sapcc · majewsky · Aug 22, 2025 · Aug 20, 2025
@@ -35,6 +35,23 @@ jobs:
           go-version: 1.24.6
       - name: Build all binaries
         run: make build-all
+  code_coverage:
+    name: Code coverage report
+    needs:
+      - test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v5
+      - name: Post coverage report
+        uses: fgrosse/go-coverage-report@v1.2.0
+        with:
+          coverage-artifact-name: code-coverage
+          coverage-file-name: cover.out
+    permissions:
+      actions: read
+      contents: read
+      pull-requests: write
   test:
     name: Test
     needs:
@@ -50,10 +67,8 @@ jobs:
           go-version: 1.24.6
       - name: Run tests and generate coverage report
         run: make build/cover.out
-      - name: Upload coverage report to Coveralls
-        env:
-          COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GIT_BRANCH: ${{ github.head_ref }}
-        run: |
-          go install github.com/mattn/goveralls@latest
-          goveralls -service=github -coverprofile=build/cover.out
+      - name: Archive code coverage results
+        uses: actions/upload-artifact@v4
+        with:
+          name: code-coverage
+          path: build/cover.out
@@ -18,7 +18,6 @@ golangciLint:
 githubWorkflow:
   ci:
     enabled: true
-    coveralls: true
   global:
     defaultBranch: main # only defined here so that the "Run go-makefile-maker" Action knows it
 

@@ -17,8 +17,9 @@ var DefaultGitHubEnterpriseRunsOn = map[string]string{
 var SugarRunsOn = []string{"self-hosted"}
 
 const (
-	CheckoutAction = "actions/checkout@v5"
-	SetupGoAction  = "actions/setup-go@v5"
+	CheckoutAction       = "actions/checkout@v5"
+	SetupGoAction        = "actions/setup-go@v5"
+	UploadArtifactAction = "actions/upload-artifact@v4"
 
 	DockerLoginAction     = "docker/login-action@v3"
 	DockerMetadataAction  = "docker/metadata-action@v5"
@@ -30,9 +31,10 @@ const (
 	CodeqlAnalyzeAction   = "github/codeql-action/analyze@v3"
 	CodeqlAutobuildAction = "github/codeql-action/autobuild@v3"
 
-	DownloadSyftAction = "anchore/sbom-action/download-syft@v0.20.5"
-	GolangciLintAction = "golangci/golangci-lint-action@v8"
-	GoreleaserAction   = "goreleaser/goreleaser-action@v6"
-	MisspellAction     = "reviewdog/action-misspell@v1"
-	ReuseAction        = "fsfe/reuse-action@v5"
+	DownloadSyftAction     = "anchore/sbom-action/download-syft@v0.20"
+	GoCoverageReportAction = "fgrosse/go-coverage-report@v1.2.0"
+	GolangciLintAction     = "golangci/golangci-lint-action@v8"
+	GoreleaserAction       = "goreleaser/goreleaser-action@v6"
+	MisspellAction         = "reviewdog/action-misspell@v1"
+	ReuseAction            = "fsfe/reuse-action@v5"
 )
@@ -59,6 +59,7 @@ type permissions struct {
 	Checks         githubTokenScope `yaml:"checks,omitempty"`
 	Contents       githubTokenScope `yaml:"contents,omitempty"`
 	Packages       githubTokenScope `yaml:"packages,omitempty"`
+	PullRequests   githubTokenScope `yaml:"pull-requests,omitempty"`
 	SecurityEvents githubTokenScope `yaml:"security-events,omitempty"`
 }
 
@@ -119,6 +120,11 @@ type job struct {
 
 	// A map of <service_id> to their configuration(s).
 	Services map[string]jobService `yaml:"services,omitempty"`
+
+	// Permissions modify the default permissions granted to the GITHUB_TOKEN. If you
+	// specify the access for any of the scopes, all of those that are not specified are
+	// set to 'none'.
+	Permissions permissions `yaml:"permissions,omitempty"`
 }
 
 type JobStrategy struct {

@@ -19,6 +19,7 @@ func ciWorkflow(cfg core.Configuration, sr golang.ScanResult) {
 
 	w := newWorkflow("CI", ghwCfg.Global.DefaultBranch, ignorePaths)
 	w.On.WorkflowDispatch.manualTrigger = true
+	w.On.Push.Branches = []string{ghwCfg.Global.DefaultBranch}
 
 	if w.deleteIf(ghwCfg.CI.Enabled) {
 		return
@@ -52,36 +53,36 @@ func ciWorkflow(cfg core.Configuration, sr golang.ScanResult) {
 		Run:  makeMultilineYAMLString(testCmd),
 	})
 
-	if ghwCfg.CI.Coveralls && !ghwCfg.IsSelfHostedRunner {
-		multipleOS := len(ghwCfg.CI.RunsOn) > 1
-		env := map[string]string{
-			"GIT_BRANCH":      "${{ github.head_ref }}",
-			"COVERALLS_TOKEN": "${{ secrets.GITHUB_TOKEN }}",
-		}
-		installGoveralls := "go install github.com/mattn/goveralls@latest"
-		cmd := "goveralls -service=github -coverprofile=build/cover.out"
-		if multipleOS {
-			cmd += ` -parallel -flagname="Unit-${{ matrix.os }}"`
-		}
-		testJob.addStep(jobStep{
-			Name: "Upload coverage report to Coveralls",
-			Run:  makeMultilineYAMLString([]string{installGoveralls, cmd}),
-			Env:  env,
-		})
+	// see https://github.com/fgrosse/go-coverage-report#usage
+	coverageArtifactName := "code-coverage"
+	testJob.addStep(jobStep{
+		Name: "Archive code coverage results",
+		Uses: core.UploadArtifactAction,
+		With: map[string]any{
+			"name": coverageArtifactName,
+			"path": "build/cover.out",
+		},
+	})
 
-		if multipleOS {
-			// 04. Tell Coveralls to merge coverage results.
-			finishJob := baseJobWithGo("Finish", cfg)
-			finishJob.Needs = []string{"test"} // this is the <job_id> for the test job
-			finishJob.addStep(jobStep{
-				Name: "Coveralls post build webhook",
-				Run:  makeMultilineYAMLString([]string{installGoveralls, "goveralls -parallel-finish"}),
-				Env:  env,
-			})
-			w.Jobs["finish"] = finishJob
-		}
-	}
 	w.Jobs["test"] = testJob
 
+	// see https://github.com/fgrosse/go-coverage-report#usage
+	codeCov := baseJob("Code coverage report", cfg.GitHubWorkflow)
+	codeCov.Needs = []string{"test"}
+	codeCov.Permissions = permissions{
+		Contents:     "read",
+		Actions:      "read",
+		PullRequests: "write",
+	}
+	codeCov.addStep(jobStep{
+		Name: "Post coverage report",
+		Uses: core.GoCoverageReportAction,
+		With: map[string]any{
+			"coverage-artifact-name": coverageArtifactName,
+			"coverage-file-name":     "cover.out",
+		},
+	})
+	w.Jobs["code_coverage"] = codeCov
+
 	writeWorkflowToFile(w)
 }
@@ -112,6 +112,9 @@ func main() {
 	// Render GitHub workflows
 	if cfg.GitHubWorkflow != nil {
 		logg.Debug("rendering GitHub Actions workflows")
+		if cfg.GitHubWorkflow.CI.Coveralls {
+			logg.Fatal("Coveralls support has been removed, please remove it from your Makefile.maker.yaml")
+		}
 		ghworkflow.Render(cfg, sr)
 	}