ci: emit test data to codecov + prevent failing status check #928

Merged
danielroe merged 5 commits into main from ci/codecov-2
Feb 4, 2026
@danielroe
Member

No description provided.

@vercel
vercel bot commented Feb 4, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Actions | Updated (UTC)
npmx.dev | Ready | Preview, Comment | Feb 4, 2026 11:35am

2 Skipped Deployments

Project | Deployment | Actions | Updated (UTC)
docs.npmx.dev | Ignored | Preview | Feb 4, 2026 11:35am
npmx-lunaria | Ignored | | Feb 4, 2026 11:35am

@danielroe danielroe changed the title ci: emit test data to codecov ci: emit test data to codecov + prevent failing status check Feb 4, 2026
@coderabbitai
Contributor

coderabbitai bot commented Feb 4, 2026

📝 Walkthrough

This pull request updates CI workflows and adds Codecov configuration. The CI workflow (.github/workflows/ci.yml) now emits JUnit-formatted test-report.junit.xml for unit, component and Nuxt/browser tests, adds Codecov upload steps after those test jobs sourcing CODECOV_TOKEN from repository secrets, and replaces hardcoded tokens. Several action usages were annotated with inline commit-hash comments (cosmetic). A new codecov.yml was added to mark project and patch coverage status as informational and configure comment layout.

Possibly related PRs

  • ci: split ci tests #871: Modifies the same CI workflow test steps and test command parameters that this change further updates to emit JUnit reports and add Codecov uploads.
  • ci: upload coverage to codecov #830: Alters the CI workflow to add Codecov upload and adjust coverage reporting behavior, overlapping with this PR’s Codecov/coverage changes.
  • ci: add codecov token inline #856: Changes how the CI workflow supplies the Codecov token, directly related to this PR’s move to using secrets.CODECOV_TOKEN.

Suggested reviewers

  • serhalp
  • wojtekmaj
🚥 Pre-merge checks | ❌ 1

❌ Failed checks (1 inconclusive)

Check name: Description check
Status: ❓ Inconclusive
Explanation: The pull request lacks an author-provided description, making it impossible to verify alignment between stated intent and actual changes.
Resolution: Add a clear pull request description explaining the rationale for the changes and how they address the stated objectives of emitting test data to Codecov and preventing failing status checks.

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/ci.yml (1)

110-113: ⚠️ Potential issue | 🔴 Critical

Security: Hardcoded Codecov token must be moved to GitHub secrets.

The CODECOV_TOKEN is exposed in plaintext in the workflow file. This token should be stored as a GitHub secret and referenced securely. Anyone with read access to this repository can see and potentially misuse this token.

🔒 Proposed fix
       - name: Upload coverage reports to Codecov
         uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5
         env:
-          CODECOV_TOKEN: 17b4bed9-d407-4ce2-9c10-2ccd4328a1d9
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
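
Review bot: On the `+` line, `${{ secrets.CODECOV_TOKEN }}` resolves to an empty string on pull requests opened from forks, and no `if:` condition is visible on this step, so decide whether the upload should run tokenless or be skipped there, for example with `if: ${{ github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork }}`. The value on the `-` line also stays in the repository history, so the change is complete only once that token is revoked in Codecov and a new one is stored as the secret.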

Immediate action required: Rotate this token in Codecov settings as it has been exposed in version control.

@codecov
codecov bot commented Feb 4, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

📢 Thoughts on this report? Let us know!

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

@danielroe danielroe merged commit 93bd291 into main Feb 4, 2026
19 checks passed
@danielroe danielroe deleted the ci/codecov-2 branch February 4, 2026 11:38
Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

Comment on lines +85 to 90
- name: ⬆︎ Upload test results to Codecov
if: ${{ !cancelled() }}
uses: codecov/test-results-action@0fa95f0e1eeaafde2c782583b36b28ad0d8c77d3 # v1
with:
token: ${{ secrets.CODECOV_TOKEN }}

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/ci.yml | head -130

Repository: npmx-dev/npmx.dev

Length of output: 4668


🏁 Script executed:

# Search for all Codecov-related steps in the workflow
rg -n "codecov" .github/workflows/ci.yml -i -A 3

Repository: npmx-dev/npmx.dev

Length of output: 876


🌐 Web query:

How does codecov/test-results-action handle missing or empty CODECOV_TOKEN - does it fail?

💡 Result:

codecov/test-results-action will still run if CODECOV_TOKEN is missing/empty; what happens next depends on whether Codecov will accept a tokenless upload for that repo/commit.

  • If tokenless uploads are allowed (e.g., public repo + org setting “token authentication for public repos” disabled, or an “unprotected” branch like forkname:main), the upload can succeed without a token. [1]
  • If a token is required (always for private repos; often for protected branches on public repos), the upload will be rejected by Codecov due to missing auth. [1]
  • Whether your GitHub Actions job fails then depends on the action’s “fail on error” behavior (Codecov’s GH Actions uploader supports fail_ci_if_error, default false, meaning upload errors don’t fail the job unless you opt in). [2]

Sources:
[1] Codecov Tokens (when a token is required / tokenless conditions) https://docs.codecov.com/docs/codecov-tokens
[2] codecov/codecov-action README (fail_ci_if_error default and behavior) https://github.com/codecov/codecov-action


🌐 Web query:

Recommended way to conditionally skip codecov actions on forked PRs with missing secrets

💡 Result:

For forked PRs, GitHub Actions won’t pass repository secrets (including CODECOV_TOKEN) to the runner (except GITHUB_TOKEN). (docs.github.com) The cleanest approach is to avoid needing the secret on forked PRs and only use it on trusted (non-fork) runs.

Recommended setup (2 paths)

1) Prefer tokenless uploads for fork PRs (public repos)

Codecov supports tokenless uploads for public repos when token authentication is disabled for the org, and/or for fork PR commits on “unprotected” branches (the Codecov Action v4+ handles fork PR branch naming to make this work). (docs.codecov.com)

Then use two steps:

# Upload with token on non-fork PRs / pushes
- name: Upload coverage (trusted)
  if: ${{ github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork }}
  uses: codecov/codecov-action@v5
  with:
    token: ${{ secrets.CODECOV_TOKEN }}

# Upload without token on fork PRs
- name: Upload coverage (fork PR - tokenless)
  if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork }}
  uses: codecov/codecov-action@v5

2) If you require a token, skip entirely on forks

- name: Upload coverage (skip on forks)
  if: ${{ github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork }}
  uses: codecov/codecov-action@v5
  with:
    token: ${{ secrets.CODECOV_TOKEN }}

Note on “checking if the secret exists”

GitHub notes secrets can’t be referenced directly in if: conditionals. (docs.github.com) Using the fork check above is the most reliable way to avoid “missing secret” failures on fork PRs.

Citations:


Guard Codecov uploads on forked PRs using fork detection instead of secret checking. Secrets are not passed to forked PRs, and GitHub Actions does not allow direct secret references in if: conditionals. The suggested condition (secrets.CODECOV_TOKEN != '') will not work as intended. Instead, skip these steps on fork PRs using fork detection:

if: ${{ github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork }}

This applies to lines 85–90, 116–120, and also to lines 122–125 (which currently has no conditional guard at all).
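
Added example, not part of the review comments or the project's code: a small line-based lint for the two findings raised in this thread, a token written literally in a workflow step and a step that reads `secrets.CODECOV_TOKEN` without the fork-detection guard. The workflow text, the step names, the placeholder UUID and the helper names `split_steps` and `lint` are all constructed for illustration.

```python
import re

# Constructed sample workflow (not the project's ci.yml); the UUID is a made-up placeholder.
SAMPLE = """\
steps:
  - name: Upload coverage
    uses: codecov/codecov-action@v5
    env:
      CODECOV_TOKEN: 00000000-0000-4000-8000-000000000000
  - name: Upload test results
    if: ${{ !cancelled() }}
    uses: codecov/test-results-action@v1
    with:
      token: ${{ secrets.CODECOV_TOKEN }}
  - name: Upload coverage (guarded)
    if: ${{ github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork }}
    uses: codecov/codecov-action@v5
    with:
      token: ${{ secrets.CODECOV_TOKEN }}
"""

# Heuristic: any "<something>token<something>: value" line; single-line `if:` only.
TOKEN_KEY = re.compile(r"^\s*(\w*token\w*)\s*:\s*(.+?)\s*$", re.I)
FORK_GUARD = "github.event.pull_request.head.repo.fork"

def split_steps(text):
    """Return (name, body) per step; a step starts at a '- name:' line."""
    parts = re.split(r"(?m)^[ \t]*-[ \t]*name:[ \t]*(.+)$", text)
    return list(zip(parts[1::2], parts[2::2]))

def lint(text):
    """Return (step name, finding) pairs in file order."""
    findings = []
    for name, body in split_steps(text):
        lines = body.splitlines()
        cond = " ".join(l for l in lines if l.strip().startswith("if:"))
        for line in lines:
            m = TOKEN_KEY.match(line)
            if m and "${{" not in m.group(2):
                findings.append((name.strip(), "literal-token"))
            elif m and "secrets." in m.group(2) and FORK_GUARD not in cond:
                findings.append((name.strip(), "secret-without-fork-guard"))
    return findings

if __name__ == "__main__":
    print(lint(SAMPLE))
```

A step flagged `literal-token` needs the value rotated as well as moved to a secret, since the old value remains readable in history.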
