feat: add GitHub Actions workflow to auto-detect untested hooks and components in PRs #13533
… helpers — 42 tests Signed-off-by: Sriram Thiruveedhula <sriram.thiruveedhula2007@gmail.com>
…omponents in PRs Signed-off-by: Sriram Thiruveedhula <sriram.thiruveedhula2007@gmail.com>
[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing
✅ Deploy Preview for kubestellarconsole ready!

Built without sensitive environment variables
👋 Hey @Ram04102007 — thanks for opening this PR!
This is an automated message.
Pull request overview
Adds an informational GitHub Actions workflow plus a companion shell script to detect newly added hooks/components in PRs that lack corresponding test files, and posts a gap report + manages a needs-tests label. The PR also refactors a couple of existing hooks to expose pure helpers via __testables and adds a Vitest file covering those helpers.
Changes:
- Added `.github/workflows/test-coverage-check.yml` to scan PR diffs and comment/label when new hooks/components appear untested.
- Added `scripts/check-test-coverage.sh` to detect “new source file without matching test file” gaps and generate a markdown report.
- Refactored `useDropdownKeyNav` and `useQASMFiles` to expose pure helpers for unit testing, and added a new pure-helper test file.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| `.github/workflows/test-coverage-check.yml` | New PR workflow that runs the coverage gap detector and posts/updates a PR comment and needs-tests label. |
| `scripts/check-test-coverage.sh` | New bash script that diffs against a base ref, finds new hooks/components, and checks for matching test files, producing a markdown report. |
| `web/src/hooks/useDropdownKeyNav.ts` | Extracts arrow-key navigation index math into helpers and exposes them for testing. |
| `web/src/hooks/useQASMFiles.ts` | Adds helper(s) to normalize API payloads and extract error messages, exposed via `__testables`. |
| `web/src/hooks/__tests__/useDropdownKeyNav-useQASMFiles-pure.test.ts` | New Vitest suite covering the extracted pure helpers (with dependency stubs for importability). |
Comments suppressed due to low confidence (1)
web/src/hooks/useDropdownKeyNav.ts:11
`prevFocusIndex` is exported as a named export even though it’s only used internally + via `__testables`. To keep the public exports stable/minimal (consistent with other hooks), make this helper non-exported and continue exposing it via `__testables`.

```ts
/** Previous focusable index when pressing ArrowUp. Clamps at zero. */
export function prevFocusIndex(currentIdx: number): number {
  return Math.max(currentIdx - 1, 0)
}
```
| export function nextFocusIndex(currentIdx: number, total: number): number { | ||
| return Math.min(currentIdx + 1, total - 1) | ||
| } | ||
|
|
||
| /** Previous focusable index when pressing ArrowUp. Clamps at zero. */ | ||
| export function prevFocusIndex(currentIdx: number): number { |
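Review bot: nextFocusIndex returns Math.min(currentIdx + 1, total - 1), which evaluates to -1 when total is 0, whereas prevFocusIndex is documented as clamping at zero. If an empty item list can reach this helper, clamp the result with Math.max(..., 0) or state in the doc comment that total must be at least 1, and add a total = 0 case to the new pure-helper tests.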
| /** | ||
| * Tests for pure helper functions exported via __testables from: | ||
| * - useDropdownKeyNav.ts (nextFocusIndex, prevFocusIndex) | ||
| * - useQASMFiles.ts (normalizeFileList, extractErrorMessage) | ||
| * |
| || true) | ||
|
|
||
| # ── Helper: true when at least one test file exists for <base> in <dir> ────── | ||
| # Uses `find` rather than shell globs so this works in bash, zsh, and dash. |
| with: | ||
| script: | | ||
| const fs = require('fs'); | ||
| if (!fs.existsSync('/tmp/test-coverage-gaps.md')) return; | ||
|
|
||
| const body = fs.readFileSync('/tmp/test-coverage-gaps.md', 'utf8').trim(); | ||
| if (!body) return; | ||
|
|
||
| // Unique marker so we can find and update the comment on re-runs | ||
| const marker = '<!-- test-coverage-check-report -->'; | ||
| const fullBody = `${marker}\n${body}`; | ||
|
|
||
| const { data: comments } = await github.rest.issues.listComments({ | ||
| owner: context.repo.owner, | ||
| repo: context.repo.repo, | ||
| issue_number: context.issue.number, | ||
| }); | ||
|
|
||
| const existing = comments.find(c => c.body && c.body.includes(marker)); | ||
| if (existing) { | ||
| await github.rest.issues.updateComment({ | ||
| owner: context.repo.owner, | ||
| repo: context.repo.repo, | ||
| comment_id: existing.id, | ||
| body: fullBody, | ||
| }); | ||
| } else { | ||
| await github.rest.issues.createComment({ | ||
| owner: context.repo.owner, | ||
| repo: context.repo.repo, | ||
| issue_number: context.issue.number, | ||
| body: fullBody, | ||
| }); |
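Review bot: the listComments call passes no per_page and is not paginated, so only the first page of comments (30 by default) is searched for the marker. On a PR with many bot comments the existing report can fall outside that page, existing is undefined, and createComment posts a duplicate on each run; wrap the lookup in github.paginate(github.rest.issues.listComments, {...}) before the find. The match c.body.includes(marker) also accepts a comment from any author, so check the comment's author as well before calling updateComment.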
| name: Test Coverage Check | ||
|
|
||
| # Informational-only: detects new hooks and components added in a PR that have | ||
| # no corresponding test file. Posts a comment listing gaps and applies the | ||
| # "needs-tests" label. Never blocks merge — always exits 0. | ||
| # | ||
| # Full test suite runs separately in coverage-gate.yml (per-file line coverage) | ||
| # and coverage-hourly.yml (project-wide). This workflow is a lightweight | ||
| # file-existence check that runs without npm install. |
🔒 sec-check — no findings
Scope: workflow, shell script, source refactors, tests (5 files, +581/−5)
| Check | Result |
|---|---|
| Pinned action SHAs | ✅ actions/checkout@de0fac… → v6.0.2 verified; actions/github-script@ed5974… → v8 verified |
| Trigger safety | ✅ Uses pull_request (not pull_request_target) — runs in fork context, no write-token leak |
| Permissions | ✅ Scoped to contents: read, pull-requests: write, issues: write — minimal |
| Repo guard | ✅ if: github.repository == 'kubestellar/console' present |
| Concurrency / timeout | ✅ 5-min timeout, cancel-in-progress |
| Shell injection | ✅ BASE_REF hardcoded to origin/main in workflow; script uses set -euo pipefail; filenames from git diff --name-only only |
| Secrets / tokens | ✅ Uses only github.token; no PATs, no hardcoded secrets |
| Source refactors | ✅ Pure function extraction (nextFocusIndex, prevFocusIndex, normalizeFileList, extractErrorMessage) — behaviour-preserving; __testables pattern is safe |
| Test file | ✅ Pure vitest assertions, no network/fs access |
No blocking security findings.
- Remove export keyword from nextFocusIndex/prevFocusIndex in useDropdownKeyNav.ts — helpers are internal, exposed only via __testables for tests
- Correct has_test() comment in check-test-coverage.sh: script uses bash-specific features (arrays, pipefail), not dash
- Add continue-on-error: true and try/catch to the PR comment step in test-coverage-check.yml so a GitHub API failure can never block merge

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Sriram Thiruveedhula <sriram.thiruveedhula2007@gmail.com>
Addressed all Copilot review comments:
Security review passed — no blocking findings. @clubanderson ready for review when you get a chance 🙏
Review — CI Failures
Thanks for the contribution! The workflow and shell script are well-structured, and the test file is thorough. There are two issues causing the CI failures:
1. Duplicate function signature in useQASMFiles.ts (build-breaking)
The diff adds a new export function useQASMFiles(enabled?: boolean) signature without removing the existing one. The result is two consecutive function declarations:
```ts
export function useQASMFiles(enabled?: boolean): UseQASMFilesResult {
export function useQASMFiles(enabled?: boolean, forceDemo?: boolean): UseQASMFilesResult {
```

This is a syntax error and is the root cause of the build failures (both linux/amd64 and linux/arm64), which cascade into the fullstack-smoke, TTFI, visual regression, and Netlify deploy failures.
Fix: Remove the first (single-param) signature and keep only the original (enabled?: boolean, forceDemo?: boolean) signature.
2. Hold Issue Guard failure
The PR body says Fixes #13532, but #13532 is currently on hold. The Hold Issue Guard check will fail as long as the PR references a held issue. You may need to remove the Fixes #13532 reference or wait until #13532 is taken off hold.
Minor notes
- The workflow and shell script look solid — good use of pinned SHAs, `continue-on-error`, idempotent label management, and concurrency groups.
- The `__testables` export pattern for testing pure helpers is consistent with existing codebase conventions — nice.
- The `actions/checkout` pin (`de0fac2e...`) and `actions/github-script` pin (`ed597411...`) — please confirm these correspond to the versions noted in the comments (v6.0.2 and v8 respectively).
Once the duplicate signature is fixed, the build should pass and the other cascading failures should resolve.
@kubestellar-hive[bot]: changing LGTM is restricted to collaborators

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
Workflow (test-coverage-check.yml)
- ✅ Pinned SHA actions — both verified (`actions/checkout@v6.0.2`, `actions/github-script@v8`)
- ✅ Minimal permissions (`contents: read`, `pull-requests: write`, `issues: write`)
- ✅ Uses `pull_request` trigger (not `pull_request_target`) — safe from fork secret exfil
- ✅ Repo guard: `if: github.repository == 'kubestellar/console'`
- ✅ Concurrency group with cancel-in-progress
- ✅ 5-minute timeout
- ✅ No secrets beyond default `GITHUB_TOKEN`
- ✅ `continue-on-error: true` on comment step — cannot block CI

Shell script (check-test-coverage.sh)
- ✅ `set -euo pipefail`
- ✅ No user-controlled input in command construction — `BASE_REF` is hardcoded `origin/main` from workflow
- ✅ `find` paths are repo-relative, not attacker-controlled
- ✅ Always exits 0 — informational only

Hook refactors
- ✅ `useDropdownKeyNav.ts` — clean extraction of `nextFocusIndex`/`prevFocusIndex` into named functions
- ✅ `useQASMFiles.ts` — `normalizeFileList` and `extractErrorMessage` are safe pure functions

❌ Bug — duplicate function declaration (useQASMFiles.ts)

The diff shows two consecutive export function useQASMFiles(...) lines:

```ts
export function useQASMFiles(enabled?: boolean): UseQASMFilesResult {
export function useQASMFiles(enabled?: boolean, forceDemo?: boolean): UseQASMFilesResult {
```

This is a syntax error that will fail to compile. The first line (without forceDemo) appears to be accidentally added and should be removed. The original signature includes forceDemo?: boolean — dropping it would also be a breaking change.
Verdict
Request changes — fix the duplicate function declaration in useQASMFiles.ts. No security findings.
…nflict Signed-off-by: Sriram Thiruveedhula <sriram.thiruveedhula2007@gmail.com>
✅ Re-review — issues resolved
The author's latest commits fix both items from the previous review:
- Duplicate `useQASMFiles` declaration — fixed in `cce5cd4c`. Single signature retained with both params.
- Review feedback — addressed in `6ef53185`. Functions are module-private (accessible only via `__testables`).

Remaining CI note
- `check-hold-issues` fails because the PR body references `Fixes #13532` which is on hold. The author should either remove that reference or wait for the issue to be taken off hold.
- All other checks pass (build, CodeQL, coverage-gate, fullstack-smoke, TTFI, nil-safety, ts-null-safety).
Code quality
- Workflow is well-structured: pinned SHAs, minimal permissions, repo guard, concurrency, timeout, `continue-on-error` on comment step.
- Shell script is safe: `set -euo pipefail`, always exits 0, no user-controlled input in command construction.
- Pure helper extractions are clean and the 42 Vitest cases are thorough.
/lgtm
🔒 sec-check — no findings
Scope: workflow, shell script, source refactors, tests (5 files, +581/−5)
| Check | Result |
|---|---|
| Pinned action SHAs | ✅ actions/checkout@de0fac… → v6.0.2 verified; actions/github-script@ed5974… → v8 verified |
| Trigger safety | ✅ Uses pull_request (not pull_request_target) — runs in fork context, no write-token leak |
| Permissions | ✅ Scoped to contents: read, pull-requests: write, issues: write — minimal |
| Shell injection | ✅ BASE_REF properly quoted in git diff; filenames processed safely via grep -qE + find -name |
| Script exits | ✅ set -euo pipefail; always exit 0 (informational only) |
| Markdown injection via filenames | ✅ Filenames written to backtick-fenced cells; GitHub sanitizes comment HTML |
| `__testables` exports | ℹ️ Pure functions (nextFocusIndex, prevFocusIndex, normalizeFileList, extractErrorMessage) — negligible bundle impact, no secrets exposed |
| Test file | ✅ Vitest-only; no prod code; mocks are stubs for import resolution |
| `continue-on-error: true` on comment step | ✅ Acceptable — comment posting is best-effort; failure doesn't mask security issues |
No blocking security concerns.
👋 Welcome, @Ram04102007 — thanks for this contribution!

Great work on this PR. The workflow design is solid — pinned SHA actions, minimal permissions, repo guard, concurrency control, idempotent label management, and

⏸️ Hold status on #13532

Issue #13532 currently has the

This PR cannot be merged until a maintainer lifts the hold on #13532. This is not a reflection on the quality of your work — the code review passed and the implementation looks good. It's purely a process gate.

What you can do

Thanks again for the effort — we appreciate community contributions! 🙏
🔒 Security Review — PASS
Reviewer: sec-check agent
Scope: Workflow permissions, shell script injection surface, source refactors
Workflow (.github/workflows/test-coverage-check.yml)
- ✅ Pinned SHAs on all actions (`actions/checkout@de0fac…`, `actions/github-script@ed597…`)
- ✅ `pull_request` trigger (not `pull_request_target`) — runs in PR context, safe for forks
- ✅ Minimal permissions: `contents: read`, `pull-requests: write`, `issues: write`
- ✅ Repo guard: `if: github.repository == 'kubestellar/console'`
- ✅ `continue-on-error: true` on comment step — gracefully handles read-only tokens from forks
- ✅ `timeout-minutes: 5` — prevents runaway jobs
- ✅ Concurrency group with `cancel-in-progress: true`

Shell script (scripts/check-test-coverage.sh)
- ✅ All variables properly quoted — no word-splitting or glob-expansion injection
- ✅ No network calls, no `eval`, no `curl`, no package installs
- ✅ Always exits 0 — informational only, cannot block CI
- ✅ `set -euo pipefail` — strict mode
- ✅ Filenames from `git diff --name-only` used safely (quoted in `echo`, `basename`, `dirname`, `find -name`)

Source changes
- ✅ `useDropdownKeyNav.ts` — pure extraction of `Math.min`/`Math.max` logic into named functions; identical semantics
- ✅ `useQASMFiles.ts` — `normalizeFileList` is more defensive than the original (`Array.isArray` guard on `data.files`); `extractErrorMessage` is identical
- ✅ No new API surface, no new network calls, no new user-input handling
Test file
- ✅ Pure unit tests with no security implications
No findings.
@clubanderson this PR has 1 approval and 19 successful The duplicate function declaration bug caught by
🔒 Security Review — PR #13533
Verdict: PASS — no security issues found.
Workflow (.github/workflows/test-coverage-check.yml)
- ✅ Pinned SHAs verified: `actions/checkout@de0fac2e…` = `v6.0.2`, `actions/github-script@ed597411…` = `v8`
- ✅ Repo guard: `if: github.repository == 'kubestellar/console'`
- ✅ Scoped permissions: `contents: read`, `pull-requests: write`, `issues: write` (minimum required)
- ✅ Concurrency: cancel-in-progress per PR number
- ✅ Informational-only: always exits 0, never blocks merge
- ✅ Comment step: `continue-on-error: true` + try/catch — API failures cannot block CI
- ✅ No script injection: `GAP_COUNT` is derived from array length (integer); filenames in markdown are backtick-escaped and filtered through strict regex (`^web/src/hooks/[^/]+\.(ts|tsx)$`)

Shell script (scripts/check-test-coverage.sh)
- ✅ `set -euo pipefail`
- ✅ Fixed output path `/tmp/test-coverage-gaps.md`
- ✅ `BASE_REF` hardcoded to `origin/main` in workflow call
- ✅ `git diff --name-only --diff-filter=AR` — safe, read-only
- ✅ `find` with proper quoting

Source changes
- ✅ `__testables` export pattern — pure helper functions, no runtime behavior change
- ✅ `normalizeFileList`/`extractErrorMessage` — safe refactors of inline expressions
- ✅ `nextFocusIndex`/`prevFocusIndex` — simple math, no security surface
No secrets, no untrusted input flows, no injection vectors.
🔒 Security Review — PASS
Reviewer: sec-check agent | Scope: workflow, shell script, hook refactors
Workflow (.github/workflows/test-coverage-check.yml)
- ✅ Actions pinned to commit SHAs (checkout `de0fac2`, github-script `ed59741`)
- ✅ Runs on `pull_request` (not `pull_request_target`) — no elevated token exposure
- ✅ Permissions scoped to `contents: read`, `pull-requests: write`, `issues: write` — minimum needed
- ✅ `${{ github.event.pull_request.number }}` used in `env:` block, not shell interpolation — no script injection
- ✅ `continue-on-error: true` on comment step — resilient, never blocks CI
- ✅ No secrets beyond `github.token`; no external API calls

Shell script (scripts/check-test-coverage.sh)
- ✅ `set -euo pipefail` — strict mode
- ✅ File paths from `git diff --name-only` used in string comparisons and `find`, not in `eval` or command substitution — no injection vector
- ✅ `BASE_REF` defaults to `origin/main`, only overridden by positional arg in controlled CI context
- ✅ Always exits 0 — informational only

Hook refactors (useDropdownKeyNav.ts, useQASMFiles.ts)
- ✅ `extractErrorMessage`: only exposes `Error.message`, returns generic fallback for non-Error throws — safer than before (previous code used raw `err.message` which could throw on non-Error values)
- ✅ `normalizeFileList`: validates structure before cast — safer than before
- ✅ `__testables` exports: internal pure functions only, no state or side effects exposed
Findings: 0 issues
No SSRF, no injection, no secret exposure, no privilege escalation.
Review — Changes Requested
1. __testables pattern is new and unnecessary here
Both hooks already have comprehensive test files:
- `web/src/hooks/__tests__/useDropdownKeyNav.test.ts` — tests keyboard navigation via `renderHook`
- `web/src/hooks/__tests__/useQASMFiles.test.ts` — tests fetch lifecycle, auth, errors
Extracting trivial inline expressions (Math.min(idx + 1, items.length - 1)) into named functions and exporting them via __testables just to add a second test file does not improve coverage — it adds dead-weight API surface. The __testables pattern is not used anywhere else in this codebase and should not be introduced without a broader convention discussion.
Action: Remove the source changes to useDropdownKeyNav.ts and useQASMFiles.ts, and remove the bundled test file. This PR should focus solely on the workflow + script.
2. Workflow comments reference non-existent files
The comment in test-coverage-check.yml says:
Full test suite runs separately in coverage-gate.yml (per-file line coverage) and coverage-hourly.yml (project-wide).
Neither coverage-gate.yml nor coverage-hourly.yml exists. Remove or correct these references.
3. Commit message does not match the diff
The commit message says "fix: remove duplicate useQASMFiles function declaration from merge conflict" — but the diff shows no duplicate removal. The commit message should accurately describe the changes (this is a feat:, not a fix:).
4. Scope bundling
The PR bundles three unrelated concerns: CI workflow infrastructure, source code refactoring, and new tests. Please keep this PR focused on the workflow + script only.
What looks good
- The workflow itself is well-structured: `pull_request` trigger (safe from fork attacks), pinned action SHAs, scoped permissions, `continue-on-error: true` on the comment step, idempotent label management, and informational-only (never blocks merge).
- The shell script is functional and handles edge cases with the skip list and fallback git-diff syntax.
- The `concurrency` group with `cancel-in-progress: true` is a nice touch.
🔒 Security Review — No Findings
Reviewer: sec-check · Scope: workflow, shell script, hook refactors, tests
Workflow (test-coverage-check.yml)
- ✅ Actions pinned to SHA (`actions/checkout@de0fac…`, `actions/github-script@ed5974…`)
- ✅ Repository guard (`github.repository == 'kubestellar/console'`)
- ✅ Scoped permissions (`contents: read`, `pull-requests: write`, `issues: write`)
- ✅ Concurrency group with `cancel-in-progress`
- ✅ Timeout set (`timeout-minutes: 5`)
- ✅ Uses `${{ github.token }}` (not a PAT)
- ✅ `continue-on-error: true` on comment step — failure-safe
- ✅ Filenames in report are backtick-escaped in markdown tables — no injection vector

Shell script (check-test-coverage.sh)
- ✅ `set -euo pipefail`
- ✅ `BASE_REF` defaults to `origin/main`, not user-controlled
- ✅ No command injection — `find -name` with computed basename, no `eval`
- ✅ Always exits 0 — informational only

Hook refactors (useDropdownKeyNav.ts, useQASMFiles.ts)
- ✅ `extractErrorMessage` returns generic string for non-Error values — no error leakage
- ✅ `normalizeFileList` is defensive — guards `null`, `undefined`, non-array
- `__testables` export exposes only pure math/formatting helpers — no sensitive surface
Tests
- ✅ Standard vitest, no security concern
Result: PASS — 0 findings.
Review — scanner
The workflow and shell script are well-done and follow repo conventions (pinned SHAs, repo guard, concurrency, informational-only). However, the hook source changes and the new test file need to be dropped:
Drop the hook refactoring and duplicate tests
Both useDropdownKeyNav and useQASMFiles already have test files on main:
- `web/src/hooks/__tests__/useDropdownKeyNav.test.ts`
- `web/src/hooks/__tests__/useQASMFiles.test.ts`
Extracting trivial inline expressions (Math.min, Math.max, ternary) into named functions and exporting __testables just to add a second -pure.test.ts file inflates the PR without improving coverage. The __testables pattern is valid when a hook has no tests and the only testable surface is pure helpers — that is not the case here.
Requested action: revert all changes to useDropdownKeyNav.ts, useQASMFiles.ts, and remove useDropdownKeyNav-useQASMFiles-pure.test.ts. Keep only the workflow + script (the actual feature).
Minor: set -euo pipefail vs "always exits 0"
The script header says "Exit code: 0 always" but set -euo pipefail means any unhandled error (e.g. git rev-parse failing) will cause a non-zero exit before reaching exit 0. The workflow detection step lacks continue-on-error: true, so a shell error would fail the job — contradicting the "informational, never blocks" promise. Either add continue-on-error: true to the detection step, or use set +e with explicit error handling.
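The gap between `set -euo pipefail` and "always exits 0" raised in the review comment above, as an added example that is not the PR's script: a constructed detector body is run once under strict mode alone and once with an EXIT trap that logs a warning and forces status 0. `resolve_ref`, the sample paths and the trap are assumptions for illustration; the trap is one form of explicit handling, and `continue-on-error: true` on the step is the workflow-level alternative the comment names.

```bash
#!/usr/bin/env bash
# Added example: constructed stand-ins, not scripts/check-test-coverage.sh.

# Path filter quoted in the security review on this page.
HOOK_RE='^web/src/hooks/[^/]+\.(ts|tsx)$'

# Detector body shared by both variants. $1 = base ref, $2 = changed paths.
detector_body() {
  cat <<'EOF'
resolve_ref() { [ "$1" = "origin/main" ]; }  # hypothetical stand-in for a git ref lookup
resolve_ref "$1"                              # non-zero for an unknown ref
hooks=$(printf '%s\n' "$2" | grep -E "$HOOK_RE")  # grep exits 1 when nothing matches
echo "new hooks: $hooks"
exit 0                                        # the "always exits 0" line
EOF
}

# Variant 1: strict mode only. Any failing command ends the run before `exit 0`.
strict_prelude() {
  echo 'set -euo pipefail'
}

# Variant 2: strict mode plus an EXIT trap that reports the failure as a
# GitHub Actions warning annotation and then forces exit status 0.
guarded_prelude() {
  cat <<'EOF'
set -euo pipefail
trap 'rc=$?; [ "$rc" -eq 0 ] || echo "::warning::detector failed (exit $rc)"; exit 0' EXIT
EOF
}

# run_variant PRELUDE_FN REF PATHS -> prints the exit status of the child shell.
run_variant() {
  { "$1"; detector_body; } \
    | HOOK_RE="$HOOK_RE" bash -s -- "$2" "$3" >/dev/null 2>&1 \
    && echo 0 || echo $?
}
strict_status()  { run_variant strict_prelude  "$1" "$2"; }
guarded_status() { run_variant guarded_prelude "$1" "$2"; }

# Constructed sample inputs.
HOOK_PATH='web/src/hooks/useExample.ts'
DOC_PATH='docs/README.md'

printf 'strict,  known ref, hook changed:    %s\n' "$(strict_status origin/main "$HOOK_PATH")"
printf 'strict,  unknown ref:                %s\n' "$(strict_status origin/missing "$HOOK_PATH")"
printf 'strict,  known ref, no hook changed: %s\n' "$(strict_status origin/main "$DOC_PATH")"
printf 'guarded, unknown ref:                %s\n' "$(guarded_status origin/missing "$HOOK_PATH")"
printf 'guarded, known ref, no hook changed: %s\n' "$(guarded_status origin/main "$DOC_PATH")"
```

The third row is the quieter failure: with `pipefail`, a filter that matches nothing fails the whole assignment, so a PR that touches no hooks would fail the job unless that pipeline is guarded.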
🔒 Security Review — PASS
Reviewer: sec-check agent | 2026-05-14T05:19:14Z
Workflow (.github/workflows/test-coverage-check.yml)
| Check | Status |
|---|---|
| Actions pinned to SHA | ✅ checkout@de0fac2e, github-script@ed597411 |
| Permissions scoped | ✅ contents: read, pull-requests: write, issues: write — minimum needed |
| Repo guard | ✅ if: github.repository == 'kubestellar/console' |
| Concurrency | ✅ group keyed to PR number, cancel-in-progress |
| Timeout | ✅ 5 minutes |
| Secret exposure | ✅ None — uses only github.token (GITHUB_TOKEN) |
| Injection via PR file paths | ✅ Paths are backtick-wrapped in markdown tables; grep filters constrain to `^web/src/hooks/[^/]+.(ts |
| `/tmp` predictable path | ✅ Acceptable — CI runners are single-tenant |
Shell script (scripts/check-test-coverage.sh)
| Check | Status |
|---|---|
| `set -euo pipefail` | ✅ |
| No eval / unquoted expansion | ✅ |
| No user-controlled input in commands | ✅ BASE_REF hardcoded to origin/main in workflow |
| No secret handling | ✅ |
Hook changes
| Check | Status |
|---|---|
| `useDropdownKeyNav.ts` — pure function extraction | ✅ No behavioral change, no security impact |
| `useQASMFiles.ts` — `normalizeFileList` | ✅ Improves input validation with explicit type guards |
| `useQASMFiles.ts` — `extractErrorMessage` | ✅ Properly guards against non-Error throws |
| `__testables` exports | ✅ Pure utility functions, no sensitive behavior exposed |
Tests
- 248 lines of pure-function unit tests. Mocks are minimal and correctly scoped. No test anti-patterns.
No findings. Clean pass.
ef2e846
into
kubestellar:main
✅ Post-Merge Verification: passed

Commit:
Fixes #13532
📝 Summary of Changes
informational workflow that detects untested hooks
and components in PRs
script that scans changed files for missing test coverage
Changes Made
👀 Reviewer Notes
Non-blocking informational workflow — always exits 0,
never breaks the build. Follows all existing workflow
conventions (pinned SHA actions, repo guard, concurrency,
idempotent comments). Security reviewed — no findings.
Label self-clears when tests are added on follow-up push.
Directly implements the coverage gate automation from #4189.