
chore(deps): update codecov/codecov-action action to v7 #1705

Open: red-hat-konflux[bot] wants to merge 1 commit into main from konflux/mintmaker/main/codecov-codecov-action-7.x

@red-hat-konflux red-hat-konflux Bot commented Jun 17, 2026

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| codecov/codecov-action | action | major | v6.0.2 → v7.0.0 |

Warning

Some dependencies could not be looked up. Check the warning logs for more information.


Release Notes

codecov/codecov-action (codecov/codecov-action)

v7.0.0

Compare Source

⚠️ Due to migration issues with keybase, we are unable to update our keys under the codecovsecurity account. We have deleted the account and are using codecovsecops with the original gpg key

What's Changed

Full Changelog: codecov/codecov-action@v6.0.1...v7.0.0


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

fullsend-ai-review Bot commented Jun 17, 2026

🤖 Finished Review · ✅ Success · Started 2:44 PM UTC · Completed 2:51 PM UTC
Commit: 218f229 · View workflow run →

codecov Bot commented Jun 17, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.49%. Comparing base (13a2f01) to head (1796d04).

❗ There is a different number of reports uploaded between BASE (13a2f01) and HEAD (1796d04).

HEAD has 2 uploads less than BASE

| Flag | BASE (13a2f01) | HEAD (1796d04) |
|---|---|---|
| unit-tests | 2 | 1 |
| e2e-tests | 1 | 0 |

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1705      +/-   ##
==========================================
- Coverage   87.43%   81.49%   -5.95%     
==========================================
  Files          34       34              
  Lines        3566     3566              
==========================================
- Hits         3118     2906     -212     
- Misses        285      512     +227     
+ Partials      163      148      -15     

| Flag | Coverage Δ |
|---|---|
| e2e-tests | ? |
| unit-tests | 81.49% <ø> (ø) |

Flags with carried forward coverage won't be shown.
See 12 files with indirect coverage changes.

Legend:
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 13a2f01...1796d04.

fullsend-ai-review Bot commented Jun 17, 2026

Review

Findings

Medium

  • [logic-error / supply-chain] .github/workflows/codecov.yml:21 — The PR changes only the version comment from # v6.0.2 to # v7.0.0 while the pinned SHA (fb8b3582c8e4def4969c97caa2f19720cb33a72f) remains unchanged. If this SHA does not correspond to the v7.0.0 tag of codecov/codecov-action, the comment will be misleading and the intended version upgrade will not take effect.
    Remediation: Verify that the SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f corresponds to codecov/codecov-action v7.0.0. If it does not, update the SHA to the correct commit hash for v7.0.0.

  • [logic-error / supply-chain] .github/workflows/pr.yml:98 — Same issue: the PR changes only the version comment from # v6.0.2 to # v7.0.0 while the pinned SHA remains unchanged. If this SHA does not correspond to the v7.0.0 tag, the comment is misleading and the upgrade has not actually occurred.
    Remediation: Verify the SHA corresponds to v7.0.0 and update it if it does not.

Previous run

Review

Findings

High

  • [dependency-pinning-consistency] .github/workflows/codecov.yml:21 — Version comment updated from v6.0.2 to v7.0.0 but the pinned commit SHA (fb8b3582c8e4def4969c97caa2f19720cb33a72f) is unchanged. The workflow will still execute v6.0.2 code while the comment claims v7.0.0, breaking the SHA-to-version-comment correspondence that is the point of commit pinning. This is likely a Renovate misconfiguration where the comment was updated without updating the SHA.
    Remediation: Update the SHA to the actual commit corresponding to the codecov/codecov-action v7.0.0 release tag.

  • [dependency-pinning-consistency] .github/workflows/pr.yml:98 — Same SHA/comment mismatch. Version comment updated to v7.0.0 but the pinned SHA still points to v6.0.2 code.
    Remediation: Update the SHA to the actual commit corresponding to the codecov/codecov-action v7.0.0 release tag.

Medium

  • [protected-path] .github/workflows/codecov.yml, .github/workflows/pr.yml — Both modified files are under .github/, a protected path. The PR is an automated Renovate dependency update with a clear rationale, but human approval is always required for changes to governance and infrastructure files.

Previous run (2)

Review

Findings

High

  • [protected-path] .github/workflows/codecov.yml, .github/workflows/pr.yml — Both modified files are under .github/, a protected path requiring human approval. This PR has no linked issue justifying the change to governance/infrastructure files. While the change itself is a safe, automated dependency version comment update (both v6.0.2 and v7.0.0 tags resolve to the same commit SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f, verified against the upstream codecov/codecov-action repository), human review is required for all protected-path modifications.
    Remediation: A human maintainer should review and approve this PR. No code changes are needed — the version comment update is accurate.

Previous run (3)

Review

Findings

High

  • [version-pinning-consistency] .github/workflows/codecov.yml:21 — The SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged while the trailing comment is updated from v6.0.2 to v7.0.0. GitHub Actions resolves the action by the SHA, not the comment, so the action will still run whatever version that SHA points to (v6.0.2). The comment will be misleading, undermining the auditability of pinned dependencies and preventing the intended upgrade from actually taking effect.
    Remediation: Update the SHA to the actual commit corresponding to the codecov/codecov-action v7.0.0 release tag. Obtain it with: git ls-remote https://github.com/codecov/codecov-action.git v7.0.0.

  • [version-pinning-consistency] .github/workflows/pr.yml:98 — Same issue: the SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged while the comment is updated from v6.0.2 to v7.0.0. The action will not actually be upgraded to v7.
    Remediation: Update the SHA to the actual commit corresponding to the codecov/codecov-action v7.0.0 release tag.

  • [protected-path] .github/workflows/codecov.yml, .github/workflows/pr.yml — Both modified files are under .github/, a protected path that requires human approval. The PR has no linked issue providing authorization for modifying governance/infrastructure files. Human approval is required regardless of context for protected-path changes.

Previous run (4)

Review

Findings

High

  • [version-comment-mismatch] .github/workflows/codecov.yml:21, .github/workflows/pr.yml:98 — The version comment is updated from # v6.0.2 to # v7.0.0, but the commit SHA pin (fb8b3582c8e4def4969c97caa2f19720cb33a72f) is identical in both old and new lines. GitHub Actions resolves the pinned SHA, not the comment, so the runtime behavior of these workflows is unchanged by this PR. Either (a) the SHA needs to be updated to the actual v7.0.0 release commit to accomplish the stated upgrade, or (b) if the SHA already corresponds to v7.0.0 and the old v6.0.2 comment was wrong, the PR is a harmless comment correction — but this should be verified against the upstream codecov/codecov-action repository.
    Remediation: Verify which version SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f corresponds to in codecov/codecov-action. If it is v6.0.2, update the SHA to the correct v7.0.0 commit hash. If it is already v7.0.0, the change is a valid comment correction.

  • [protected-path] .github/workflows/codecov.yml, .github/workflows/pr.yml — Both modified files are under .github/, which is a protected path requiring human approval. This PR has no linked issue providing justification for modifying governance/infrastructure files. Human review is required regardless of the review outcome.

Previous run (5)

Review

Findings

High

  • [version-hash-mismatch] .github/workflows/codecov.yml:21 — The PR changes only the version comment from v6.0.2 to v7.0.0 but leaves the pinned SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f unchanged. Since the SHA is authoritative, the action still runs v6.0.2 code. The comment is now misleading, and the intended upgrade did not actually occur. This likely indicates a Renovate bot misconfiguration that failed to update the hash.
    Remediation: Update the SHA to the actual commit hash for the codecov/codecov-action v7.0.0 release tag, or revert the comment to v6.0.2.

  • [version-hash-mismatch] .github/workflows/pr.yml:98 — Same issue: the version comment was changed from v6.0.2 to v7.0.0 but the pinned SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged. The action still runs v6.0.2 code.
    Remediation: Update the SHA to the actual commit hash for the codecov/codecov-action v7.0.0 release tag, or revert the comment to v6.0.2.

  • [protected-path] .github/workflows/codecov.yml, .github/workflows/pr.yml — Both modified files are under the .github/ protected path. This PR has no linked issue providing justification for modifying governance/infrastructure files. Human approval is always required for protected-path changes.

Medium

  • [scope-integrity] The PR title and body claim an update from v6.0.2 to v7.0.0, but the diff only modifies version comments without changing the pinned SHA. This indicates the Renovate bot automation may be misconfigured for hash-pinned GitHub Actions.
    Remediation: Investigate the Renovate bot configuration to ensure it updates both the SHA and the version comment when bumping pinned GitHub Actions.

Previous run (6)

Review

Findings

High

  • [logic-error] .github/workflows/codecov.yml:21 — The commit hash fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged between the old and new versions while the version comment was updated from # v6.0.2 to # v7.0.0. GitHub Actions resolves the action by the pinned commit hash, not the comment. If this hash does not correspond to the v7.0.0 tag, the workflow will still execute the v6.0.2 code despite the comment claiming v7.0.0.
    Remediation: Verify the commit SHA for the v7.0.0 tag of codecov/codecov-action. If it differs from fb8b3582c8e4def4969c97caa2f19720cb33a72f, update the uses: line to the correct hash.

  • [logic-error] .github/workflows/pr.yml:98 — Same issue: the commit hash is unchanged while the version comment was updated from # v6.0.2 to # v7.0.0. The PR does not actually change which version of codecov-action is executed unless this SHA genuinely corresponds to the v7.0.0 tag.
    Remediation: Verify the commit SHA for the v7.0.0 tag of codecov/codecov-action. If it differs, update the hash accordingly.

Medium

  • [protected-path] .github/workflows/codecov.yml, .github/workflows/pr.yml — Both modified files are under the .github/ protected path. The PR is a bot-generated dependency update with a clear description explaining the change. Human approval is always required for protected-path changes, regardless of context.

Previous run (7)

Review

Findings

High

  • [version-hash-mismatch] .github/workflows/codecov.yml:21 — The commit hash fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged between the old and new lines. Only the trailing comment was updated from # v6.0.2 to # v7.0.0. The action is not actually upgraded to v7 — the workflow will continue running the v6.0.2 version of the action, while the comment will be misleading.
    Remediation: Update the commit hash to the actual commit corresponding to codecov/codecov-action v7.0.0.

  • [version-hash-mismatch] .github/workflows/pr.yml:98 — Same issue: the commit hash fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged while the comment was updated from # v6.0.2 to # v7.0.0. The action is not actually being upgraded.
    Remediation: Update the commit hash to the actual commit corresponding to codecov/codecov-action v7.0.0.

  • [protected-path] .github/workflows/codecov.yml, .github/workflows/pr.yml — These files are under the .github/ protected path. The PR has no linked issue and does not explain why governance/infrastructure files are being modified. Human approval is required for changes to protected paths.
    Remediation: Ensure a human reviewer approves these workflow changes.

Previous run (8)

Review

Findings

High

  • [protected-path] .github/workflows/codecov.yml, .github/workflows/pr.yml — Both modified files are under .github/, a protected path requiring human approval. This PR has no linked issue and no justification for modifying governance/infrastructure files beyond the automated bot description. Human review and approval is required for all protected-path changes.

Medium

  • [version-comment-mismatch] .github/workflows/codecov.yml:21 — The version comment is updated from v6.0.2 to v7.0.0, but the pinned commit hash fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged. GitHub Actions resolves the action by the SHA, not the comment, so this will still run v6.0.2. The misleading comment may cause maintainers to believe they are running v7.0.0 and skip a future real upgrade.
    Remediation: Update the commit hash to the actual commit corresponding to codecov/codecov-action@v7.0.0, or revert the comment to v6.0.2 if no upgrade is intended.

  • [version-comment-mismatch] .github/workflows/pr.yml:98 — Same issue: the version comment is updated to v7.0.0 but the pinned SHA remains fb8b3582c8e4def4969c97caa2f19720cb33a72f (v6.0.2). No actual upgrade occurs.
    Remediation: Update the commit hash to the actual v7.0.0 commit, or revert the comment to v6.0.2.


Labels: PR modifies GitHub Actions workflow files for dependency management

Previous run (9)

Review

Findings

High

  • [logic-error] .github/workflows/codecov.yml:21, .github/workflows/pr.yml:98 — The commit SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged while the version comment is updated from v6.0.2 to v7.0.0. GitHub Actions resolves the action by the pinned SHA, not the comment. Since a single SHA cannot point to two different release tags, the comment is now incorrect and no actual upgrade to v7.0.0 occurs. The PR title and body claim a major version upgrade, but the executed code remains at the old version.
    Remediation: Update the SHA to the commit corresponding to the codecov/codecov-action v7.0.0 release tag, or revert the comment to v6.0.2 if no upgrade is intended. Apply the fix in both codecov.yml and pr.yml.

  • [protected-path] .github/workflows/codecov.yml, .github/workflows/pr.yml — Both modified files are under .github/, a protected path requiring human approval. The PR has no linked issue justifying modifications to governance/infrastructure files. Human review is required for all protected-path changes.

Previous run (10)

Review

Findings

High

  • [api-contract] .github/workflows/codecov.yml:21 — The commit hash fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged while the version comment changes from v6.0.2 to v7.0.0. GitHub Actions resolves the action from the pinned SHA, not the comment. The workflow will continue running v6.0.2 code while the comment falsely claims v7.0.0. A future reviewer may skip a real v7 upgrade believing it was already done. Since this is a major version bump, there may also be breaking changes in v7 that have not been evaluated.
    Remediation: Update the SHA to the actual commit hash for codecov/codecov-action v7.0.0, or revert the comment to v6.0.2 if the upgrade is not intended.

  • [api-contract] .github/workflows/pr.yml:98 — Same issue: the commit hash fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged while the version comment changes from v6.0.2 to v7.0.0. The actual action executed will remain v6.0.2.
    Remediation: Update the SHA to the actual commit hash for codecov/codecov-action v7.0.0, or revert the comment to v6.0.2.

  • [protected-path] .github/workflows/codecov.yml, .github/workflows/pr.yml — Both modified files are under the .github/ protected path. The PR has no linked issue providing justification for modifying governance/infrastructure files. Human approval is required for protected-path changes.
    Remediation: Ensure a maintainer reviews and approves the CI workflow changes.

Low

  • [missing-authorization] No linked issue for this dependency update. For a major version bump (v6→v7) with potential breaking changes, an issue reference would provide better traceability.

Info

  • [architectural-alignment] The repository uses pinned SHA digests with version comments for GitHub Actions — a security best practice. This PR demonstrates the risk of version comments and SHAs diverging when automated tooling updates only the comment.

Previous run (11)

Review

Findings

High

  • [version-comment-mismatch] .github/workflows/codecov.yml:21 — The version comment is updated from v6.0.2 to v7.0.0, but the pinned SHA (fb8b3582c8e4def4969c97caa2f19720cb33a72f) is unchanged. GitHub Actions resolves by SHA, not comment, so no actual upgrade occurs. The comment is now misleading and could mask the fact that the intended v7 upgrade never happened.
    Remediation: Update the commit hash to the actual commit corresponding to codecov/codecov-action v7.0.0, or revert the comment back to v6.0.2 to match the pinned SHA.

  • [version-comment-mismatch] .github/workflows/pr.yml:98 — The version comment is updated from v6.0.2 to v7.0.0, but the pinned SHA (fb8b3582c8e4def4969c97caa2f19720cb33a72f) is unchanged. GitHub Actions resolves by SHA, not comment, so no actual upgrade occurs. The comment is misleading.
    Remediation: Update the commit hash to the actual commit corresponding to codecov/codecov-action v7.0.0, or revert the comment back to v6.0.2 to match the pinned SHA.

  • [protected-path] .github/workflows/codecov.yml, .github/workflows/pr.yml — Both modified files are under .github/, a protected path requiring human approval. The PR has no linked issue justifying modification of governance/infrastructure files.

Previous run (12)

Review

Findings

High

  • [scope-version-mismatch] .github/workflows/codecov.yml:21 — The PR claims to update codecov/codecov-action from v6.0.2 to v7.0.0, but the commit SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f is identical in both the old and new versions. Only the trailing comment text changed. This means either: (a) the SHA does not actually correspond to v7.0.0 and the comment is now misleading, or (b) the SHA was already correct for v7.0.0 and the old v6.0.2 comment was wrong. The same issue applies to .github/workflows/pr.yml line 98.
    Remediation: Verify the correct commit SHA for codecov/codecov-action v7.0.0 from https://github.com/codecov/codecov-action/releases/tag/v7.0.0. If the SHA differs, update both files to pin to the correct v7.0.0 SHA. If the SHA is already correct for v7.0.0, this PR is a legitimate comment-only fix and can proceed.

  • [protected-path] .github/workflows/codecov.yml — This PR modifies files under the protected path .github/: .github/workflows/codecov.yml and .github/workflows/pr.yml. The PR has no linked issue justifying changes to governance/infrastructure files. Human approval is required for all protected-path changes.
    Remediation: Ensure a maintainer reviews and approves the changes to .github/ workflow files.

Low

  • [major-version-bump] .github/workflows/codecov.yml — This update represents a major version bump from v6 to v7 of codecov-action, which may include breaking changes. Once the SHA mismatch is resolved, verify compatibility with the current configuration (token, flags parameters).

Info

  • [authorization-inferred] .github/workflows/codecov.yml — No linked issue for this dependency update. Authorization is inferred from the automated nature of the change (Renovate bot) and the presence of Renovate configuration.

Previous run (13)

Review

Findings

High

  • [version-comment-accuracy] .github/workflows/codecov.yml:21 — The version comment was changed from # v6.0.2 to # v7.0.0 but the pinned commit SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f was not updated. The PR claims to be a dependency upgrade (codecov/codecov-action v6.0.2 → v7.0.0) but no actual code change occurs — the action will continue running the same v6.0.2 code. Either the SHA must be updated to the real v7.0.0 release commit, or the comment should remain at v6.0.2.
    Remediation: Update the commit SHA to the actual v7.0.0 release SHA of codecov/codecov-action. Verify by checking the v7.0.0 release for the correct commit hash.

  • [version-comment-accuracy] .github/workflows/pr.yml:98 — Same issue: the pinned commit SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f was not updated while the version comment changed from # v6.0.2 to # v7.0.0. No actual dependency update occurs.
    Remediation: Update the commit SHA to the actual v7.0.0 release SHA of codecov/codecov-action.

  • [protected-path] .github/workflows/codecov.yml, .github/workflows/pr.yml — Both modified files are under .github/, a protected path requiring human approval. The PR has no linked issue explaining why these governance files are being changed. Human review is required for all protected-path changes.

Previous run (14)

Review

Findings

High

  • [version-pinning-consistency] .github/workflows/codecov.yml:21 — The version comment is updated from v6.0.2 to v7.0.0 but the pinned commit SHA (fb8b3582c8e4def4969c97caa2f19720cb33a72f) is unchanged. GitHub Actions resolves by SHA, so the workflow will still run v6.0.2. The upgrade has not taken effect.
    Remediation: Update the SHA to the commit that the codecov/codecov-action v7.0.0 tag points to, or revert the comment to v6.0.2 if the old version is intended.

  • [version-pinning-consistency] .github/workflows/pr.yml:98 — The version comment is updated from v6.0.2 to v7.0.0 but the pinned commit SHA (fb8b3582c8e4def4969c97caa2f19720cb33a72f) is unchanged. GitHub Actions resolves by SHA, so the workflow will still run v6.0.2. The upgrade has not taken effect.
    Remediation: Update the SHA to the commit that the codecov/codecov-action v7.0.0 tag points to, or revert the comment to v6.0.2 if the old version is intended.

  • [protected-path] .github/workflows/codecov.yml, .github/workflows/pr.yml — Both modified files are under .github/, a protected path. The PR has no linked issue providing justification for modifying governance/infrastructure files. Human approval is required for protected-path changes.

Previous run (15)

Review

Findings

High

  • [protected-path] .github/workflows/codecov.yml, .github/workflows/pr.yml — Both modified files are under .github/, a protected path requiring human approval. This PR has no linked issue providing authorization for the change. While the PR description (automated Renovate dependency update) makes the intent clear, protected-path changes require a linked issue or explicit justification for governance tracking. Human reviewers should verify this dependency update is desired before merging.
    Remediation: Link an authorizing issue or have a maintainer explicitly approve the protected-path change.

Info

  • [workflow-permission] .github/workflows/codecov.yml:1 — This workflow has no top-level or job-level permissions block. It runs on push to main and receives default GITHUB_TOKEN permissions. Pre-existing condition unrelated to the current diff.

  • [workflow-permission] .github/workflows/pr.yml:1 — This workflow has no top-level or job-level permissions block. It runs on pull_request and merge_group events. Pre-existing condition unrelated to the current diff.

Note: Multiple sub-agent findings about a SHA/version-comment mismatch were investigated and determined to be false positives. The challenger sub-agent verified via the GitHub API that both v6.0.2 and v7.0.0 tags of codecov/codecov-action dereference to the same commit (fb8b3582c8e4def4969c97caa2f19720cb33a72f). The upstream maintainers tagged the same commit with both versions. The PR correctly updates only the version comment.

Previous run (16)

Review

Findings

High

  • [logic-error] .github/workflows/codecov.yml:21, .github/workflows/pr.yml:98 — The commit hash fb8b3582c8e4def4969c97caa2f19720cb33a72f is identical before and after the change in both files. Only the trailing version comment changed from # v6.0.2 to # v7.0.0. The workflow will continue executing the exact same action code — the action has not been updated to v7.0.0. The version comment is now misleading.
    Remediation: Update the commit hash to the actual v7.0.0 release commit of codecov/codecov-action. The current hash does not correspond to v7.0.0.

Medium

  • [protected-path] .github/workflows/codecov.yml, .github/workflows/pr.yml — Both modified files are under the .github/ protected path. The Renovate bot description provides context for the dependency update, but human approval is always required for protected-path changes regardless of context.

Previous run (17)

Review

Findings

High

  • [logic-error] .github/workflows/codecov.yml:21 — The commit hash fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged between the old and new version. Only the trailing version comment is updated from v6.0.2 to v7.0.0. GitHub Actions resolves the action version from the pinned commit hash, not the comment, so the action will continue to run v6.0.2. The PR claims to update to v7 but performs no functional change.
    Remediation: Update the commit hash to the actual commit SHA that corresponds to codecov/codecov-action v7.0.0. Verify the correct tag SHA from the codecov/codecov-action repository.

  • [logic-error] .github/workflows/pr.yml:98 — Same SHA/comment mismatch: the pinned hash fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged while the comment changed from v6.0.2 to v7.0.0. No functional upgrade occurs.
    Remediation: Update the commit hash to the actual commit SHA for codecov/codecov-action v7.0.0.

  • [protected-path] .github/workflows/codecov.yml, .github/workflows/pr.yml — Both modified files are under .github/, a protected path. The PR has no linked issue and the Renovate bot description does not provide justification for modifying governance/infrastructure files. Human approval is required for all protected-path changes.
    Remediation: Ensure a human reviewer explicitly approves this change.
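
The check that the review runs above keep asking for, as an added example that is not part of this PR or of any bot's tooling: a Python script that reads SHA-pinned `uses:` lines with their trailing version comments and compares each comment against the commit the tag resolves to in `git ls-remote --tags` output, peeling annotated tags (`^{}`) so a tag object id is not mistaken for a commit. The ls-remote text and workflow below are constructed sample data, not captured upstream output; `example-org/example-action` and the tag `v0.0.0-example` are hypothetical.

```python
import re

# Matches a SHA-pinned step with a trailing version comment, e.g.
#   uses: owner/repo@<40 hex chars> # v1.2.3
USES_RE = re.compile(
    r"uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)"
    r"@(?P<sha>[0-9a-f]{40})\s*#\s*(?P<tag>\S+)"
)


def parse_ls_remote(text):
    """Map tag name -> commit SHA from `git ls-remote --tags` output.

    An annotated tag appears twice: refs/tags/X is the tag object and
    refs/tags/X^{} is the commit it dereferences to. The peeled entry
    wins, because the workflow pins a commit, not a tag object.
    """
    direct, peeled = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].startswith("refs/tags/"):
            continue
        sha, ref = parts
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            peeled[name[:-3]] = sha
        else:
            direct[name] = sha
    return {**direct, **peeled}


def check_pins(workflow_text, tags_by_repo):
    """Compare each pinned SHA with the commit its version comment names."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.search(line)
        if m is None:
            continue
        # Actions in a subdirectory (owner/repo/path) share the repo's tags.
        repo = "/".join(m["action"].split("/")[:2])
        sha, tag = m["sha"], m["tag"]
        tags = tags_by_repo.get(repo)
        if tags is None:
            status = "unverified"      # no tag data supplied for this repo
        elif tag not in tags:
            status = "unknown-tag"     # comment names a tag that is not listed
        elif tags[tag] == sha:
            status = "match"
        else:
            status = "mismatch"
        findings.append({
            "line": lineno,
            "action": m["action"],
            "tag": tag,
            "status": status,
            # Every tag that resolves to the pinned commit; more than one
            # entry means a comment-only bump can still be accurate.
            "tags_at_sha": sorted(t for t, s in (tags or {}).items() if s == sha),
        })
    return findings


# --- constructed sample data ------------------------------------------------
PINNED = "fb8b3582c8e4def4969c97caa2f19720cb33a72f"  # SHA quoted on this page
SAMPLE_LS_REMOTE = "\n".join([
    "a" * 40 + "\trefs/tags/v6.0.2",          # constructed tag object id
    PINNED + "\trefs/tags/v6.0.2^{}",
    "b" * 40 + "\trefs/tags/v7.0.0",          # constructed tag object id
    PINNED + "\trefs/tags/v7.0.0^{}",
    "c" * 40 + "\trefs/tags/v0.0.0-example",  # hypothetical tag
])
SAMPLE_WORKFLOW = "\n".join([
    "steps:",
    "  - uses: codecov/codecov-action@" + PINNED + " # v7.0.0",
    "  - uses: codecov/codecov-action@" + PINNED + " # v0.0.0-example",
    "  - uses: example-org/example-action@" + "d" * 40 + " # v1.0.0",
])

if __name__ == "__main__":
    tags = parse_ls_remote(SAMPLE_LS_REMOTE)
    for f in check_pins(SAMPLE_WORKFLOW, {"codecov/codecov-action": tags}):
        print(f["line"], f["action"], f["tag"], f["status"], f["tags_at_sha"])
```

Run against real data, `tags_by_repo` would be filled from `git ls-remote --tags <repo-url>` for each action repository, which makes the question the runs disagree on a lookup rather than an inference from the diff.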

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/codecov-codecov-action-7.x branch from 826b991 to 81df335 Compare June 17, 2026 22:06

fullsend-ai-review Bot commented Jun 17, 2026

🤖 Finished Review · ✅ Success · Started 10:07 PM UTC · Completed 10:26 PM UTC
Commit: 218f229 · View workflow run →

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/codecov-codecov-action-7.x branch from 81df335 to 0fea6c9 Compare June 18, 2026 10:43

fullsend-ai-review Bot commented Jun 18, 2026

🤖 Finished Review · ✅ Success · Started 10:44 AM UTC · Completed 10:51 AM UTC
Commit: 218f229 · View workflow run →

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/codecov-codecov-action-7.x branch 2 times, most recently from 1fe3f4e to 6f474e9 Compare June 18, 2026 19:33

fullsend-ai-review Bot commented Jun 18, 2026

🤖 Finished Review · ✅ Success · Started 7:36 PM UTC · Completed 7:42 PM UTC
Commit: 218f229 · View workflow run →

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/codecov-codecov-action-7.x branch from 6f474e9 to cd0419d Compare June 22, 2026 10:31

fullsend-ai-review Bot commented Jun 22, 2026

🤖 Finished Review · ✅ Success · Started 10:33 AM UTC · Completed 10:39 AM UTC
Commit: 218f229 · View workflow run →

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/codecov-codecov-action-7.x branch from cd0419d to 0a77fd7 Compare June 22, 2026 14:42

fullsend-ai-review Bot commented Jun 22, 2026

🤖 Finished Review · ✅ Success · Started 2:45 PM UTC · Completed 2:52 PM UTC
Commit: 7acff03 · View workflow run →

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/codecov-codecov-action-7.x branch from 0a77fd7 to 089d8fb Compare June 22, 2026 20:05

fullsend-ai-review Bot commented Jun 22, 2026

🤖 Finished Review · ✅ Success · Started 8:07 PM UTC · Completed 8:13 PM UTC
Commit: 0d0162a · View workflow run →

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/codecov-codecov-action-7.x branch from 089d8fb to 17106ab Compare June 23, 2026 13:14

fullsend-ai-review Bot commented Jun 23, 2026

🤖 Finished Review · ✅ Success · Started 1:16 PM UTC · Completed 1:23 PM UTC
Commit: ec21706 · View workflow run →

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/codecov-codecov-action-7.x branch from 17106ab to 63e5c44 Compare June 23, 2026 20:56

fullsend-ai-review Bot commented Jun 23, 2026

🤖 Finished Review · ✅ Success · Started 8:58 PM UTC · Completed 9:04 PM UTC
Commit: ec21706 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot added the github_actions (Pull requests that update GitHub Actions code) and dependencies (Pull requests that update a dependency file) labels Jun 24, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/codecov-codecov-action-7.x branch from 5bdcab1 to 75a9e34 Compare June 26, 2026 13:57

fullsend-ai-review Bot commented Jun 26, 2026

🤖 Finished Review · ✅ Success · Started 2:00 PM UTC · Completed 2:08 PM UTC
Commit: ec21706 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/codecov-codecov-action-7.x branch from 75a9e34 to 783dfd6 Compare June 26, 2026 17:44
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 26, 2026

🤖 Finished Review · ✅ Success · Started 5:46 PM UTC · Completed 5:53 PM UTC
Commit: ec21706 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/codecov-codecov-action-7.x branch from 783dfd6 to dff0c1e Compare June 29, 2026 11:22
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 29, 2026

🤖 Finished Review · ✅ Success · Started 11:25 AM UTC · Completed 11:38 AM UTC
Commit: ec21706 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/codecov-codecov-action-7.x branch from dff0c1e to 2c2d857 Compare June 29, 2026 15:31
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 29, 2026

🤖 Finished Review · ✅ Success · Started 3:34 PM UTC · Completed 3:41 PM UTC
Commit: ec21706 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/codecov-codecov-action-7.x branch from 2c2d857 to 00a13e6 Compare June 30, 2026 10:43
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 30, 2026

🤖 Finished Review · ✅ Success · Started 10:45 AM UTC · Completed 10:53 AM UTC
Commit: ec21706 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/codecov-codecov-action-7.x branch from 00a13e6 to 42d1f80 Compare June 30, 2026 16:35
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 30, 2026

🤖 Finished Review · ❌ Failure · Started 4:38 PM UTC · Completed 4:44 PM UTC
Commit: ec21706 · View workflow run →

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/codecov-codecov-action-7.x branch from 42d1f80 to 06fa7f4 Compare July 1, 2026 14:25
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 1, 2026

🤖 Finished Review · ✅ Success · Started 2:28 PM UTC · Completed 2:36 PM UTC
Commit: ec21706 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/codecov-codecov-action-7.x branch from 06fa7f4 to 2e92329 Compare July 2, 2026 01:32
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 2, 2026

🤖 Finished Review · ✅ Success · Started 1:35 AM UTC · Completed 1:43 AM UTC
Commit: ec21706 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main/codecov-codecov-action-7.x branch from 2e92329 to 1796d04 Compare July 2, 2026 14:37
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 2, 2026

🤖 Finished Review · ✅ Success · Started 2:40 PM UTC · Completed 2:47 PM UTC
Commit: ec21706 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot left a comment

See the review comment for full details.

run: make test
- name: Codecov
uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v6.0.2
uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
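
Review bot: on the `uses:` line of the Codecov step, the pinned SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f is identical on the old and new lines, and only the trailing comment moves from # v6.0.2 to # v7.0.0. The runner resolves the SHA, not the comment, so merging this leaves the workflow on the same commit it ran before, and one of the two labels must be wrong unless both tags point at that commit. Resolve the v7.0.0 tag to its commit (for example with git ls-remote against the action's repository, taking the peeled ^{} entry if the tag is annotated) and update the SHA and the comment together on this line.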

[medium] logic-error

The PR changes only the version comment from # v6.0.2 to # v7.0.0 while the pinned SHA (fb8b3582c8e4def4969c97caa2f19720cb33a72f) remains unchanged. If this SHA does not correspond to the v7.0.0 tag of codecov/codecov-action, the comment will be misleading and the intended version upgrade will not take effect.

Suggested fix: Verify that the SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f corresponds to codecov/codecov-action v7.0.0. If it does not, update the SHA to the correct commit hash for v7.0.0.

Comment thread .github/workflows/pr.yml
run: make test
- name: Upload coverage to Codecov
uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v6.0.2
uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
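
Review bot: the `uses:` line of the "Upload coverage to Codecov" step changes only its comment; the pinned SHA is unchanged, so this workflow still executes the commit that was previously labelled v6.0.2. With SHA pinning, the comment is the only human-readable record of which release is running, so a comment that disagrees with the pin undoes the audit value of pinning. Either replace the SHA with the commit the v7.0.0 tag resolves to, or leave the comment at the version the SHA actually belongs to.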

[medium] logic-error

Same issue as codecov.yml: the PR changes only the version comment from # v6.0.2 to # v7.0.0 while the pinned SHA (fb8b3582c8e4def4969c97caa2f19720cb33a72f) remains unchanged. If this SHA does not correspond to the v7.0.0 tag, the comment is misleading and the upgrade has not actually occurred.

Suggested fix: Verify that the SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f corresponds to codecov/codecov-action v7.0.0. If it does not, update the SHA to the correct commit hash for v7.0.0.
