2 changes: 1 addition & 1 deletion .github/workflows/codecov.yml
@@ -18,7 +18,7 @@ jobs:
- name: Run tests
run: make test
- name: Codecov
uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v6.0.2
uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0

[high] logic-error

The commit hash fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged between the old and new version. Only the trailing version comment is updated from v6.0.2 to v7.0.0. GitHub Actions resolves the action version from the pinned commit hash, not the comment, so the action will continue to run v6.0.2. The PR claims to update to v7 but performs no functional change.

Suggested fix: Update the commit hash to the actual commit SHA that corresponds to codecov/codecov-action v7.0.0. Verify the correct tag SHA from the codecov/codecov-action repository.

[high] logic-error

The commit hash fb8b3582c8e4def4969c97caa2f19720cb33a72f is identical before and after the change in both workflow files. Only the trailing version comment changed from # v6.0.2 to # v7.0.0. The workflow will continue executing the exact same action code — the action has NOT been updated to v7.0.0. The version comment is now misleading.

Suggested fix: Update the commit hash to the actual v7.0.0 release commit of codecov/codecov-action. The current hash does not correspond to v7.0.0.

[high] version-pinning-consistency

The version comment is updated from v6.0.2 to v7.0.0 but the pinned commit SHA (fb8b3582c8e4def4969c97caa2f19720cb33a72f) is unchanged. GitHub Actions resolves by SHA, so the workflow will still run v6.0.2. The upgrade has not taken effect.

Suggested fix: Update the SHA to the commit that the codecov/codecov-action v7.0.0 tag points to, or revert the comment to v6.0.2 if the old version is intended.

[high] version-comment-accuracy

The version comment was changed from # v6.0.2 to # v7.0.0 but the pinned commit SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f was not updated. The PR claims to be a dependency upgrade but no actual code change occurs -- the action continues running v6.0.2 code.

Suggested fix: Update the commit SHA to the actual v7.0.0 release SHA of codecov/codecov-action.

[high] scope-version-mismatch

The PR claims to update codecov/codecov-action from v6.0.2 to v7.0.0, but the commit SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f is identical in both the old and new versions. Only the trailing comment text changed. This means either: (a) the SHA does not actually correspond to v7.0.0 and the comment is now misleading, or (b) the SHA was already correct for v7.0.0 and the old v6.0.2 comment was wrong. The same issue applies to .github/workflows/pr.yml line 98.

Suggested fix: Verify the correct commit SHA for codecov/codecov-action v7.0.0 from https://github.com/codecov/codecov-action/releases/tag/v7.0.0. If the SHA differs, update both files to pin to the correct v7.0.0 SHA. If the SHA is already correct for v7.0.0, this PR is a legitimate comment-only fix and can proceed.

[high] version-comment-mismatch

The version comment is updated from v6.0.2 to v7.0.0, but the pinned SHA (fb8b3582c8e4def4969c97caa2f19720cb33a72f) is unchanged. GitHub Actions resolves by SHA, not comment, so no actual upgrade occurs. The comment is misleading and could mask the fact that the intended v7 upgrade never happened.

Suggested fix: Update the commit hash to the actual commit corresponding to codecov/codecov-action v7.0.0, or revert the comment back to v6.0.2 to match the pinned SHA.

[high] api-contract

The commit hash fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged while the version comment changes from v6.0.2 to v7.0.0. GitHub Actions resolves the action from the pinned SHA, not the comment. The workflow will continue running v6.0.2 code while the comment falsely claims v7.0.0.

Suggested fix: Update the SHA to the actual commit hash for codecov/codecov-action v7.0.0, or revert the comment to v6.0.2 if the upgrade is not intended.

[high] logic-error

The commit SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged while the version comment is updated from v6.0.2 to v7.0.0. GitHub Actions resolves the action by the pinned SHA, not the comment. Since a single SHA cannot point to two different release tags, the comment is now incorrect and no actual upgrade to v7.0.0 occurs. The same issue applies to .github/workflows/pr.yml line 98.

Suggested fix: Update the SHA to the commit corresponding to the codecov/codecov-action v7.0.0 release tag, or revert the comment to v6.0.2 if no upgrade is intended. Apply the fix in both codecov.yml and pr.yml.

[medium] version-comment-mismatch

The version comment is updated from v6.0.2 to v7.0.0, but the pinned commit hash fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged. GitHub Actions resolves the action by the SHA, not the comment, so this will still run v6.0.2. The misleading comment may cause maintainers to believe they are running v7.0.0 and skip a future real upgrade.

Suggested fix: Update the commit hash to the actual commit corresponding to codecov/codecov-action v7.0.0, or revert the comment to v6.0.2 if no upgrade is intended.

[high] version-hash-mismatch

The commit hash fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged between the old and new lines. Only the trailing comment was updated from v6.0.2 to v7.0.0. The action is not actually upgraded to v7 — the workflow will continue running the v6.0.2 version, while the comment will be misleading.

Suggested fix: Update the commit hash to the actual commit corresponding to codecov/codecov-action v7.0.0.

[high] logic-error

The commit hash fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged between the old and new versions while the version comment was updated from v6.0.2 to v7.0.0. GitHub Actions resolves the action by the pinned commit hash, not the comment. If this hash does not correspond to the v7.0.0 tag, the workflow will still execute the v6.0.2 code despite the comment claiming v7.0.0.

Suggested fix: Verify the commit SHA for the v7.0.0 tag of codecov/codecov-action. If it differs from fb8b3582c8e4def4969c97caa2f19720cb33a72f, update the uses: line to the correct hash.

[high] version-hash-mismatch

The PR changes only the version comment from v6.0.2 to v7.0.0 but leaves the pinned SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f unchanged. Since the SHA is authoritative, the action still runs v6.0.2 code. The comment is now misleading, and the intended upgrade did not actually occur.

Suggested fix: Update the SHA to the actual commit hash for the codecov/codecov-action v7.0.0 release tag, or revert the comment to v6.0.2.

[high] version-comment-mismatch

The version comment is updated from v6.0.2 to v7.0.0, but the commit SHA pin (fb8b3582c8e4def4969c97caa2f19720cb33a72f) is identical in both old and new lines. GitHub Actions resolves the pinned SHA, not the comment, so the runtime behavior is unchanged. The same issue applies to .github/workflows/pr.yml line 98.

Suggested fix: Verify which version SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f corresponds to in codecov/codecov-action. If it is v6.0.2, update the SHA to the correct v7.0.0 commit hash. If it is already v7.0.0, the change is a valid comment correction.

[high] version-pinning-consistency

The SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged while the trailing comment is updated from v6.0.2 to v7.0.0. GitHub Actions resolves the action by the SHA, not the comment, so the action will still run v6.0.2 code. The comment will be misleading, undermining the auditability of pinned dependencies.

Suggested fix: Update the SHA to the actual commit corresponding to the codecov/codecov-action v7.0.0 release tag. Obtain it with: git ls-remote https://github.com/codecov/codecov-action.git v7.0.0
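The review comments in this thread all ask the same thing of a reviewer: confirm that the 40-character SHA on a `uses:` line is the commit the tag in the trailing comment points to, and the comment above shows `git ls-remote` as the way to look the tag up. The script below automates that check for every pinned `uses:` line in a workflow file. It is an added example written for this page, not code from this PR or from codecov/codecov-action; the repository name `example-org/coverage-action`, the workflow fixture and every SHA in it are constructed placeholders, and the `git ls-remote --tags` listing it reads is likewise constructed in the same format that command prints.

```shell
#!/bin/sh
# Added example, not code from this PR or from codecov/codecov-action.
# Cross-checks the SHA pinned on each `uses: owner/repo@<sha> # <tag>` line of a
# workflow against the commit that <tag> resolves to in a `git ls-remote --tags`
# listing of that repository. All repository names and SHAs below are constructed.

# resolve_tag <ls-remote-listing> <tag>
# Prints the commit SHA for <tag>. ls-remote lists an annotated tag twice: the tag
# object as refs/tags/<tag> and the commit it points at as refs/tags/<tag>^{}.
# The peeled ^{} line is the commit a pin must match, so it takes precedence.
resolve_tag() {
  awk -v tag="$2" '
    $2 == ("refs/tags/" tag "^{}") { peeled = $1 }
    $2 == ("refs/tags/" tag)       { plain = $1 }
    END { if (peeled != "") print peeled; else if (plain != "") print plain }
  ' "$1"
}

# check_action_pins <workflow.yml> <owner/repo> <ls-remote-listing>
# One line per pin of <owner/repo>: OK, MISMATCH (SHA is not the tag's commit) or
# UNKNOWN (tag absent from the listing). Returns 1 if any MISMATCH was found.
check_action_pins() {
  workflow=$1 want=$2 listing=$3
  status=0
  # Reduce each pinned uses: line to "owner/repo sha tag"; lines without a
  # 40-hex SHA or without a trailing comment do not match and are skipped.
  pins=$(sed -nE \
    's/^[[:space:]-]*uses:[[:space:]]*([^@[:space:]]+)@([0-9a-f]{40})[[:space:]]*#[[:space:]]*([^[:space:]]+).*/\1 \2 \3/p' \
    "$workflow")
  # A here-document keeps the loop in this shell so `status` survives it.
  while read -r repo sha tag; do
    [ "$repo" = "$want" ] || continue
    tagsha=$(resolve_tag "$listing" "$tag")
    if [ -z "$tagsha" ]; then
      echo "UNKNOWN  $repo@$sha # $tag (tag not in listing)"
    elif [ "$tagsha" = "$sha" ]; then
      echo "OK       $repo@$sha # $tag"
    else
      echo "MISMATCH $repo@$sha # $tag resolves to $tagsha"
      status=1
    fi
  done <<EOF
$pins
EOF
  return $status
}

# write_samples <dir>: constructed fixtures that reproduce the shape of this PR.
# The first coverage-action pin's comment says v7.0.0 while its SHA is the one the
# listing assigns to v6.0.2; the second is a correct v7.0.0 pin; the third names a
# tag that does not exist. The checkout pin belongs to another repo and is skipped.
write_samples() {
  cat >"$1/workflow.yml" <<'EOF'
jobs:
  unit:
    steps:
      - name: Run tests
        run: make test
      - name: Checkout
        uses: example-org/checkout@cccccccccccccccccccccccccccccccccccccccc # v4.1.0
      - name: Upload coverage
        uses: example-org/coverage-action@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v7.0.0
        with:
          flags: unit-tests
  integration:
    steps:
      - name: Upload coverage
        uses: example-org/coverage-action@bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb # v7.0.0
      - name: Upload coverage (pre-release)
        uses: example-org/coverage-action@eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee # v8.0.0
EOF
  # Constructed `git ls-remote --tags` output for example-org/coverage-action:
  # v6.0.2 is a lightweight tag, v7.0.0 an annotated one (tag object dddd..., commit bbbb...).
  printf '%s\trefs/tags/%s\n' \
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa v6.0.2 \
    dddddddddddddddddddddddddddddddddddddddd v7.0.0 \
    bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb 'v7.0.0^{}' >"$1/tags.txt"
}

# demo: run the check on the fixtures; exit status is 1 because of the MISMATCH.
demo() {
  dir=$(mktemp -d)
  write_samples "$dir"
  check_action_pins "$dir/workflow.yml" example-org/coverage-action "$dir/tags.txt"
  rc=$?
  rm -rf "$dir"
  return $rc
}

# Real use:  git ls-remote --tags https://github.com/OWNER/REPO.git > tags.txt
#            ./check_pins.sh .github/workflows/codecov.yml OWNER/REPO tags.txt
if [ $# -eq 3 ]; then
  check_action_pins "$1" "$2" "$3"
elif [ "${1:-}" = "--demo" ]; then
  demo
fi
```

Run it with `--demo` to see the three outcomes on the fixtures, or pass a workflow, a repository name and a saved `git ls-remote --tags` listing to check real pins. Two details matter in practice: `resolve_tag` prefers the peeled `^{}` line, because an annotated tag's own object SHA never equals the commit a pin should carry and comparing against it would flag a correct pin as a mismatch; and the script only checks that the comment is honest about the pin, which is the property this PR's change affects, while the pin itself is what protects the workflow if a tag is later moved.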

[high] protected-path

Both modified files (.github/workflows/codecov.yml and .github/workflows/pr.yml) are under .github/, a protected path requiring human approval. This PR has no linked issue justifying changes to governance/infrastructure files. The change itself is safe — both v6.0.2 and v7.0.0 tags resolve to the same upstream commit SHA — but human review is always required for protected-path modifications.

Suggested fix: A human maintainer should review and approve this PR. No code changes are needed — the version comment update is accurate.

[high] dependency-pinning-consistency

Version comment updated from v6.0.2 to v7.0.0 but the pinned commit SHA (fb8b3582c8e4def4969c97caa2f19720cb33a72f) is unchanged. The workflow will still execute v6.0.2 code while the comment claims v7.0.0, breaking the SHA-to-version-comment correspondence that is the point of commit pinning.

Suggested fix: Update the SHA to the actual commit corresponding to the codecov/codecov-action v7.0.0 release tag.

[medium] logic-error

The PR changes only the version comment from # v6.0.2 to # v7.0.0 while the pinned SHA (fb8b3582c8e4def4969c97caa2f19720cb33a72f) remains unchanged. If this SHA does not correspond to the v7.0.0 tag of codecov/codecov-action, the comment will be misleading and the intended version upgrade will not take effect.

Suggested fix: Verify that the SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f corresponds to codecov/codecov-action v7.0.0. If it does not, update the SHA to the correct commit hash for v7.0.0.

with:
token: ${{ secrets.CODECOV_TOKEN }}
flags: unit-tests
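Review bot: the `uses:` line carries the same pinned SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f on the removed and the added line and changes only the trailing comment from `# v6.0.2` to `# v7.0.0`, so the runner fetches exactly the action code it fetched before this hunk. The comments in this thread disagree on whether that SHA is already the v7.0.0 commit, so the PR should settle it with `git ls-remote https://github.com/codecov/codecov-action.git v7.0.0` (as one comment suggests) and then either move the pin to the commit the v7.0.0 tag points at or leave the comment at v6.0.2, so that comment and pin agree; the PR description should state which case applies, since a SHA pin with a wrong comment beside it loses the audit value that pinning by SHA is meant to provide.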
2 changes: 1 addition & 1 deletion .github/workflows/pr.yml
@@ -95,7 +95,7 @@ jobs:
- name: Run Go Tests
run: make test
- name: Upload coverage to Codecov
uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v6.0.2
uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0

[high] logic-error

Same SHA/comment mismatch: the pinned hash fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged while the comment changed from v6.0.2 to v7.0.0. No functional upgrade occurs.

Suggested fix: Update the commit hash to the actual commit SHA for codecov/codecov-action v7.0.0.

[high] version-pinning-consistency

The version comment is updated from v6.0.2 to v7.0.0 but the pinned commit SHA (fb8b3582c8e4def4969c97caa2f19720cb33a72f) is unchanged. GitHub Actions resolves by SHA, so the workflow will still run v6.0.2. The upgrade has not taken effect.

Suggested fix: Update the SHA to the commit that the codecov/codecov-action v7.0.0 tag points to, or revert the comment to v6.0.2 if the old version is intended.

[high] version-comment-accuracy

Same issue: the pinned commit SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f was not updated while the version comment changed from # v6.0.2 to # v7.0.0. No actual dependency update occurs.

Suggested fix: Update the commit SHA to the actual v7.0.0 release SHA of codecov/codecov-action.

[high] version-comment-mismatch

The version comment is updated from v6.0.2 to v7.0.0, but the pinned SHA (fb8b3582c8e4def4969c97caa2f19720cb33a72f) is unchanged. GitHub Actions resolves by SHA, not comment, so no actual upgrade occurs. The comment is misleading.

Suggested fix: Update the commit hash to the actual commit corresponding to codecov/codecov-action v7.0.0, or revert the comment back to v6.0.2 to match the pinned SHA.

[high] api-contract

Same issue: the commit hash fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged while the version comment changes from v6.0.2 to v7.0.0. The actual action executed will remain v6.0.2.

Suggested fix: Update the SHA to the actual commit hash for codecov/codecov-action v7.0.0, or revert the comment to v6.0.2.

[medium] version-comment-mismatch

The version comment is updated from v6.0.2 to v7.0.0, but the pinned commit hash fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged. GitHub Actions resolves the action by the SHA, not the comment, so this will still run v6.0.2. No actual upgrade occurs.

Suggested fix: Update the commit hash to the actual commit corresponding to codecov/codecov-action v7.0.0, or revert the comment to v6.0.2 if no upgrade is intended.

[high] version-hash-mismatch

Same issue: the commit hash fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged while the comment was updated from v6.0.2 to v7.0.0. The action is not actually being upgraded.

Suggested fix: Update the commit hash to the actual commit corresponding to codecov/codecov-action v7.0.0.

[high] logic-error

Same issue: the commit hash fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged while the version comment was updated from v6.0.2 to v7.0.0. The PR does not actually change which version of codecov-action is executed unless this SHA genuinely corresponds to the v7.0.0 tag.

Suggested fix: Verify the commit SHA for the v7.0.0 tag of codecov/codecov-action. If it differs, update the hash accordingly.

[high] version-hash-mismatch

The PR changes only the version comment from v6.0.2 to v7.0.0 but the pinned SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged. The action still runs v6.0.2 code.

Suggested fix: Update the SHA to the actual commit hash for the codecov/codecov-action v7.0.0 release tag, or revert the comment to v6.0.2.

[high] version-pinning-consistency

Same issue as codecov.yml: the SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged while the comment is updated from v6.0.2 to v7.0.0. The action will not actually be upgraded to v7.

Suggested fix: Update the SHA to the actual commit corresponding to the codecov/codecov-action v7.0.0 release tag.

[high] dependency-pinning-consistency

Same SHA/comment mismatch. Version comment updated to v7.0.0 but the pinned SHA (fb8b3582c8e4def4969c97caa2f19720cb33a72f) still points to v6.0.2 code.

Suggested fix: Update the SHA to the actual commit corresponding to the codecov/codecov-action v7.0.0 release tag.

[medium] logic-error

Same issue as codecov.yml: the PR changes only the version comment from # v6.0.2 to # v7.0.0 while the pinned SHA (fb8b3582c8e4def4969c97caa2f19720cb33a72f) remains unchanged. If this SHA does not correspond to the v7.0.0 tag, the comment is misleading and the upgrade has not actually occurred.

Suggested fix: Verify that the SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f corresponds to codecov/codecov-action v7.0.0. If it does not, update the SHA to the correct commit hash for v7.0.0.

with:
flags: unit-tests
token: ${{ secrets.CODECOV_TOKEN }}
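Review bot: this pin must end up identical to the one in .github/workflows/codecov.yml: the hunk again leaves the SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f untouched and rewrites only `# v6.0.2` to `# v7.0.0`, so whichever SHA is confirmed for the v7.0.0 tag in codecov.yml should be applied to this `uses:` line as well, otherwise the two workflows would upload coverage with different action releases. The `with:` block (flags and token) needs no change.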