The action handles everything else automatically: gzip/base64 encoding, resolving the correct commit SHA and ref, detecting the PR number (from both `pull_request` and `push` events), and calling the upload API.
## Inputs
| Input | Required | Description |
|-------|----------|-------------|
| `file` | Yes | Path to the Cobertura XML coverage report |
| `language` | Yes | Linguist language name (e.g. `Java`, `Go`, `Python`) |
| `label` | Yes | Label for the report (e.g. `code-coverage/jacoco`) |
| `token` | No | GitHub token (defaults to `github.token`) |
## Permissions
The calling workflow or job must grant `security-events: write`. The action cannot declare this itself.
```yaml
permissions:
  contents: read
  # Required for coverage upload. Will be reduced to code-quality:write
  # once that permission scope is available (github/code-scanning#22168).
  security-events: write
```
For push-only workflows where the action looks up PR numbers via `gh pr list`, also add `pull-requests: read`.
## Event handling
The action auto-detects the event type and resolves the correct values:
- **`pull_request` / `pull_request_target`**: Uses the PR head SHA and ref (not the merge commit), and includes the PR number.
- **`push`**: Uses `github.sha` and `github.ref`, and looks up whether the branch has an open PR via `gh pr list`.

This means it works with both patterns — workflows triggered by `pull_request` and push-only workflows that serve PRs via branch pushes.

- **Fork PRs are not supported.** Pull requests from forks don't have write access to the base repository, so the action cannot upload coverage. When a fork PR is detected, the action exits gracefully with a notice — it won't fail your CI.
- **Merge queue runs are skipped.** Coverage should be uploaded for PRs and the default branch, making merge queue uploads unnecessary. The action logs a warning and exits successfully.
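
The event handling and skip rules above, sketched in Python as an added example (not the action's own code). The fork test (head repository differs from base), the `refs/heads/` ref format for PRs, and the `find_open_pr` hook standing in for `gh pr list` are assumptions; the payloads are constructed.

```python
import base64
import gzip

def encode_report(xml_bytes):
    """gzip, then base64: the encoding the README says the action applies."""
    return base64.b64encode(gzip.compress(xml_bytes)).decode("ascii")

def resolve_target(event_name, payload, sha, ref, find_open_pr=lambda branch: None):
    """Return (target, skip_reason); exactly one of the two is None.

    sha/ref stand for github.sha / github.ref. find_open_pr is a hypothetical
    hook standing in for the `gh pr list` lookup on push events.
    """
    if event_name == "merge_group":
        return None, "merge queue run: upload skipped"
    if event_name in ("pull_request", "pull_request_target"):
        pr = payload["pull_request"]
        # head.repo is null when the source repository was deleted.
        head_repo = (pr["head"].get("repo") or {}).get("full_name")
        # Assumed fork test: head repository differs from base repository.
        if head_repo != pr["base"]["repo"]["full_name"]:
            return None, "fork PR: no write access, upload skipped"
        # Head commit and branch, not the synthetic merge commit in github.sha.
        return {"commit_sha": pr["head"]["sha"],
                "ref": "refs/heads/" + pr["head"]["ref"],  # assumed ref format
                "pr_number": pr["number"]}, None
    if event_name == "push":
        branch = ref[len("refs/heads/"):] if ref.startswith("refs/heads/") else None
        pr_number = find_open_pr(branch) if branch else None
        return {"commit_sha": sha, "ref": ref, "pr_number": pr_number}, None
    return None, "unsupported event: " + event_name

# Constructed sample payloads, trimmed to the fields used above.
SAME_REPO_PR = {"pull_request": {"number": 7,
    "head": {"sha": "a" * 40, "ref": "feature", "repo": {"full_name": "octo/app"}},
    "base": {"repo": {"full_name": "octo/app"}}}}
FORK_PR = {"pull_request": {"number": 8,
    "head": {"sha": "b" * 40, "ref": "patch-1", "repo": {"full_name": "someone/app"}},
    "base": {"repo": {"full_name": "octo/app"}}}}

if __name__ == "__main__":
    merge_sha = "c" * 40  # constructed: what github.sha would hold on a PR run
    print(resolve_target("pull_request", SAME_REPO_PR, merge_sha, "refs/pull/7/merge"))
    print(resolve_target("pull_request_target", FORK_PR, merge_sha, "refs/heads/main"))
    print(resolve_target("push", {}, "d" * 40, "refs/heads/feature", lambda b: 7))
    print(resolve_target("merge_group", {}, "e" * 40, "refs/heads/queue-entry"))
```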