Merge pull request csala#13 from pythiac/fix-codecov-tokenless-upload

Fix codecov tokenless upload on external PRs

Author: csala

.github/workflows/tests.yml renamed to .github/workflows/ci.yml

@@ -48,15 +48,48 @@ jobs:
       run: |
         pytest --cov=mdformat_pyproject --cov-report=xml --cov-report=term-missing
 
-    - name: Upload to Codecov
+    - name: Store PR number and commit SHA
       if: matrix.os == 'ubuntu-latest' && matrix.python-version == 3.11
-      uses: codecov/codecov-action@v5
+      run: |
+        echo "Storing PR number ${{ github.event.number }}"
+        echo "${{ github.event.number }}" > pr_number.txt
+
+        echo "Storing commit SHA ${{ github.event.pull_request.head.sha }}"
+        echo "${{ github.event.pull_request.head.sha }}" > commit_sha.txt
+
+    # Workaround for codecov tokenless upload errors on external PRs
+    # Copied and ajusted from the workarounds suggested in the link below:
+    # https://github.com/codecov/feedback/issues/301#issuecomment-2009355183
+    # Triggered sub-workflow is not able to detect the original commit/PR which is available
+    # in this workflow.
+    - name: Store PR number
+      if: matrix.os == 'ubuntu-latest' && matrix.python-version == 3.11
+      uses: actions/upload-artifact@v4
+      with:
+        name: pr_number
+        path: pr_number.txt
+
+    - name: Store commit SHA
+      if: matrix.os == 'ubuntu-latest' && matrix.python-version == 3.11
+      uses: actions/upload-artifact@v4
+      with:
+        name: commit_sha
+        path: commit_sha.txt
+
+    # This stores the coverage report in artifacts. The actual upload to Codecov
+    # is executed by a different workflow `coverage-report.yml`. The reason for this
+    # split is because `on.pull_request` workflows don't have access to secrets.
+    - name: Store coverage report in artifacts
+      if: matrix.os == 'ubuntu-latest' && matrix.python-version == 3.11
+      uses: actions/upload-artifact@v4
       with:
-        fail_ci_if_error: true
-        files: ./coverage.xml
-        flags: pytests
-        name: pytests-py3.11
-        token: ${{ secrets.CODECOV_TOKEN }}
+        name: codecov_report
+        path: ./coverage.xml
+
+    - run: |
+        echo "The coverage report was stored in Github artifacts."
+        echo "It will be uploaded to Codecov using [codecov.yml] workflow shortly."
+      if: matrix.os == 'ubuntu-latest' && matrix.python-version == 3.11
 
   pre-commit-hook:
     runs-on: ubuntu-latest

.github/workflows/codecov.yml

@@ -0,0 +1,112 @@
+name: CodeCov Report Upload
+
+on:
+  # This workflow is triggered after every successfull execution
+  # of `ci` workflow.
+  workflow_run:
+    workflows: ["CI"]
+    types:
+      - completed
+
+jobs:
+  coverage:
+    name: CodeCov Report Upload
+    runs-on: ubuntu-latest
+    steps:
+
+      - name: 'Download existing coverage report'
+        id: prepare_report
+        uses: actions/github-script@v7
+        with:
+          script: |
+            var fs = require('fs');
+
+            // List artifacts of the workflow run that triggered this workflow
+            var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: context.payload.workflow_run.id,
+            });
+
+            let codecovReport = artifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "codecov_report";
+            });
+
+            if (codecovReport.length != 1) {
+              throw new Error("Unexpected number of {codecov_report} artifacts: " + codecovReport.length);
+            }
+
+            var download = await github.rest.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: codecovReport[0].id,
+               archive_format: 'zip',
+            });
+            fs.writeFileSync('codecov_report.zip', Buffer.from(download.data));
+
+            let prNumber = artifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "pr_number";
+            });
+
+            if (prNumber.length != 1) {
+              throw new Error("Unexpected number of {pr_number} artifacts: " + prNumber.length);
+            }
+
+            var download = await github.rest.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: prNumber[0].id,
+               archive_format: 'zip',
+            });
+            fs.writeFileSync('pr_number.zip', Buffer.from(download.data));
+
+            let commitSha = artifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "commit_sha";
+            });
+
+            if (commitSha.length != 1) {
+              throw new Error("Unexpected number of {commit_sha} artifacts: " + commitSha.length);
+            }
+
+            var download = await github.rest.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: commitSha[0].id,
+               archive_format: 'zip',
+            });
+            fs.writeFileSync('commit_sha.zip', Buffer.from(download.data));
+
+      - id: parse_previous_artifacts
+        run: |
+          unzip codecov_report.zip
+          unzip pr_number.zip
+          unzip commit_sha.zip
+
+          echo "Detected PR is: $(<pr_number.txt)"
+          echo "Detected commit_sha is: $(<commit_sha.txt)"
+
+          # Make the params available as step output
+          echo "override_pr=$(<pr_number.txt)" >> "$GITHUB_OUTPUT"
+          echo "override_commit=$(<commit_sha.txt)" >> "$GITHUB_OUTPUT"
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ steps.parse_previous_artifacts.outputs.override_commit || '' }}
+          path: repo_root
+
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v5
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          files: ${{ github.workspace }}/coverage.xml
+          fail_ci_if_error: true
+          # Manual overrides for these parameters are needed because automatic detection
+          # in codecov-action does not work for non-`pull_request` workflows.
+          # In `main` branch push, these default to empty strings since we want to run
+          # the analysis on HEAD.
+          override_commit: ${{ steps.parse_previous_artifacts.outputs.override_commit || '' }}
+          override_pr: ${{ steps.parse_previous_artifacts.outputs.override_pr || '' }}
+          working-directory: ${{ github.workspace }}/repo_root
+          # Location where coverage report files are searched for
+          directory: ${{ github.workspace }}

README.md

@@ -43,8 +43,8 @@ Add the following to your `.pre-commit-config.yaml`:
         - mdformat-pyproject
 ```
 
-[ci-badge]: https://github.com/csala/mdformat-pyproject/actions/workflows/tests.yml/badge.svg
-[ci-link]: https://github.com/csala/mdformat-pyproject/actions/workflows/tests.yml
+[ci-badge]: https://github.com/csala/mdformat-pyproject/actions/workflows/ci.yml/badge.svg
+[ci-link]: https://github.com/csala/mdformat-pyproject/actions/workflows/ci.yml
 [cov-badge]: https://codecov.io/gh/csala/mdformat-pyproject/branch/master/graph/badge.svg
 [cov-link]: https://codecov.io/gh/csala/mdformat-pyproject
 [mdformat]: https://github.com/executablebooks/mdformat