
Fix workflow-dispatch action triggering of code-coverage #673

Merged: knoepfel merged 1 commit into Framework-R-D:main from knoepfel:fix-workflow-dispatch on Jun 26, 2026

@knoepfel (Member) commented Jun 26, 2026

I've been having trouble running the code-coverage via workflow_dispatch on main (see https://github.com/Framework-R-D/phlex/actions/runs/28241141170/job/83669733668).

Diagnosis by Claude Sonnet 4.6

coverage-upload was missing setup in its needs list and was missing ref: and repository: in its checkout step. Without those, on a workflow_dispatch run where main advances between the coverage job starting and the coverage-upload job starting (which happened in PR #668), the upload job checks out a different commit than the one coverage was actually measured on. Codecov then tries to upload for that wrong commit SHA, which it has no record of, producing a 404.

  • CI / coverage workflow
    • Updated .github/workflows/coverage.yaml so coverage-upload now waits on both setup and coverage.
    • Made the Codecov checkout step explicit by passing the ref and repository values from needs.setup.outputs, ensuring the upload job checks out the same commit/repo used to generate coverage.
    • This prevents mismatched checkouts on main and avoids Codecov 404s for unknown commit SHAs when main advances between jobs.

coverage-upload was missing setup in its needs list and was missing ref: and repository:
in its checkout step. Without those, on a workflow_dispatch run where main advances
between the coverage job starting and the coverage-upload job starting (which happened in
PR Framework-R-D#668), the upload job checks out a different commit than the one coverage was actually
measured on. Codecov then tries to upload for that wrong commit SHA, which it has no
record of, producing the 404.
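
The change described in this PR, sketched as a before/after workflow. This is an added example, not the project's coverage.yaml: the setup step, job bodies, artifact name and run-coverage.sh are hypothetical, and the output names ref and repo follow the needs.setup.outputs pattern quoted elsewhere on this page.

```yaml
# Added sketch; job bodies are hypothetical, not the project's coverage.yaml.
name: coverage-sketch
on: workflow_dispatch

jobs:
  setup:
    runs-on: ubuntu-latest
    outputs:
      ref: ${{ steps.pin.outputs.ref }}
      repo: ${{ steps.pin.outputs.repo }}
    steps:
      - id: pin  # resolve the commit once; later jobs reuse this value
        run: |
          echo "ref=${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
          echo "repo=${GITHUB_REPOSITORY}" >> "$GITHUB_OUTPUT"

  coverage:
    needs: setup
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ needs.setup.outputs.ref }}
          repository: ${{ needs.setup.outputs.repo }}
      - run: ./run-coverage.sh  # hypothetical; writes coverage.xml
      - uses: actions/upload-artifact@v4
        with: { name: coverage-report, path: coverage.xml }

  # Before: setup is not a direct dependency, so needs.setup.outputs.* would
  # be empty here, and the checkout is not tied to the measured commit.
  coverage-upload-before:
    needs: coverage
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with: { name: coverage-report }
      - uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f
        with: { files: coverage.xml }

  # After: wait on setup as well, and check out exactly what was measured.
  coverage-upload:
    needs: [setup, coverage]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ needs.setup.outputs.ref }}
          repository: ${{ needs.setup.outputs.repo }}
      - uses: actions/download-artifact@v4
        with: { name: coverage-report }
      - uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f
        with: { files: coverage.xml }
```

The needs context only exposes outputs of jobs listed directly in a job's needs, which is why adding setup to needs and passing ref and repository to the checkout go together.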

coderabbitai Bot (Contributor) commented Jun 26, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: e471ac2b-7210-4543-a13e-d663b6345112

📥 Commits

Reviewing files that changed from the base of the PR and between 41c3534 and 2bf1485.

📒 Files selected for processing (1)
  • .github/workflows/coverage.yaml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • Framework-R-D/action-configure-cmake (auto-detected)
  • Framework-R-D/action-post-clang-tidy-results (auto-detected)
  • Framework-R-D/action-run-change-detection (auto-detected)
  • Framework-R-D/action-workflow-setup (auto-detected)
  • Framework-R-D/action-complete-pr-comment (auto-detected)
  • Framework-R-D/action-handle-fix-commit (auto-detected)
📜 Recent review details
⏰ Context from checks skipped due to timeout. (1)
  • GitHub Check: Analyze actions with CodeQL
⚠️ CI failures not shown inline (6)

GitHub Actions: knoepfel checking YAML files / yaml-check: knoepfel checking YAML files

Conclusion: failure

##[group]Run REPO_NAME="${REPO##*/}"
 REPO_NAME="${REPO##*/}"
 if [ "success" = "success" ]; then
   echo "✅ YAML check passed."
 else
   echo "::error::YAML check failed."

GitHub Actions: knoepfel checking YAML files / 0_yaml-check.txt: knoepfel checking YAML files

Conclusion: failure

##[group]Run REPO_NAME="${REPO##*/}"
 REPO_NAME="${REPO##*/}"
 if [ "success" = "success" ]; then
   echo "✅ YAML check passed."
 else
   echo "::error::YAML check failed."

GitHub Actions: knoepfel checking Python code / 0_scripts-test.txt: knoepfel checking Python code

Conclusion: failure


GitHub Actions: knoepfel checking Python code / python-check: knoepfel checking Python code

Conclusion: failure

##[group]Run REPO_NAME="${REPO##*/}"
 REPO_NAME="${REPO##*/}"
 if [ "success" = 'success' ] && [ "success" = 'success' ]; then
   echo "✅ Python checks passed."
 else
   echo "::error::Python checks failed. Comment '@${REPO_NAME}bot python-fix' on the PR to attempt auto-fix."

GitHub Actions: knoepfel checking Python code / 1_python-check.txt: knoepfel checking Python code

Conclusion: failure

##[group]Run REPO_NAME="${REPO##*/}"
 REPO_NAME="${REPO##*/}"
 if [ "success" = 'success' ] && [ "success" = 'success' ]; then
   echo "✅ Python checks passed."
 else
   echo "::error::Python checks failed. Comment '@${REPO_NAME}bot python-fix' on the PR to attempt auto-fix."

GitHub Actions: knoepfel checking Python code / scripts-test: knoepfel checking Python code

Conclusion: failure


##[group]Run codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f
 with:
   files: coverage-scripts.xml
   flags: scripts
   name: phlex-scripts-coverage
   fail_ci_if_error: false
   verbose: true
   root_dir: phlex-src
   disable_file_fixes: false
   disable_search: false
   disable_safe_directory: false
   disable_telem: false
   dry_run: false
   git_service: github
   gcov_executable: gcov
   handle_no_reports_found: false
   recurse_submodules: false
   run_command: upload-coverage
   skip_validation: false
   use_legacy_upload_endpoint: false
   use_oidc: false
   use_pypi: false
   version: latest
 env:
   CODECOV_***REDACTED*** /home/runner/work/_temp/uv-python-dir
   UV_CACHE_DIR: /home/runner/work/_temp/setup-uv-cache
 ##[endgroup]
🧰 Additional context used
🔀 Multi-repo context Framework-R-D/action-workflow-setup, Framework-R-D/action-configure-cmake, Framework-R-D/action-post-clang-tidy-results, Framework-R-D/action-run-change-detection, Framework-R-D/action-complete-pr-comment, Framework-R-D/action-handle-fix-commit

Linked repositories findings

Framework-R-D/action-workflow-setup

  • .github/workflows/ci.yaml:58-60, 81-83, 104-106, 125-127 — this workflow already uses explicit ref: ${{ needs.setup.outputs.ref }} and repository: ${{ needs.setup.outputs.repo }} on multiple checkout steps. That matches the PR’s fix pattern and suggests the coverage workflow should follow the same setup-derived checkout contract to avoid checking out a drifting commit. [::Framework-R-D/action-workflow-setup::]
  • action.yaml:70, 81, 131-137 — the action itself exposes/propagates ref, base-ref, head-ref, and repo-style outputs that downstream workflows consume. This reinforces that checkout jobs in this repo are expected to pin to setup-derived refs rather than relying on defaults. [::Framework-R-D/action-workflow-setup::]

Framework-R-D/action-configure-cmake

  • No matches for coverage-upload, codecov, or setup-derived checkout inputs in searched workflow/docs files. No direct cross-repo consumer found. [::Framework-R-D/action-configure-cmake::]

Framework-R-D/action-post-clang-tidy-results

  • No matches for coverage-upload, codecov, or setup-derived checkout inputs in searched workflow/docs files. No direct cross-repo consumer found. [::Framework-R-D/action-post-clang-tidy-results::]

Framework-R-D/action-run-change-detection

  • No matches for coverage-upload, codecov, or setup-derived checkout inputs in searched workflow/docs files. No direct cross-repo consumer found. [::Framework-R-D/action-run-change-detection::]

Framework-R-D/action-complete-pr-comment

  • No matches for coverage-upload, codecov, or setup-derived checkout inputs in searched workflow/docs files. No direct cross-repo consumer found. [::Framework-R-D/action-complete-pr-comment::]

Framework-R-D/action-handle-fix-commit

  • No matches for coverage-upload, codecov, or setup-derived checkout inputs in searched workflow/docs files. No direct cross-repo consumer found. [::Framework-R-D/action-handle-fix-commit::]
🔇 Additional comments (1)
.github/workflows/coverage.yaml (1)

377-390: LGTM!


📝 Walkthrough

The coverage upload workflow now depends on both setup and coverage, and the Codecov mapping checkout explicitly uses the ref and repository values from setup outputs.

Changes

Coverage upload workflow

| Layer / File(s) | Summary |
|---|---|
| Job ordering (.github/workflows/coverage.yaml) | coverage-upload now requires both setup and coverage before running. |
| Codecov checkout (.github/workflows/coverage.yaml) | The Codecov mapping checkout step now uses needs.setup.outputs.ref and needs.setup.outputs.repository. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5–15 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title matches the core change: fixing the code-coverage workflow_dispatch behavior in the coverage workflow. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@greenc-FNAL (Contributor)

19 fixed, 0 new since branch point (41c3534)

✅ 19 CodeQL alerts resolved since the branch point

  • Warning # 196 actions/untrusted-checkout-toctou/critical at .github/workflows/clang-tidy-fix.yaml:109:9 — Insufficient protection against execution of untrusted code on a privileged workflow (issue_comment).
  • Warning # 227 actions/untrusted-checkout-toctou/high at .github/workflows/clang-format-fix.yaml:94:9 — Insufficient protection against execution of untrusted code on a privileged workflow (issue_comment).
  • Warning # 228 actions/untrusted-checkout-toctou/high at .github/workflows/python-fix.yaml:94:9 — Insufficient protection against execution of untrusted code on a privileged workflow (issue_comment).
  • Warning # 229 actions/untrusted-checkout/high at .github/workflows/clang-format-fix.yaml:94:9 — Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: issue_comment).
  • Warning # 230 actions/untrusted-checkout/high at .github/workflows/python-fix.yaml:94:9 — Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: issue_comment).
  • Warning # 231 actions/untrusted-checkout-toctou/high at .github/workflows/cmake-format-fix.yaml:94:9 — Insufficient protection against execution of untrusted code on a privileged workflow (issue_comment).
  • Warning # 232 actions/untrusted-checkout-toctou/high at .github/workflows/jsonnet-format-fix.yaml:95:9 — Insufficient protection against execution of untrusted code on a privileged workflow (issue_comment).
  • Warning # 233 actions/untrusted-checkout/high at .github/workflows/cmake-format-fix.yaml:94:9 — Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: issue_comment).
  • Warning # 234 actions/untrusted-checkout/high at .github/workflows/jsonnet-format-fix.yaml:95:9 — Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: issue_comment).
  • Warning # 235 actions/untrusted-checkout/medium at .github/workflows/clang-format-check.yaml:82:9 — Potential unsafe checkout of untrusted pull request on privileged workflow.
  • Warning # 236 actions/untrusted-checkout/medium at .github/workflows/actionlint-check.yaml:86:9 — Potential unsafe checkout of untrusted pull request on privileged workflow.
  • Warning # 237 actions/untrusted-checkout/medium at .github/workflows/clang-tidy-check.yaml:59:9 — Potential unsafe checkout of untrusted pull request on privileged workflow.
  • Warning # 238 actions/untrusted-checkout/medium at .github/workflows/cmake-format-check.yaml:79:9 — Potential unsafe checkout of untrusted pull request on privileged workflow.
  • Warning # 239 actions/untrusted-checkout/medium at .github/workflows/cmake-build.yaml:159:9 — Potential unsafe checkout of untrusted pull request on privileged workflow.
  • Warning # 240 actions/untrusted-checkout/medium at .github/workflows/header-guards-check.yaml:82:9 — Potential unsafe checkout of untrusted pull request on privileged workflow.
  • Warning # 241 actions/untrusted-checkout/medium at .github/workflows/jsonnet-format-check.yaml:79:9 — Potential unsafe checkout of untrusted pull request on privileged workflow.
  • Warning # 242 actions/untrusted-checkout/medium at .github/workflows/markdown-check.yaml:82:9 — Potential unsafe checkout of untrusted pull request on privileged workflow.
  • Warning # 243 actions/untrusted-checkout/medium at .github/workflows/python-check.yaml:84:9 — Potential unsafe checkout of untrusted pull request on privileged workflow.
  • Warning # 244 actions/untrusted-checkout/medium at .github/workflows/yaml-check.yaml:76:9 — Potential unsafe checkout of untrusted pull request on privileged workflow.

Review the full CodeQL report for details.

@knoepfel knoepfel merged commit 7409297 into Framework-R-D:main Jun 26, 2026
37 checks passed
@knoepfel knoepfel deleted the fix-workflow-dispatch branch June 26, 2026 14:08