Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,8 @@ images:
- dockerfile_path: images/ci/operand.Dockerfile
from: base-rhel9
to: cert-manager
- dockerfile_path: images/ci/Dockerfile.coverage
to: cert-manager-operator-coverage
operator:
bundles:
- as: cert-manager-operator-bundle
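Review bot: The new `images` entry for `images/ci/Dockerfile.coverage` has no `from:` key, while the `operand.Dockerfile` entry directly above it pins its base with `from: base-rhel9`. If the coverage image is meant to build on a base that this config controls, add the matching `from:` here; if the Dockerfile is meant to resolve its own `FROM`, a short comment saying so would help, because this image is later passed to the `setup-coverage` step as `COVERAGE_IMAGE`.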
Expand Down Expand Up @@ -85,6 +87,21 @@ tests:
version: "4.20"
skip_if_only_changed: ^(docs/|deploy/|jsonnet/)|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|PROJECT|LICENSE)$
steps:
post:
- as: collect-coverage
best_effort: true
cli: latest
commands: hack/e2e-coverage.sh collect
credentials:
- mount_path: /var/run/secrets/codecov
name: cert-manager-operator-codecov-token
namespace: test-credentials
from: src
resources:
requests:
cpu: 100m
timeout: 15m0s
- chain: gather
Comment on lines +90 to +104

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid Codecov-token uploads in presubmit e2e-operator.

This adds secret-backed coverage upload to a presubmit path while publish-e2e-coverage already uploads coverage postsubmit. Keeping upload only in postsubmit reduces secret exposure and avoids duplicate external uploads.

Suggested diff
   steps:
-    post:
-    - as: collect-coverage
-      best_effort: true
-      cli: latest
-      commands: hack/e2e-coverage.sh collect
-      credentials:
-      - mount_path: /var/run/secrets/codecov
-        name: cert-manager-operator-codecov-token
-        namespace: test-credentials
-      from: src
-      resources:
-        requests:
-          cpu: 100m
-      timeout: 15m0s
-    - chain: gather
+    post:
+    - chain: gather
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-master.yaml`
around lines 90 - 104, The presubmit job includes a post step that uploads
coverage using a secret (the post block with the step "as: collect-coverage",
"commands: hack/e2e-coverage.sh collect", and "credentials:
cert-manager-operator-codecov-token") which should not run in presubmit; remove
or disable this "collect-coverage" post step (and its credentials mount) from
the e2e-operator presubmit configuration so only the existing
"publish-e2e-coverage" postsubmit path performs coverage uploads, leaving the
rest of the post/chain: gather steps intact.

test:
- as: install
cli: latest
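Review bot: In the added `collect-coverage` post step, the Codecov token is mounted into a step that runs `from: src` and executes `hack/e2e-coverage.sh collect`, so the script that can read `/var/run/secrets/codecov` comes from the checkout under test. Per the review comment above, this test runs as a presubmit, which means that checkout is the pull request's own revision. Drop the `credentials` block from this step (or the whole step, as suggested above) and leave the upload to the `publish-e2e-coverage` postsubmit; if presubmit coverage is still wanted, collect it as an artifact without the token. `best_effort: true` would also tolerate a failed upload here without surfacing it.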
Expand All @@ -99,6 +116,74 @@ tests:
resources:
requests:
cpu: 100m
- as: setup-coverage
cli: latest
commands: hack/e2e-coverage.sh setup
dependencies:
- env: COVERAGE_IMAGE
name: cert-manager-operator-coverage
from: src
resources:
requests:
cpu: 100m
- as: test
cli: latest
commands: |
E2E_GINKGO_LABEL_FILTER='"Platform: isSubsetOf {AWS,Generic} && CredentialsMode: isSubsetOf {Mint} && !TechPreview"' make test-e2e
from: src
resources:
requests:
cpu: 100m
workflow: generic-claim
- as: publish-e2e-coverage
cluster_claim:
architecture: amd64
cloud: aws
owner: openshift-ci
product: ocp
timeout: 2h0m0s
version: "4.20"
postsubmit: true
steps:
post:
- as: collect-coverage
best_effort: true
cli: latest
commands: hack/e2e-coverage.sh collect
credentials:
- mount_path: /var/run/secrets/codecov
name: cert-manager-operator-codecov-token
namespace: test-credentials
from: src
resources:
requests:
cpu: 100m
timeout: 15m0s
- chain: gather
test:
- as: install
cli: latest
commands: |
oc create namespace cert-manager-operator
operator-sdk run bundle --timeout=10m --security-context-config=restricted --install-mode=AllNamespaces -n cert-manager-operator "$OO_BUNDLE" --verbose
oc wait --for condition=Available -n cert-manager-operator deployment cert-manager-operator-controller-manager
dependencies:
- env: OO_BUNDLE
name: cert-manager-operator-bundle
from: operator-sdk
resources:
requests:
cpu: 100m
- as: setup-coverage
cli: latest
commands: hack/e2e-coverage.sh setup
dependencies:
- env: COVERAGE_IMAGE
name: cert-manager-operator-coverage
from: src
resources:
requests:
cpu: 100m
- as: test
cli: latest
commands: |
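Review bot: In the new `publish-e2e-coverage` test, `collect-coverage` is marked `best_effort: true`, yet publishing coverage is the only purpose of this job, so a failed upload is tolerated rather than failing the postsubmit. Consider removing `best_effort` from the postsubmit copy so that a broken token or upload is visible. The `install`, `setup-coverage` and `test` steps are also copied from the presubmit test above; factoring them into a shared chain or workflow, if that is available for this repository, would keep the two from drifting.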
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,90 @@
postsubmits:
openshift/cert-manager-operator:
- agent: kubernetes
always_run: true
branches:
- ^master$
cluster: build01
decorate: true
decoration_config:
sparse_checkout_files:
- .ci-operator.yaml
- images/ci/Dockerfile
- images/ci/Dockerfile.coverage
- images/ci/operand.Dockerfile
labels:
ci.openshift.io/generator: prowgen
job-release: "4.20"
max_concurrency: 1
name: branch-ci-openshift-cert-manager-operator-master-publish-e2e-coverage
spec:
containers:
- args:
- --gcs-upload-secret=/secrets/gcs/service-account.json
- --hive-kubeconfig=/secrets/hive-hive-credentials/kubeconfig
- --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
- --lease-server-credentials-file=/etc/boskos/credentials
- --report-credentials-file=/etc/report/credentials
- --secret-dir=/secrets/ci-pull-credentials
- --target=publish-e2e-coverage
command:
- ci-operator
env:
- name: HTTP_SERVER_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
imagePullPolicy: Always
name: ""
ports:
- containerPort: 8080
name: http
resources:
requests:
cpu: 10m
volumeMounts:
- mountPath: /etc/boskos
name: boskos
readOnly: true
- mountPath: /secrets/ci-pull-credentials
name: ci-pull-credentials
readOnly: true
- mountPath: /secrets/gcs
name: gcs-credentials
readOnly: true
- mountPath: /secrets/hive-hive-credentials
name: hive-hive-credentials
readOnly: true
- mountPath: /secrets/manifest-tool
name: manifest-tool-local-pusher
readOnly: true
- mountPath: /etc/pull-secret
name: pull-secret
readOnly: true
- mountPath: /etc/report
name: result-aggregator
readOnly: true
serviceAccountName: ci-operator
volumes:
- name: boskos
secret:
items:
- key: credentials
path: credentials
secretName: boskos-credentials
- name: ci-pull-credentials
secret:
secretName: ci-pull-credentials
- name: hive-hive-credentials
secret:
secretName: hive-hive-credentials
- name: manifest-tool-local-pusher
secret:
secretName: manifest-tool-local-pusher
- name: pull-secret
secret:
secretName: registry-pull-credentials
- name: result-aggregator
secret:
secretName: result-aggregator
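Review bot: This new job sets `always_run: true` with `max_concurrency: 1` on `^master$`, and its target `publish-e2e-coverage` claims a cluster with a `2h0m0s` timeout, so every merge to master queues a full e2e run just to publish coverage. Confirm that per-merge cadence is intended. The file carries the `ci.openshift.io/generator: prowgen` label, so any change should be made in the ci-operator config and regenerated rather than edited here. The Codecov token does not appear among the `volumes` in this job; it is referenced only by the step-level `credentials` entry, which is where its scope should be reviewed.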
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ presubmits:
sparse_checkout_files:
- .ci-operator.yaml
- images/ci/Dockerfile
- images/ci/Dockerfile.coverage
- images/ci/operand.Dockerfile
labels:
ci.openshift.io/generator: prowgen
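Review bot: The added `images/ci/Dockerfile.coverage` entry under `sparse_checkout_files` repeats in each presubmit hunk of this file. Given the `ci.openshift.io/generator: prowgen` label, confirm these lines are generator output following the new `images` entry and were not hand-edited, and that the Dockerfile exists at that path on the target branch.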
Expand Down Expand Up @@ -71,6 +72,7 @@ presubmits:
sparse_checkout_files:
- .ci-operator.yaml
- images/ci/Dockerfile
- images/ci/Dockerfile.coverage
- images/ci/operand.Dockerfile
labels:
ci.openshift.io/generator: prowgen
Expand Down Expand Up @@ -163,6 +165,7 @@ presubmits:
sparse_checkout_files:
- .ci-operator.yaml
- images/ci/Dockerfile
- images/ci/Dockerfile.coverage
- images/ci/operand.Dockerfile
labels:
ci-operator.openshift.io/cloud: aws
Expand Down Expand Up @@ -250,6 +253,7 @@ presubmits:
sparse_checkout_files:
- .ci-operator.yaml
- images/ci/Dockerfile
- images/ci/Dockerfile.coverage
- images/ci/operand.Dockerfile
labels:
ci-operator.openshift.io/cloud: aws
Expand Down Expand Up @@ -337,6 +341,7 @@ presubmits:
sparse_checkout_files:
- .ci-operator.yaml
- images/ci/Dockerfile
- images/ci/Dockerfile.coverage
- images/ci/operand.Dockerfile
labels:
ci-operator.openshift.io/cloud: aws
Expand Down Expand Up @@ -424,6 +429,7 @@ presubmits:
sparse_checkout_files:
- .ci-operator.yaml
- images/ci/Dockerfile
- images/ci/Dockerfile.coverage
- images/ci/operand.Dockerfile
labels:
ci-operator.openshift.io/cloud: azure4
Expand Down Expand Up @@ -511,6 +517,7 @@ presubmits:
sparse_checkout_files:
- .ci-operator.yaml
- images/ci/Dockerfile
- images/ci/Dockerfile.coverage
- images/ci/operand.Dockerfile
labels:
ci-operator.openshift.io/cloud: azure4
Expand Down Expand Up @@ -598,6 +605,7 @@ presubmits:
sparse_checkout_files:
- .ci-operator.yaml
- images/ci/Dockerfile
- images/ci/Dockerfile.coverage
- images/ci/operand.Dockerfile
labels:
ci-operator.openshift.io/cloud: gcp
Expand Down Expand Up @@ -685,6 +693,7 @@ presubmits:
sparse_checkout_files:
- .ci-operator.yaml
- images/ci/Dockerfile
- images/ci/Dockerfile.coverage
- images/ci/operand.Dockerfile
labels:
ci-operator.openshift.io/cloud: gcp
Expand Down Expand Up @@ -772,6 +781,7 @@ presubmits:
sparse_checkout_files:
- .ci-operator.yaml
- images/ci/Dockerfile
- images/ci/Dockerfile.coverage
- images/ci/operand.Dockerfile
labels:
ci-operator.openshift.io/cloud: aws
Expand Down Expand Up @@ -860,6 +870,7 @@ presubmits:
sparse_checkout_files:
- .ci-operator.yaml
- images/ci/Dockerfile
- images/ci/Dockerfile.coverage
- images/ci/operand.Dockerfile
labels:
ci.openshift.io/generator: prowgen
Expand Down Expand Up @@ -944,6 +955,7 @@ presubmits:
sparse_checkout_files:
- .ci-operator.yaml
- images/ci/Dockerfile
- images/ci/Dockerfile.coverage
- images/ci/operand.Dockerfile
labels:
ci.openshift.io/generator: prowgen
Expand Down Expand Up @@ -1028,6 +1040,7 @@ presubmits:
sparse_checkout_files:
- .ci-operator.yaml
- images/ci/Dockerfile
- images/ci/Dockerfile.coverage
- images/ci/operand.Dockerfile
labels:
ci.openshift.io/generator: prowgen
Expand Down Expand Up @@ -1087,6 +1100,7 @@ presubmits:
sparse_checkout_files:
- .ci-operator.yaml
- images/ci/Dockerfile
- images/ci/Dockerfile.coverage
- images/ci/operand.Dockerfile
labels:
ci.openshift.io/generator: prowgen
Expand Down Expand Up @@ -1154,6 +1168,7 @@ presubmits:
sparse_checkout_files:
- .ci-operator.yaml
- images/ci/Dockerfile
- images/ci/Dockerfile.coverage
- images/ci/operand.Dockerfile
labels:
ci.openshift.io/generator: prowgen
Expand Down