Update dependencies and add code coverage workflow #233
Updated NuGet package versions across all projects, including Shared, DomainDrivenDesign, EventStore, MediatR, SecurityService.Client, TransactionProcessor.Client, and NUnit. Added a GitHub Actions workflow (codecoverage.yml) to build, run tests with coverage, merge LCOV reports, and upload results to Codacy. No application logic changes were made.
| name: "Code Coverage" | ||
| env: | ||
| ASPNETCORE_ENVIRONMENT: "Production" | ||
|
|
||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v2.3.4 | ||
|
|
||
| - name: Restore Nuget Packages | ||
| run: dotnet restore CallbackHandler.sln --source ${{ secrets.PUBLICFEEDURL }} --source ${{ secrets.PRIVATEFEED_URL }} | ||
|
|
||
| - name: Build Code | ||
| run: dotnet build CallbackHandler.sln --configuration Release | ||
|
|
||
| - name: Run Unit Tests | ||
| run: | | ||
| echo "ASPNETCORE_ENVIRONMENT are > ${ASPNETCORE_ENVIRONMENT}" | ||
| dotnet test "CallbackHandler.BusinessLogic.Tests\CallbackHandler.BusinessLogic.Tests.csproj" /p:CollectCoverage=true /p:Exclude="[xunit*]*" /p:ExcludeByAttribute="Obsolete" /p:ExcludeByAttribute="GeneratedCodeAttribute" /p:ExcludeByAttribute="CompilerGeneratedAttribute" /p:ExcludeByAttribute="ExcludeFromCodeCoverageAttribute" /p:CoverletOutput="../lcov1.info" /maxcpucount:1 /p:CoverletOutputFormat="lcov" | ||
| dotnet test "CallbackHandler.CallbackMessageAggregate.Tests\CallbackHandler.CallbackMessageAggregate.Tests.csproj" /p:CollectCoverage=true /p:Exclude="[xunit*]*" /p:ExcludeByAttribute="Obsolete" /p:ExcludeByAttribute="GeneratedCodeAttribute" /p:ExcludeByAttribute="CompilerGeneratedAttribute" /p:ExcludeByAttribute="ExcludeFromCodeCoverageAttribute" /p:CoverletOutput="../lcov2.info" /maxcpucount:1 /p:CoverletOutputFormat="lcov" | ||
| dotnet test "CallbackHandler.Tests\CallbackHandler.Tests.csproj" /p:CollectCoverage=true /p:Exclude="[xunit*]*" /p:ExcludeByAttribute="Obsolete" /p:ExcludeByAttribute="GeneratedCodeAttribute" /p:ExcludeByAttribute="CompilerGeneratedAttribute" /p:ExcludeByAttribute="ExcludeFromCodeCoverageAttribute" /p:CoverletOutput="../lcov3.info" /maxcpucount:1 /p:CoverletOutputFormat="lcov" | ||
|
|
||
| - name: Install LCOV merger | ||
| run: npm install -g lcov-result-merger | ||
|
|
||
| - name: Merge LCOV reports | ||
| run: | | ||
| mkdir -p coverage | ||
| lcov-result-merger "*.info" > lcov.info | ||
|
|
||
| - name: Upload merged coverage to Codacy | ||
| uses: codacy/codacy-coverage-reporter-action@v1 | ||
| with: | ||
| project-token: ${{ secrets.CODACY_PROJECT_TOKEN }} | ||
| coverage-reports: ./lcov.info |
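Review bot: The upload step passes `secrets.CODACY_PROJECT_TOKEN` to `codacy/codacy-coverage-reporter-action@v1`, which is referenced by a movable tag; pin it, and `actions/checkout@v2.3.4`, to a full commit SHA, and give `npm install -g lcov-result-merger` an explicit version so the job does not execute whatever is published at run time. In the merge step, `lcov-result-merger "*.info" > lcov.info` writes to a file name that its own quoted glob matches, and the directory from `mkdir -p coverage` is never used; writing to `coverage/lcov.info` and pointing `coverage-reports` at it would resolve both. In the restore step the secret names `PUBLICFEEDURL` and `PRIVATEFEED_URL` follow different conventions, so confirm both exist under exactly those names.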
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 2 months ago
To fix the issue, explicitly restrict GITHUB_TOKEN permissions for this workflow to the minimum needed. The job only checks out code, restores/builds/tests, and uploads coverage to Codacy; it does not need to write to the repository or interact with issues/PRs. Therefore, setting contents: read (and nothing else) at the workflow level is sufficient and preserves existing behavior.
The best minimal fix is to add a permissions: block at the top (root) of .github/workflows/codecoverage.yml, directly under the name: line and before the on: section:
- This applies to all jobs in the workflow (currently just `codecoverage`).
- It limits the `GITHUB_TOKEN` to read-only repository contents, which is enough for `actions/checkout` and does not impact the usage of secrets or external services like Codacy.

Concretely:

- Edit `.github/workflows/codecoverage.yml`.
- Insert:

  ```yaml
  permissions:
    contents: read
  ```

  after line 1 (`name: Code Coverage`) and before the `on:` block (line 3 onwards).
- No imports or additional methods are required; this is purely a YAML configuration change.
| @@ -1,4 +1,6 @@ | ||
| name: Code Coverage | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: |
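Review bot: The context line `name: Code Coverage` is unquoted here, while the workflow added in this PR has `name: "Code Coverage"`, so check the suggestion against the committed file before applying it. The `permissions:` block itself would benefit from a one-line comment saying the workflow only needs to read the repository, so that a job needing more later declares it at job level instead of widening this block.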
Replaced manual registration of IMediator and specific IRequestHandlers with AddMediatR, auto-registering all handlers from the relevant assembly. This streamlines service setup and reduces maintenance overhead.
Updated NuGet package versions across all projects, including Shared, DomainDrivenDesign, EventStore, MediatR, SecurityService.Client, TransactionProcessor.Client, and NUnit. Added a GitHub Actions workflow (codecoverage.yml) to build, run tests with coverage, merge LCOV reports, and upload results to Codacy. No application logic changes were made.
closes #232
closes #231
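
The condition behind the "Workflow does not contain permissions" alert above can be checked locally before pushing. The following is an added example, not code from this PR or from CodeQL: a line-based Python scan that reports jobs with neither a workflow-level nor a job-level `permissions:` key. The function name, the `upload` job and the sample workflows are constructed for illustration; only the `codecoverage` job name comes from the autofix text.

```python
import re

# Matches a YAML mapping key at the start of an already-stripped line.
KEY = re.compile(r"([\"']?)([A-Za-z0-9_-]+)\1\s*:(\s|$)")

def jobs_without_permissions(workflow_text):
    """Return job ids that have no workflow-level or job-level permissions key.

    Only presence is checked, not how broad the granted scopes are.
    """
    workflow_level = False
    section = job_indent = key_indent = current = None
    jobs = {}  # job id -> True once a job-level permissions key is seen
    for raw in workflow_text.splitlines():
        body = raw.split(" #", 1)[0].rstrip()   # drop trailing comments
        stripped = body.lstrip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(body) - len(stripped)
        m = KEY.match(stripped)
        name = m.group(2) if m else None
        if indent == 0:                          # top-level key
            section, job_indent, current = name, None, None
            workflow_level = workflow_level or name == "permissions"
        elif section == "jobs" and name:
            if job_indent is None:
                job_indent = indent              # indent of the job ids
            if indent == job_indent:
                current, key_indent = name, None
                jobs[current] = False
            elif current is not None:
                if key_indent is None:
                    key_indent = indent          # indent of the job's own keys
                if indent == key_indent and name == "permissions":
                    jobs[current] = True
    return [] if workflow_level else [j for j, ok in jobs.items() if not ok]

# Constructed samples; only the job name "codecoverage" comes from the page.
BEFORE = ('name: "Code Coverage"\non:\n  push:\njobs:\n  codecoverage:\n'
          '    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v2.3.4\n')
AFTER = BEFORE.replace("\non:", "\npermissions:\n  contents: read\non:", 1)
MIXED = BEFORE + ('  upload:\n    runs-on: ubuntu-latest\n'
                  '    permissions:\n      contents: read\n')

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER), ("mixed", MIXED)):
        print(label, jobs_without_permissions(text))
```

The scan relies on consistent indentation and plain block-style YAML; flow-style mappings or anchors need a real YAML parser.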