[Bug]: coverage report fails to upload on PR

[tsteven4]

Bug description

GitHub prevents PRs from forks from accessing secrets by default , so I think #856 introduced this bug.

aqtinstall/.github/workflows/check.yml

Lines 46 to 50 in f35c542

	- name: Send coverage to codacy
	run: |
	java -jar ci/codacy-coverage-reporter-assembly.jar report -l Python -t ${PROJECT_TOKEN} -r cobertura.xml
	env:
	PROJECT_TOKEN: ${{ secrets.CODACY_PROJECT_TOKEN }}

Expected behavior

Action "Check tox tests, lint and types" pass.

aqt and python version

v3.1.12

Operating System

Windows

Relevant log output

2024-12-18 00:41:00.138Z  info [ReportRules] Generated coverage report: /tmp/codacy-coverage-7901395783529718860.json (29.68 kB)  - (ReportRules.scala:308)
2024-12-18 00:41:00.138Z  info [ReportRules] Uploading coverage data...  - (ReportRules.scala:309)
2024-12-18 00:41:11.366Z  warn [ReportRules] Failed to upload coverage report /home/runner/work/aqtinstall/aqtinstall/cobertura.xml: Request URL not found. Check if the API Token you are using and the API base URL are valid.  - (ReportRules.scala:59)
2024-12-18 00:41:11.366Z error [CodacyCoverageReporter] No coverage data was sent  - (CodacyCoverageReporter.scala:28)

Code of Conduct

• I agree to follow this project's Code of Conduct

[tsteven4]

To only load coverage reports for the master branch:

diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index 626a059..90e7b72 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -44,6 +44,7 @@ jobs:
         distribution: 'temurin'
         java-version: '21'
     - name: Send coverage to codacy
+      if: ( github.event_name == 'push' ) && ( github.ref == 'refs/heads/master' )
       run: |
         java -jar ci/codacy-coverage-reporter-assembly.jar report -l Python -t ${PROJECT_TOKEN} -r cobertura.xml
       env:

[miurahr]

It may be a problem for the PR that raised from other than me, because of secret handling.
I would like to limit a coverage reporter in master branch.

[tsteven4]

Adding that one line I cited should do that.

[miurahr]

From https://stackoverflow.com/questions/76746551/how-to-use-github-actions-environment-secrets-in-open-source-pull-request-ci-wor the issue is related to the fact pull_request from forked repository.

on:
  push:
    branches:
      - 'master'
  pull_request_target:

I would like to change a trigger condition.

[tsteven4]

#859 doesn't upload coverage except when you push to master, e.g. from merging a pull request, but it runs all the other steps. We use that to conditionally skip steps in our workflows in gpsbabel:
https://github.com/GPSBabel/gpsbabel/blob/a460fb574ec2f9d5308a7b3b7d94caaf64f2e2ac/.github/workflows/ubuntu.yml#L125-L133

I think using on pull-request_target is going to allow access to secrets with actions run on the PR, and thus "Send coverage to codacy" step would run and succeed when a pull request is submitted.

[tsteven4]

So if you just want "to limit a coverage reporter in master branch." then #859 is appropriate.

On the other hand, if you want to trust your secrets to PRs from forks, and have coverage for PRs before they are merged, then the on pull_request_target method is appropriate. see the warning at https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target

[miurahr]

Ok, I can limit codacy reporter to master branch.
It is also better to set if condition for setup-java

    - uses: actions/setup-java@v4
      if: ( github.event_name == 'push' ) && ( github.ref == 'refs/heads/master' )
      with:
        distribution: 'temurin'
        java-version: '21'