ci(coverage): upload reports to GitHub Code Quality

[cv]

Summary

Adds Cobertura XML generation to the existing CLI and plugin coverage jobs, then uploads those reports to GitHub Code Quality so coverage results can appear on pull requests. The upload steps reuse the existing coverage pipeline and keep fork PR uploads skipped.

Changes

• Emit Cobertura XML from the merged CLI coverage job and plugin coverage job.
• Upload CLI and plugin coverage reports with pinned actions/upload-code-coverage@v1 and distinct labels.
• Grant the PR and main coverage jobs the code-quality: write permission required by GitHub Code Quality.
• Confirmed with docs reviewer that no docs/ changes are needed for this CI-only reporting change.

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• npm run docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

---

Signed-off-by: Carlos Villela cvillela@nvidia.com

Summary by CodeRabbit

• Chores
  • Enhanced coverage reporting to produce Cobertura-format reports for both CLI and plugin test suites, improving compatibility with coverage tools and dashboards.
  • Added automated upload of CLI coverage reports (with scoped execution for non-PRs and same-repo PRs) and tightened CI workflow job permissions to follow least-privilege practices, strengthening CI security and reliability.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 6ef79dfd-8ab6-4d14-b4ef-19be7c79f168

📥 Commits

Reviewing files that changed from the base of the PR and between 81048a8 and 1577cf5.

📒 Files selected for processing (2)

• .github/actions/ci-cli-coverage-merge/action.yaml
• .github/actions/ci-plugin-coverage/action.yaml

🚧 Files skipped from review as they are similar to previous changes (2)

• .github/actions/ci-plugin-coverage/action.yaml
• .github/actions/ci-cli-coverage-merge/action.yaml

---

📝 Walkthrough

Walkthrough

CI workflows now generate Cobertura coverage XML for CLI and plugin tests and upload those reports; job-level permissions for cli-tests and plugin-tests were made explicit in both main and PR workflows.

Changes

Cobertura Coverage Generation and Upload

Layer / File(s)	Summary
CLI coverage Cobertura generation and upload .github/actions/ci-cli-coverage-merge/action.yaml	Merge CLI coverage step configures Cobertura reporter and output directory; new upload step uses actions/upload-code-coverage to push coverage/cli/cobertura-coverage.xml with a conditional guard.
Plugin coverage Cobertura generation and upload .github/actions/ci-plugin-coverage/action.yaml	Vitest invocation extended to emit Cobertura coverage into coverage/plugin directory; existing upload step remains pointed at coverage/plugin/cobertura-coverage.xml.

Workflow Job Permission Hardening

Layer / File(s)	Summary
Job permissions across CI workflows .github/workflows/main.yaml, .github/workflows/pr.yaml	Added explicit permissions blocks to cli-tests and plugin-tests jobs in both workflows: code-quality: write, contents: read, pull-requests: read; cli-tests also sets actions: read.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I hopped through YAML, lines tidy and neat,
Cobertura blooms where test reports meet,
Uploads now sing in XML light,
Permissions set snug for CI's tight flight,
A rabbit's small cheer for coverage complete.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'ci(coverage): upload reports to GitHub Code Quality' accurately summarizes the main change: configuring coverage report uploads to GitHub Code Quality by updating GitHub Actions workflows and coverage configurations.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/code-quality-coverage

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

E2E Advisor Recommendation

Required E2E: None
Optional E2E: None

Workflow run

Full advisor summary

E2E Recommendation Advisor

Failed: Could not parse JSON from advisor output; see /home/runner/work/NemoClaw/NemoClaw/artifacts/e2e-advisor/e2e-advisor-raw-output.txt

[github-actions]

Vitest E2E Scenario Recommendation

Required Vitest E2E scenarios: None
Optional Vitest E2E scenarios: None

Workflow run

Full Vitest E2E advisor summary

Vitest E2E Scenario Advisor

Failed: Could not parse JSON from advisor output; see /home/runner/work/NemoClaw/NemoClaw/artifacts/e2e-advisor/e2e-scenario-advisor-raw-output.txt

[github-actions]

PR Review Advisor

Findings: 0 needs attention, 1 worth checking, 0 nice ideas
Top item: PR review advisor unavailable

Review findings

🛠️ Needs attention

• None.

🔎 Worth checking

• PR review advisor unavailable: The automated advisor could not complete: Could not parse JSON from PR review advisor output; see /home/runner/work/NemoClaw/NemoClaw/artifacts/pr-review-advisor/pr-review-advisor-raw-output.txt
  • Recommendation: Re-run the PR Review Advisor or perform a manual review.
  • Evidence: Could not parse JSON from PR review advisor output; see /home/runner/work/NemoClaw/NemoClaw/artifacts/pr-review-advisor/pr-review-advisor-raw-output.txt

🌱 Nice ideas

• None.

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/actions/ci-cli-coverage-merge/action.yaml:
- Around line 95-102: Update the conditional for the coverage upload steps so
they run even if earlier steps fail by adding always() while preserving the
existing fork-PR guard: in .github/actions/ci-cli-coverage-merge/action.yaml
(lines 95-102) replace the current if condition with one that wraps the existing
guard in always(), for example if: ${{ always() && (github.event_name !=
'pull_request' || github.event.pull_request.head.repo.full_name ==
github.repository) }}; do the same change in
.github/actions/ci-plugin-coverage/action.yaml (lines 35-42) — both sites
require the identical modification to the if condition so uploads run on failing
runs but still skip forked PRs.

In @.github/workflows/main.yaml:
- Around line 82-86: Remove the invalid "code-quality: write" permission entries
and replace them with the correct GitHub Actions permission required by
actions/upload-code-coverage (consult the action's README to determine whether
it needs actions: write, contents: write, or another valid scope) —
specifically: in .github/workflows/main.yaml (lines 82-86) remove code-quality:
write from the cli-tests job and add the validated permission scope; in
.github/workflows/main.yaml (lines 110-113) remove code-quality: write from the
plugin-tests job and add the validated permission scope; in
.github/workflows/pr.yaml (lines 236-240) remove code-quality: write from the
cli-tests job and add the validated permission scope; and in
.github/workflows/pr.yaml (lines 281-284) remove code-quality: write from the
plugin-tests job and add the validated permission scope.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 13c9d5d3-4e08-4a30-87be-3ec3b69a2b31

📥 Commits

Reviewing files that changed from the base of the PR and between f34ac4c and 81048a8.

📒 Files selected for processing (4)

• .github/actions/ci-cli-coverage-merge/action.yaml
• .github/actions/ci-plugin-coverage/action.yaml
• .github/workflows/main.yaml
• .github/workflows/pr.yaml