From 8a57a63456177070ce8a109fe9c2e954deea512f Mon Sep 17 00:00:00 2001
From: Kevin Browne <kevin.browne@sage.com>
Date: Mon, 4 Mar 2024 16:21:08 +0000
Subject: [PATCH] Upload code coverage report to Code Climate in separate
 workflow

One of the jobs in the CI workflow uploads a code coverage report to
Code Climate. To so this, it needs a secret. However, CI runs
triggered by PRs from forks and Dependabot have no access to the
repository secrets, so the upload fails.

Our branch protection rules restrict changes to master to PRs that
pass CI checks, among them some Code Climate checks that depend on the
coverage report. This means that PRs from forks and from Dependabot
can never pass CI.

To work around this, add a separate workflow to upload the report,
triggered by the workflow_run event, on the successful completion of
the CI workflow. This new workflow will have access to the secrets,
even if the triggering workflow did not. It will only fetch and upload
the report.

The new workflow depends on the CI workflow having saved the coverage
report as an artefact. That change will need to be done in a separate
PR. The new workflow will run only if it's already on master, so it
needs to land before the CI workflow changes to upload the
artefact. It is expected to fail if the report artefact is not
present, but this should not fail the CI build.
---
 .github/workflows/upload_coverage.yml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 .github/workflows/upload_coverage.yml

diff --git a/.github/workflows/upload_coverage.yml b/.github/workflows/upload_coverage.yml
new file mode 100644
index 0000000..ca6d661
--- /dev/null
+++ b/.github/workflows/upload_coverage.yml
@@ -0,0 +1,27 @@
+name: Upload coverage results to Code Climate
+
+on:
+  workflow_run:
+    workflows: [CI]
+    types: [completed]
+
+jobs:
+  upload:
+    runs-on: ubuntu-latest
+
+    if: github.event.workflow_run.conclusion == 'success'
+
+    steps:
+      - name: Fetch coverage report
+        uses: actions/download-artifact@v4
+        with:
+          name: coverage-json
+          path: ${{github.workspace}}/coverage.json
+
+      - name: Upload coverage report to Code Climate
+        uses: paambaati/codeclimate-action@v5
+        with:
+          coverageLocations: |
+            ${{github.workspace}}/coverage.json:simplecov
+          env:
+            CC_TEST_REPORTER_ID: ${{secrets.CC_TEST_REPORTER_ID}}