Added unit-test codecov upload #1092

Open
AdamSaleh wants to merge 1 commit into redhat-developer:master from AdamSaleh:codecov_upload

Conversation

@AdamSaleh
Member

What type of PR is this?
/kind enhancement

What does this PR do / why we need it:
We should be tracking our code coverage; this should enable it in such a way that it won't cause tests to fail if upload fails.

@openshift-ci openshift-ci Bot added the kind/enhancement New feature or request label Feb 27, 2026
@openshift-ci
openshift-ci Bot commented Feb 27, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign varshab1210 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@AdamSaleh AdamSaleh force-pushed the codecov_upload branch 3 times, most recently from 781e926 to 54f6b6b Compare February 27, 2026 11:56
fi
curl -Os https://cli.codecov.io/latest/linux/codecov
chmod +x codecov
CODECOV_TOKEN="$(cat "${CODECOV_TOKEN_FILE}")" ./codecov upload-process --file cover.out
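Review bot: the `curl -Os` line has no `--fail`, so an HTTP error response is still written to `codecov`, and the next two lines mark that file executable and run it with `CODECOV_TOKEN` in its environment. Add `--fail` (and `-S` so the error is shown) and only reach `chmod +x` when the download succeeded, so the `--file cover.out` upload never runs through whatever the server happened to return.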

Should we also specify the flag "unit-tests" so we can distinguish between test types in the future once we start uploading e2e test coverage too?

e.g.

./codecov upload-process \
  --token "${CODECOV_TOKEN}" \
  --flag unit-tests \
  --file coverage.out

See the Jira ticket for more details.

Member Author

Hm, fair point. Will add.

Comment thread scripts/openshiftci-presubmit-unittests.sh Outdated
@AdamSaleh AdamSaleh force-pushed the codecov_upload branch 4 times, most recently from 685a077 to 7345417 Compare February 27, 2026 14:51
Signed-off-by: Adam Saleh <adam@asaleh.net>
@coderabbitai
coderabbitai Bot commented May 29, 2026

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Enhanced continuous integration pipeline to automatically report unit test code coverage metrics.

Walkthrough

The PR modifies the OpenShift CI presubmit unit test script to upload coverage reports to codecov.io after make test completes. It safely handles missing credential tokens and ensures upload failures do not fail the CI build.

Changes

Codecov integration in unit test CI

| Layer / File(s) | Summary |
| --- | --- |
| Codecov CLI download and upload: scripts/openshiftci-presubmit-unittests.sh | After unit tests complete, script conditionally downloads Codecov CLI and uploads coverage using a mounted token file at /var/run/codecov-token/CODECOV_TOKEN, gracefully handling missing tokens and upload failures without affecting the overall build. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: adding codecov upload functionality for unit tests. |
| Description check | ✅ Passed | The description directly relates to the changeset, explaining the purpose of adding codecov upload to track code coverage without failing tests. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/openshiftci-presubmit-unittests.sh`:
- Around line 39-41: Replace the unpinned fetch of the Codecov CLI (the curl of
https://cli.codecov.io/latest/linux/codecov and subsequent chmod +x and
execution via CODECOV_TOKEN="$(cat "${CODECOV_TOKEN_FILE}")" ./codecov
upload-process) with a pinned-version workflow: define a CODECOV_CLI_VERSION,
download the matching release binary URL (not "latest") and its published
checksum/signature, verify the downloaded binary against the checksum or
signature before marking executable, and fail the job if verification fails;
keep the same upload invocation (./codecov upload-process --flag unit-tests
--file cover.out) after verification. Ensure the script exits non-zero on
checksum/signature mismatch so the untrusted binary is never executed.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 7f9af1b9-747c-450d-967a-db51fa652e80

📥 Commits

Reviewing files that changed from the base of the PR and between aacca24 and 66f634e.

📒 Files selected for processing (1)
  • scripts/openshiftci-presubmit-unittests.sh

Comment on lines +39 to +41
curl -OSs --fail-with-body https://cli.codecov.io/latest/linux/codecov
chmod +x codecov
CODECOV_TOKEN="$(cat "${CODECOV_TOKEN_FILE}")" ./codecov upload-process --flag unit-tests --file cover.out
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the relevant section of the script with line numbers
nl -ba scripts/openshiftci-presubmit-unittests.sh | sed -n '1,120p' | sed -n '25,80p'

# Grab just the lines around the reported snippet for precise context
nl -ba scripts/openshiftci-presubmit-unittests.sh | sed -n '30,60p'

# Search for other references to Codecov CLI pinning / checksums / signatures
rg -n "cli\.codecov\.io|codecov(\.sha256|\.asc)?|sha256sum|gpg|cosign|signature|CODECOV_VERSION" -S .

# Check if Makefile mentions cover.out generation (for completeness)
rg -n "cover\.out|unit-tests" Makefile scripts -S || true

Repository: redhat-developer/gitops-operator

Length of output: 119


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="scripts/openshiftci-presubmit-unittests.sh"

# Show lines 25-60 with line numbers (using awk since nl isn't available)
awk '{printf "%d\t%s\n", NR, $0}' "$FILE" | sed -n '25,60p'

# Wider context (in case the file is small / surrounding lines matter)
awk '{printf "%d\t%s\n", NR, $0}' "$FILE" | sed -n '1,120p'

# Search for Codecov CLI pinning / checksum / signature verification patterns across repo
rg -n "cli\.codecov\.io|codecov(\.sha256|\.asc)?|sha256sum|shasum|gpg|gpgv|cosign|signature|CODECOV_VERSION|CODECOV_SHA256" -S .

# Search for cover.out generation references (to confirm the unit test artifact context)
rg -n "cover\.out|upload-process --flag unit-tests|unit-tests" -S Makefile scripts .github . || true

Repository: redhat-developer/gitops-operator

Length of output: 8468


Pin and verify the Codecov CLI before execution.

curl -OSs ... https://cli.codecov.io/latest/linux/codecov downloads an unpinned “latest” binary and executes it after chmod +x, which is a supply-chain and reproducibility risk even though upload failures are non-blocking.

Suggested hardening
-  curl -OSs --fail-with-body https://cli.codecov.io/latest/linux/codecov
-  chmod +x codecov
-  CODECOV_TOKEN="$(cat "${CODECOV_TOKEN_FILE}")" ./codecov upload-process --flag unit-tests --file cover.out
+  CODECOV_VERSION="<pinned-version>"
+  curl -fsSL --fail-with-body "https://cli.codecov.io/${CODECOV_VERSION}/linux/codecov" -o codecov
+  # Verify checksum/signature from a trusted source before execution
+  # sha256sum -c codecov.sha256
+  chmod +x codecov
+  CODECOV_TOKEN="$(cat "${CODECOV_TOKEN_FILE}")" ./codecov upload-process --flag unit-tests --file cover.out
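Review bot: the verification step in this suggestion is commented out (`# sha256sum -c codecov.sha256`) and nothing here downloads or pins `codecov.sha256`, so as written the binary is still made executable and run unverified with `CODECOV_TOKEN` set. Make the check a live command that aborts before `chmod +x` on mismatch. The new `curl` line also passes both `-f` and `--fail-with-body`, which curl documents as mutually exclusive; keep one of them.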
📝 Committable suggestion

Suggested change
curl -OSs --fail-with-body https://cli.codecov.io/latest/linux/codecov
chmod +x codecov
CODECOV_TOKEN="$(cat "${CODECOV_TOKEN_FILE}")" ./codecov upload-process --flag unit-tests --file cover.out
CODECOV_VERSION="<pinned-version>"
curl -fsSL --fail-with-body "https://cli.codecov.io/${CODECOV_VERSION}/linux/codecov" -o codecov
# Verify checksum/signature from a trusted source before execution
# sha256sum -c codecov.sha256
chmod +x codecov
CODECOV_TOKEN="$(cat "${CODECOV_TOKEN_FILE}")" ./codecov upload-process --flag unit-tests --file cover.out
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/openshiftci-presubmit-unittests.sh` around lines 39 - 41, Replace the
unpinned fetch of the Codecov CLI (the curl of
https://cli.codecov.io/latest/linux/codecov and subsequent chmod +x and
execution via CODECOV_TOKEN="$(cat "${CODECOV_TOKEN_FILE}")" ./codecov
upload-process) with a pinned-version workflow: define a CODECOV_CLI_VERSION,
download the matching release binary URL (not "latest") and its published
checksum/signature, verify the downloaded binary against the checksum or
signature before marking executable, and fail the job if verification fails;
keep the same upload invocation (./codecov upload-process --flag unit-tests
--file cover.out) after verification. Ensure the script exits non-zero on
checksum/signature mismatch so the untrusted binary is never executed.
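
One way to implement the pin-and-verify step requested in the review above, as an added example (not code from this PR or from Codecov): the expected SHA-256 is committed next to the pinned version, and the binary becomes executable only when its digest matches. `CODECOV_CLI_SHA256`, `sha256_of`, `install_verified` and `fetch_pinned_codecov` are hypothetical names, and the versioned URL pattern is the one from the review suggestion, assumed to exist.

```bash
# Added example: fail-closed pin-and-verify gate for a downloaded CI binary.
# Both values are placeholders; commit the real ones alongside the script.
CODECOV_CLI_VERSION="<pinned-version>"
CODECOV_CLI_SHA256="<sha256-of-pinned-binary>"   # hypothetical variable name

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# install_verified FILE EXPECTED_SHA256
# Marks FILE executable only if its digest equals the pinned value.
# Returns 1 on mismatch, 2 on a malformed pin, 3 if FILE is missing;
# on mismatch or a bad pin FILE is deleted so no later step can run it.
install_verified() {
  local file="$1" expected actual
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  # An unfilled placeholder must never count as a match.
  if ! printf '%s' "$expected" | grep -Eq '^[0-9a-f]{64}$'; then
    echo "refusing: pinned digest is not a SHA-256 hex string" >&2
    rm -f -- "$file"; return 2
  fi
  [ -f "$file" ] || { echo "refusing: $file not found" >&2; return 3; }
  actual="$(sha256_of "$file")"
  if [ "$actual" != "$expected" ]; then
    echo "refusing: digest mismatch for $file (got $actual)" >&2
    rm -f -- "$file"; return 1
  fi
  chmod +x -- "$file"
}

# fetch_pinned_codecov: download under a temporary name, verify, and only
# then expose the binary as ./codecov. URL pattern as in the review suggestion.
fetch_pinned_codecov() {
  local tmp
  tmp="$(mktemp ./codecov.XXXXXX)" || return 4
  if curl -sSL --fail-with-body -o "$tmp" \
       "https://cli.codecov.io/${CODECOV_CLI_VERSION}/linux/codecov" \
     && install_verified "$tmp" "$CODECOV_CLI_SHA256"; then
    mv -- "$tmp" ./codecov
  else
    rm -f -- "$tmp"; return 1
  fi
}
```

In the script under review, `fetch_pinned_codecov` would stand in for the `curl`/`chmod` pair, with the `./codecov upload-process` line run only when it returns 0.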

@openshift-ci
openshift-ci Bot commented May 29, 2026

@AdamSaleh: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/v4.14-ci-index-gitops-operator-bundle | 66f634e | link | true | /test v4.14-ci-index-gitops-operator-bundle |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
