chore: split codecov to collect and upload workflows (aws#34451)

QuantumNeuralCoder · web-flow · commit 039a3aa0be96 · 2025-05-13T23:05:23.000Z
### Issue # (if applicable) same as aws#34247 aws#34211 Closes #<issue number here>. ### Reason for this change ### Description of changes ### Describe any new or updated permissions being added Codecov is split into `collect` with lesser permissions and `upload` with escalated permissions. ### Description of how you validated changes ### Checklist - [ x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/.github/workflows/codecov-collect.yml b/.github/workflows/codecov-collect.yml
@@ -0,0 +1,35 @@
+name: Codecov Collect
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  collect:
+    name: Collect Coverage
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Node
+        uses: actions/setup-node@v4
+
+      - name: Install dependencies
+        run: yarn install
+
+      - name: Build Library
+        run: npx lerna run build --scope=aws-cdk-lib
+
+      - name: Run Core tests
+        run: cd packages/aws-cdk-lib && yarn test core
+
+      - name: Upload Coverage and PR Info
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-artifacts
+          path: |
+            packages/aws-cdk-lib/coverage/cobertura-coverage.xml
diff --git a/.github/workflows/codecov-upload.yml b/.github/workflows/codecov-upload.yml
@@ -0,0 +1,34 @@
+name: Codecov Upload
+
+on:
+  workflow_run:
+    workflows: ["Codecov Collect"]
+    types:
+      - completed
+
+permissions:
+  contents: write
+  id-token: write
+
+jobs:
+  upload:
+    name: Upload to Codecov
+    runs-on: ubuntu-latest
+    if: >
+      github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success'
+
+    steps:
+      - name: Download Artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: coverage-artifacts
+          path: ./coverage
+
+      - name: Upload to Codecov
+        uses: codecov/codecov-action@v5
+        with:
+          files: ./coverage/packages/aws-cdk-lib/coverage/cobertura-coverage.xml
+          fail_ci_if_error: true
+          flags: suite.unit
+          use_oidc: true
