Merged
4 changes: 2 additions & 2 deletions .github/workflows/autofix.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ jobs:
with:
node-version: lts/*

- uses: pnpm/action-setup@1e1c8eafbd745f64b1ef30a7d7ed7965034c486c
- uses: pnpm/action-setup@1e1c8eafbd745f64b1ef30a7d7ed7965034c486c # 1e1c8eafbd745f64b1ef30a7d7ed7965034c486c
name: 🟧 Install pnpm
with:
cache: true
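Review bot: the trailing comment on the new `pnpm/action-setup` line repeats the 40-character SHA that is already in the `uses:` ref, so it tells a reader nothing about which release is pinned. Put the release tag that commit corresponds to in the comment instead, as the `# v1` and `# v5` comments on the Codecov actions in ci.yml do, so a later bump can be checked against the upstream tag. The same applies to every `pnpm/action-setup` and `autofix-ci/action` line in this patch.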
Expand All @@ -41,4 +41,4 @@ jobs:
- name: 🔠 Fix lint errors
run: pnpm lint:fix

- uses: autofix-ci/action@635ffb0c9798bd160680f18fd73371e355b85f27
- uses: autofix-ci/action@635ffb0c9798bd160680f18fd73371e355b85f27 # 635ffb0c9798bd160680f18fd73371e355b85f27
34 changes: 23 additions & 11 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ jobs:
with:
node-version: lts/*

- uses: pnpm/action-setup@1e1c8eafbd745f64b1ef30a7d7ed7965034c486c
- uses: pnpm/action-setup@1e1c8eafbd745f64b1ef30a7d7ed7965034c486c # 1e1c8eafbd745f64b1ef30a7d7ed7965034c486c
name: 🟧 Install pnpm
# pnpm cache skipped deliberately as the project is not actually installed here

Expand All @@ -49,7 +49,7 @@ jobs:
with:
node-version: lts/*

- uses: pnpm/action-setup@1e1c8eafbd745f64b1ef30a7d7ed7965034c486c
- uses: pnpm/action-setup@1e1c8eafbd745f64b1ef30a7d7ed7965034c486c # 1e1c8eafbd745f64b1ef30a7d7ed7965034c486c
name: 🟧 Install pnpm
with:
cache: true
Expand All @@ -71,7 +71,7 @@ jobs:
with:
node-version: lts/*

- uses: pnpm/action-setup@1e1c8eafbd745f64b1ef30a7d7ed7965034c486c
- uses: pnpm/action-setup@1e1c8eafbd745f64b1ef30a7d7ed7965034c486c # 1e1c8eafbd745f64b1ef30a7d7ed7965034c486c
name: 🟧 Install pnpm
with:
cache: true
Expand All @@ -80,7 +80,13 @@ jobs:
run: pnpm install

- name: 🧪 Unit tests
run: pnpm test:unit --project unit run --coverage
run: pnpm test:unit run --coverage --reporter=junit --outputFile=test-report.junit.xml

- name: ⬆︎ Upload test results to Codecov
if: ${{ !cancelled() }}
uses: codecov/test-results-action@0fa95f0e1eeaafde2c782583b36b28ad0d8c77d3 # v1
with:
token: ${{ secrets.CODECOV_TOKEN }}

Comment on lines +85 to 90

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/ci.yml | head -130

Repository: npmx-dev/npmx.dev

Length of output: 4668


🏁 Script executed:

# Search for all Codecov-related steps in the workflow
rg -n "codecov" .github/workflows/ci.yml -i -A 3

Repository: npmx-dev/npmx.dev

Length of output: 876


🌐 Web query:

How does codecov/test-results-action handle missing or empty CODECOV_TOKEN - does it fail?

💡 Result:

codecov/test-results-action will still run if CODECOV_TOKEN is missing/empty; what happens next depends on whether Codecov will accept a tokenless upload for that repo/commit.

  • If tokenless uploads are allowed (e.g., public repo + org setting “token authentication for public repos” disabled, or an “unprotected” branch like forkname:main), the upload can succeed without a token. [1]
  • If a token is required (always for private repos; often for protected branches on public repos), the upload will be rejected by Codecov due to missing auth. [1]
  • Whether your GitHub Actions job fails then depends on the action’s “fail on error” behavior (Codecov’s GH Actions uploader supports fail_ci_if_error, default false, meaning upload errors don’t fail the job unless you opt in). [2]

Sources:
[1] Codecov Tokens (when a token is required / tokenless conditions) https://docs.codecov.com/docs/codecov-tokens
[2] codecov/codecov-action README (fail_ci_if_error default and behavior) https://github.com/codecov/codecov-action


🌐 Web query:

Recommended way to conditionally skip codecov actions on forked PRs with missing secrets

💡 Result:

For forked PRs, GitHub Actions won’t pass repository secrets (including CODECOV_TOKEN) to the runner (except GITHUB_TOKEN). (docs.github.com) The cleanest approach is to avoid needing the secret on forked PRs and only use it on trusted (non-fork) runs.

Recommended setup (2 paths)

1) Prefer tokenless uploads for fork PRs (public repos)

Codecov supports tokenless uploads for public repos when token authentication is disabled for the org, and/or for fork PR commits on “unprotected” branches (the Codecov Action v4+ handles fork PR branch naming to make this work). (docs.codecov.com)

Then use two steps:

# Upload with token on non-fork PRs / pushes
- name: Upload coverage (trusted)
  if: ${{ github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork }}
  uses: codecov/codecov-action@v5
  with:
    token: ${{ secrets.CODECOV_TOKEN }}

# Upload without token on fork PRs
- name: Upload coverage (fork PR - tokenless)
  if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork }}
  uses: codecov/codecov-action@v5

2) If you require a token, skip entirely on forks

- name: Upload coverage (skip on forks)
  if: ${{ github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork }}
  uses: codecov/codecov-action@v5
  with:
    token: ${{ secrets.CODECOV_TOKEN }}

Note on “checking if the secret exists”

GitHub notes secrets can’t be referenced directly in if: conditionals. (docs.github.com) Using the fork check above is the most reliable way to avoid “missing secret” failures on fork PRs.


Guard Codecov uploads on forked PRs using fork detection instead of secret checking. Secrets are not passed to forked PRs, and GitHub Actions does not allow direct secret references in if: conditionals. The suggested condition (secrets.CODECOV_TOKEN != '') will not work as intended. Instead, skip these steps on fork PRs using fork detection:

if: ${{ github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork }}

This applies to lines 85–90, 116–120, and also to lines 122–125 (which currently have no conditional guard at all).

test:
name: 🧪 Component tests
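Review bot: the unit-test command no longer passes `--project unit` (old line: `pnpm test:unit --project unit run --coverage`), and nothing in this diff shows the `test:unit` script being changed to select that project itself. Confirm that the script now scopes the run; otherwise this job may execute more than the unit project and upload a JUnit report that mixes suites. If the script was updated elsewhere, note that in the PR description, since that file is not part of the visible change.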
Expand All @@ -93,7 +99,7 @@ jobs:
with:
node-version: lts/*

- uses: pnpm/action-setup@1e1c8eafbd745f64b1ef30a7d7ed7965034c486c
- uses: pnpm/action-setup@1e1c8eafbd745f64b1ef30a7d7ed7965034c486c # 1e1c8eafbd745f64b1ef30a7d7ed7965034c486c
name: 🟧 Install pnpm
with:
cache: true
Expand All @@ -105,12 +111,18 @@ jobs:
run: pnpm playwright install chromium-headless-shell

- name: 🧪 Component tests
run: pnpm vite test --project nuxt run --coverage
run: pnpm test:nuxt run --coverage --reporter=junit --outputFile=test-report.junit.xml

- name: ⬆︎ Upload test results to Codecov
if: ${{ !cancelled() }}
uses: codecov/test-results-action@0fa95f0e1eeaafde2c782583b36b28ad0d8c77d3 # v1
with:
token: ${{ secrets.CODECOV_TOKEN }}

- name: Upload coverage reports to Codecov
- name: ⬆︎ Upload coverage reports to Codecov
uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5
env:
CODECOV_TOKEN: 17b4bed9-d407-4ce2-9c10-2ccd4328a1d9
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

browser:
name: 🖥️ Browser tests
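Review bot: the removed `CODECOV_TOKEN:` line held the upload token as a literal, so the value stays readable in the repository history after this change. Switching to `${{ secrets.CODECOV_TOKEN }}` only helps if the token is regenerated in Codecov and the secret holds the new value; treat the old one as disclosed. Separately, the coverage upload step still has no `if:` condition, unlike the test-results step directly above it.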
Expand All @@ -125,7 +137,7 @@ jobs:
with:
node-version: lts/*

- uses: pnpm/action-setup@1e1c8eafbd745f64b1ef30a7d7ed7965034c486c
- uses: pnpm/action-setup@1e1c8eafbd745f64b1ef30a7d7ed7965034c486c # 1e1c8eafbd745f64b1ef30a7d7ed7965034c486c
name: 🟧 Install pnpm
with:
cache: true
Expand Down Expand Up @@ -153,7 +165,7 @@ jobs:
with:
node-version: lts/*

- uses: pnpm/action-setup@1e1c8eafbd745f64b1ef30a7d7ed7965034c486c
- uses: pnpm/action-setup@1e1c8eafbd745f64b1ef30a7d7ed7965034c486c # 1e1c8eafbd745f64b1ef30a7d7ed7965034c486c
name: 🟧 Install pnpm
with:
cache: true
Expand Down Expand Up @@ -181,7 +193,7 @@ jobs:
with:
node-version: lts/*

- uses: pnpm/action-setup@1e1c8eafbd745f64b1ef30a7d7ed7965034c486c
- uses: pnpm/action-setup@1e1c8eafbd745f64b1ef30a7d7ed7965034c486c # 1e1c8eafbd745f64b1ef30a7d7ed7965034c486c
name: 🟧 Install pnpm
with:
cache: true
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/lunaria.yml
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ jobs:
with:
node-version: lts/*

- uses: pnpm/action-setup@1e1c8eafbd745f64b1ef30a7d7ed7965034c486c
- uses: pnpm/action-setup@1e1c8eafbd745f64b1ef30a7d7ed7965034c486c # 1e1c8eafbd745f64b1ef30a7d7ed7965034c486c
name: 🟧 Install pnpm
with:
cache: true
Expand All @@ -41,4 +41,4 @@ jobs:
run: pnpm install

- name: Generate Lunaria Overview
uses: lunariajs/action@v1-prerelease
uses: lunariajs/action@4911ad0736d1e3b20af4cb70f5079aea2327ed8e # v1-prerelease
13 changes: 13 additions & 0 deletions codecov.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
coverage:
status:
project:
default:
informational: true
patch:
default:
informational: true

comment:
layout: 'reach,diff,flags,tree,components,tests,build'
behavior: default
require_changes: false
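Review bot: with `informational: true` on both `project` and `patch`, neither coverage status can fail a pull request, so a drop in coverage will only surface in the PR comment. If that is the intent while a baseline is established, say so in a comment at the top of codecov.yml; otherwise leave `patch` enforcing so that newly added code has to be covered.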