Add GitHub coverage reporting workflow

[arussell-nvidia]

Description

Adds a GitHub-native coverage workflow. The workflow runs a lean Ubuntu Debug CTest build, generates native coverage with gcovr, publishes totals to the GitHub Actions step summary, and uploads text, Cobertura XML, and HTML coverage artifacts.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Testing

• SKIP=check-copyright-year pre-commit run --all-files

Checklist

• I have read and understood the contribution guidelines
• I have run the linter and formatter with SKIP=check-copyright-year pre-commit run --all-files
• I have made corresponding changes to the documentation
• I have added tests that prove my fix/feature works (or explained why not): this adds CI coverage reporting; the workflow itself runs CTest and publishes coverage artifacts.
• I have signed off all my commits (git commit -s) per the DCO

Summary by CodeRabbit

• Chores
  • Added an automated coverage check to run on pull requests, pushes to supported branches, and manual triggers.
  • Coverage results are now generated in multiple formats, shown in the GitHub run summary, and saved as downloadable artifacts.
  • Pull request runs will cancel older in-progress coverage jobs to keep checks faster and reduce duplicate builds.

[coderabbitai]

📝 Walkthrough

Walkthrough

A new GitHub Actions Coverage workflow is added at .github/workflows/coverage.yml. It triggers on pushes to main and release/*.*.x branches, on pull requests, and via manual dispatch. A concurrency policy cancels in-progress runs for PRs while letting branch runs finish. The single Ubuntu job checks out the code, installs uv and Apt build dependencies, configures a CMake Debug build with coverage compiler/linker flags and several features disabled, compiles, and runs CTest. gcovr then generates text, Cobertura XML, and HTML reports. A Markdown summary is written to GITHUB_STEP_SUMMARY and all outputs are uploaded as the isaacteleop-coverage artifact with a 14-day retention window using if: always().

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: adding a GitHub Actions workflow for coverage reporting.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/cxr-3577-github-coverage

---

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

.github/workflows/coverage.yml (1)

27-30: 🔒 Security & Privacy | 🔵 Trivial

Disable persisted checkout credentials.
coverage.yml doesn’t use git after checkout, so add persist-credentials: false to avoid leaving the workflow token in local git config.

Suggested fix

     - name: Checkout code
       uses: actions/checkout@v6
       with:
         fetch-depth: 0
+        persist-credentials: false

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/coverage.yml around lines 27 - 30, Add
persist-credentials: false to the actions/checkout step in coverage.yml so the
workflow does not store the token in local git config. Update the existing
Checkout code step only; the change belongs in the checkout configuration
alongside fetch-depth, with no other workflow behavior altered.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/coverage.yml:
- Line 113: The coverage artifact upload is configured to only warn when files
are missing, which can hide broken coverage generation and still pass the
workflow. Update the artifact upload step in the coverage workflow to fail the
job when expected coverage files are absent by changing the existing
if-no-files-found setting on the upload action, keeping the rest of the coverage
job unchanged.
- Line 28: The workflow currently uses mutable GitHub Actions tags for
actions/checkout and actions/upload-artifact, so update both references to
immutable commit SHAs to lock the versions. Locate the uses entries for
actions/checkout and actions/upload-artifact in the coverage workflow and
replace the tag refs with the pinned SHA equivalents while keeping the same
action behavior.

---

Nitpick comments:
In @.github/workflows/coverage.yml:
- Around line 27-30: Add persist-credentials: false to the actions/checkout step
in coverage.yml so the workflow does not store the token in local git config.
Update the existing Checkout code step only; the change belongs in the checkout
configuration alongside fetch-depth, with no other workflow behavior altered.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f7e45d5e-e9a8-4d97-aef2-b2660eb24239

📥 Commits

Reviewing files that changed from the base of the PR and between 3276b5c and 3a39221.

