Add GitHub coverage reporting workflow#702

Open
arussell-nvidia wants to merge 6 commits into
mainfrom
codex/cxr-3577-github-coverage

Conversation

@arussell-nvidia

@arussell-nvidia arussell-nvidia commented Jun 24, 2026

Contributor

Description

Adds GitHub-native coverage reporting to the existing Build Ubuntu workflow. The Ubuntu Debug / x64 / Python 3.11 CTest matrix entry now builds with coverage flags, runs the existing CTest path, publishes totals to the GitHub Actions step summary, and uploads text, Cobertura XML, and HTML coverage artifacts.

This PR is intentionally scoped to coverage reporting only.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Testing

  • git diff --check
  • GitHub Actions CI for this PR

Checklist

  • I have read and understood the contribution guidelines
  • I have run the linter and formatter with SKIP=check-copyright-year pre-commit run --all-files
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix/feature works (or explained why not): this adds CI coverage reporting; the existing Ubuntu Debug / x64 / Python 3.11 CTest entry runs and publishes coverage artifacts.
  • I have signed off all my commits (git commit -s) per the DCO

Signed-off-by: Andrew Russell <arussell@nvidia.com>
@coderabbitai

coderabbitai Bot commented Jun 24, 2026

Contributor

Review Change Stack

📝 Walkthrough

A new GitHub Actions Coverage workflow is added at .github/workflows/coverage.yml. It triggers on pushes to main and release/*.*.x branches, on pull requests, and via manual dispatch. A concurrency policy cancels in-progress runs for PRs while letting branch runs finish. The single Ubuntu job checks out the code, installs uv and Apt build dependencies, configures a CMake Debug build with coverage compiler/linker flags and several features disabled, compiles, and runs CTest. gcovr then generates text, Cobertura XML, and HTML reports. A Markdown summary is written to GITHUB_STEP_SUMMARY and all outputs are uploaded as the isaacteleop-coverage artifact with a 14-day retention window using if: always().

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title accurately summarizes the main change: adding a GitHub Actions workflow for coverage reporting.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.

@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 2

🧹 Nitpick comments (1)
.github/workflows/coverage.yml (1)

27-30: 🔒 Security & Privacy | 🔵 Trivial

Disable persisted checkout credentials.
coverage.yml doesn’t use git after checkout, so add persist-credentials: false to avoid leaving the workflow token in local git config.

Suggested fix
     - name: Checkout code
       uses: actions/checkout@v6
       with:
         fetch-depth: 0
+        persist-credentials: false
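Review bot: the `uses: actions/checkout@v6` context line in this suggestion is still a mutable tag ref, so applying the fix as written keeps the unpinned reference that the same review flags at line 28. Pin the action to a full commit SHA in the same edit, keep the version as a trailing comment (for example `# v6`), and add `persist-credentials: false` under the existing `with:` block next to `fetch-depth: 0`.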
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/coverage.yml around lines 27 - 30, Add
persist-credentials: false to the actions/checkout step in coverage.yml so the
workflow does not store the token in local git config. Update the existing
Checkout code step only; the change belongs in the checkout configuration
alongside fetch-depth, with no other workflow behavior altered.

Source: Linters/SAST tools


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f7e45d5e-e9a8-4d97-aef2-b2660eb24239

📥 Commits

Reviewing files that changed from the base of the PR and between 3276b5c and 3a39221.

📒 Files selected for processing (1)
  • .github/workflows/coverage.yml

Comment thread .github/workflows/coverage.yml Outdated

steps:
- name: Checkout code
uses: actions/checkout@v6

Contributor

🔒 Security & Privacy | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the workflow with line numbers
sed -n '1,220p' .github/workflows/coverage.yml | cat -n

Repository: NVIDIA/IsaacTeleop

Length of output: 4648



Pin the GitHub Actions refs to commit SHAs. actions/checkout@v6 and actions/upload-artifact@v6 are mutable tag refs; lock both to immutable SHAs to reduce supply-chain risk. (Lines 28, 105)

🧰 Tools
🪛 zizmor (1.26.1)

[error] 28-28: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/coverage.yml at line 28, The workflow currently uses
mutable GitHub Actions tags for actions/checkout and actions/upload-artifact, so
update both references to immutable commit SHAs to lock the versions. Locate the
uses entries for actions/checkout and actions/upload-artifact in the coverage
workflow and replace the tag refs with the pinned SHA equivalents while keeping
the same action behavior.

Source: Linters/SAST tools

Contributor Author

Fixed in 2dc9c2e: pinned actions/checkout and actions/upload-artifact to the resolved v6 commit SHAs, and added persist-credentials: false to checkout since this workflow does not push back to the repo.

Comment thread .github/workflows/coverage.yml Outdated
coverage/totals.txt
coverage/coverage.xml
coverage/html
if-no-files-found: warn

Contributor

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Fail the job when expected coverage artifacts are missing.

Line 113 uses warn, which can mask a broken coverage output path and still report a successful run.

Suggested fix
-        if-no-files-found: warn
+        if-no-files-found: error
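Review bot: `if-no-files-found: error` only fails the step when the configured paths match no files at all, so with several paths in one upload (this thread quotes coverage/totals.txt, coverage/coverage.xml and coverage/html) a run that writes some reports but not others still uploads and passes. If every report is required, add a step before the upload that checks each expected file exists and is non-empty, for example `test -s coverage/coverage.xml`.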

Based on learnings: “if the expected output files are not produced, fail the run instead of silently succeeding.”

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/coverage.yml at line 113, The coverage artifact upload is
configured to only warn when files are missing, which can hide broken coverage
generation and still pass the workflow. Update the artifact upload step in the
coverage workflow to fail the job when expected coverage files are absent by
changing the existing if-no-files-found setting on the upload action, keeping
the rest of the coverage job unchanged.

Source: Learnings

Contributor Author

Fixed in 2dc9c2e: changed if-no-files-found to error, and renamed the XML artifact to coverage/cobertura.xml so a report generation/path issue fails loudly.
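
The three findings raised in this review (tag-pinned actions, persisted checkout credentials, non-fatal missing artifacts) can be checked mechanically before merge. The Python sketch below is an added example, not code from this PR, CodeRabbit or zizmor; the sample workflow, the all-zero SHA and the rule labels other than `unpinned-uses` are constructed for illustration, and it assumes line-based matching is enough (no YAML parser, no nested lists inside a step).

```python
import re

# Constructed sample shaped like the steps quoted in this thread (not the real file).
SAMPLE_WORKFLOW = """\
steps:
  - name: Checkout code
    uses: actions/checkout@v6
    with:
      fetch-depth: 0
  - name: Upload coverage artifact
    uses: actions/upload-artifact@v6
    with:
      name: isaacteleop-coverage
      path: coverage/
      if-no-files-found: warn
"""
HARDENED_WORKFLOW = (  # the all-zero SHA is a placeholder, not a real commit
    SAMPLE_WORKFLOW.replace("@v6", "@" + "0" * 40 + "  # v6")
    .replace("fetch-depth: 0", "fetch-depth: 0\n      persist-credentials: false")
    .replace("if-no-files-found: warn", "if-no-files-found: error")
)

USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")
# action -> (rule label made up for this example, setting its step must contain)
REQUIRED = {
    "actions/checkout": ("persisted-credentials", r"persist-credentials:\s*false"),
    "actions/upload-artifact": ("missing-files-not-fatal", r"if-no-files-found:\s*error"),
}


def split_steps(text):
    """Group numbered lines into steps; each '- ' list item opens a new step."""
    steps = []
    for number, line in enumerate(text.splitlines(), start=1):
        if re.match(r"\s*-\s", line) or not steps:
            steps.append([])
        steps[-1].append((number, line))
    return steps


def audit(text):
    """Return (line, rule, action) findings for the three review points."""
    findings = []
    for step in split_steps(text):
        body = "\n".join(line for _, line in step)
        for number, line in step:
            match = USES_RE.match(line)
            if not match or match.group(1).startswith("./"):
                continue  # not an action reference, or a local action
            action, _, ref = match.group(1).partition("@")
            if not re.fullmatch(r"[0-9a-f]{40}", ref):
                findings.append((number, "unpinned-uses", action))
            rule, setting = REQUIRED.get(action, (None, None))
            if rule and not re.search(setting, body):
                findings.append((number, rule, action))
    return findings
```

Running `audit` over every file in `.github/workflows/` and failing the job on a non-empty result turns these review comments into a gate.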

@jiwenc-nv

Collaborator

@aristarkhovNV can you help take a look? Thanks!

Comment thread .github/workflows/coverage.yml Outdated
with:
name: isaacteleop-coverage
path: |
coverage/summary.txt

Collaborator

just to confirm: is this the same coverage report format that NVIDIA's internal tooling expects?

Contributor Author

Confirmed: the workflow generates Cobertura XML with gcovr --xml-pretty and now publishes it explicitly as coverage/cobertura.xml, alongside the HTML and text summaries in the isaacteleop-coverage artifact. If NVIDIA internal tooling expects a different filename/path in addition to Cobertura XML, I can add that too.

Signed-off-by: Andrew Russell <arussell@nvidia.com>

@qingsi-at-nv qingsi-at-nv left a comment

Contributor

PR and the generated coverage report look reasonable to me: https://github.com/NVIDIA/IsaacTeleop/actions/runs/28116596678/job/83257560203?pr=702. Defer to @aristarkhovNV and @jiwenc-nv for any second opinion before merging.

Comment thread .github/workflows/coverage.yml Outdated

- name: Upload coverage artifact
if: ${{ always() }}
# actions/upload-artifact@v6

Contributor

nit: could add a comment that this pins to the 6.0.3 release of actions/checkout.

@qingsi-at-nv qingsi-at-nv left a comment

Contributor

Please update the PR description as discussed.

@aristarkhovNV

Collaborator

We already run ctest as part of the existing Ubuntu build. I'd suggest just adding the coverage report there instead of adding a whole other Build & test workflow which is 90% identical to the existing one.

@arussell-nvidia

Contributor Author

Addressed the workflow-duplication review feedback in 0a5b443c:

  • removed the standalone Coverage workflow
  • integrated coverage generation into the existing Build Ubuntu workflow's Debug/x64/Python 3.11 CTest matrix entry
  • kept the existing build/test matrix as the source of truth
  • added docs/source/references/ci_healthiness.rst with the coverage artifact description, path toward 85% coverage, and OSS dependency reporting plan

Expected coverage artifact: isaacteleop-coverage-ubuntu-debug with text, Cobertura XML, and HTML reports. CI is running on the updated branch now.

@arussell-nvidia

Contributor Author

Added a follow-up commit for the OSS dependency reporting half of the CI healthiness baseline.

What changed:

  • Added an OSS Dependency Report workflow that publishes a non-blocking isaacteleop-oss-dependency-report artifact.
  • Added a stdlib inventory generator covering Python requirements/pyproject metadata, npm package manifests, CMake FetchContent, the DepthAI vcpkg manifest surface, and vendored license files.
  • Added a non-blocking Trivy vulnerability/license scan artifact alongside the inventory.
  • Updated docs/source/references/ci_healthiness.rst with the artifact names, current limitations, and follow-up path for build-resolved CMake/vcpkg dependencies.

Local validation: the generator ran successfully and produced 148 dependency entries; py_compile and git diff --cached --check passed. CI is restarting on the new commit.

@arussell-nvidia

Contributor Author

Pushed a small follow-up after the first CI poll caught formatting-only failures:

  • fixed the RST bullet indentation that broke Build Docs
  • applied the ruff-format wrapping expected by pre-commit

Local validation after the fix: OSS inventory generation still reports 148 entries, py_compile passes, and git diff --check passes. CI is restarting on 9eb93cb2.

@qingsi-at-nv

Contributor

@arussell-nvidia could you keep this PR scope to adding the coverage test? It lgtm after you merged it with the existing workflow, but the additional code to add OSS scanning should be done separately. Also the coverage improvement proposal does not belong to the repo document.

@arussell-nvidia

Contributor Author

CI is now green on 9eb93cb2 after the formatting follow-up.

Re-review summary:

  • Coverage generation is integrated into the existing Build Ubuntu Debug/x64/Python 3.11 CTest matrix entry instead of a standalone duplicate workflow.
  • The isaacteleop-coverage-ubuntu-debug artifact is produced with text, Cobertura XML, and HTML outputs. The current baseline artifact reports 18.0% line coverage and 11.0% branch coverage.
  • The OSS Dependency Report workflow is passing and produces the dependency inventory plus non-blocking scan output artifacts.
  • Build Docs and pre-commit are passing after the RST/formatting fix.

Ready for another review pass when you have time.

Signed-off-by: Andrew Russell <arussell@nvidia.com>
@arussell-nvidia arussell-nvidia force-pushed the codex/cxr-3577-github-coverage branch from 7aaff4e to ca50d47 Compare July 1, 2026 22:55
@arussell-nvidia

Contributor Author

Addressed in ca50d472:

  • kept this PR scoped to coverage reporting only
  • removed the OSS dependency reporting workflow and inventory generator from this branch
  • trimmed the repo docs to describe only the coverage artifact
  • moved coverage-improvement planning out of the repository documentation

CI is restarting on the updated branch.

@arussell-nvidia

Contributor Author

CI on ca50d47 is now green after the scope cleanup. This PR is coverage-only: coverage generation remains in the existing Build Ubuntu Debug / x64 / Python 3.11 CTest matrix entry and publishes isaacteleop-coverage-ubuntu-debug. The latest coverage artifact from run 28553138603 reports lines 18.0% (1510 / 8405) and branches 11.0% (1250 / 11413). No OSS/dependency reporting changes remain in this PR. Ready for re-review.


4 participants