
Add Codecov integration for ocp-secrets-management-console#80524

Open
anandkuma77 wants to merge 1 commit into
openshift:mainfrom
anandkuma77:add-ocp-secrets-mgmt-codecov

Conversation


@anandkuma77 anandkuma77 commented Jun 15, 2026


Summary

Adds Codecov coverage reporting to the ocp-secrets-management-console repository.

Changes

  • Add coverage image build (images/ci/Dockerfile.coverage)
  • Add unit-with-coverage postsubmit test with Codecov upload
  • Update presubmit jobs to include coverage Dockerfile in sparse checkout

Required Secret Configuration

This PR requires the OpenShift CI team to add the Codecov token secret:

Secret Name: ocp-secrets-management-console-codecov-token
Namespace: test-credentials
Token Value: 272c7f0e-33d8-43b4-92d8-ea35201c9efc

The secret should be created as:

apiVersion: v1
kind: Secret
metadata:
  name: ocp-secrets-management-console-codecov-token
  namespace: test-credentials
type: Opaque
stringData:
  token: 272c7f0e-33d8-43b4-92d8-ea35201c9efc

Related

Testing

After merge and secret configuration:

  1. Coverage will be collected on every merge to main
  2. Reports will be uploaded to https://codecov.io/gh/openshift/ocp-secrets-management-console
  3. PR comments will show coverage changes

cc @openshift/test-platform for secret configuration

Summary by CodeRabbit

This PR adds Codecov integration to the OpenShift CI infrastructure for the ocp-secrets-management-console repository to enable automated code coverage reporting.

The changes update the CI configuration in ci-operator/config/openshift/ocp-secrets-management-console/openshift-ocp-secrets-management-console-main.yaml to implement code coverage collection and reporting:

  1. New Coverage Image Build Target: Adds a container image build configuration using images/ci/Dockerfile.coverage to produce the ocp-secrets-management-console-coverage image for use in the CI pipeline.

  2. New unit-with-coverage Postsubmit Job: Introduces a postsubmit test that automatically runs on every merge to the main branch and:

    • Executes unit tests with yarn coverage to collect coverage metrics
    • Includes a collect-coverage post-test step that downloads the official Codecov uploader and authenticates using a Kubernetes secret mounted at runtime
    • Uploads coverage reports to Codecov with a 15-minute timeout
  3. Credential Configuration: The job references a Kubernetes secret named ocp-secrets-management-console-codecov-token in the test-credentials namespace. This secret must be manually created by the OpenShift CI team with the Codecov authentication token.

Once the secret is configured and the changes are merged, the integration will automatically collect code coverage metrics on each commit to main and publish them to https://codecov.io/gh/openshift/ocp-secrets-management-console, including coverage change comments on pull requests.

This adds Codecov coverage reporting to the ocp-secrets-management-console
repository following the pattern from external-secrets-operator.

Changes:
- Add coverage image build (images/ci/Dockerfile.coverage)
- Add unit-with-coverage postsubmit test with codecov upload
- Update presubmit jobs to include coverage Dockerfile in sparse checkout

The coverage integration requires:
- Codecov token secret: ocp-secrets-management-console-codecov-token
  in test-credentials namespace (needs to be added by CI team)
- Token value: 272c7f0e-33d8-43b4-92d8-ea35201c9efc

Related: openshift/ocp-secrets-management-console#25
Pattern: openshift#77684

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

coderabbitai Bot commented Jun 15, 2026


Walkthrough

The CI pipeline config for ocp-secrets-management-console gains a new image build target (ocp-secrets-management-console-coverage) using images/ci/Dockerfile.coverage, and a new unit-with-coverage postsubmit test that runs yarn coverage and uploads results to Codecov using a secret token.

Changes

Coverage CI Pipeline Addition

Layer / File(s) Summary
Coverage image build and postsubmit test config
ci-operator/config/openshift/ocp-secrets-management-console/openshift-ocp-secrets-management-console-main.yaml
Adds an image build entry for ocp-secrets-management-console-coverage pointing to images/ci/Dockerfile.coverage. Adds a unit-with-coverage postsubmit test with two steps: collect-coverage (best-effort, downloads and runs the Codecov uploader with a token mounted from ocp-secrets-management-console-codecov-token) and test (runs yarn coverage in the src container with CPU resource requests).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name Status Explanation Resolution
No-Sensitive-Data-In-Logs ❌ Error The Codecov token is exposed as a command-line argument (--token=...) which can be captured in logs if tracing is enabled. Sensitive tokens should be passed via environment variables instead. Change ./codecov upload-process --token=$(cat /var/run/secrets/codecov/token) to use an environment variable: export CODECOV_TOKEN=$(cat /var/run/secrets/codecov/token) && ./codecov upload-process
✅ Passed checks (14 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately and concisely summarizes the main change: adding Codecov integration for the ocp-secrets-management-console, which is the primary objective of this PR.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed The custom check for stable Ginkgo test names is not applicable. This PR modifies only a YAML CI configuration file, not any Ginkgo test files (.go files with It(), Describe(), etc.). No test defin...
Test Structure And Quality ✅ Passed The PR modifies only CI/CD configuration (YAML), not Ginkgo test code. The custom check requires reviewing Ginkgo test quality, which is not applicable here.
Microshift Test Compatibility ✅ Passed This PR does not add any Ginkgo e2e tests (It, Describe, Context, When). It only modifies CI/CD configuration to add coverage collection. The check is not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed This PR modifies only CI configuration YAML files and does not add any Ginkgo e2e tests. The custom check for SNO compatibility only applies when new tests are added.
Topology-Aware Scheduling Compatibility ✅ Passed The PR modifies only a CI pipeline configuration file, not deployment manifests, operator code, or controllers. No Kubernetes scheduling constraints are introduced.
Ote Binary Stdout Contract ✅ Passed PR modifies only CI configuration (YAML) with no Go test code. OTE Binary Stdout Contract applies to Go-based test binaries; this PR adds Codecov integration running shell/JavaScript commands, not...
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PR does not add Ginkgo e2e tests; it modifies CI configuration for unit test coverage reporting. Custom check requires Ginkgo e2e tests to be added and is not applicable here.
No-Weak-Crypto ✅ Passed No weak cryptographic algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons found in any modified files.
Container-Privileges ✅ Passed No privileged settings found in PR changes. The configuration does not set privileged: true, hostPID, hostNetwork, hostIPC, SYS_ADMIN, allowPrivilegeEscalation, or runAs directives.


openshift-ci Bot commented Jun 15, 2026


[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: anandkuma77


@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 15, 2026
@openshift-merge-bot


[REHEARSALNOTIFIER]
@anandkuma77: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name Repo Type Reason
pull-ci-openshift-ocp-secrets-management-console-main-images openshift/ocp-secrets-management-console presubmit Ci-operator config changed
pull-ci-openshift-ocp-secrets-management-console-main-operator-unit openshift/ocp-secrets-management-console presubmit Ci-operator config changed
pull-ci-openshift-ocp-secrets-management-console-main-unit openshift/ocp-secrets-management-console presubmit Ci-operator config changed

Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.


openshift-ci Bot commented Jun 15, 2026


@anandkuma77: all tests passed!


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (1)
ci-operator/config/openshift/ocp-secrets-management-console/openshift-ocp-secrets-management-console-main.yaml (1)

15-16: Remove or clarify the unused coverage image build.

The ocp-secrets-management-console-coverage image is defined (lines 15–16) but never referenced by any test step. Both the test and collect-coverage steps in the unit-with-coverage test use from: src, not the coverage image. If coverage tools are not being used from this image, remove the image build to avoid unnecessary CI overhead. If the image is intended for external use (promotion), add promotion configuration or clarify its purpose in documentation.


📥 Commits

Reviewing files that changed from the base of the PR and between b3e0d71 and ab7a27a.

⛔ Files ignored due to path filters (2)
  • ci-operator/jobs/openshift/ocp-secrets-management-console/openshift-ocp-secrets-management-console-main-postsubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/ocp-secrets-management-console/openshift-ocp-secrets-management-console-main-presubmits.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (1)
  • ci-operator/config/openshift/ocp-secrets-management-console/openshift-ocp-secrets-management-console-main.yaml

Comment on lines +38 to +40
curl -Os https://uploader.codecov.io/latest/linux/codecov
chmod +x codecov
./codecov upload-process --token=$(cat /var/run/secrets/codecov/token)


⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

How to verify Codecov uploader integrity with checksum or GPG signature?

💡 Result:

To ensure the integrity of the Codecov CLI or uploader binary, it is highly recommended to perform both GPG signature and SHA256 checksum verification [1][2]. The verification process consists of two primary steps: verifying the digital signature of the checksum file using Codecov's PGP key, and then verifying the binary's checksum against that file [1][2]. Verification Steps: 1. Import Codecov's PGP public key: This is a one-time step. You can import the public key from a trusted source, such as Keybase or directly from Codecov's servers [3][1][4]. Example command: curl https://keybase.io/codecovsecops/pgp_keys.asc | gpg --no-default-keyring --keyring trustedkeys.gpg --import [3] The Codecov PGP public key details are: Key ID: ED779869 [1][2] Key Fingerprint: 2703 4E7F DB85 0E0B BC2C 62FF 806B B28A ED77 9869 [1][2] 2. Download the required files: For your specific operating system and architecture, download the uploader binary, its corresponding SHA256SUM file, and the SHA256SUM.sig signature file [1][2]. Example (Linux): curl -Os https://cli.codecov.io/latest/linux/codecov curl -Os https://cli.codecov.io/latest/linux/codecov.SHA256SUM curl -Os https://cli.codecov.io/latest/linux/codecov.SHA256SUM.sig [3] 3. Verify the signature: Use GPG to verify that the SHA256SUM file was legitimately signed by Codecov [1][2]. Example: gpg --verify codecov.SHA256SUM.sig codecov.SHA256SUM [1] 4. Verify the binary checksum: Once the signature is verified, confirm that the binary matches the checksum provided in the SHA256SUM file [1][2]. Example: shasum -a 256 -c codecov.SHA256SUM [3][1] Official documentation provides these instructions for various environments, including Linux, macOS, and Alpine [3][1][2]. Always ensure you are downloading from the official Codecov domains (e.g., cli.codecov.io or uploader.codecov.io) [3][1][2].

Add integrity verification for the Codecov uploader binary.

Downloading and executing an unsigned binary directly from the internet is a supply chain security risk. The Codecov uploader was compromised in a 2021 supply chain attack. Codecov provides GPG signatures and checksums for verification.

🛡️ Suggested fix with integrity verification
      commands: |
        curl -Os https://uploader.codecov.io/latest/linux/codecov
+       curl -Os https://uploader.codecov.io/latest/linux/codecov.SHA256SUM
+       curl -Os https://uploader.codecov.io/latest/linux/codecov.SHA256SUM.sig
+       curl https://keybase.io/codecovsecops/pgp_keys.asc | gpg --no-default-keyring --keyring trustedkeys.gpg --import
+       gpgv codecov.SHA256SUM.sig codecov.SHA256SUM
+       shasum -a 256 -c codecov.SHA256SUM
        chmod +x codecov
        ./codecov upload-process --token=$(cat /var/run/secrets/codecov/token)
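Review bot: the added verification chain trusts whatever key keybase.io serves at run time. `curl https://keybase.io/codecovsecops/pgp_keys.asc | gpg ... --import` fetches the key over the same channel as the binary, and `gpgv codecov.SHA256SUM.sig codecov.SHA256SUM` then accepts any key in that keyring, so an attacker who can substitute the key file defeats both the signature and the checksum check. Pin the fingerprint the web query result above gives (2703 4E7F DB85 0E0B BC2C 62FF 806B B28A ED77 9869) and abort unless the imported key matches it, or bake the key into the image. Nothing in the hunk itself makes a failed `gpgv` or `shasum -a 256 -c` abort the step; unless the ci-operator shell runs with errexit, `chmod +x codecov` and the upload proceed with an unverified binary, so add `set -euo pipefail` or `|| exit 1` on each check. The last line also still passes the token as `--token=$(cat /var/run/secrets/codecov/token)`, which the other comment on this PR asks to move into CODECOV_TOKEN; the two suggestions should be combined into one change.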

Alternatively, if GPG tooling is unavailable in the container, at minimum verify the SHA256 checksum.


commands: |
  curl -Os https://uploader.codecov.io/latest/linux/codecov
  chmod +x codecov
  ./codecov upload-process --token=$(cat /var/run/secrets/codecov/token)


⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

Codecov CLI upload-process command usage and CODECOV_TOKEN environment variable

💡 Result:

The Codecov CLI upload-process command is a convenient wrapper that executes three distinct stages in a single operation: creating a commit, creating a report, and performing the actual upload [1][2][3]. Using this command simplifies your CI workflow by replacing the need to execute these steps individually [1][3]. CODECOV_TOKEN Usage The Codecov CLI automatically searches the environment for a variable named CODECOV_TOKEN [2][3][4]. If this environment variable is correctly configured in your CI provider's secrets, the CLI will use it automatically without requiring additional flags [2][4]. If you prefer not to use an environment variable, or if you need to override it, you can pass the token manually as a command-line argument using the -t or --token flag [5][6][7]: codecovcli upload-process -t Example usage in a CI environment:./codecov --verbose upload-process --disable-search -t ${{ secrets.CODECOV_TOKEN }} -n 'job-name'-${{ github.run_id }} -F -f [5][8] Key Considerations: - Token Security: Always use your CI provider's secret management system to store the CODECOV_TOKEN rather than hardcoding it in scripts [8][9]. - Flexibility: While upload-process is a wrapper, you can still customize the command with additional options (e.g., --disable-search, --flag, --file) to suit your project's specific requirements [5][6]. - Legacy Migration: If you are migrating from the older NodeJS Binary Uploader, replacing your existing upload step with the upload-process command is the recommended approach for the Codecov CLI [5][1][3].

🏁 Script executed:

# First, locate and read the file mentioned in the review
cat -n "ci-operator/config/openshift/ocp-secrets-management-console/openshift-ocp-secrets-management-console-main.yaml" | sed -n '35,45p'

Repository: openshift/release

Length of output: 543


🏁 Script executed:

# Search for other Codecov invocations in the codebase to understand patterns
rg "codecov.*upload-process" --type yaml --type sh -A 2 -B 2

Repository: openshift/release

Length of output: 850


🏁 Script executed:

# Check if this invocation is in a step-registry commands script or inline in config
grep -r "upload-process.*token" --include="*.sh" --include="*.yaml"

Repository: openshift/release

Length of output: 251


Use CODECOV_TOKEN environment variable for safer token handling.

The upload-process command is correct. However, passing the token via --token=$(cat ...) exposes it as a command-line argument where it may be captured in logs if tracing is enabled upstream. The Codecov CLI automatically reads the CODECOV_TOKEN environment variable, which is the safer approach:

-        ./codecov upload-process --token=$(cat /var/run/secrets/codecov/token)
+        export CODECOV_TOKEN=$(cat /var/run/secrets/codecov/token)
+        ./codecov upload-process
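Review bot: `export CODECOV_TOKEN=$(cat /var/run/secrets/codecov/token)` keeps the token out of the uploader's argv (`ps`, `/proc/<pid>/cmdline`), but it does not address the tracing case the comment cites: under `set -x` the shell prints the expanded assignment, so `+ export CODECOV_TOKEN=<value>` lands in the log exactly as `--token=<value>` would. Disable xtrace around the assignment (`{ set +x; } 2>/dev/null` before it) if tracing can be on in this step. Also check `[ -s /var/run/secrets/codecov/token ]` before the export, so a missing or empty mount fails the step with a clear error instead of an empty CODECOV_TOKEN reaching `./codecov upload-process`.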

This prevents the token from appearing in the command invocation itself.

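A fail-closed version of the collect-coverage step that folds both review findings together, written as an added example for this page and not code from the PR, from openshift/release or from Codecov. It pins the signing key to the fingerprint quoted in the first review comment (2703 4E7F DB85 0E0B BC2C 62FF 806B B28A ED77 9869) instead of trusting whatever the key server returns, aborts on any verification failure before the binary is made executable, and hands the token to the uploader only through CODECOV_TOKEN with xtrace switched off while it is read. Assumptions: the secret mount path from the PR (/var/run/secrets/codecov/token), gpg and GNU sha256sum present in the `src` image; the helper names and the `run` argument convention are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not code from the PR or from Codecov. A fail-closed
# collect-coverage step for a ci-operator `commands:` block. Assumptions:
# the token is mounted at /var/run/secrets/codecov/token as in the PR,
# gpg and GNU sha256sum exist in the `src` image, and CODECOV_FPR is the
# Codecov signing-key fingerprint quoted in the review comment above.
set -eu

CODECOV_BASE="${CODECOV_BASE:-https://uploader.codecov.io/latest/linux}"
CODECOV_KEY_URL="${CODECOV_KEY_URL:-https://keybase.io/codecovsecops/pgp_keys.asc}"
CODECOV_FPR="${CODECOV_FPR:-27034E7FDB850E0BBC2C62FF806BB28AED779869}"
TOKEN_FILE="${TOKEN_FILE:-/var/run/secrets/codecov/token}"

# -f makes curl exit non-zero on an HTTP error instead of saving the error
# page under the binary's name.
fetch() { curl -fsSLo "$2" "$1"; }

# Import the downloaded key into a throwaway keyring and refuse it unless
# its fingerprint matches the pinned value; a swapped key file fails here
# rather than being accepted by gpgv below.
import_pinned_key() {
  local keyfile=$1 keyring=$2 fpr
  gpg --batch --no-default-keyring --keyring "$keyring" --import "$keyfile" >/dev/null 2>&1
  fpr=$(gpg --batch --no-default-keyring --keyring "$keyring" --with-colons --fingerprint \
        | awk -F: '$1 == "fpr" { print $10; exit }')
  [ "$fpr" = "$CODECOV_FPR" ] || { echo "unexpected signing key fingerprint: ${fpr:-none}" >&2; return 1; }
}

# Check the detached signature on the checksum file against that keyring only.
verify_signature() {
  (cd "$1" && gpgv --keyring "$2" codecov.SHA256SUM.sig codecov.SHA256SUM >/dev/null 2>&1)
}

# Check the binary against the now-trusted checksum file; --strict also
# rejects a malformed checksum file instead of silently matching nothing.
verify_checksum() {
  (cd "$1" && sha256sum -c --strict codecov.SHA256SUM >/dev/null 2>&1)
}

# Read the token into CODECOV_TOKEN with xtrace off, so the expanded value
# never appears in a traced log. A missing or empty file is an error: the
# step fails here instead of reaching the uploader without a token.
load_token() {
  { set +x; } 2>/dev/null
  [ -s "$1" ] || { echo "codecov token file missing or empty: $1" >&2; return 1; }
  CODECOV_TOKEN=$(tr -d '[:space:]' < "$1")
  [ -n "$CODECOV_TOKEN" ] || { echo "codecov token file is blank: $1" >&2; return 1; }
  export CODECOV_TOKEN
}

main() {
  local work keyring
  work=$(mktemp -d); keyring="$work/codecov-keyring.gpg"
  fetch "$CODECOV_BASE/codecov"               "$work/codecov"
  fetch "$CODECOV_BASE/codecov.SHA256SUM"     "$work/codecov.SHA256SUM"
  fetch "$CODECOV_BASE/codecov.SHA256SUM.sig" "$work/codecov.SHA256SUM.sig"
  fetch "$CODECOV_KEY_URL"                    "$work/codecov-pgp-keys.asc"
  import_pinned_key "$work/codecov-pgp-keys.asc" "$keyring"
  verify_signature "$work" "$keyring"
  verify_checksum "$work"
  load_token "$TOKEN_FILE"
  chmod +x "$work/codecov"
  # The token is taken from the environment; nothing secret is in argv.
  "$work/codecov" upload-process
}

# The ci-operator step invokes this script with `run`; without the argument
# only the functions are defined, so they can be sourced and exercised offline.
if [ "${1:-}" = "run" ]; then main; fi
```

Because every check sits under `set -e` and returns non-zero on failure, a bad signature, a checksum mismatch, a key with the wrong fingerprint or an empty token file all stop the step before `chmod +x` runs, which is the property the original three-line `commands:` block lacked.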
