Skip to content

ci: add weekly coverage run against main branch [PLT-103678]#552

Open
Sarath1018 wants to merge 3 commits into
mainfrom
ci/weekly-main-coverage
Open

ci: add weekly coverage run against main branch [PLT-103678]#552
Sarath1018 wants to merge 3 commits into
mainfrom
ci/weekly-main-coverage

Conversation

@Sarath1018

Copy link
Copy Markdown
Collaborator

What

Coverage and the SonarCloud scan were gated on github.base_ref == 'main', so they only ran on PRs targeting main — never against main itself. This adds a scheduled weekly coverage run on main.

How

To avoid duplicating the ~50-line integration-test secret mapping across two workflows, the coverage pipeline is extracted into a reusable workflow:

  • .github/workflows/coverage.yml (new) — on: workflow_call. Holds the full pipeline: install → typecheck → unit coverage → build → integration .env generation (the secrets block) → integration coverage → SonarCloud scan → summaries. Single source of truth for the env-variable mapping.
  • .github/workflows/weekly-coverage.yml (new) — runs Mondays 06:00 UTC (cron: '0 6 * * 1') + manual workflow_dispatch, calling coverage.yml with secrets: inherit. Scheduled runs check out the default branch (main), so SonarCloud performs main-branch analysis.
  • .github/workflows/pr-checks.ymltest-and-build now calls coverage.yml via secrets: inherit; test-packages matrix job unchanged.

Notes

  • Reusable workflow chosen over a composite action because composite actions can't read secrets.* directly without re-listing every secret as an input — recreating the duplication.
  • The Sonar fork guard now also allows the non-PR scheduled event: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false.
  • SonarCloud will start showing main-branch quality-gate results where it previously only saw PR analyses.

🤖 Generated with Claude Code

Coverage and the SonarCloud scan were gated on `github.base_ref == 'main'`,
so they only ran on PRs targeting main and never against main itself.

Extract the coverage pipeline (unit + integration + SonarCloud) into a
reusable workflow (coverage.yml, on: workflow_call) so the integration-test
secret mapping lives in exactly one place. pr-checks.yml now calls it via
`secrets: inherit`, and a new weekly-coverage.yml calls the same workflow on a
Monday cron, giving SonarCloud main-branch coverage analysis.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Sarath1018 Sarath1018 requested a review from a team June 25, 2026 05:32
@Sarath1018 Sarath1018 changed the title ci: add weekly coverage run against main branch ci: add weekly coverage run against main branch [PLT-103678] Jun 25, 2026
TASKS_TEST_USER_ID=${{ steps.config.outputs.tasks_test_user_id }}
EOF

- name: Run Integration Tests

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The integration-test steps (setup, .env creation, and this run step) have no if: guard in the reusable workflow. The original pr-checks.yml gated every integration-test step with if: github.base_ref == 'main', so integration tests only ran on PRs targeting main. Now that pr-checks.yml calls this reusable workflow unconditionally, integration tests will run on every PR regardless of target branch.

If this is intentional (always run integration tests on all PRs), no change needed — but worth confirming. If you want to preserve the original selective behavior, accept a boolean input and gate the three integration steps on it:

# in workflow_call inputs:
      run_integration:
        description: Whether to run integration tests and SonarCloud
        type: boolean
        required: false
        default: true
# on each integration step:
        if: inputs.run_integration

Then in pr-checks.yml:

    with:
      ref_label: ${{ github.base_ref }}
      run_integration: ${{ github.base_ref == 'main' }}

permissions:
contents: read

jobs:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Without a concurrency group, a manual workflow_dispatch trigger can overlap with the scheduled Monday run, wasting API quota and potentially causing credential conflicts. Consider adding before jobs::

Suggested change
jobs:
concurrency:
group: weekly-coverage
cancel-in-progress: false
jobs:

cancel-in-progress: false preserves already-running complete coverage passes rather than killing them mid-flight.

@claude

claude Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Review summary

Two findings from this run:

1. Integration tests now run on all PRs (coverage.yml:102).
The original pr-checks.yml gated integration-test steps with if: github.base_ref == 'main'. The reusable coverage.yml has no such guard, so every PR — regardless of target branch — now triggers the full integration suite. If intentional, no change needed; if not, a run_integration: boolean input would restore the selective behavior.

2. No concurrency group in weekly-coverage.yml (weekly-coverage.yml:14).
A manual workflow_dispatch can overlap with the Monday schedule. Adding concurrency: { group: weekly-coverage, cancel-in-progress: false } before jobs: prevents parallel runs without killing an in-flight coverage pass.

🤖 Generated with Claude Code

Prevents a manual workflow_dispatch from overlapping the scheduled Monday run
against the same dev tenant's integration data. Uses cancel-in-progress: false
so an in-flight coverage pass is allowed to finish.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@claude

claude Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

✅ No issues found. Checked for bugs and CLAUDE.md compliance.

A job that uses a reusable workflow reports its check as
`test-and-build / coverage`, which the main ruleset's required
`test-and-build` context does not match — blocking every PR that lacks the
new workflow.

Split into a `coverage` job (the reusable call) and a thin `test-and-build`
gate job that needs it and fails if it didn't succeed. This preserves the
flat `test-and-build` check name required by the ruleset while keeping the
integration-test secret mapping defined only once.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@claude

claude Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

✅ No issues found. Checked for bugs and CLAUDE.md compliance.

@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant