2026-03-30 11:33:34 +01:00
name : 'Upload Code Coverage'
description : 'Upload a Cobertura XML coverage report to GitHub code coverage API'
inputs :
file :
description : 'Path to the Cobertura XML coverage report'
required : true
language :
description : 'Linguist language name (e.g. "Java", "Go", "Python")'
required : true
label :
description : 'Label for the coverage report (e.g. "code-coverage/jacoco")'
required : true
token :
description : 'GitHub token with security-events:write permission'
required : false
default : ${{ github.token }}
runs :
using : composite
steps :
- name : Upload coverage report
shell : bash
env :
GH_TOKEN : ${{ inputs.token }}
INPUT_FILE : ${{ inputs.file }}
INPUT_LANGUAGE : ${{ inputs.language }}
INPUT_LABEL : ${{ inputs.label }}
run : |
set -euo pipefail
if [ ! -f "$INPUT_FILE" ]; then
echo "::error::Coverage file not found: $INPUT_FILE"
exit 1
fi
# Resolve the commit SHA and ref. On pull_request events, github.sha
# and github.ref point to the merge commit — use the PR head instead.
if [ "${{ github.event_name }}" = "pull_request" ] || [ "${{ github.event_name }}" = "pull_request_target" ]; then
COMMIT_OID="${{ github.event.pull_request.head.sha }}"
REF="refs/heads/${{ github.event.pull_request.head.ref }}"
PR_NUMBER="${{ github.event.pull_request.number }}"
else
COMMIT_OID="${{ github.sha }}"
REF="${{ github.ref }}"
# For push events, check if this branch has an open PR.
PR_NUMBER=$(gh pr list \
--repo "${{ github.repository }}" \
--head "${{ github.ref_name }}" \
--state open \
--json number \
--jq '.[0].number // empty' 2>/dev/null || true)
fi
# Gzip and base64-encode the report. We write to files and use jq
# --rawfile to avoid hitting the OS argument length limit on large
# coverage reports.
gzip -c "$INPUT_FILE" | base64 -w 0 > __coverage_b64.txt
jq -n \
--arg commit_oid "$COMMIT_OID" \
--arg ref "$REF" \
--rawfile coverage_report __coverage_b64.txt \
--arg language_name "$INPUT_LANGUAGE" \
--arg label "$INPUT_LABEL" \
'{commit_oid: $commit_oid, ref: $ref, coverage_report: $coverage_report, language_name: $language_name, label: $label}' \
> __body.json
if [ -n "${PR_NUMBER:-}" ]; then
jq --argjson pr_number "$PR_NUMBER" \
'. + {pull_request_number: $pr_number}' __body.json > __body_tmp.json \
&& mv __body_tmp.json __body.json
fi
2026-03-30 11:36:35 +01:00
UPLOAD_OUTPUT=$(gh api --method PUT "/repos/${{ github.repository }}/code-coverage/report" \
--input __body.json 2>&1) || {
if echo "$UPLOAD_OUTPUT" | grep -qi "not authorized"; then
echo "::error::Coverage upload returned 403 Forbidden. Ensure the calling job has 'security-events: write' permission. See https://github.com/code-quality-org/upload-code-coverage-action#permissions"
else
echo "::error::Coverage upload failed: $UPLOAD_OUTPUT"
fi
rm -f __coverage_b64.txt __body.json
exit 1
}
2026-03-30 11:33:34 +01:00
rm -f __coverage_b64.txt __body.json