feat(build): add code coverage reporting to Pester workflow #230
WilliamBerryiii merged 5 commits into main
- add code-coverage input and Codecov upload to pester-tests.yml
- enable OIDC auth with id-token permission for Codecov v5.5.2
- fix coverage path resolution in pester.config.ps1
- apply duck typing fix for PowerShell class type collision

📊 - Generated by Copilot
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.
Pull request overview
This PR adds comprehensive code coverage reporting to the Pester test workflow using Codecov integration. The implementation introduces a configurable code-coverage input parameter, enables OIDC authentication for secure upload, and provides informational threshold checking. Key changes include fixing coverage path resolution in the Pester configuration and applying a duck typing workaround to resolve PowerShell class instrumentation conflicts.
Changes:
- Add code coverage collection with Codecov OIDC integration to Pester workflow
- Fix coverage path resolution using explicit Get-ChildItem instead of glob patterns
- Apply duck typing fix to prevent class type collision during Pester instrumentation
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| .github/workflows/pester-tests.yml | Adds code-coverage input, OIDC permissions, Codecov upload step, and threshold check logic |
| .github/workflows/pr-validation.yml | Enables code coverage and id-token permission for PR validation, runs all tests instead of changed-files-only |
| scripts/tests/pester.config.ps1 | Replaces glob patterns with Get-ChildItem for explicit coverage path resolution |
| scripts/security/Test-DependencyPinning.ps1 | Removes ComplianceReport type annotation to avoid Pester coverage instrumentation issues |
- remove invalid inputs context from workflow-level permissions
- add id-token: write to job-level permissions for OIDC
- simplify coverage threshold check to use Pester output
- add -File parameter to Get-ChildItem in pester.config.ps1

🐛 - Generated by Copilot
Welcome to Codecov 🎉 Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests. Thanks for integrating Codecov - We've got you covered ☂️
- improve id-token permission comment to reference enable-code-coverage input
- add null guard to coverage threshold check preventing cast errors
- add property validation to Export-ComplianceReport duck-typed parameter
- add actionlint 1.7.10 to tool-checksums.json
- update gitleaks from 8.18.2 to 8.30.0

🔧 - Generated by Copilot
| # Validate required properties on duck-typed $Report parameter (ComplianceReport schema) | ||
| $requiredProperties = @('ComplianceScore', 'Violations', 'TotalDependencies', 'UnpinnedDependencies', 'Metadata') | ||
| foreach ($prop in $requiredProperties) { | ||
| if ($null -eq $Report.PSObject.Properties[$prop]) { | ||
| throw "Report object missing required property: $prop" | ||
| } | ||
| } |
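Review bot: The check at `if ($null -eq $Report.PSObject.Properties[$prop])` tests only that each property exists, not what it holds, so a report whose `Violations` or `Metadata` is `$null` or a scalar passes the loop. Because `$Report` is duck-typed, consider also rejecting `$null` values and checking the shape the function relies on (for example that `ComplianceScore` is numeric), and have the error name both the property and the type that was found.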
The new duck-typed $Report validation only checks a subset of properties, but the function later uses additional fields (e.g., Timestamp, ScanPath, ScannedFiles, PinnedDependencies, Summary). As written, an invalid report object can pass validation and then fail later with less clear errors. Expand the required property list (or validate per $Format) to cover all properties the function accesses.
🤖 I have created a release *beep* *boop*

---

## [2.0.0](hve-core-v1.1.0...hve-core-v2.0.0) (2026-01-28)

### ⚠ BREAKING CHANGES

* **agents:** add Task Reviewer and expand RPI to 4-phase workflow ([#277](#277))

### ✨ Features

* **agents:** add hve-core-installer agent to extension package ([#297](#297)) ([c0e48c6](c0e48c6))
* **agents:** add Task Reviewer and expand RPI to 4-phase workflow ([#277](#277)) ([ae76cab](ae76cab))
* **build:** add code coverage reporting to Pester workflow ([#230](#230)) ([a34822a](a34822a))
* **docs:** add GOVERNANCE.md for OSSF Silver Badge compliance ([#235](#235)) ([b0e752c](b0e752c))
* **docs:** add ROADMAP.md for OSSF Silver badge compliance ([#238](#238)) ([4a41c16](4a41c16))
* **mcp:** add MCP server configuration guidance and installer enhancements ([#225](#225)) ([0bce418](0bce418))
* **scripts:** add YAML linting with actionlint ([#234](#234)) ([d9301f9](d9301f9))
* **security:** add OpenSSF Scorecard workflow and badge ([#271](#271)) ([7c6d788](7c6d788))
* **skills:** add video-to-gif conversion skill with FFmpeg two-pass optimization ([#247](#247)) ([8d65c42](8d65c42))
* **tests:** add Pester tests for LintingHelpers and Validate-MarkdownFrontmatter ([#197](#197), [#198](#198)) ([#205](#205)) ([51ae563](51ae563))

### 🐛 Bug Fixes

* **build:** detect table formatting changes via git diff ([#261](#261)) ([985eee0](985eee0))
* **build:** disable MD024 lint rule in CHANGELOG for release-please ([#220](#220)) ([971df94](971df94))
* **build:** quote shell variables and group redirects in workflow files ([#299](#299)) ([3372509](3372509))
* **build:** resolve scorecard badge and workflow security issues ([#301](#301)) ([aeaed13](aeaed13))
* **extension:** remove frontmatter from README and exclude from markdown linting ([#223](#223)) ([4272529](4272529))
* **instructions:** quote applyTo glob pattern for YAML compatibility ([#216](#216)) ([085199c](085199c))
* **scripts:** add FooterExcludePaths parameter to frontmatter validation ([#334](#334)) ([64db98d](64db98d))
* **scripts:** add GHSA word and logs/ exclusion to cspell config ([#214](#214)) ([5c99b3f](5c99b3f))
* **scripts:** correct type assertions in Invoke-YamlLint.Tests.ps1 ([#332](#332)) ([af7050d](af7050d))
* **scripts:** eliminate false positives in dependency pinning npm pattern ([#273](#273)) ([ccbdfa3](ccbdfa3))
* **security:** add artifact attestation for signed releases ([#257](#257)) ([c52d6e2](c52d6e2))
* standardize markdown footers and complete frontmatter ([#217](#217)) ([b4e7556](b4e7556))

### 📚 Documentation

* add OpenSSF Best Practices Passing badge to README ([#239](#239)) ([91bc529](91bc529))
* **architecture:** add architecture documentation and value proposition ([#252](#252)) ([0e4b02f](0e4b02f))
* **contributing:** add testing requirements for OSSF compliance ([#254](#254)) ([4db1a18](4db1a18))
* **docs:** add enterprise status badges to README header ([#270](#270)) ([ccb68a4](ccb68a4))
* **security:** add security assurance case and threat model for OSSF Silver ([#259](#259)) ([a390e26](a390e26))

### ♻️ Refactoring

* **application:** wrap execution with try blocks, ensure proper … ([#296](#296)) ([35c4417](35c4417))
* **scripts:** extract frontmatter validation to testable module ([#293](#293)) ([4e8707e](4e8707e))
* **scripts:** extract pure functions for Pester testability ([#221](#221)) ([d40e742](d40e742))

### 🔧 Maintenance

* **deps-dev:** bump cspell from 9.4.0 to 9.6.0 in the npm-dependencies group ([#208](#208)) ([855914b](855914b))
* **deps-dev:** bump cspell from 9.6.0 to 9.6.1 in the npm-dependencies group ([#294](#294)) ([1e45ad6](1e45ad6))
* **deps:** bump actions/setup-node from 6.1.0 to 6.2.0 in the github-actions group ([#209](#209)) ([c4c69e2](c4c69e2))
* **deps:** bump the github-actions group with 4 updates ([#295](#295)) ([d8337b8](d8337b8))
* remove step-security/harden-runner from workflows ([#246](#246)) ([c5708d8](c5708d8))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: hve-core-release-please[bot] <254602402+hve-core-release-please[bot]@users.noreply.github.com>
Description
Add code coverage reporting to the Pester test workflow with Codecov integration. The implementation enables optional coverage collection during PR validation, uploads results to Codecov using OIDC authentication, and provides an informational threshold check with an 18% baseline.
- `code-coverage` input parameter to `pester-tests.yml` reusable workflow
- `id-token: write` permission for Codecov v5.5.2 (0561704f0f02c16a585d4c7555e57fa2e44cf909)
- `pester.config.ps1` using explicit `Get-ChildItem` instead of glob patterns
- `Test-DependencyPinning.ps1` to resolve PowerShell class type collision during coverage instrumentation

Related Issue(s)
Fixes #201
Testing
- `logs/coverage.xml` in JaCoCo format

Checklist
Required Checks
Required Automated Checks
The following validation commands must pass before merging:
- `npm run lint:md`
- `npm run spell-check`
- `npm run lint:frontmatter`
- `npm run lint:md-links`
- `npm run lint:ps`

Security Considerations
Additional Notes
`Export-ComplianceReport` avoids Pester's coverage instrumentation redefining PowerShell classes, which caused type identity conflicts

📊 - Generated by Copilot
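
The permission layout this PR describes (read-only default at workflow level, `id-token: write` granted only on the job that uploads to Codecov via OIDC), sketched as an added example; it is not the repository's `pester-tests.yml`. The job name, the way `pester.config.ps1` is invoked and the `<FULL_COMMIT_SHA>` pins are assumptions or placeholders.

```yaml
# Added example (constructed); not the project's own workflow file.
name: Pester Tests (sketch)

on:
  workflow_call:
    inputs:
      code-coverage:
        description: Collect coverage and upload it to Codecov
        type: boolean
        default: false

# Workflow-level default stays read-only. Per the PR's commit notes, the
# inputs context is not valid here, so the OIDC grant is made on the job.
permissions:
  contents: read

jobs:
  pester:                      # job name is an assumption
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write          # lets this job request an OIDC token for the upload step
    steps:
      - uses: actions/checkout@<FULL_COMMIT_SHA>       # placeholder: pin to a full SHA
        with:
          persist-credentials: false

      - name: Run Pester
        shell: pwsh
        run: |
          # Assumption: the config script returns a Pester configuration object.
          $config = & ./scripts/tests/pester.config.ps1
          Invoke-Pester -Configuration $config

      - name: Upload coverage to Codecov
        if: ${{ inputs.code-coverage }}
        uses: codecov/codecov-action@<FULL_COMMIT_SHA>  # placeholder: pin to a full SHA
        with:
          use_oidc: true             # short-lived OIDC token instead of a stored upload secret
          files: logs/coverage.xml   # JaCoCo report path named in the PR description
          fail_ci_if_error: false    # coverage stays informational
```

A job that calls this reusable workflow must itself grant `id-token: write`, since a called workflow cannot receive more permissions than its caller has.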