fix(ci): close the fork-PR codecov/patch silent-pass gap #2273
Fork PRs never had a coverage report land at all: the token-gated upload steps excluded them with no replacement, so codecov/patch had nothing to compare against and fell back to Codecov's if_not_found: success default — a green "0.00%, not affected" check that never actually enforced the patch bar on contributor code. Replace the excluded fork path with codecov-action's tokenless upload for public repos: a single, synchronous, same-job upload that derives branch/commit/PR from the trusted GitHub Actions run environment instead of a token or fork-writable metadata.
Gittensory review result: manual review recommended (held for review). Review updated: 2026-07-01 11:00:29 UTC.
The gate's own AI review flagged this: GITHUB_SHA is the ephemeral auto-merge commit for pull_request events, and codecov-cli's fallback to recover the real head sha assumes HEAD is that 2-parent merge commit. Our checkout step deliberately checks out github.event.pull_request.head.sha directly (so tests run the contributor's actual commit, not a synthetic merge), so HEAD has one parent and that recovery can't fire — the tokenless upload would have attached to a sha GitHub's PR checks list has no reason to ever display. Pass the same explicit override_branch/override_commit/override_pr the trusted upload already uses.
Codecov Report: ✅ All modified and coverable lines are covered by tests.

@@           Coverage Diff           @@
##             main    #2273   +/-   ##
=======================================
  Coverage   95.71%   95.71%
=======================================
  Files         222      222
  Lines       24653    24653
  Branches     8945     8945
=======================================
  Hits        23597    23597
  Misses        433      433
  Partials      623      623
Summary

- `codecov/patch` had nothing to compare against for that commit and fell back to Codecov's `if_not_found: success` default — a green "0.00%, not affected" check that never enforced the 99% patch bar on contributor code.
- codecov-action's tokenless upload for public repos: a single, synchronous, same-job upload that derives branch/commit/PR from the trusted GitHub Actions run environment instead of a token. No separate workflow, no artifact staging, no fork-authored data to trust.
- `Verify coverage report exists` now applies to forks too (it used to explicitly skip them), so a missing/empty lcov report fails the job loudly before either upload path runs.
- `.github/workflows/codecov-fork-upload.yml` workflow entirely (was added earlier today in ci(coverage): upload fork-PR coverage to Codecov via workflow_run #2009) along with the artifact-stash steps it depended on.

Why

Discovered while investigating a report that fork PRs were showing `codecov/patch: successful, 0.00%, coverage not affected` regardless of actual diff coverage — i.e. contributors were not actually being held to the patch-coverage gate. Root cause: no report ever reached Codecov for fork commits, and Codecov's documented default (`if_not_found: success`) passes a missing report rather than failing it. The correct fix is making sure a report always lands for fork PRs that touch backend code, not loosening `if_not_found` (that would instead break every legitimate non-backend PR, which by design never uploads a report either).

A related, in-flight PR against `metagraphed` (#2499) landed the same tokenless-upload pattern for that repo; this mirrors it for `gittensory`.

Scope

- `type(scope): short summary` Conventional Commit format.
- `CONTRIBUTING.md` and does not reintroduce GitHub Pages, VitePress, `site/`, or `CNAME`.

Validation

- `git diff --check`
- `npm run actionlint`
- `npm run typecheck`
- `npm run test:coverage` locally (no `src/**` lines changed by this PR, so there is no patch-coverage obligation; added/updated `test/unit/codecov-policy.test.ts` assertions covering the new workflow structure)
- `npm run test:workers`
- `npm run build:mcp`
- `npm run test:mcp-pack`
- `npm run ui:openapi:check`
- `npm run ui:lint`
- `npm run ui:typecheck`
- `npm run ui:build`
- `npm audit --audit-level=moderate`
- `test/unit/codecov-policy.test.ts`

Safety

- `UI Evidence` section. — N/A, CI-only change, no visible UI change.

Notes

- `.github/workflows/ci.yml`, `test/unit/codecov-policy.test.ts`); it touches a guarded path (`.github/workflows/**`), so it may be held for owner review per the gate's crucial-path rule rather than auto-merged — that's expected for this kind of change.
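The shape of the fix discussed in the description and in the GITHUB_SHA comment above, as an added illustration that is not the PR's own `ci.yml`: a head-sha checkout, the report-exists guard that now runs for forks too, and a trusted and a tokenless upload that both pin the same explicit overrides. Assumed details not taken from the PR: the lcov path `coverage/lcov.info`, the job and step names, `codecov/codecov-action@v4`, the secret name `CODECOV_TOKEN`, and passing `head.ref` unmodified as the branch value.

```yaml
# Added example, not the project's workflow. Assumptions: lcov report at
# coverage/lcov.info, codecov-action v4, secret named CODECOV_TOKEN.
name: ci
on:
  pull_request:

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Test the contributor's real head commit, not the synthetic
          # refs/pull/N/merge commit that GITHUB_SHA names for pull_request.
          # Consequence: HEAD has one parent, so the uploader's merge-commit
          # recovery of the head sha cannot fire; the overrides below do it.
          ref: ${{ github.event.pull_request.head.sha }}

      - run: npm ci && npm run test:coverage

      # Runs for forks and same-repo PRs alike: a missing or empty report
      # must fail here, before either upload path can silently skip.
      - name: Verify coverage report exists
        run: test -s coverage/lcov.info

      # Same-repo PR: secrets are available, token-gated upload.
      - name: Upload coverage (trusted)
        if: github.event.pull_request.head.repo.full_name == github.repository
        uses: codecov/codecov-action@v4
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          files: coverage/lcov.info
          fail_ci_if_error: true
          override_branch: ${{ github.event.pull_request.head.ref }}
          override_commit: ${{ github.event.pull_request.head.sha }}
          override_pr: ${{ github.event.pull_request.number }}

      # Fork PR: no secret, tokenless upload (public repo). Branch, commit and
      # PR number come from the trusted run context, not fork-writable data,
      # so the report lands on the sha the PR checks list actually shows.
      - name: Upload coverage (fork, tokenless)
        if: github.event.pull_request.head.repo.full_name != github.repository
        uses: codecov/codecov-action@v4
        with:
          files: coverage/lcov.info
          fail_ci_if_error: true
          override_branch: ${{ github.event.pull_request.head.ref }}
          override_commit: ${{ github.event.pull_request.head.sha }}
          override_pr: ${{ github.event.pull_request.number }}
```

With `fail_ci_if_error: true` on both steps, an upload that fails to reach Codecov fails the job instead of leaving `codecov/patch` to fall back to its `if_not_found` default.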