@panarch panarch commented Sep 16, 2025

Summary

  • add coverage workflow using cargo-llvm-cov for pushes and pull requests
  • publish PR coverage artifacts to gluesql.github.io via GitHub App token

Testing

  • not run (workflow definition only)

Summary by CodeRabbit

  • New Features

    • Automatically generates code coverage on pushes and pull requests.
    • Publishes compressed coverage reports to the project website with timestamped versions.
    • Adds a pull request comment with a direct link to the hosted coverage report.
    • Makes coverage files available as downloadable workflow artifacts.
  • Chores

    • Introduces CI workflows to produce, archive, and publish coverage reports.
    • Updates automation to handle tokens, timestamps, and conditional publication across branches and PRs.

coderabbitai bot commented Sep 16, 2025

Walkthrough

Adds two GitHub Actions workflows: one to generate and archive LCOV coverage artifacts on pushes/PRs, and another to publish the artifact to gluesql.github.io and comment on PRs with a link. The publish workflow can be triggered by the coverage workflow’s completion or manually.

Changes

| Cohort / File(s) | Summary of Changes |
|---|---|
| Coverage generation workflow: .github/workflows/coverage.yml | New workflow "Coverage" to run cargo-llvm-cov, produce LCOV (coverage/lcov.info), compress to .xz, set timestamp, optionally publish to gluesql.github.io for main pushes, and upload as an artifact. |
| Coverage publishing workflow: .github/workflows/publish-coverage.yml | New workflow "Publish Coverage" triggered by Coverage completion or manual dispatch. Downloads artifact, timestamps, pushes to gluesql.github.io under structured path, and posts/updates a PR comment linking to the hosted report. |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer
  participant GH as GitHub Actions
  participant Repo as gluesql/glues
  participant Cov as Coverage WF
  participant Art as Artifact Store
  participant Pages as gluesql.github.io (gh-pages)

  Dev->>Repo: Push / PR to main
  GH->>Cov: Trigger "Coverage"
  Cov->>Repo: Checkout
  Cov->>Cov: cargo llvm-cov (workspace) -> lcov.info
  Cov->>Cov: Compress lcov.info -> lcov.info.xz (timestamp)
  Cov->>Art: Upload artifact (coverage)
  alt push to main on gluesql/glues
    Cov->>Pages: Clone gh-pages, commit lcov.info.xz under coverage/glues/main
    Cov->>Pages: Push with GitHub App token
  end
sequenceDiagram
  autonumber
  participant GH as GitHub Actions
  participant Pub as Publish Coverage WF
  participant Art as Artifact Store
  participant Pages as gluesql.github.io (gh-pages)
  participant PR as Pull Request

  GH->>Pub: Trigger on workflow_run(Completion of Coverage) or manual_dispatch
  Pub->>Art: Download artifact (default: coverage)
  Pub->>Pub: Determine RUN_ID, PR_NUMBER, COMMIT_SHA, TIMESTAMP
  Pub->>Pages: Clone gh-pages, add file under coverage/glues/pr/<PR>/<TIMESTAMP>.<SHA>.lcov.info.xz
  Pub->>Pages: Commit & push via GitHub App token
  Pub->>PR: Create/Update comment with report URL (gluesql.org/coverage/?path=...)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

I hop through YAML fields at night,
Stitching stats in xz light—
LCOV moons, timestamped skies,
Pages bloom where coverage lies.
A carrot link for PR’s view—
“Click me!” says the bunny, true.
Thump-thump: reports for you.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title Check | ✅ Passed | The title "Automate coverage reporting" succinctly and accurately summarizes the primary change in this changeset — adding GitHub Actions workflows to generate and publish code coverage reports for pushes and PRs — and is concise and clear enough for a reviewer scanning history to understand the intent. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |

@panarch panarch self-assigned this Sep 16, 2025

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (8)
.github/workflows/coverage.yml (4)

54-65: Avoid push races to gh-pages (rebase before commit).

Add a rebase pull before staging to reduce non-fast-forward failures.

       - name: Publish coverage to gluesql.github.io
         if: github.repository == 'gluesql/glues' && github.event_name == 'push' && github.ref == 'refs/heads/main'
         run: |
           git clone https://github.com/gluesql/gluesql.github.io.git
           cd gluesql.github.io
           git checkout gh-pages
+          git pull --rebase origin gh-pages
           mkdir -p coverage/glues/main
           cp ../coverage/lcov.info.xz coverage/glues/main/${TIMESTAMP}.${COMMIT_SHA}.lcov.info.xz
           git add coverage/glues/main/${TIMESTAMP}.${COMMIT_SHA}.lcov.info.xz
           git commit -m "Coverage: main@${COMMIT_SHA}"
           git push https://x-access-token:${{ steps.app-token.outputs.token }}@github.com/gluesql/gluesql.github.io.git
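
Review bot: The added `git pull --rebase origin gh-pages` runs immediately after a fresh `git clone` and `git checkout gh-pages`, so it has nothing to rebase; the non-fast-forward window is between the clone and the final `git push`, and only a rebase-and-retry around the push closes it. Separately, the last line expands the App token into the push URL inside the script text; passing it through an `env:` entry and a credential helper or an `http.extraheader` setting keeps the secret out of the command line.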

12-17: Add job-level concurrency to auto-cancel superseded runs.

Prevents redundant coverage runs per ref/PR.

 jobs:
   coverage:
+    concurrency:
+      group: coverage-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+      cancel-in-progress: true
     runs-on: ubuntu-latest
     env:
       COMMIT_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
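
Review bot: `cancel-in-progress: true` also applies to pushes to main, because the group falls back to `github.ref`. A second push to main then cancels the earlier run, possibly during its publish step, and that commit never gets a report under coverage/glues/main. Consider limiting cancellation to pull requests, for example `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`.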

35-39: Compression level nit: speed vs size.

-9e is expensive for marginal gains. Consider -6 (default) or -3 to save CI minutes.

-          xz -T0 -9e -c coverage/lcov.info > coverage/lcov.info.xz
+          xz -T0 -6 -c coverage/lcov.info > coverage/lcov.info.xz

30-34: Cache Cargo artifacts to cut CI time.

Add a simple cargo target/registry cache.

       - name: Generate coverage report
         run: |
           mkdir -p coverage
           cargo llvm-cov --workspace --lcov --output-path coverage/lcov.info
+      - name: Cache Cargo registry and target
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            target
+          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-cargo-
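
Review bot: The cache step is added after "Generate coverage report", so the restore happens once `cargo llvm-cov` has already built everything and the current run gains nothing from it. Move the `actions/cache@v4` step above the generate step (and above the cargo-llvm-cov install if that should be cached too) so the restore precedes the build.
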
.github/workflows/publish-coverage.yml (4)

28-36: Add concurrency to prevent clobbering when multiple runs publish.

Scope by PR number for auto-cancel on newer runs.

 jobs:
   publish:
+    concurrency:
+      group: publish-coverage-${{ github.event_name == 'workflow_dispatch' && inputs.pr_number || github.event.workflow_run.pull_requests[0].number || github.run_id }}
+      cancel-in-progress: true
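
Review bot: The group is keyed on the PR number, so it only serializes runs that belong to the same PR; runs for different PRs still push to the same gh-pages branch at the same time, and the `github.run_id` fallback gives every run without a PR number its own group. This setting does not replace a rebase-and-retry on the push itself.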

64-71: Guard against missing PR array in workflow_run payload.

Rare but possible; add a sanity check fallback to avoid empty PR_NUMBER.

       - name: Set variables for workflow_run
         if: github.event_name == 'workflow_run'
         run: |
-          echo "RUN_ID=${{ github.event.workflow_run.id }}" >> $GITHUB_ENV
-          echo "COMMIT_SHA=${{ github.event.workflow_run.head_sha }}" >> $GITHUB_ENV
-          echo "PR_NUMBER=${{ github.event.workflow_run.pull_requests[0].number }}" >> $GITHUB_ENV
+          echo "RUN_ID=${{ github.event.workflow_run.id }}" >> $GITHUB_ENV
+          echo "COMMIT_SHA=${{ github.event.workflow_run.head_sha }}" >> $GITHUB_ENV
+          echo "PR_NUMBER=${{ github.event.workflow_run.pull_requests && github.event.workflow_run.pull_requests[0] && github.event.workflow_run.pull_requests[0].number || '' }}" >> $GITHUB_ENV
           echo "ARTIFACT_NAME=coverage" >> $GITHUB_ENV
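
Review bot: With the `|| ''` fallback on the `PR_NUMBER` line the job keeps going with an empty value, and the publish step then writes to `coverage/glues/pr/${PR_NUMBER}/` with nothing between the slashes and commits as "Coverage: PR#@...". Fail the step when `PR_NUMBER` is empty or not all digits, before anything is written to gh-pages. The three `${{ ... }}` values are also pasted into the script text; mapping them through the step's `env:` block and referencing shell variables keeps event data out of the script source.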

If you prefer stricter handling, fail fast when PR_NUMBER is empty and print the event JSON for debugging.


83-94: Add a lightweight push retry to handle concurrent updates.

Prevents transient failures when multiple jobs commit to gh-pages.

       - name: Publish coverage to gluesql.github.io
         run: |
           git clone https://github.com/gluesql/gluesql.github.io.git
           cd gluesql.github.io
           git checkout gh-pages
           git pull --rebase origin gh-pages
           mkdir -p coverage/glues/pr/${PR_NUMBER}
           cp ../coverage/lcov.info.xz coverage/glues/pr/${PR_NUMBER}/${TIMESTAMP}.${COMMIT_SHA}.lcov.info.xz
           git add coverage/glues/pr/${PR_NUMBER}/${TIMESTAMP}.${COMMIT_SHA}.lcov.info.xz
           git commit -m "Coverage: PR#${PR_NUMBER}@${COMMIT_SHA}"
-          git push https://x-access-token:${{ steps.app-token.outputs.token }}@github.com/gluesql/gluesql.github.io.git
+          for i in 1 2 3; do
+            if git push https://x-access-token:${{ steps.app-token.outputs.token }}@github.com/gluesql/gluesql.github.io.git; then
+              break
+            fi
+            git pull --rebase origin gh-pages
+            sleep $((i*2))
+          done
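
Review bot: When all three `git push` attempts fail, the loop ends on `sleep`, which exits 0, so the step succeeds with nothing published and the later comment step links to a report that does not exist. Record success inside the `if` branch and `exit 1` after `done` when no attempt succeeded. The token is still expanded into the push URL on each attempt; an `env:` variable with a credential helper avoids repeating it in the script.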

95-134: Make PR comment idempotent with a stable hidden marker.

Use a hidden HTML marker to find/update the bot comment reliably.

-            const body = [
-              '### Glues Coverage Report',
+            const marker = '<!-- glues-coverage-report -->';
+            const body = [
+              marker,
+              '### Glues Coverage Report',
               '',
               `- **Commit:** \`${process.env.COMMIT_SHA}\``,
               `- **Timestamp:** \`${process.env.TIMESTAMP}\``,
               `- **Report:** [View report](${url})`
             ].join('\n');
 ...
-            const comment = comments.find(c => c.body.startsWith('### Glues Coverage Report'));
+            const comment = comments.find(c => c.body.includes('<!-- glues-coverage-report -->'));
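
Review bot: The new `comments.find(c => c.body.includes(...))` matches any comment that contains the marker, including a user's reply that quotes the bot comment, and the update would then target that comment. Also require the comment author to be the app's bot account in the predicate, and reuse the `marker` constant instead of repeating the literal string.
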
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e1d12e0 and e404d4f.

📒 Files selected for processing (2)
  • .github/workflows/coverage.yml (1 hunks)
  • .github/workflows/publish-coverage.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: coverage

Comment on lines +18 to +19
- uses: actions/checkout@v4

⚠️ Potential issue

Pin third-party Actions to commit SHAs (supply‑chain hardening).

Pin actions/checkout@v4, taiki-e/install-action@v2, and actions/upload-artifact@v4 to immutable commit SHAs.

Example (replace COMMIT_SHA placeholders with real SHAs):

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4@COMMIT_SHA

-      - name: Install cargo-llvm-cov
-        uses: taiki-e/install-action@v2
+      - name: Install cargo-llvm-cov
+        uses: taiki-e/install-action@v2@COMMIT_SHA

-      - name: Upload coverage artifact
-        uses: actions/upload-artifact@v4
+      - name: Upload coverage artifact
+        uses: actions/upload-artifact@v4@COMMIT_SHA
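
Review bot: The `+` lines use `actions/checkout@v4@COMMIT_SHA`, which is not a valid `uses:` reference; the value takes a single `@ref`. The pinned form replaces the tag with the full 40-character SHA and keeps the tag as a trailing comment, for example `uses: actions/checkout@<full-commit-sha> # v4`, so update tooling and reviewers can still see which release the SHA corresponds to.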

Also applies to: 25-29, 66-70

🤖 Prompt for AI Agents
.github/workflows/coverage.yml around lines 18-19 (also apply same change at
25-29 and 66-70): the workflow uses third‑party GitHub Actions by tag (e.g.,
actions/checkout@v4, taiki-e/install-action@v2, actions/upload-artifact@v4)
which should be pinned to immutable commit SHAs; replace each action tag with
the corresponding full commit SHA reference (e.g.,
actions/checkout@<COMMIT_SHA>) across the specified line ranges, updating any
uses steps to reference the exact SHA, and verify the SHAs are current by
checking the action repos and using the latest stable commit SHA for each
action.

Comment on lines +46 to +55
- name: Create GitHub App token
id: app-token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ secrets.COVERAGE_APP_ID }}
installation-id: ${{ secrets.COVERAGE_APP_INSTALLATION_ID }}
private-key: ${{ secrets.COVERAGE_APP_PRIVATE_KEY }}
owner: gluesql
repositories: glues, gluesql.github.io

⚠️ Potential issue

Pin third-party Actions to commit SHAs (supply‑chain hardening).

Pin actions/create-github-app-token@v1, actions/download-artifact@v4, and actions/github-script@v7 to immutable SHAs.

-      - name: Create GitHub App token
-        uses: actions/create-github-app-token@v1
+      - name: Create GitHub App token
+        uses: actions/create-github-app-token@v1@COMMIT_SHA
...
-      - name: Download coverage artifact
-        uses: actions/download-artifact@v4
+      - name: Download coverage artifact
+        uses: actions/download-artifact@v4@COMMIT_SHA
...
-      - name: Comment coverage link on PR
-        uses: actions/github-script@v7
+      - name: Comment coverage link on PR
+        uses: actions/github-script@v7@COMMIT_SHA
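
Review bot: Same `@v1@COMMIT_SHA` double-ref form on all three `+` lines here; each needs a single `@<full-commit-sha>`. Of the three, `actions/create-github-app-token` is the step that is handed `secrets.COVERAGE_APP_PRIVATE_KEY`, so it is the first one to pin and the one whose SHA bumps deserve a look at the upstream diff.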

Also applies to: 72-79, 95-97

🤖 Prompt for AI Agents
.github/workflows/publish-coverage.yml lines 46-55 (and also update same pattern
at 72-79 and 95-97): currently third‑party actions are referenced by floating
tags (e.g. actions/create-github-app-token@v1); replace those tag references
with the corresponding immutable commit SHAs for each action (pin to the
specific full commit SHA) to harden the supply chain. For each uses: entry
(actions/create-github-app-token, actions/download-artifact,
actions/github-script) look up the latest tested commit SHA in the upstream
action repo, replace the @vX tag with @<full-commit-sha>, and ensure the
workflow still passes CI after the change.
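
A check for the pinning recommendation in the two comments above, as an added example that is not part of the PR or of CodeRabbit's review: it flags `uses:` values that are not pinned to a full 40-character commit SHA, including the `@v4@COMMIT_SHA` double-ref form. The sample workflow text and the 40-hex value are constructed; the action names are the ones mentioned in this PR.

```python
import re

# Only a full 40-hex commit SHA is treated as an immutable ref here.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Capture the value of a `uses:` key, ignoring quotes and trailing comments.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"#\s]+)")


def classify(uses_value):
    """Classify the value of one `uses:` key."""
    if uses_value.startswith(("./", "docker://")):
        return "local-or-docker"
    parts = uses_value.split("@")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return "malformed"  # e.g. owner/repo@v4@<sha>, or no ref at all
    return "pinned" if SHA_RE.match(parts[1]) else "floating"


def audit(workflow_text):
    """Return (line_number, uses_value, verdict) for each step that is not pinned."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            verdict = classify(m.group(1))
            if verdict in ("floating", "malformed"):
                findings.append((n, m.group(1), verdict))
    return findings


# Constructed sample workflow; the 40-hex ref is a made-up placeholder, not a real commit.
SAMPLE = """\
steps:
  - uses: actions/checkout@v4
  - name: Install cargo-llvm-cov
    uses: taiki-e/install-action@v2
  - uses: actions/upload-artifact@v4@COMMIT_SHA
  - uses: actions/github-script@0123456789abcdef0123456789abcdef01234567 # v7
  - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for n, value, verdict in audit(SAMPLE):
        print(f"line {n}: {value} -> {verdict}")
```

Run over the files in `.github/workflows/` as a CI step, a non-empty result from `audit` can fail the job.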

@panarch panarch merged commit 260a7d4 into main Sep 16, 2025
6 checks passed
@panarch panarch deleted the coverage-ci-reporting branch September 16, 2025 03:43
@coderabbitai coderabbitai bot mentioned this pull request Sep 16, 2025