From 9dffb287bf156aa9846cf6eca230abfa3349166a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Damir=20Jeli=C4=87?= <poljar@termina.org.uk>
Date: Fri, 17 Apr 2026 13:37:31 +0200
Subject: [PATCH] ci: Upload the coverage directly as part of the coverage
 workflow

---
 .github/workflows/coverage.yml        | 42 ++++--------
 .github/workflows/upload_coverage.yml | 99 ---------------------------
 2 files changed, 12 insertions(+), 129 deletions(-)
 delete mode 100644 .github/workflows/upload_coverage.yml

diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index a8014888b..95c4ebc08 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -26,6 +26,9 @@ jobs:
     name: Code Coverage
     needs: xtask
     runs-on: "ubuntu-latest"
+    permissions:
+      contents: read
+      id-token: write
 
     # run several docker containers with the same networking stack so the hostname 'synapse'
     # maps to the synapse container, etc.
@@ -152,35 +155,14 @@ jobs:
           HOMESERVER_URL: "http://localhost:8008"
           HOMESERVER_DOMAIN: "synapse"
 
-      # Copied with minimal adjustments, source:
-      # https://github.com/google/mdbook-i18n-helpers/blob/2168b9cea1f4f76b55426591a9bcc308a620194f/.github/workflows/test.yml
-      - name: Get PR number and commit SHA
-        run: |
-          echo "Storing PR number ${{ github.event.number }}"
-          echo "${{ github.event.number }}" > pr_number.txt
-
-          echo "Storing commit SHA ${{ github.event.pull_request.head.sha }}"
-          echo "${{ github.event.pull_request.head.sha }}" > commit_sha.txt
-
-      - name: Move the JUnit file into the root directory
-        shell: bash
-        run: |
-          mv target/nextest/ci/junit.xml ./junit.xml
-
-      # This stores the coverage report and metadata in artifacts.
-      # The actual upload to Codecov is executed by a different workflow `upload_coverage.yml`.
-      # The reason for this split is because `on.pull_request` workflows don't have access to secrets.
-      - name: Store coverage report in artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de
         with:
-          name: codecov_report
-          path: |
-            coverage.xml
-            junit.xml
-            pr_number.txt
-            commit_sha.txt
-          if-no-files-found: error
+          use_oidc: true
 
-      - run: |
-          echo 'The coverage report was stored in Github artifacts.'
-          echo 'It will be uploaded to Codecov using `upload_coverage.yml` workflow shortly.'
+      - name: Upload test results to Codecov
+        if: ${{ !cancelled() }}
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de
+        with:
+          use_oidc: true
+          report_type: "test_results"
diff --git a/.github/workflows/upload_coverage.yml b/.github/workflows/upload_coverage.yml
deleted file mode 100644
index af3ceae33..000000000
--- a/.github/workflows/upload_coverage.yml
+++ /dev/null
@@ -1,99 +0,0 @@
-# Copied with minimal adjustments, source:
-# https://github.com/google/mdbook-i18n-helpers/blob/2168b9cea1f4f76b55426591a9bcc308a620194f/.github/workflows/coverage-report.yml
-name: Upload code coverage
-
-on:
-  # This workflow is triggered after every successful execution
-  # of `coverage` workflow.
-  workflow_run:
-    workflows: ["Code Coverage"]
-    types:
-      - completed
-
-permissions: {}
-
-jobs:
-  coverage:
-    name: Upload coverage report
-    runs-on: ubuntu-latest
-    if: github.event.workflow_run.conclusion == 'success'
-    steps:
-      - name: 'Fetch coverage report from artifacts'
-        id: prepare_report
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
-        with:
-          script: |
-            var fs = require('fs');
-
-            // List artifacts of the workflow run that triggered this workflow
-            var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              run_id: context.payload.workflow_run.id,
-            });
-
-            let codecovReport = artifacts.data.artifacts.filter((artifact) => {
-              return artifact.name == "codecov_report";
-            });
-
-            if (codecovReport.length != 1) {
-              throw new Error("Unexpected number of {codecov_report} artifacts: " + codecovReport.length);
-            }
-
-            var download = await github.rest.actions.downloadArtifact({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              artifact_id: codecovReport[0].id,
-              archive_format: 'zip',
-            });
-            fs.writeFileSync('codecov_report.zip', Buffer.from(download.data));
-
-      - id: parse_previous_artifacts
-        run: |
-          unzip codecov_report.zip
-
-          echo "Detected PR is: $(<pr_number.txt)"
-          echo "Detected commit_sha is: $(<commit_sha.txt)"
-
-          # Make the params available as step output
-          echo "override_pr=$(<pr_number.txt)" >> "$GITHUB_OUTPUT"
-          echo "override_commit=$(<commit_sha.txt)" >> "$GITHUB_OUTPUT"
-
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          ref: ${{ steps.parse_previous_artifacts.outputs.override_commit || '' }}
-          path: repo_root
-          persist-credentials: false
-
-      - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
-        with:
-          token: ${{ secrets.CODECOV_UPLOAD_TOKEN }}
-          fail_ci_if_error: true
-          # Manual overrides for these parameters are needed because automatic detection
-          # in codecov-action does not work for non-`pull_request` workflows.
-          # In `main` branch push, these default to empty strings since we want to run
-          # the analysis on HEAD.
-          override_commit: ${{ steps.parse_previous_artifacts.outputs.override_commit || '' }}
-          override_pr: ${{ steps.parse_previous_artifacts.outputs.override_pr || '' }}
-          working-directory: ${{ github.workspace }}/repo_root
-          # Location where coverage report files are searched for
-          directory: ${{ github.workspace }}
-
-      - name: Upload test results to Codecov
-        uses: codecov/test-results-action@0fa95f0e1eeaafde2c782583b36b28ad0d8c77d3 # v1
-        with:
-          token: ${{ secrets.CODECOV_UPLOAD_TOKEN }}
-          fail_ci_if_error: true
-
-          # Manual overrides for these parameters are needed because automatic detection
-          # in codecov-action does not work for non-`pull_request` workflows.
-          # In `main` branch push, these default to empty strings since we want to run
-          # the analysis on HEAD.
-          override_commit: ${{ steps.parse_previous_artifacts.outputs.override_commit || '' }}
-          override_pr: ${{ steps.parse_previous_artifacts.outputs.override_pr || '' }}
-          working-directory: ${{ github.workspace }}/repo_root
-
-          # Location where coverage report files are searched for
-          directory: ${{ github.workspace }}