From d4d85eb22b0172010b950ba4464542a5a333013b Mon Sep 17 00:00:00 2001
From: Adarsh Kumar Yadav
Date: Thu, 4 Jun 2026 19:43:53 +0530
Subject: [PATCH 1/2] Add Codecov CI upload and project configuration
Upload cover.out from unit tests on pull requests and main pushes.
---
 .codecov.yml | 37 +++++++++++++++++++++++++++++++++
 .github/workflows/codecov.yaml | 38 ++++++++++++++++++++++++++++++++++
 site-src/contributing/index.md | 1 +
 3 files changed, 76 insertions(+)
 create mode 100644 .codecov.yml
 create mode 100644 .github/workflows/codecov.yaml
diff --git a/.codecov.yml b/.codecov.yml
new file mode 100644
index 00000000..7697f9ad
--- /dev/null
+++ b/.codecov.yml
@@ -0,0 +1,37 @@
+---
+codecov:
+ notify:
+ after_n_builds: 1
+ require_ci_to_pass: false
+
+coverage:
+ precision: 2
+ round: down
+ range: 50..75
+
+ status:
+ project:
+ default:
+ enabled: true
+ # Report coverage; do not fail PRs on small drops until we set a target.
+ threshold: null
+ if_not_found: success
+ if_no_uploads: success
+ if_ci_failed: error
+ patch:
+ default:
+ enabled: true
+ threshold: null
+ if_not_found: success
+ if_no_uploads: success
+ if_ci_failed: error
+ changes: false
+
+comment:
+ layout: "header, diff"
+ behavior: default
+ require_changes: false
+
+ignore:
+ - "**/zz_generated.*.go"
+ - "**/applyconfiguration/**"
diff --git a/.github/workflows/codecov.yaml b/.github/workflows/codecov.yaml
new file mode 100644
index 00000000..490a6fc7
--- /dev/null
+++ b/.github/workflows/codecov.yaml
@@ -0,0 +1,38 @@
+name: Codecov
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+permissions:
+ contents: read
+
+jobs:
+ codecov:
+ name: Upload coverage
+ runs-on: ubuntu-latest
+ steps:
+ - name: Clone the code
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+
+ - name: Setup Go
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+ with:
+ go-version-file: go.mod
+
+ - name: Run unit tests with coverage
+ run: |
+ go mod tidy
+ make test
+
+ - name: Upload coverage to Codecov
+ uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
+ env:
+ CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+ with:
+ files: ./cover.out
+ fail_ci_if_error: true
diff --git a/site-src/contributing/index.md b/site-src/contributing/index.md
index da59b0c3..63eb1d8b 100644
--- a/site-src/contributing/index.md
+++ b/site-src/contributing/index.md
@@ -21,6 +21,7 @@ From the repository root:
 - **Lint / vet:** `make lint`
 - **Tests:** `make test` (writes `cover.out` for coverage)
 - **Test coverage:** `make test` writes `cover.out`. Run `make test-cover` to refresh tests and emit `out/coverage.html` and `out/coverage.txt` (`go tool cover`). With `cover.out` present, `make cover-func` prints a per-function summary and `make cover-html` opens the interactive HTML report in a browser (local). Remove generated artifacts with `make cover-clean`.
+- **CI coverage:** Pull requests and pushes to `main` upload `cover.out` to [Codecov](https://codecov.io/gh/kubernetes-sigs/mcp-lifecycle-operator).
 - **Generate manifests:** `make manifests generate`
 After making changes, open a pull request on GitHub. Ensure CI passes and address any review feedback.
From 6c0ed14c056f3adf8747992862a8fd9f9c2bc22d Mon Sep 17 00:00:00 2001
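Review bot: `go mod tidy` in the new test step rewrites go.mod/go.sum on the runner before `make test`, so an out-of-date or incomplete go.sum in a PR is silently repaired (possibly resolving new module versions over the network) instead of being reported, and the committed files are never actually verified. If the step is meant to check module hygiene, make it a check, e.g. `go mod tidy && git diff --exit-code -- go.mod go.sum`; if not, drop the line and let `make test` build against the committed go.sum so the toolchain's checksum verification applies to what is in the repository. The same two lines survive unchanged as context in the second patch's `@@ -29,10 +33,6 @@` hunk.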
From: Adarsh Kumar Yadav
Date: Thu, 4 Jun 2026 19:59:25 +0530
Subject: [PATCH 2/2] Align Codecov workflow with secrets-store-csi-driver pattern
Add harden-runner and persist-credentials: false, rely on the Codecov GitHub App for upload, and enforce project/patch coverage gates.
---
 .codecov.yml | 6 +++---
 .github/workflows/codecov.yaml | 20 ++++++++++----------
 site-src/contributing/index.md | 2 +-
 3 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/.codecov.yml b/.codecov.yml
index 7697f9ad..a308f6a2 100644
--- a/.codecov.yml
+++ b/.codecov.yml
@@ -13,15 +13,15 @@ coverage:
 project:
 default:
 enabled: true
- # Report coverage; do not fail PRs on small drops until we set a target.
- threshold: null
+ target: 70%
+ threshold: 1%
 if_not_found: success
 if_no_uploads: success
 if_ci_failed: error
 patch:
 default:
 enabled: true
- threshold: null
+ target: 80%
 if_not_found: success
 if_no_uploads: success
 if_ci_failed: error
diff --git a/.github/workflows/codecov.yaml b/.github/workflows/codecov.yaml
index 490a6fc7..e78d183f 100644
--- a/.github/workflows/codecov.yaml
+++ b/.github/workflows/codecov.yaml
@@ -13,14 +13,18 @@ permissions:
 jobs:
 codecov:
- name: Upload coverage
 runs-on: ubuntu-latest
 steps:
- - name: Clone the code
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ - name: Harden Runner
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ with:
+ persist-credentials: false
- - name: Setup Go
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+ - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
 with:
 go-version-file: go.mod
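Review bot: The new `target: 70%` / `target: 80%` gates are bypassed whenever no report reaches Codecov, because the unchanged `if_no_uploads: success` lines directly below them turn a missing upload into a passing status, and the second workflow hunk in this patch (`@@ -29,10 +33,6 @@`) also drops `fail_ci_if_error: true`, so a failed or skipped upload fails neither the job nor the check. If the gates are meant to be enforced, set `if_no_uploads: error` on both the project and patch statuses and keep `fail_ci_if_error: true` on the upload step; `if_not_found: success` can stay if missing base-commit reports are expected. Whether these statuses block merges at all also depends on them being required in branch protection, which the patch cannot show, so the contributing-doc wording "Codecov enforces" is stronger than what the config alone guarantees. The enclosing `coverage.status` mapping starts outside the hunk.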
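Review bot: `egress-policy: audit` on the new Harden Runner step only logs outbound connections and blocks nothing, so the job gains telemetry rather than the egress restriction the commit title implies. After a few audit runs, switch to `egress-policy: block` with an `allowed-endpoints:` list taken from the audit trace (expect the Go module proxy and checksum database, GitHub, and the Codecov upload hosts — confirm the exact hostnames from the trace rather than guessing). `persist-credentials: false` on the checkout step is a good addition and consistent with the job only needing `contents: read`. The `jobs:` mapping continues past the end of the hunk.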
@@ -29,10 +33,6 @@ jobs:
 go mod tidy
 make test
- - name: Upload coverage to Codecov
- uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
- env:
- CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+ - uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
 with:
 files: ./cover.out
- fail_ci_if_error: true
diff --git a/site-src/contributing/index.md b/site-src/contributing/index.md
index 63eb1d8b..22ad90f5 100644
--- a/site-src/contributing/index.md
+++ b/site-src/contributing/index.md
@@ -21,7 +21,7 @@ From the repository root:
 - **Lint / vet:** `make lint`
 - **Tests:** `make test` (writes `cover.out` for coverage)
 - **Test coverage:** `make test` writes `cover.out`. Run `make test-cover` to refresh tests and emit `out/coverage.html` and `out/coverage.txt` (`go tool cover`). With `cover.out` present, `make cover-func` prints a per-function summary and `make cover-html` opens the interactive HTML report in a browser (local). Remove generated artifacts with `make cover-clean`.
-- **CI coverage:** Pull requests and pushes to `main` upload `cover.out` to [Codecov](https://codecov.io/gh/kubernetes-sigs/mcp-lifecycle-operator).
+- **CI coverage:** Pull requests and pushes to `main` upload `cover.out` to [Codecov](https://codecov.io/gh/kubernetes-sigs/mcp-lifecycle-operator). Codecov enforces a minimum project coverage of 70% (with 1% slack) and 80% coverage on changed lines in each PR.
 - **Generate manifests:** `make manifests generate`
 After making changes, open a pull request on GitHub. Ensure CI passes and address any review feedback.