diff --git a/.codecov.yml b/.codecov.yml
new file mode 100644
index 000000000..2f73cbfd7
--- /dev/null
+++ b/.codecov.yml
@@ -0,0 +1,13 @@
+coverage:
+  status:
+    project:
+      default:
+        informational: true
+        target: 80%
+        threshold: 0%
+    patch:
+      default:
+        informational: true
+        target: 80%
+        threshold: 0%
+    changes: false
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 628a63a59..de53fb66d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -68,14 +68,11 @@ jobs:
                 cache: false
           - name: Run Unit Tests
             run: make unit-test
-          - name: Check Coverage
-            uses: vladopajic/go-test-coverage@dd4b1f21c4e48db0425e1187d2845404b1206919
+          - name: Upload Test Coverage
+            uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
             with:
-              config: ./.testcoverage.yaml
-              ## when token is not specified (value '') this feature is turned off
-              git-token: ${{ github.ref_name == 'main' && secrets.GITHUB_TOKEN || '' }}
-              ## name of orphaned branch where badges are stored
-              git-branch: badges
+              files: ./build/test/coverage.out
+              token: ${{ secrets.CODECOV_TOKEN }}
 
   race-condition-test:
       name: Unit tests with race condition detection
diff --git a/.testcoverage.yaml b/.testcoverage.yaml
deleted file mode 100644
index 2e26acc49..000000000
--- a/.testcoverage.yaml
+++ /dev/null
@@ -1,52 +0,0 @@
-# (mandatory)
-# Path to coverprofile file (output of `go test -coverprofile` command)
-profile: build/test/coverage.out
-
-# (optional)
-# When specified reported file paths will not contain local prefix in the output
-local-prefix: "github.com/nginx/agent/v3"
-
-# Holds coverage thresholds percentages, values should be in range [0-100]
-threshold:
-  # (optional; default 0)
-  # The minimum coverage that each file should have
-  # file: 70
-
-  # (optional; default 0)
-  # The minimum coverage that each package should have
-  package: 80
-
-  # (optional; default 0)
-  # The minimum total coverage project should have
-  total: 80
-
-# Holds regexp rules which will override thresholds for matched files or packages using their paths.
-#
-# First rule from this list that matches file or package is going to apply new threshold to it.
-# If project has multiple rules that match same path, override rules should be listed in order from
-# specific to more general rules.
-#override:
-  # Increase coverage threshold to 100% for `foo` package (default is 80, as configured above)
-#  - threshold: 100
-#    path: ^pkg/lib/foo$
-
-# Holds regexp rules which will exclude matched files or packages from coverage statistics
-exclude:
-  # Exclude files or packages matching their paths
-  paths:
-    - \.pb\.go$       # Excludes all protobuf generated files
-    - \.gen\.go       # Excludes generated files
-    - ^fake_.*\.go    # Excludes fakes
-    - ^test/.*$
-    - app.go          # app.go and main.go should be tested by integration tests.
-    - main.go
-    # ignore metadata generated files
-    - metadata/generated_.*\.go
-    # ignore wrappers around gopsutil
-    - internal/datasource/host
-    - internal/watcher/process
-    - pkg/nginxprocess
-
-# NOTES:
-# - symbol `/` in all path regexps will be replaced by
-#   current OS file path separator to properly work on Windows
diff --git a/Makefile b/Makefile
index 276c94e2d..298ccab6d 100644
--- a/Makefile
+++ b/Makefile
@@ -153,7 +153,7 @@ $(TEST_BUILD_DIR)/coverage.out:
 .PHONY: coverage
 coverage: $(TEST_BUILD_DIR)/coverage.out
 	@echo "Checking code coverage"
-	@$(GORUN) $(GOTESTCOVERAGE) --config=./.testcoverage.yaml
+	@printf "Total code coverage: " && $(GOTOOL) cover -func=$(TEST_BUILD_DIR)/coverage.out | grep 'total:' | awk '{print $$3}'
 
 build-mock-management-plane-grpc:
 	mkdir -p $(BUILD_DIR)/mock-management-plane-grpc
diff --git a/api/grpc/mpi/v1/command.pb.go b/api/grpc/mpi/v1/command.pb.go
index b5f0346f4..31e94ea7d 100644
--- a/api/grpc/mpi/v1/command.pb.go
+++ b/api/grpc/mpi/v1/command.pb.go
@@ -8,7 +8,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.9
+// 	protoc-gen-go v1.36.10
 // 	protoc        (unknown)
 // source: mpi/v1/command.proto
 
diff --git a/api/grpc/mpi/v1/common.pb.go b/api/grpc/mpi/v1/common.pb.go
index e6d06cf37..b59f47b5a 100644
--- a/api/grpc/mpi/v1/common.pb.go
+++ b/api/grpc/mpi/v1/common.pb.go
@@ -5,7 +5,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.9
+// 	protoc-gen-go v1.36.10
 // 	protoc        (unknown)
 // source: mpi/v1/common.proto
 
diff --git a/api/grpc/mpi/v1/files.pb.go b/api/grpc/mpi/v1/files.pb.go
index 47d1362b7..0223bae3a 100644
--- a/api/grpc/mpi/v1/files.pb.go
+++ b/api/grpc/mpi/v1/files.pb.go
@@ -5,7 +5,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.9
+// 	protoc-gen-go v1.36.10
 // 	protoc        (unknown)
 // source: mpi/v1/files.proto
 
diff --git a/internal/file/file_manager_service.go b/internal/file/file_manager_service.go
index fd1602e49..351e94c6c 100644
--- a/internal/file/file_manager_service.go
+++ b/internal/file/file_manager_service.go
@@ -167,6 +167,11 @@ func (fms *FileManagerService) ConfigApply(ctx context.Context,
 		return model.Error, allowedErr
 	}
 
+	permissionErr := fms.validateAndUpdateFilePermissions(ctx, fileOverview.GetFiles())
+	if permissionErr != nil {
+		return model.RollbackRequired, permissionErr
+	}
+
 	diffFiles, compareErr := fms.DetermineFileActions(
 		ctx,
 		fms.currentFilesOnDisk,