fix(ci): close the fork-PR codecov/patch silent-pass gap #2273

Merged
JSONbored merged 2 commits into main from claude/peaceful-lamarr-1862b7 on Jul 1, 2026

Conversation

@JSONbored

Owner

Summary

  • Fork PRs never uploaded a coverage report to Codecov at all: the token-gated upload steps explicitly excluded forks (no secrets available) with no replacement, so codecov/patch had nothing to compare against for that commit and fell back to Codecov's if_not_found: success default — a green "0.00%, not affected" check that never enforced the 99% patch bar on contributor code.
  • Replaces the excluded fork path with codecov-action's tokenless upload for public repos: a single, synchronous, same-job upload that derives branch/commit/PR from the trusted GitHub Actions run environment instead of a token. No separate workflow, no artifact staging, no fork-authored data to trust.
  • Verify coverage report exists now applies to forks too (it used to explicitly skip them), so a missing/empty lcov report fails the job loudly before either upload path runs.
  • Net simpler than before: removes the .github/workflows/codecov-fork-upload.yml workflow entirely (was added earlier today in ci(coverage): upload fork-PR coverage to Codecov via workflow_run #2009) along with the artifact-stash steps it depended on.

Why

Discovered while investigating a report that fork PRs were showing codecov/patch: successful, 0.00%, coverage not affected regardless of actual diff coverage — i.e. contributors were not actually being held to the patch-coverage gate. Root cause: no report ever reached Codecov for fork commits, and Codecov's documented default (if_not_found: success) passes a missing report rather than failing it. The correct fix is making sure a report always lands for fork PRs that touch backend code, not loosening if_not_found (that would instead break every legitimate non-backend PR, which by design never uploads a report either).

A related, in-flight PR against metagraphed (#2499) landed the same tokenless-upload pattern for that repo; this mirrors it for gittensory.

Scope

  • The PR title follows type(scope): short summary Conventional Commit format.
  • This PR is focused (CI workflow only) and does not mix unrelated backend, UI, MCP, docs, dependency, and deploy changes.
  • This follows CONTRIBUTING.md and does not reintroduce GitHub Pages, VitePress, site/, or CNAME.
  • No issue linked — this is a self-contained CI-config fix discovered and validated in this session; small enough that the summary explains the rationale.

Validation

  • git diff --check
  • npm run actionlint
  • npm run typecheck
  • npm run test:coverage locally (no src/** lines changed by this PR, so there is no patch-coverage obligation; added/updated test/unit/codecov-policy.test.ts assertions covering the new workflow structure)
  • npm run test:workers
  • npm run build:mcp
  • npm run test:mcp-pack
  • npm run ui:openapi:check
  • npm run ui:lint
  • npm run ui:typecheck
  • npm run ui:build
  • npm audit --audit-level=moderate
  • New/changed behavior (the fork tokenless upload path, and the broadened "Verify coverage report exists" condition) has structural tests in test/unit/codecov-policy.test.ts

Safety

  • No secrets, wallet details, hotkeys, coldkeys, user PATs, private keys, raw trust scores, private rankings, or private maintainer evidence are exposed.
  • Public GitHub text stays sanitized, low-noise, and does not imply compensation guarantees or optimization tactics.
  • Auth, cookie, CORS, GitHub App, Cloudflare, or session changes include negative-path tests. — N/A, no auth/session/CORS change.
  • API/OpenAPI/MCP behavior is updated and tested where needed. — N/A, no API/OpenAPI/MCP change.
  • UI changes use live API data or real empty/error/loading states. — N/A, no UI change.
  • Visible UI changes include a UI Evidence section. — N/A, CI-only change, no visible UI change.
  • Public docs/changelogs updated. — N/A, no user-facing behavior change; changelog is release-prep-only.

Notes

  • This is a CI-workflow-only change (.github/workflows/ci.yml, test/unit/codecov-policy.test.ts); it touches a guarded path (.github/workflows/**), so it may be held for owner review per the gate's crucial-path rule rather than auto-merged — that's expected for this kind of change.

Fork PRs never had a coverage report land at all: the token-gated upload
steps excluded them with no replacement, so codecov/patch had nothing to
compare against and fell back to Codecov's if_not_found: success default —
a green "0.00%, not affected" check that never actually enforced the patch
bar on contributor code.

Replace the excluded fork path with codecov-action's tokenless upload for
public repos: a single, synchronous, same-job upload that derives
branch/commit/PR from the trusted GitHub Actions run environment instead
of a token or fork-writable metadata.
@dosubot dosubot Bot added the size:XS label Jul 1, 2026
@gittensory-orb

gittensory-orb Bot commented Jul 1, 2026


⏸️ Gittensory review result - manual review recommended

Review updated: 2026-07-01 11:00:29 UTC

3 files · 1 AI reviewer · 1 blocker · readiness 86/100 · CI green · blocked

⏸️ Suggested Action - Manual Review

  • AI reviewers agree on a likely critical defect: .github/workflows/ci.yml:154 must pass override_branch, override_commit, and override_pr on the fork tokenless coverage upload just like the trusted upload at .github/workflows/ci.yml:143, otherwise Codecov can associate the report with the wrong pull_request ref/commit and leave codecov/patch unenforced for the contributor commit this PR is trying to gate. — Resolve the flagged defect, or override if the AI reviewers are mistaken, then re-run the gate.

Review summary

The change correctly makes the coverage existence check apply to fork PRs and removes the stale artifact handoff workflow, but the new fork upload path drops the explicit PR attribution that the previous trusted and out-of-band paths used. On pull_request runs, relying on Codecov's defaults is too ambiguous for this gate because the workflow checks out the head SHA while the GitHub event context still has PR/merge-ref semantics; the fork coverage upload must be pinned to the PR head metadata the same way the token path is. The tests assert tokenless/no-token behavior, but they do not protect the critical branch/commit/PR attribution contract.

Blockers

  • .github/workflows/ci.yml:154 must pass override_branch, override_commit, and override_pr on the fork tokenless coverage upload just like the trusted upload at .github/workflows/ci.yml:143, otherwise Codecov can associate the report with the wrong pull_request ref/commit and leave codecov/patch unenforced for the contributor commit this PR is trying to gate.

Nits — 5 non-blocking

  • test/unit/codecov-policy.test.ts:96 should assert the fork coverage upload preserves override_branch, override_commit, and override_pr so this regression cannot come back.
  • test/unit/codecov-policy.test.ts:108 should also assert the fork test-results upload uses the same PR attribution fields for consistency with the trusted test-results upload path.
  • In .github/workflows/ci.yml:158 add override_branch: ${{ github.event.pull_request.head.ref }}, override_commit: ${{ github.event.pull_request.head.sha }}, and override_pr: ${{ github.event.pull_request.number }} to the fork coverage upload.
  • In .github/workflows/ci.yml:174 add the same override_* values to the fork test-results upload so coverage and annotations land on the same PR commit.
  • In test/unit/codecov-policy.test.ts, mirror the trusted-path assertions for the fork tokenless path, minus the token assertion.

Concerns raised — review before merging

  • .github/workflows/ci.yml:154 must pass override_branch, override_commit, and override_pr on the fork tokenless coverage upload just like the trusted upload at .github/workflows/ci.yml:143, otherwise Codecov can associate the report with the wrong pull_request ref/commit and leave codecov/patch unenforced for the contributor commit this PR is trying to gate.

Signal | Result | Evidence
Code review | ❌ 1 blocker | 1 reviewer
Linked issue | ⚠️ Missing | No linked issue or no-issue rationale found.
Related work | ✅ No active overlap found | No same-issue or scoped active PR overlap found.
Change scope | ✅ 20/20 | Low review scope from cached public metadata (size label size:XS; no linked issue context).
Validation posture | ✅ 25/25 | PR body includes validation/test evidence.
Contributor workload | ✅ 10/10 | Author activity: 67 registered-repo PR(s), 57 merged, 514 issue(s).
Contributor context | ✅ Confirmed | Gittensor contributor JSONbored; Gittensor profile; 67 PR(s), 514 issue(s).
Gate result | ❌ Blocking | Repo-configured hard blocker found.

Review context

  • Author: JSONbored
  • Role context: owner (maintainer lane)
  • Public audience mode: oss maintainer
  • Lane context: Repository registration is not available in the local Gittensory cache.
  • Public profile languages: not available
  • Official Gittensor activity: 67 PR(s), 514 issue(s).
  • PR-specific overlap: none found.

Contributor next steps

  • Treat this as maintainer-lane context rather than normal contributor-lane activity.
  • Explain no-issue PR.
  • Triage stale or unlinked PRs.
  • No action.
  • Link the issue being solved, or explicitly explain why this is a no-issue PR.

Signal definitions

  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.

@gittensory-orb gittensory-orb Bot added gittensor Gittensor contributor context gittensor:bug Gittensor-scored bug fix — scores a 0.5x multiplier. labels Jul 1, 2026
@JSONbored JSONbored self-assigned this Jul 1, 2026
The gate's own AI review flagged this: GITHUB_SHA is the ephemeral
auto-merge commit for pull_request events, and codecov-cli's fallback to
recover the real head sha assumes HEAD is that 2-parent merge commit. Our
checkout step deliberately checks out github.event.pull_request.head.sha
directly (so tests run the contributor's actual commit, not a synthetic
merge), so HEAD has one parent and that recovery can't fire — the
tokenless upload would have attached to a sha GitHub's PR checks list has
no reason to ever display. Pass the same explicit override_branch/
override_commit/override_pr the trusted upload already uses.
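As an added example (not the repository's own .github/workflows/ci.yml, which this page does not show), here is a job excerpt in the shape the PR description and the second commit message describe: a report-existence check that now runs for forks too, a token-gated upload for same-repo runs, and a tokenless same-job upload for fork PRs that carries the same override_branch/override_commit/override_pr attribution as the trusted path. The coverage file path, the flag name, the `head.repo.fork` condition and the step ordering are assumptions, not values taken from the project.

```yaml
# Added example, not the project's ci.yml. Report path, flag name and the
# fork condition are assumptions; the override_* inputs, if_not_found and
# the checkout-of-head-sha behaviour are the points the PR discusses.
name: ci

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  backend-coverage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Check out the contributor's actual commit rather than the
          # synthetic merge commit GITHUB_SHA points at for pull_request
          # events. HEAD therefore has one parent, so codecov-cli's
          # merge-commit recovery of the head sha cannot fire.
          ref: ${{ github.event.pull_request.head.sha || github.sha }}

      - run: npm ci
      - run: npm run test:coverage

      # Runs for forks as well. A missing or empty report must fail here,
      # before either upload path, instead of turning into a green
      # "0.00%, not affected" patch status through if_not_found: success.
      - name: Verify coverage report exists
        run: test -s coverage/lcov.info   # assumed report path

      # Same-repo PRs and pushes: token-gated upload. Forks never receive
      # secrets, so this step must not be the only upload path.
      - name: Upload coverage (trusted)
        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
        uses: codecov/codecov-action@v5
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          files: coverage/lcov.info
          flags: backend
          fail_ci_if_error: true
          override_branch: ${{ github.event.pull_request.head.ref || github.ref_name }}
          override_commit: ${{ github.event.pull_request.head.sha || github.sha }}
          override_pr: ${{ github.event.pull_request.number }}

      # Fork PRs: tokenless upload in the same job, no artifact handoff and
      # no fork-authored metadata. The override_* inputs pin the report to
      # the PR head commit; without them the report can attach to a sha the
      # PR checks list never displays, leaving codecov/patch unenforced for
      # the contributor's commit.
      - name: Upload coverage (fork, tokenless)
        if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
        uses: codecov/codecov-action@v5
        with:
          files: coverage/lcov.info
          flags: backend
          fail_ci_if_error: true
          override_branch: ${{ github.event.pull_request.head.ref }}
          override_commit: ${{ github.event.pull_request.head.sha }}
          override_pr: ${{ github.event.pull_request.number }}
```

The patch target itself (the 99% bar and its `if_not_found` setting) lives in codecov.yml and stays as it is, for the reason the description gives: tightening `if_not_found` would fail every PR that legitimately uploads no report, whereas guaranteeing that a report lands for fork PRs closes the gap only where it exists.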
@JSONbored JSONbored merged commit d02fbb9 into main Jul 1, 2026
8 checks passed
@JSONbored JSONbored deleted the claude/peaceful-lamarr-1862b7 branch July 1, 2026 11:06
@github-project-automation github-project-automation Bot moved this from Todo to Done in gittensory - v1 roadmap Jul 1, 2026
@codecov

codecov Bot commented Jul 1, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 95.71%. Comparing base (836e8e9) to head (6fc38b4).
⚠️ Report is 1 commit behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #2273   +/-   ##
=======================================
  Coverage   95.71%   95.71%           
=======================================
  Files         222      222           
  Lines       24653    24653           
  Branches     8945     8945           
=======================================
  Hits        23597    23597           
  Misses        433      433           
  Partials      623      623           
