separate the coverage and the comment posting for security access

Author: maxnorm

.github/scripts/coverage-comment.js

@@ -138,5 +138,34 @@ async function postCoverageComment(github, context) {
   console.log('Coverage comment posted successfully!');
 }
 
-module.exports = { postCoverageComment };
+/**
+ * Generate coverage report and save to file (for workflow artifacts)
+ */
+function generateCoverageFile() {
+  const file = 'lcov.info';
+
+  if (!fs.existsSync(file)) {
+    console.log('Coverage file not found.');
+    return;
+  }
+
+  const content = fs.readFileSync(file, 'utf8');
+  const metrics = parseLcovContent(content);
+
+  console.log('Coverage Metrics:');
+  console.log('- Lines:', metrics.coveredLines, '/', metrics.totalLines);
+  console.log('- Functions:', metrics.coveredFunctions, '/', metrics.totalFunctions);
+  console.log('- Branches:', metrics.coveredBranches, '/', metrics.totalBranches);
+
+  const body = generateCoverageReport(metrics);
+  fs.writeFileSync('coverage-report.md', body);
+  console.log('Coverage report saved to coverage-report.md');
+}
+
+// If run directly (not as module), generate the file
+if (require.main === module) {
+  generateCoverageFile();
+}
+
+module.exports = { postCoverageComment, generateCoverageFile };
 

.github/workflows/coverage-comment.yml

@@ -0,0 +1,73 @@
+name: Post Coverage Comment
+
+on:
+  workflow_run:
+    workflows: ["CI"]
+    types:
+      - completed
+
+permissions:
+  pull-requests: write
+  issues: write
+
+jobs:
+  comment:
+    name: Post Coverage Comment
+    runs-on: ubuntu-latest
+    if: >
+      github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success'
+    steps:
+      - name: Download coverage data
+        uses: actions/download-artifact@v4
+        with:
+          name: coverage-data
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          run-id: ${{ github.event.workflow_run.id }}
+
+      - name: Extract PR number
+        id: pr
+        run: |
+          PR_NUMBER=$(cat coverage-data.txt | grep PR_NUMBER | cut -d'=' -f2)
+          echo "number=$PR_NUMBER" >> $GITHUB_OUTPUT
+
+      - name: Post coverage comment
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const fs = require('fs');
+            const prNumber = ${{ steps.pr.outputs.number }};
+            const body = fs.readFileSync('coverage-report.md', 'utf8');
+
+            // Check if a coverage comment already exists
+            const comments = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: prNumber
+            });
+
+            const botComment = comments.data.find(comment => 
+              comment.user.type === 'Bot' && 
+              comment.body.includes('## Coverage Report')
+            );
+
+            if (botComment) {
+              // Update existing comment
+              await github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: botComment.id,
+                body: body
+              });
+              console.log('Coverage comment updated successfully!');
+            } else {
+              // Create new comment
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: prNumber,
+                body: body
+              });
+              console.log('Coverage comment posted successfully!');
+            }

.github/workflows/coverage.yml

@@ -28,11 +28,18 @@ jobs:
           forge coverage --report summary --report lcov
           ls -la lcov.info || echo "lcov.info not found"
 
-      - name: Comment on PR
+      - name: Generate coverage report
         if: github.event_name == 'pull_request'
-        uses: actions/github-script@v7
+        run: |
+          node .github/scripts/coverage-comment.js
+          echo "PR_NUMBER=${{ github.event.pull_request.number }}" >> coverage-data.txt
+
+      - name: Upload coverage data
+        if: github.event_name == 'pull_request'
+        uses: actions/upload-artifact@v4
         with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            const { postCoverageComment } = require('./.github/scripts/coverage-comment.js');
-            await postCoverageComment(github, context);
+          name: coverage-data
+          path: |
+            coverage-report.md
+            coverage-data.txt
+          retention-days: 1