📒 Files selected for processing (1)

• .github/workflows/coverage.yml

[coderabbitai]

🔒 Security & Privacy | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the workflow with line numbers
sed -n '1,220p' .github/workflows/coverage.yml | cat -n

Repository: NVIDIA/IsaacTeleop

Length of output: 4648

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

sed -n '1,220p' .github/workflows/coverage.yml | cat -n

Repository: NVIDIA/IsaacTeleop

Length of output: 4648

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

sed -n '1,220p' .github/workflows/coverage.yml | cat -n

Repository: NVIDIA/IsaacTeleop

Length of output: 4648

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

sed -n '1,220p' .github/workflows/coverage.yml | cat -n

Repository: NVIDIA/IsaacTeleop

Length of output: 4648

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

sed -n '1,220p' .github/workflows/coverage.yml | cat -n

Repository: NVIDIA/IsaacTeleop

Length of output: 4648

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

sed -n '1,220p' .github/workflows/coverage.yml | cat -n

Repository: NVIDIA/IsaacTeleop

Length of output: 4648

---

Pin the GitHub Actions refs to commit SHAs. actions/checkout@v6 and actions/upload-artifact@v6 are mutable tag refs; lock both to immutable SHAs to reduce supply-chain risk. (Lines 28, 105)

🧰 Tools

🪛 zizmor (1.26.1)

[error] 28-28: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/coverage.yml at line 28, The workflow currently uses
mutable GitHub Actions tags for actions/checkout and actions/upload-artifact, so
update both references to immutable commit SHAs to lock the versions. Locate the
uses entries for actions/checkout and actions/upload-artifact in the coverage
workflow and replace the tag refs with the pinned SHA equivalents while keeping
the same action behavior.

Source: Linters/SAST tools

[arussell-nvidia]

Fixed in 2dc9c2e: pinned actions/checkout and actions/upload-artifact to the resolved v6 commit SHAs, and added persist-credentials: false to checkout since this workflow does not push back to the repo.

[coderabbitai]

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Fail the job when expected coverage artifacts are missing.

Line 113 uses warn, which can mask a broken coverage output path and still report a successful run.

Suggested fix

-        if-no-files-found: warn
+        if-no-files-found: error

Based on learnings: “if the expected output files are not produced, fail the run instead of silently succeeding.”

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if-no-files-found: warn
	if-no-files-found: error

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/coverage.yml at line 113, The coverage artifact upload is
configured to only warn when files are missing, which can hide broken coverage
generation and still pass the workflow. Update the artifact upload step in the
coverage workflow to fail the job when expected coverage files are absent by
changing the existing if-no-files-found setting on the upload action, keeping
the rest of the coverage job unchanged.

Source: Learnings

[arussell-nvidia]

Fixed in 2dc9c2e: changed if-no-files-found to error, and renamed the XML artifact to coverage/cobertura.xml so a report generation/path issue fails loudly.

[jiwenc-nv]

@aristarkhovNV can you help take a look? Thanks!

[jiwenc-nv]

just to confirm: is this the same coverage report format that NVIDIA's internal tooling expects?

[arussell-nvidia]

Confirmed: the workflow generates Cobertura XML with gcovr --xml-pretty and now publishes it explicitly as coverage/cobertura.xml, alongside the HTML and text summaries in the isaacteleop-coverage artifact. If NVIDIA internal tooling expects a different filename/path in addition to Cobertura XML, I can add that too.

[qingsi-at-nv]

PR and the generated coverage report looks reasonable to me: https://github.com/NVIDIA/IsaacTeleop/actions/runs/28116596678/job/83257560203?pr=702. Defer to @aristarkhovNV and @jiwenc-nv for any second opinion before merging.

[qingsi-at-nv]

nit: could add a comment that this pins to the 6.0.3 release of actions/checkout.

[qingsi-at-nv]

Please update the PR description as discussed.

[aristarkhovNV]

We already run ctest as part of the existing Ubuntu build. I'd suggest just adding coverage report there instead of adding a whole another Build & test workflow which is 90% identical to the existing one.