upload-code-coverage/action.yml at main · actions/upload-code-coverage · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
name: 'Upload Code Coverage'
description: 'Upload a Cobertura XML coverage report to GitHub code coverage API'

inputs:
  file:
    description: 'Path to the Cobertura XML coverage report'
    required: true
  language:
    description: 'Linguist language name (e.g. "Java", "Go", "Python")'
    required: true
  label:
    description: 'Label for the coverage report (e.g. "code-coverage/jacoco")'
    required: true
  token:
    description: 'GitHub token with security-events:write permission'
    required: false
    default: ${{ github.token }}

runs:
  using: composite
  steps:
    - name: Upload coverage report
      shell: bash
      env:
        GH_TOKEN: ${{ inputs.token }}
        INPUT_FILE: ${{ inputs.file }}
        INPUT_LANGUAGE: ${{ inputs.language }}
        INPUT_LABEL: ${{ inputs.label }}
      run: |
        set -euo pipefail

        if [ ! -f "$INPUT_FILE" ]; then
          echo "::error::Coverage file not found: $INPUT_FILE"
          exit 1
        fi

        # Skip coverage upload for merge queue runs — coverage should be
        # uploaded for PRs and the default branch, making merge queue
        # uploads unnecessary.
        if [ "${{ github.event_name }}" = "merge_group" ]; then
          echo "::warning::Skipping coverage upload for merge queue. Configure your workflow to upload coverage for PRs and the default branch instead. To avoid spinning up a runner, add \"if: github.event_name != 'merge_group'\" to the upload job."
          exit 0
        fi

        # Skip coverage upload for fork PRs — the token won't have write
        # permissions to the base repository.
        if [ "${{ github.event.pull_request.head.repo.full_name }}" != "" ] && \
           [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]; then
          echo "::notice::Skipping coverage upload for fork PR (from ${{ github.event.pull_request.head.repo.full_name }})"
          exit 0
        fi

        # Resolve the commit SHA and ref. On pull_request events, github.sha
        # and github.ref point to the merge commit — use the PR head instead.
        if [ "${{ github.event_name }}" = "pull_request" ] || [ "${{ github.event_name }}" = "pull_request_target" ]; then
          COMMIT_OID="${{ github.event.pull_request.head.sha }}"
          REF="refs/heads/${{ github.event.pull_request.head.ref }}"
          PR_NUMBER="${{ github.event.pull_request.number }}"
        else
          COMMIT_OID="${{ github.sha }}"
          REF="${{ github.ref }}"
          # For push events, check if this branch has an open PR.
          PR_NUMBER=$(gh pr list \
            --repo "${{ github.repository }}" \
            --head "${{ github.ref_name }}" \
            --state open \
            --json number \
            --jq '.[0].number // empty' 2>/dev/null || true)
        fi

        # Gzip and base64-encode the report. We write to files and use jq
        # --rawfile to avoid hitting the OS argument length limit on large
        # coverage reports.
        gzip -c "$INPUT_FILE" | base64 -w 0 > __coverage_b64.txt

        # The API requires either ref or pull_request_number (not both).
        if [ -n "${PR_NUMBER:-}" ]; then
          # pull-request-based upload: provide pull_request_number, omit ref
          jq -n \
            --arg commit_oid "$COMMIT_OID" \
            --rawfile coverage_report __coverage_b64.txt \
            --arg language_name "$INPUT_LANGUAGE" \
            --arg label "$INPUT_LABEL" \
            --argjson pr_number "$PR_NUMBER" \
            '{commit_oid: $commit_oid, coverage_report: $coverage_report, language_name: $language_name, label: $label, pull_request_number: $pr_number}' \
            > __body.json
        else
          # ref-based upload: provide ref, omit pull_request_number
          jq -n \
            --arg commit_oid "$COMMIT_OID" \
            --arg ref "$REF" \
            --rawfile coverage_report __coverage_b64.txt \
            --arg language_name "$INPUT_LANGUAGE" \
            --arg label "$INPUT_LABEL" \
            '{commit_oid: $commit_oid, ref: $ref, coverage_report: $coverage_report, language_name: $language_name, label: $label}' \
            > __body.json
        fi

        UPLOAD_OUTPUT=$(gh api --method PUT "/repos/${{ github.repository }}/code-coverage/report" \
          --input __body.json 2>&1) || {
          if echo "$UPLOAD_OUTPUT" | grep -qi "not authorized"; then
            echo "::error::Coverage upload returned 403 Forbidden. Ensure the calling job has 'security-events: write' permission. See https://github.com/actions/upload-code-coverage#permissions"
          else
            echo "::error::Coverage upload failed: $UPLOAD_OUTPUT"
          fi
          rm -f __coverage_b64.txt __body.json
          exit 1
        }

        rm -f __coverage_b64.txt __body.json