Fix coverage badge permission errors on pull requests #272

Closed
Copilot wants to merge 2 commits into main from copilot/fix-coverage-badge-permissions

Copilot AI commented Jan 17, 2026

The coverage workflow attempts to commit the badge file on pull requests to main, which fails with permission errors since PRs run with read-only tokens.

Changes

Added github.event_name == 'push' check to three conditional steps in .github/workflows/coverage.yml:

  • Extract coverage percentage (line 50)
  • Create coverage badge (line 57)
  • Commit coverage badge (line 77)

Badge generation and commit now only execute on direct pushes to main, not on pull requests or manual workflow dispatches.

# Before
if: github.ref == 'refs/heads/main'

# After
if: github.ref == 'refs/heads/main' && github.event_name == 'push'

Tests and coverage reports continue to run on pull requests; only the badge commit step is gated.

Original prompt

This section details the original issue you should resolve

<issue_title>[BUG] Fix test coverage badge permission issues</issue_title>
<issue_description>
Context:
I am working on a GitHub repository with a protected main branch. I want my GitHub Actions workflow to generate and update a dynamic coverage badge (.github/badges/coverage.json) only when code is pushed to the main branch (not on pull requests). The badge should display the coverage percentage and use color coding (brightgreen ≥80%, yellow ≥60%, orange <60%).

Requirements:

  • The workflow should run tests with coverage using pytest-cov.
  • Extract the total coverage percentage from the coverage report.
  • Generate a shields.io-compatible JSON badge file with the percentage and color.
  • Commit and push the badge JSON to .github/badges/coverage.json only on pushes to main.
  • Use conditional steps so badge generation and commit/push only happen on main branch pushes.
  • The workflow should be robust and avoid infinite loops (e.g., use [skip ci] in commit messages).
  • Use best practices for GitHub Actions and security.

Instructions:
Write a complete .github/workflows/coverage.yml workflow file implementing the above requirements.

  • Use conditional execution for badge generation and commit/push steps.
  • Include all necessary steps: checkout, setup Python, install dependencies, run tests, extract coverage, generate badge, commit/push badge.
  • Add comments explaining each step.
  • Use the latest recommended versions of actions.

Example Output (What the LLM Should Produce)

name: Coverage

on:
  push:
    branches: [ main ]
  workflow_dispatch:

jobs:
  coverage:
    runs-on: ubuntu-latest
    steps:
      # Checkout code
      - name: Checkout
        uses: actions/checkout@v5

      # Set up Python
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'

      # Install dependencies
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install .[dev]

      # Run tests with coverage
      - name: Run tests with coverage
        run: |
          python -m pytest --cov=balance --cov-report=term-missing

      # Extract coverage percentage (only on main branch push)
      - name: Extract coverage percentage
        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        run: |
          COVERAGE=$(coverage report --precision=2 | grep TOTAL | awk '{print $NF}' | sed 's/%//')
          echo "COVERAGE=$COVERAGE" >> $GITHUB_ENV

      # Generate coverage badge (only on main branch push)
      - name: Create coverage badge
        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        run: |
          mkdir -p .github/badges
          python -c "
          import os
          coverage = float(os.environ['COVERAGE'])
          color = 'brightgreen' if coverage >= 80 else 'yellow' if coverage >= 60 else 'orange'
          badge = {
              'schemaVersion': 1,
              'label': 'coverage',
              'message': f'{coverage}%',
              'color': color
          }
          import json
          with open('.github/badges/coverage.json', 'w') as f:
              json.dump(badge, f)
          "

      # Commit and push badge (only on main branch push)
      - name: Commit coverage badge
        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        run: |
          git config --local user.email "github-actions[bot]@users.noreply.github.com"
          git config --local user.name "github-actions[bot]"
          git add .github/badges/coverage.json
          git diff --staged --quiet || git commit -m "Update coverage badge [skip ci]"
          git push

</issue_description>

Comments on the Issue (you are @copilot in this section)


Co-authored-by: talgalili <976006+talgalili@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix test coverage badge permission issues" to "Fix coverage badge permission errors on pull requests" Jan 17, 2026
Copilot AI requested a review from talgalili January 17, 2026 13:24
talgalili marked this pull request as ready for review January 17, 2026 14:46
Copilot AI review requested due to automatic review settings January 17, 2026 14:46

meta-codesync bot commented Jan 17, 2026

@talgalili has imported this pull request. If you are a Meta employee, you can view this in D90920671.

Copilot AI left a comment

Pull request overview

This PR fixes permission errors in the coverage workflow that occurred when pull requests attempted to commit the coverage badge file. The workflow is modified to restrict badge generation and commit operations to direct pushes to the main branch only.

Changes:

  • Added github.event_name == 'push' condition to three badge-related steps in the coverage workflow
  • Coverage tests continue to run on pull requests; only badge commits are gated
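
A minimal check for the gating described in this PR, as an added example (not code from the PR or the repository): it scans workflow text for steps that run `git commit` or `git push` and reports those whose `if:` lacks `github.event_name == 'push'`. The sample workflow and the function names are constructed for illustration, and the step splitter is a line-based heuristic rather than a YAML parser.

```python
import re

# Constructed sample in the shape of the workflow quoted on this page:
# the last step is gated on the branch only, the middle one on branch and event.
SAMPLE_WORKFLOW = """\
jobs:
  coverage:
    steps:
      - name: Run tests with coverage
        run: python -m pytest --cov=balance
      - name: Create coverage badge
        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        run: mkdir -p .github/badges
      - name: Commit coverage badge
        if: github.ref == 'refs/heads/main'
        run: |
          git add .github/badges/coverage.json
          git push
"""

WRITE_CMD = re.compile(r"\bgit\s+(push|commit)\b")          # steps that write to the repo
EVENT_GATE = re.compile(r"github\.event_name\s*==\s*'push'")  # the gate this PR adds
STEP_START = re.compile(r"^\s*- (name|uses|run|id|if):")     # heuristic step marker


def split_steps(text):
    """Split workflow text into step blocks using the '- key:' list markers."""
    steps, current = [], None
    for line in text.splitlines():
        if STEP_START.match(line):
            current = [line]
            steps.append(current)
        elif current is not None:
            current.append(line)
    return ["\n".join(s) for s in steps]


def ungated_write_steps(text):
    """Return names of steps that commit or push without an event_name == 'push' gate."""
    findings = []
    for block in split_steps(text):
        if_line = re.search(r"^\s*(?:- )?if:\s*(.*)$", block, re.M)
        condition = if_line.group(1) if if_line else ""
        if WRITE_CMD.search(block) and not EVENT_GATE.search(condition):
            name = re.search(r"name:\s*(.*)$", block, re.M)
            findings.append(name.group(1).strip() if name else "<unnamed step>")
    return findings
```

Run against a real `.github/workflows/*.yml` file by passing its contents to `ungated_write_steps`; an empty list means every committing step carries the event gate.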

talgalili closed this Jan 18, 2026