Skip to content

Coverage#75

Merged
jayvdb merged 9 commits into
mainfrom
coverage
Jul 8, 2026
Merged

Coverage#75
jayvdb merged 9 commits into
mainfrom
coverage

Conversation

@jayvdb

@jayvdb jayvdb commented Jul 7, 2026

Copy link
Copy Markdown
Member

No description provided.

@deepsource-io

deepsource-io Bot commented Jul 7, 2026

Copy link
Copy Markdown

DeepSource Code Review

We reviewed changes in 5889155...71e70e5 on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

PR Report Card

Overall Grade   Security  

Reliability  

Complexity  

Hygiene  

Code Review Summary

Analyzer Status Updated (UTC) Details
C# Jul 8, 2026 6:48a.m. Review ↗
C & C++ Jul 8, 2026 6:48a.m. Review ↗
Docker Jul 8, 2026 6:48a.m. Review ↗
Java Jul 8, 2026 6:48a.m. Review ↗
JavaScript Jul 8, 2026 6:48a.m. Review ↗
Python Jul 8, 2026 6:48a.m. Review ↗
Rust Jul 8, 2026 6:48a.m. Review ↗
Secrets Jul 8, 2026 6:48a.m. Review ↗
Dart Jul 8, 2026 6:48a.m. Review ↗

Important

AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.

@codacy-production

codacy-production Bot commented Jul 7, 2026

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics -26 complexity · 0 duplication

Metric Results
Complexity -26
Duplication 0

View in Codacy

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.

Run reviewer

TIP This summary will be updated as you push new changes.

@codecov

codecov Bot commented Jul 8, 2026

Copy link
Copy Markdown

Welcome to Codecov 🎉

Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.

ℹ️ You can also turn on project coverage checks and project coverage reporting on Pull Request comment

Thanks for integrating Codecov - We've got you covered ☂️

@jayvdb jayvdb mentioned this pull request Jul 8, 2026
@jayvdb jayvdb marked this pull request as ready for review July 8, 2026 03:06
@jayvdb jayvdb requested a review from pierre-tenedero July 8, 2026 03:06

@codacy-production codacy-production Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

While titled 'Coverage', this PR introduces significant repository-wide changes, including hardening GitHub Action linting, implementing Rego policies for input validation, and refactoring the Zig client generator to support WASM-compatible binary bodies. The implementation of the coverage pipeline itself is a major addition but contains a toolchain configuration conflict.

There are two high-priority issues that should be addressed before merging: the cargo +nightly syntax in the mise configuration will fail in the current environment, and the brittle regex used in the Zig generator's re-writer may fail across different operating systems due to line-ending and whitespace sensitivity. Additionally, the lack of automated tests for the new Rego policies and the Zig generator logic represents a regression risk for the repository's CI/CD stability.

About this PR

  • Critical logic changes in utilities/int-gen/src/zig.rs (the regex-based Zig re-writer) and new static analysis rules (Rego, ast-grep) are introduced without accompanying automated tests to verify their behavior against expected and unexpected inputs.
  • The PR title ('Coverage') and lack of description significantly underspecify the scope of this PR, which includes critical generator refactoring and new repository-wide linting rules spanning multiple languages and platforms.

Test suggestions

  • Missing recommended test scenario: Verify coverage workflow successfully uploads Rust LCOV and JUnit XML to Codecov
  • Missing recommended test scenario: Verify gha_uses Rego policy correctly identifies undeclared inputs passed to local actions
  • Missing recommended test scenario: Verify int-gen re-writer correctly identifies and reroutes inlined Zig fetch blocks using the new regex heuristic
  • Missing recommended test scenario: Verify no-concat-raw-strings ast-grep rule triggers on Rust code using concat! with r#"..."# fragments
  • Missing recommended test scenario: Verify roslynator-check successfully fails on .NET code with analyzer violations
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Missing recommended test scenario: Verify coverage workflow successfully uploads Rust LCOV and JUnit XML to Codecov
2. Missing recommended test scenario: Verify `gha_uses` Rego policy correctly identifies undeclared inputs passed to local actions
3. Missing recommended test scenario: Verify `int-gen` re-writer correctly identifies and reroutes inlined Zig fetch blocks using the new regex heuristic
4. Missing recommended test scenario: Verify `no-concat-raw-strings` ast-grep rule triggers on Rust code using `concat!` with `r#"..."#` fragments
5. Missing recommended test scenario: Verify `roslynator-check` successfully fails on .NET code with analyzer violations

TIP Improve review quality by adding custom instructions
TIP How was this review? Give us feedback

uses: ./.github/actions/install-mise
with:
install-action: ${{ inputs.install-action-tools }}
install-action-tools: ${{ inputs.install-action-tools }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 HIGH RISK

Correcting this input name from install-action to install-action-tools is vital. GitHub Actions does not error on undeclared inputs, which previously caused the install-mise-tools action to skip installing cargo-llvm-cov, leading to missing coverage data.

Comment thread .mise/config.coverage.toml Outdated
Comment on lines +23 to +25
cargo +nightly llvm-cov --no-report nextest --config-file config/nextest.toml
cargo +nightly llvm-cov --no-report --doc
cargo +nightly llvm-cov report --lcov --output-path lcov.info

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 HIGH RISK

The cargo +nightly syntax is specific to rustup. Since Rust is managed via mise in this environment, this command will fail. To use nightly features for coverage, ensure the nightly toolchain is managed by mise (e.g., via a coverage-specific tool pin) and invoke it without the + prefix.

/// bodies `null`), then skips to the two captures: 1 = content-type, 2 = HTTP method. `[A-Z]+` (not `\w`) keeps
/// it ASCII so no unicode regex feature is needed. [`reroute_inline_binary_ops`] splices both into a delegation.
const INLINE_FETCH_BLOCK_PATTERN: &str =
r#"(?s)requestBody;.*?"([^"]+)".*?Method\.([A-Z]+).*?toOwnedSlice\(\),\n \};"#;

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 MEDIUM RISK

Suggestion: The INLINE_FETCH_BLOCK_PATTERN regex is sensitive to specific indentation and literal line breaks (\n), which may cause match failures on systems using CRLF line endings or if the generator output formatting changes slightly. Consider using a whitespace-insensitive pattern to make the match more robust:

Suggested change
r#"(?s)requestBody;.*?"([^"]+)".*?Method\.([A-Z]+).*?toOwnedSlice\(\),\n \};"#;
r#"(?s)requestBody;.*?\"([^\"]+)\".*?Method\.([A-Z]+).*?toOwnedSlice\(\),\s+\};"#;

See Complexity in Codacy

replace(file.path, "\\", "/") != ".mise/config.maint.toml"
some name, task in file.contents.tasks
is_string(task.run)
some m in regex.find_all_string_submatch_n(`[0-9]+\.[0-9]+\.[0-9]+`, task.run, -1)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚪ LOW RISK

Nitpick: This regex matches IPv4 addresses (e.g., 127.0.0.1), which will trigger a lint error in task run scripts. If you want to allow literal local IPs while still banning version strings, consider updating the regex to avoid matching common IP patterns.

@jayvdb jayvdb merged commit 4ac20d6 into main Jul 8, 2026
64 of 68 checks passed
@jayvdb jayvdb deleted the coverage branch July 8, 2026 11:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants