Extract codecov upload into a separate workflow

[ahmedxgouda]

Proposed change

Resolves #4667

Extracted codecov upload into a separate workflow

Checklist

• Required: I followed the contributing workflow
• Required: I verified that my code works as intended and resolves the issue as described
• Required: I ran make check-test locally: all warnings addressed, tests passed
• I used AI for code, documentation, tests, or communication related to this PR

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: e3fb2a0a-cb23-479c-aea9-2bb7f78e74f0

📥 Commits

Reviewing files that changed from the base of the PR and between f0d3f6a and df64c69.

📒 Files selected for processing (2)

• .github/workflows/run-backend-tests.yaml
• .github/workflows/upload-coverage-to-codecov.yaml

---

Summary by CodeRabbit

• Chores
  • Refactored CI/CD infrastructure by introducing a reusable workflow for coverage reporting to improve maintainability of the backend testing pipeline.
  • Enhanced the coverage upload process with stricter permission controls and improved failure handling for more reliable test coverage reporting.

Walkthrough

Extracts Codecov coverage upload into a reusable GitHub Actions workflow (upload-coverage-to-codecov) and updates run-backend-tests.yaml to call that workflow with artifact and coverage path/flag inputs instead of performing inline download/upload steps.

Changes

Codecov Coverage Upload Refactoring

Layer / File(s)	Summary
Reusable Codecov upload workflow .github/workflows/upload-coverage-to-codecov.yaml	New reusable workflow (workflow_call) defines required inputs for artifact_name, artifact_path, coverage_path, optional coverage_flags (default ''), sets minimal permissions, checks out the repo, downloads the named artifact to the provided path, and uploads the specified coverage file to Codecov with use_oidc: true and fail_ci_if_error: true; job timeout 5 minutes.
Backend test workflow integration .github/workflows/run-backend-tests.yaml	Replaces inline artifact download and codecov/codecov-action invocation with a uses: ./.github/workflows/upload-coverage-to-codecov.yaml call, passing artifact_name: coverage-xml, artifact_path: backend, coverage_path: backend/coverage.xml, and coverage_flags: backend; reduces job permissions to contents: read and id-token: write.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• OWASP/Nest#3452: Overlaps with earlier addition of inline Codecov upload steps that this change extracts into a reusable workflow.
• OWASP/Nest#4635: Related restructuring of backend tests workflow coverage upload logic that this PR delegates to a reusable workflow.

Suggested labels

backend

Suggested reviewers

• arkid15r
• kasya

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: extracting codecov upload into a separate workflow, which directly aligns with the primary objective of the changeset.
Description check	✅ Passed	The description references issue #4667 and explains the change (extracting codecov upload into a separate workflow), which relates directly to the changeset modifications.
Linked Issues check	✅ Passed	The PR fully implements the requirement from issue #4667 to extract codecov into a separate, reusable workflow with configurable inputs (artifact_name, artifact_path, coverage_path, coverage_flags).
Out of Scope Changes check	✅ Passed	All changes are directly related to the stated objective: extracting codecov upload into a reusable workflow by modifying the main workflow and creating a new reusable workflow file.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cubic-dev-ai]

0 issues found across 1 file (changes from recent commits).

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/upload-coverage-to-codecov.yaml:
- Around line 33-38: Add a repository checkout step before uploading coverage so
Codecov can map reports to source and read .codecov.yml: insert a step named
like "Checkout repository" using actions/checkout@v4 (or `@v3`) prior to the
Codecov upload (and before the "Download coverage artifact" step if upload
happens after it), and set fetch-depth: 0 to ensure full commit history and
branch/PR context is available.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: af377cbd-b1c8-4925-ad44-0f1555a39ef7

📥 Commits

Reviewing files that changed from the base of the PR and between f9ac93a and f1eb3fc.

📒 Files selected for processing (2)

• .github/workflows/run-backend-tests.yaml
• .github/workflows/upload-coverage-to-codecov.yaml

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.92%. Comparing base (f9ac93a) to head (df64c69).

Additional details and impacted files

@@                     Coverage Diff                     @@
##           feature/ci-cd-optimization    #4668   +/-   ##
===========================================================
  Coverage                       98.92%   98.92%           
===========================================================
  Files                             528      528           
  Lines                           16968    16968           
  Branches                         2364     2364           
===========================================================
  Hits                            16785    16785           
  Misses                             98       98           
  Partials                           85       85           

Flag	Coverage Δ
backend	99.50% <ø> (ø)
frontend	97.28% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f9ac93a...df64c69. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[cubic-dev-ai]

1 issue found across 1 file (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/upload-coverage-to-codecov.yaml">

<violation number="1" location=".github/workflows/upload-coverage-to-codecov.yaml:35">
P1: The added checkout step is missing `contents: read` permission for `GITHUB_TOKEN`, which can break this workflow at runtime.</violation>
</file>

_{Tip: Review your code locally with the cubic CLI to iterate faster.}

[cubic-dev-ai]

0 issues found across 1 file (changes from recent commits).

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

❌ The last analysis has failed.

See analysis details on SonarQube Cloud

[cubic-dev-ai]

0 issues found across 2 files (changes from recent commits).

[arkid15r]

LGTM