow configuration.

Walkthrough

Removed a trailing whitespace line from the CodeScene coverage upload step in the CI workflow without altering any logic, environment variables, conditions, or parameters.

Changes

Cohort / File(s): CI Workflow Whitespace Cleanup (.github/workflows/ci.yml)
Change Summary: Removed a single trailing whitespace line from the CodeScene coverage upload step; no functional changes made.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

A space removed, so small, so slight,
Yet keeps our workflow clean and tight.
No logic shifted, no steps undone,
Just tidying up for CI to run.
In code’s quiet corners, neatness gleams—
A silent hero behind the scenes! 🌟


📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9ec2c6c and afc1acb.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml (0 hunks)
💤 Files with no reviewable changes (1)
  • .github/workflows/ci.yml



@sourcery-ai sourcery-ai Bot left a comment


Hey @leynos - I've reviewed your changes and they look great!

Prompt for AI Agents
Please address the comments from this code review:
## Individual Comments

### Comment 1
<location> `.github/workflows/ci.yml:17` </location>
<code_context>
     env:
       CARGO_TERM_COLOR: always
       BUILD_PROFILE: debug
+      CS_ACCESS_TOKEN: ${{ secrets.CS_ACCESS_TOKEN }}
     steps:
       - uses: actions/checkout@v4
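Review bot: with `CS_ACCESS_TOKEN` in the job-level `env`, every step of the job, including the third-party `setup-rust` and `generate-coverage` actions and any child process they spawn, carries the token in its environment, so the exposure is wider than the single upload step that needs it. Job-level env is nonetheless the workable place for it, because a step-level `if` can read the `env` context but not `secrets`; to get the narrower scope back, move the coverage upload into its own job and set the token only in that job's `env`, leaving the build job without it.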
</code_context>

<issue_to_address>
Storing secrets in environment variables can increase exposure risk.

Assigning the secret to an environment variable can make it accessible to all steps. If this isn't required, reference the secret only in the steps that need it.
</issue_to_address>

### Comment 2
<location> `.github/workflows/ci.yml:32` </location>
<code_context>
       - name: Run coverage
         run: cargo tarpaulin --out lcov
       - name: Upload coverage data to CodeScene
-        if: ${{ secrets.CS_ACCESS_TOKEN }}
+        if: ${{ env.CS_ACCESS_TOKEN != '' }}
         uses: leynos/shared-actions/.github/actions/upload-codescene-coverage@v1.1.0
         with:
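Review bot: the comparison against `''` is sound once the variable lives in the job-level env: a missing or inaccessible secret (none configured, or a pull request from a fork) expands to the empty string, so the step is skipped rather than attempted without a token. The removed `if: ${{ secrets.CS_ACCESS_TOKEN }}` is consistent with the "undefined secrets" error this PR sets out to avoid, since `secrets` is not an available context in a step-level `if`; the `env` form is the one that evaluates.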
</code_context>

<issue_to_address>
The new conditional may not behave identically to the previous one.

The new check may allow undefined values, causing the step to run when the token is missing. Use a check like `env.CS_ACCESS_TOKEN` or `env.CS_ACCESS_TOKEN != null && env.CS_ACCESS_TOKEN != ''` for reliability.
</issue_to_address>

### Comment 3
<location> `.github/workflows/ci.yml:36` </location>
<code_context>
         uses: leynos/shared-actions/.github/actions/upload-codescene-coverage@v1.1.0
         with:
           format: lcov
-          access-token: ${{ secrets.CS_ACCESS_TOKEN }}
+          access-token: ${{ env.CS_ACCESS_TOKEN }}
           installer-checksum: ${{ vars.CODESCENE_CLI_SHA256 }}
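Review bot: the `with` block can read the `secrets` context directly, so `access-token: ${{ secrets.CS_ACCESS_TOKEN }}` could have stayed as it was; the env indirection is only needed for the `if`. Either form is masked in the job log, and the control worth keeping in this hunk is `installer-checksum: ${{ vars.CODESCENE_CLI_SHA256 }}`, which verifies the downloaded CodeScene CLI before it runs with the token.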

</code_context>

<issue_to_address>
Passing the access token via environment variable may not be necessary.

Referencing the secret directly in the `with` block is simpler and reduces unnecessary indirection, unless there's a specific reason to use the environment variable.
</issue_to_address>


Comment thread .github/workflows/ci.yml Outdated
env:
CARGO_TERM_COLOR: always
BUILD_PROFILE: debug
CS_ACCESS_TOKEN: ${{ secrets.CS_ACCESS_TOKEN }}

🚨 issue (security): Storing secrets in environment variables can increase exposure risk.

Assigning the secret to an environment variable can make it accessible to all steps. If this isn't required, reference the secret only in the steps that need it.

Comment thread .github/workflows/ci.yml Outdated
Comment on lines 32 to 33
- name: Upload coverage data to CodeScene
if: ${{ secrets.CS_ACCESS_TOKEN }}
if: ${{ env.CS_ACCESS_TOKEN != '' }}
uses: leynos/shared-actions/.github/actions/upload-codescene-coverage@v1.1.0

issue (bug_risk): The new conditional may not behave identically to the previous one.

The new check may allow undefined values, causing the step to run when the token is missing. Use a check like env.CS_ACCESS_TOKEN or env.CS_ACCESS_TOKEN != null && env.CS_ACCESS_TOKEN != '' for reliability.

Comment thread .github/workflows/ci.yml

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ec8f010 and ad8a591.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml (1 hunks)
🔇 Additional comments (1)
.github/workflows/ci.yml (1)

25-29: Confirm coverage artefact path compatibility

generate-coverage outputs lcov.info. Ensure the chosen path aligns with CodeScene expectations and any later artefact upload. Mismatched filenames silently break metrics.

Comment thread .github/workflows/ci.yml Outdated
- uses: actions/checkout@v4
- name: Setup Rust
uses: leynos/shared-actions/.github/actions/setup-rust@v1.1.0
uses: leynos/shared-actions/.github/actions/setup-rust@e48ed26d7f53f12f56eb7bcfdfdfe4d97065ea4c

🧹 Nitpick (assertive)

Pinning actions to a commit SHA locks updates

Pinning to a specific commit guarantees reproducibility but blocks security and bug-fix updates. Add Dependabot or a scheduled bump workflow to track newer SHAs or switch to a signed, versioned tag to balance safety and maintainability.

🤖 Prompt for AI Agents
In .github/workflows/ci.yml at line 20, the GitHub action is pinned to a
specific commit SHA, which prevents automatic updates for security and bug
fixes. To fix this, either add Dependabot or a scheduled workflow to regularly
update the pinned SHA, or switch the action reference to a signed, versioned tag
to allow safe updates while maintaining reproducibility.

Comment thread .github/workflows/ci.yml Outdated
Comment on lines +31 to +34
env:
CS_ACCESS_TOKEN: ${{ secrets.CS_ACCESS_TOKEN }}
if: ${{ env.CS_ACCESS_TOKEN != '' }}
uses: leynos/shared-actions/.github/actions/upload-codescene-coverage@e48ed26d7f53f12f56eb7bcfdfdfe4d97065ea4c

⚠️ Potential issue

Fix the if condition – step is always skipped

env.CS_ACCESS_TOKEN referenced in the if is populated after the condition is evaluated, so the expression is always empty and the upload step never runs. Refer to secrets directly or promote the variable to job-level env.

-        env:
-          CS_ACCESS_TOKEN: ${{ secrets.CS_ACCESS_TOKEN }}
-        if: ${{ env.CS_ACCESS_TOKEN != '' }}
+        if: ${{ secrets.CS_ACCESS_TOKEN != '' }}
+        env:
+          CS_ACCESS_TOKEN: ${{ secrets.CS_ACCESS_TOKEN }}
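Review bot: the diagnosis is right (a step's own `env:` block is not visible to that step's `if:`), but the replacement line `if: ${{ secrets.CS_ACCESS_TOKEN != '' }}` would not fix it: the `secrets` context is not available in a step-level `if`, which is the "undefined secrets" error the PR is avoiding in the first place. Of the two remedies named in the comment, promoting `CS_ACCESS_TOKEN` to the job-level `env` and keeping `if: ${{ env.CS_ACCESS_TOKEN != '' }}` is the one that evaluates correctly.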
📝 Committable suggestion


Suggested change
env:
CS_ACCESS_TOKEN: ${{ secrets.CS_ACCESS_TOKEN }}
if: ${{ env.CS_ACCESS_TOKEN != '' }}
uses: leynos/shared-actions/.github/actions/upload-codescene-coverage@e48ed26d7f53f12f56eb7bcfdfdfe4d97065ea4c
if: ${{ secrets.CS_ACCESS_TOKEN != '' }}
env:
CS_ACCESS_TOKEN: ${{ secrets.CS_ACCESS_TOKEN }}
uses: leynos/shared-actions/.github/actions/upload-codescene-coverage@e48ed26d7f53f12f56eb7bcfdfdfe4d97065ea4c
🤖 Prompt for AI Agents
In .github/workflows/ci.yml around lines 31 to 34, the if condition uses
env.CS_ACCESS_TOKEN which is not yet set when the condition is evaluated,
causing the step to always be skipped. Fix this by referencing
secrets.CS_ACCESS_TOKEN directly in the if condition or by moving
CS_ACCESS_TOKEN to the job-level env so it is available when the condition runs.
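Putting the reviewers' points together, as an added illustration that is not the repository's ci.yml: the token is set only in the job-level env of a separate upload job (a step-level `if` can read `env` but not `secrets`), so the build job and its third-party actions never see it. The split into two jobs, the artifact hand-off through actions/upload-artifact and actions/download-artifact, the `permissions` block, and the assumption that the upload action needs only a checkout plus the lcov file are this example's own choices.

```yaml
# .github/workflows/ci.yml (added illustration, not the repository's own file)
name: CI
on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read          # GITHUB_TOKEN is read-only for the whole workflow

jobs:
  test:
    runs-on: ubuntu-latest
    env:
      CARGO_TERM_COLOR: always
      BUILD_PROFILE: debug
      # No CS_ACCESS_TOKEN here: the build and its third-party actions never see it.
    steps:
      - uses: actions/checkout@v4
      - name: Setup Rust
        # Pinned to a commit SHA; pair it with a Dependabot github-actions entry so the pin is refreshed.
        uses: leynos/shared-actions/.github/actions/setup-rust@e48ed26d7f53f12f56eb7bcfdfdfe4d97065ea4c
      - name: Test and Measure Coverage
        uses: leynos/shared-actions/.github/actions/generate-coverage@e48ed26d7f53f12f56eb7bcfdfdfe4d97065ea4c
        with:
          output-path: lcov.info
          format: lcov
      - name: Hand the report to the upload job
        uses: actions/upload-artifact@v4
        with:
          name: coverage-lcov
          path: lcov.info

  codescene:
    needs: test
    runs-on: ubuntu-latest
    env:
      # A step-level `if` can read `env` but not `secrets`, so the job-level env is
      # the only place the condition can see the token. A missing secret (none
      # configured, or a pull request from a fork) expands to '', so the upload
      # step below is skipped instead of failing.
      CS_ACCESS_TOKEN: ${{ secrets.CS_ACCESS_TOKEN }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          name: coverage-lcov      # lcov.info lands in the workspace root
      - name: Upload coverage data to CodeScene
        if: ${{ env.CS_ACCESS_TOKEN != '' }}
        uses: leynos/shared-actions/.github/actions/upload-codescene-coverage@e48ed26d7f53f12f56eb7bcfdfdfe4d97065ea4c
        with:
          format: lcov
          # `with` accepts the secrets context directly; no env indirection needed.
          access-token: ${{ secrets.CS_ACCESS_TOKEN }}
          # Checksum of the CodeScene CLI installer, held in a repository variable.
          installer-checksum: ${{ vars.CODESCENE_CLI_SHA256 }}
```

The token now reaches only the two first-party actions and the upload step in the `codescene` job, and the step is skipped on runs that have no secret.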


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (2)
.github/workflows/ci.yml (2)

20-20: Pinning action to SHA still lacks an update path
Dependabot or a scheduled bump workflow is still missing, so the repository will freeze on this commit indefinitely. Add an update mechanism or switch to a signed, versioned tag.


31-34: Fix step condition – step is always skipped
if: ${{ env.CS_ACCESS_TOKEN }} evaluates before the step-level env: block is applied, so the variable is empty and the upload never runs. Reference the secret directly or promote the variable to job-level env.

-        env:
-          CS_ACCESS_TOKEN: ${{ secrets.CS_ACCESS_TOKEN }}
-        if: ${{ env.CS_ACCESS_TOKEN }}
+        if: ${{ secrets.CS_ACCESS_TOKEN != '' }}
+        env:
+          CS_ACCESS_TOKEN: ${{ secrets.CS_ACCESS_TOKEN }}
📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ad8a591 and 9ec2c6c.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml (1 hunks)

Comment thread .github/workflows/ci.yml
Comment on lines +25 to +29
- name: Test and Measure Coverage
uses: leynos/shared-actions/.github/actions/generate-coverage@e48ed26d7f53f12f56eb7bcfdfdfe4d97065ea4c
with:
output-path: lcov.info
format: lcov


🧹 Nitpick (assertive)

Introduce an update strategy for the newly-pinned generate-coverage action
The action is now hard-pinned to a commit. Guarantee periodic refreshes (Dependabot, Renovate, or scheduled workflow) or move to a signed tag to avoid stale or vulnerable code.

🤖 Prompt for AI Agents
In .github/workflows/ci.yml around lines 25 to 29, the generate-coverage action
is pinned to a specific commit hash, which can lead to stale or vulnerable code
over time. To fix this, implement an update strategy by either configuring
Dependabot or Renovate to periodically check and update this pinned commit, or
switch the action reference to use a signed tag or release version instead of a
commit hash to ensure safer and more maintainable dependency management.
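One way to give the SHA-pinned actions the update path CodeRabbit asks for in both of its pinning comments, as an added example rather than a file from the repository: a Dependabot configuration for the github-actions ecosystem (the weekly schedule and the single update group are assumptions).

```yaml
# .github/dependabot.yml (added example, not the repository's own file)
version: 2
updates:
  # Tracks every `uses:` reference under .github/workflows, including ones
  # pinned to a commit SHA: Dependabot bumps the SHA and keeps a trailing
  # "# vX.Y.Z" comment in step with the tag it corresponds to, so the pin
  # stays reproducible without freezing on one commit.
  - package-ecosystem: "github-actions"
    directory: "/"            # workflows are discovered from the repository root
    schedule:
      interval: "weekly"
    groups:
      # One pull request per week for all action bumps instead of one each
      actions:
        patterns:
          - "*"
```

Each Dependabot PR carries the new SHA and its version comment, so the reviewer still sees which release the pin now points at.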

@leynos leynos merged commit c96c60b into main Aug 2, 2025
0 of 2 checks passed
@leynos leynos deleted the codex/fix-runtime-errors-in-ci.yml branch August 2, 2025 08:49