Added unit-test codecov upload

[AdamSaleh]

What type of PR is this?
/kind enhancement

What does this PR do / why we need it:
We should be tracking our code coverage, this should enable it in such away that it won't cause test to fail if upload fails.

[psturc]

should we also specify the flag "unit-tests" so we can distinguish between test types in a future once we start uploading e2e test coverage too?

e.g.

./codecov upload-process \
  --token "${CODECOV_TOKEN}" \
  --flag unit-tests \
  --file coverage.out

see the jira ticket for more details

[AdamSaleh]

Hm, fair point. Will add.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a guarded Codecov upload step to the OpenShift CI presubmit unit test script: downloads a pinned Codecov CLI, verifies its PGP signature and SHA256, and uploads cover.out using a mounted token if present; upload failures are logged but do not fail the job.

Changes

Codecov integration in unit test CI

Layer / File(s)	Summary
Codecov CLI download and upload scripts/openshiftci-presubmit-unittests.sh	After unit tests complete, script conditionally downloads Codecov CLI and uploads coverage using a mounted token file at /var/run/codecov-token/CODECOV_TOKEN, verifying the binary with PGP signature and SHA256 checksum and ensuring upload errors do not fail the CI job.

sequenceDiagram
  participant presubmit_script as presubmit_script
  participant codecov_cli as codecov_v11_2_8
  participant codecov_service as Codecov
  presubmit_script->>codecov_cli: curl download binary
  presubmit_script->>codecov_cli: verify SHA256 checksum and PGP signature
  presubmit_script->>codecov_cli: ./codecov upload-process cover.out --flag unit-tests
  codecov_cli->>codecov_service: upload coverage using token

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: adding Codecov upload functionality to unit tests, which aligns with the changeset.
Description check	✅ Passed	The description is directly related to the changeset, explaining the purpose (track code coverage) and implementation approach (non-fatal upload that won't fail tests).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/openshiftci-presubmit-unittests.sh`:
- Around line 39-41: Replace the unpinned fetch of the Codecov CLI (the curl of
https://cli.codecov.io/latest/linux/codecov and subsequent chmod +x and
execution via CODECOV_TOKEN="$(cat "${CODECOV_TOKEN_FILE}")" ./codecov
upload-process) with a pinned-version workflow: define a CODECOV_CLI_VERSION,
download the matching release binary URL (not "latest") and its published
checksum/signature, verify the downloaded binary against the checksum or
signature before marking executable, and fail the job if verification fails;
keep the same upload invocation (./codecov upload-process --flag unit-tests
--file cover.out) after verification. Ensure the script exits non-zero on
checksum/signature mismatch so the untrusted binary is never executed.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 7f9af1b9-747c-450d-967a-db51fa652e80

📥 Commits

Reviewing files that changed from the base of the PR and between aacca24 and 66f634e.

📒 Files selected for processing (1)

• scripts/openshiftci-presubmit-unittests.sh

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

scripts/openshiftci-presubmit-unittests.sh (1)

33-44: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Prevent executing Codecov CLI when its SHA256 checksum verification fails

set +e inside the subshell means a non-zero sha256sum --check --status won’t stop the script, so chmod +x codecov and ./codecov upload-process ... can still run. Gate installation/execution on successful checksum verification.

Suggested fix

 (
   set +e
   CODECOV_TOKEN_FILE="/var/run/codecov-token/CODECOV_TOKEN"
@@
   CODECOV_VERSION="v11.2.8"
   CODECOV_SHA="8930c4bb30254a42f3d8c340706b1be340885e20c0df5160a24efa2e030e662b"
   curl -OSs --fail-with-body "https://cli.codecov.io/${CODECOV_VERSION}/linux/codecov"
-  echo "${CODECOV_SHA}  codecov" | sha256sum --check --status
+  if ! echo "${CODECOV_SHA}  codecov" | sha256sum --check --status; then
+    echo "Codecov CLI checksum verification failed; skipping upload"
+    exit 1
+  fi
   chmod +x codecov
   CODECOV_TOKEN="$(cat "${CODECOV_TOKEN_FILE}")" ./codecov upload-process --flag unit-tests --file cover.out
 ) || echo "Coverage upload to codecov.io failed, continuing"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/openshiftci-presubmit-unittests.sh` around lines 33 - 44, The script
currently ignores a failed SHA256 check because set +e allows execution to
continue; change the flow so that the sha256 verification (using CODECOV_SHA and
the sha256sum --check --status invocation) must succeed before making the
downloaded file executable and running CODECOV (chmod +x codecov and
CODECOV_TOKEN=... ./codecov upload-process). Implement a conditional or explicit
exit on failure around the sha256sum check (e.g., run the check and if it fails
exit non-zero) so that chmod +x codecov and the CODECOV_TOKEN export and
./codecov upload-process are only executed when the checksum passes.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@scripts/openshiftci-presubmit-unittests.sh`:
- Around line 33-44: The script currently ignores a failed SHA256 check because
set +e allows execution to continue; change the flow so that the sha256
verification (using CODECOV_SHA and the sha256sum --check --status invocation)
must succeed before making the downloaded file executable and running CODECOV
(chmod +x codecov and CODECOV_TOKEN=... ./codecov upload-process). Implement a
conditional or explicit exit on failure around the sha256sum check (e.g., run
the check and if it fails exit non-zero) so that chmod +x codecov and the
CODECOV_TOKEN export and ./codecov upload-process are only executed when the
checksum passes.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: c7538288-9a6e-4e98-b819-de4c5cd02ccc

📥 Commits

Reviewing files that changed from the base of the PR and between 66f634e and 3f9c477.

📒 Files selected for processing (1)

• scripts/openshiftci-presubmit-unittests.sh

[ranakan19]

Can we follow the official documentation for binary integrity check as well https://docs.codecov.com/docs/the-codecov-cli#integrity-checking-the-binary? while keeping the version pin intact
from my limited knowledge on the subject, my understanding is sha256sum does file integrity check but does verify the source of the file.

[AdamSaleh]

Good idea, ammended

[ranakan19]

Looks good

[varshab1210]

Seems like the token is not mounted, is this expected?

+ set +e
+ CODECOV_TOKEN_FILE=/var/run/codecov-token/CODECOV_TOKEN
+ [[ ! -f /var/run/codecov-token/CODECOV_TOKEN ]]
+ echo 'Codecov token not found at /var/run/codecov-token/CODECOV_TOKEN, skipping upload'
Codecov token not found at /var/run/codecov-token/CODECOV_TOKEN, skipping upload
+ exit 0

[AdamSaleh]

It works now! Had to upload it directly through bash, but it works - https://app.codecov.io/github/redhat-developer/gitops-operator/commit/a25055be57a7a7f1b49924435b35c066410b3920

[AdamSaleh]

/retest

[AdamSaleh]

/test ci/prow/unit

[AdamSaleh]

/test unit

[varshab1210]

/lgtm
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: varshab1210

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [varshab1210]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[varshab1210]

/lgtm

[varshab1210]

/test v4.14-ci-index-gitops-operator-bundle

[AdamSaleh]

/test v4.14-kuttl-parallel

[AdamSaleh]

/test v4.19-kuttl-parallel

[AdamSaleh]

/test v4.19-kuttl-parallel

[openshift-ci]

@AdamSaleh: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/v4.14-kuttl-parallel	c05c10b	link	false	/test v4.14-kuttl-parallel
ci/prow/v4.19-kuttl-parallel	c05c10b	link	true	/test v4.19-kuttl-parallel

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci]

New changes are detected. LGTM label has been removed.