From 5bbb1c9c198af09d163ab7e0139c26f23bbb3897 Mon Sep 17 00:00:00 2001
From: kdacosta0
Date: Thu, 7 May 2026 15:07:13 +0200
Subject: [PATCH] ci: enable codecov coverage checks with patch and project thresholds [SECURESIGN-4375]

Implements SECURESIGN-4375
Assisted-by: Claude Code
---
.github/workflows/code-coverage.yml | 50 +++++++++++++++++++++++++++++
.gitignore | 1 +
codecov.yml | 10 ++++++
3 files changed, 61 insertions(+)
create mode 100644 .github/workflows/code-coverage.yml
create mode 100644 codecov.yml
diff --git a/.github/workflows/code-coverage.yml b/.github/workflows/code-coverage.yml
new file mode 100644
index 00000000..6ebab01d
--- /dev/null
+++ b/.github/workflows/code-coverage.yml
@@ -0,0 +1,50 @@
+# Copyright 2024 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Code Coverage
+
+on:
+ pull_request:
+ branches: [main]
+ types: [opened, synchronize]
+ push:
+ branches: [main]
+
+permissions: {}
+
+defaults:
+ run:
+ shell: bash
+
+jobs:
+ coverage:
+ name: Upload code coverage
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ with:
+ go-version-file: go.mod
+ - name: Run tests with coverage
+ run: go test -v -coverprofile=coverage.out ./...
+ - name: Upload coverage to Codecov
+ uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6
+ with:
+ files: coverage.out
+ token: ${{ secrets.CODECOV_TOKEN }}
+ fail_ci_if_error: true
diff --git a/.gitignore b/.gitignore
index 80cadf40..c19b0593 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,4 @@ __pycache__/ dist/ html/
+coverage.out
diff --git a/codecov.yml b/codecov.yml
new file mode 100644
index 00000000..2b5b0e4c
--- /dev/null
+++ b/codecov.yml
@@ -0,0 +1,10 @@
+coverage:
+ status:
+ patch:
+ default:
+ target: 70%
+ threshold: 5%
+ project:
+ default:
+ target: auto
+ informational: true
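Review bot: The upload step in `code-coverage.yml` passes `token: ${{ secrets.CODECOV_TOKEN }}` with `fail_ci_if_error: true` under a `pull_request` trigger, and GitHub does not expose repository secrets to runs from forks or Dependabot, so the token is empty on those runs. Whether they still pass depends on Codecov accepting a tokenless upload for this repository, which nothing in the patch shows; if it does not, every external contribution fails this job. I would state the assumption above the token line, `# empty on fork/Dependabot PRs; upload relies on Codecov tokenless mode`, or relax the failure for that case with `fail_ci_if_error: ${{ github.event.pull_request.head.repo.fork != true }}`. Keeping the token in the upload step's `with:` rather than in job-level `env:` is the right choice, since `go test` executes PR-supplied code earlier in the same job. Separately, `types: [opened, synchronize]` omits `reopened`, so a reopened PR keeps whatever coverage status it last had.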
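Review bot: Only the patch status in `codecov.yml` can fail a build, and its floor is looser than `target: 70%` reads. As I understand Codecov's semantics, `threshold: 5%` lets the status pass with coverage up to five points below target, and `project.default` is `informational: true`, so it always reports success although the subject line mentions project thresholds. If 70% is the intended minimum, drop the threshold line or document it, e.g. `# threshold: permitted shortfall below target; effective floor is 65%`. The gate also only binds if the Codecov patch status is a required check in branch protection, which is outside this patch.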