fix: replace custom test aggregation with proven GitHub Action

- Replace custom aggregate_test_results.py script with EnricoMi/publish-unit-test-result-action@v2
- Remove 164 lines of custom XML parsing code that had security issues
- Eliminate semgrep/bandit warnings from defusedxml usage
- Use mature, well-tested action (716 stars) that handles JUnit XML natively
- Provides better test reporting: PR comments, check summaries, job summaries
- Remove custom test-report-aggregate Makefile target
- Simplify workflow from custom script to 4-line action configuration
- Zero security vulnerabilities, zero maintenance overhead

Author: fgogolli

.github/workflows/advanced-metrics.yml

@@ -1,5 +1,9 @@
 name: Advanced Metrics Badges
 
+permissions:
+  contents: read
+  actions: read
+
 on:
   push:
     branches: [ main ]

.github/workflows/changelog-validation.yml

@@ -14,6 +14,8 @@ jobs:
   get-config:
     name: Get Configuration
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       default-python-version: ${{ steps.config.outputs.default-python-version }}
     steps:

.github/workflows/ci-tests.yml

@@ -90,9 +90,11 @@ jobs:
     runs-on: ubuntu-latest
     needs: [config, setup-cache, tests]
     if: always()
-    continue-on-error: true  # TODO: Remove once test report generation is stable
     permissions:
       contents: read
+      issues: read
+      checks: write
+      pull-requests: write
 
     steps:
     - name: Checkout code
@@ -109,24 +111,22 @@ jobs:
       with:
         path: test-results/
 
-    - name: Generate test report
-      run: make test-report
-
-    - name: Upload test report
-      uses: actions/upload-artifact@v4
+    - name: Publish Test Results
+      uses: EnricoMi/publish-unit-test-result-action@v2
       if: always()
+      continue-on-error: true
       with:
-        name: reports-test-${{ github.run_number }}
-        retention-days: 30
-        path: |
-          test-results-combined.xml
-          coverage-combined.xml
-          htmlcov/
+        files: "test-results/**/*.xml"
+        check_name: "Test Results Summary"
+        comment_mode: "always"
+        job_summary: true
+        action_fail: false
+        fail_on: "nothing"
 
     - name: Upload coverage to Codecov
       uses: codecov/codecov-action@v5
       if: always()
       with:
-        files: coverage-combined.xml
+        files: test-results/**/*coverage*.xml
         flags: unit
         name: unit-tests

.github/workflows/health-monitoring.yml

@@ -8,6 +8,8 @@ on:
 jobs:
   config:
     name: Configuration
+    permissions:
+      contents: read
     uses: ./.github/workflows/shared-config.yml
 
   health-check: