ci: migrate coverage gating from Codecov to GitHub Actions

[yurishkuro]

Problem

Codecov's PR status check suffers from two reliability issues:

1. Rate-limit failures — Codecov intermittently returns 429 errors during busy periods, blocking PRs even when coverage is healthy.
2. Latency — results lag behind CI completion because Codecov's processing pipeline runs asynchronously.

Coverage gating now runs entirely within GitHub Actions, producing a Coverage Gate check run at the same time as the existing Metrics Comparison check run.

Codecov uploads are retained for long-term historical trending and per-flag breakdown views; only the gating responsibility is moved.

Design

Full design rationale: docs/adr/004-migrating-coverage-gating-to-github-actions.md

Fan-in pattern — The new ci-summary-report.yml workflow (renamed from ci-compare-metrics.yml) triggers on "CI Orchestrator" completion via workflow_run. This fires only after all three stages (lint, unit tests, E2E) finish, ensuring all coverage-* artifacts are available. It also grants write permissions needed to post PR comments from fork PRs.

Single job, two flows — The same summary-report job handles both PR analysis and main-branch baseline saves:

• PR runs: download artifacts → compare metrics → merge & gate coverage → post sticky PR comment → create check runs
• Main pushes: merge & measure coverage → save baseline to actions/cache

Coverage policy — Two independent gates applied to the filtered merged profile:

1. Absolute floor: total coverage ≥ 95%
2. No regression: coverage must not drop vs the main baseline

The merged profile is filtered using the ignore: patterns read at runtime from .codecov.yml (generated protobuf files, mocks, integration test infrastructure). Without this filtering go tool cover -func on merged profiles yields ~42% because it counts all instrumented packages including generated code; after filtering the number is ~95.6%, consistent with Codecov's project-level figure.

Infrastructure validation — verify-metrics-snapshot now always uploads a diff artifact on PRs (an empty stub when there are no metric changes, actual diffs when there are). The fan-in performs a 1-to-1 check: for every metrics_snapshot_* artifact there must be a corresponding diff_metrics_snapshot_* artifact. A missing diff means the action never ran — an infra failure — reported as a separate error distinct from metric regressions.

Changes

New files

• scripts/e2e/filter_coverage.py — reads the ignore: list from .codecov.yml and filters a Go coverage profile, keeping both tools in sync from a single source of truth.
• docs/adr/004-migrating-coverage-gating-to-github-actions.md — ADR documenting the design.
• .github/workflows/ci-summary-report.yml — fan-in workflow replacing ci-compare-metrics.yml; handles metrics comparison, coverage gating, PR comment, and check run creation.

Modified: upload-codecov action

• Renamed flags input to flag (singular; all callers pass exactly one value).
• Coverage files are staged and uploaded as a coverage-<flag> artifact before the Codecov retry step, so the artifact is preserved even if Codecov rate-limits.
• Set fail_ci_if_error: false on the Codecov upload (artifact is already saved; Codecov failure is non-fatal).

Modified: verify-metrics-snapshot action

• Always creates an empty diff file stub before the compare step.
• Always uploads the diff artifact on PRs (condition changed from has_diff == 'true' to github.ref_name != 'main'), enabling 1-to-1 presence checking in the fan-in.

Modified: scripts/e2e/metrics_summary.sh

• 1-to-1 infra check: reports INFRA_ERRORS output if any metrics_snapshot_* dir lacks a corresponding diff_* dir.
• Zero non-empty diff files is treated as a clean result ("✅ No metric changes detected"), not an error; empty diff stubs are skipped during processing.
• Summary report footer includes both CI artifact link and Summary Report log link.

Modified: 11 E2E caller workflows + ci-unit-tests.yml

• flags: → flag: in every upload-codecov call site.

Modified: internal/tools/

• Added github.com/wadey/gocovmerge blank import in tools.go and install-coverage-tools Make target in Tools.mk.

Test plan

• Trigger CI on a PR with no code changes — Metrics Comparison shows ✅ no changes, Coverage Gate shows ✅ coverage ~95%
• Confirm the sticky PR comment contains both a metrics section and a coverage section
• Confirm both check runs include links to CI artifacts and Summary Report logs
• Push to main — verify the coverage baseline is saved to actions/cache
• Open a subsequent PR — verify the regression gate compares against the saved baseline
• Simulate a missing diff artifact (skip one E2E job) — verify INFRA_ERRORS fires and the Metrics Comparison check shows failure
• Confirm Codecov uploads still succeed and per-flag coverage is visible in the Codecov UI

AI Usage in this PR (choose one)

See AI Usage Policy.

• None: No AI tools were used in creating this PR
• Light: AI provided minor assistance (formatting, simple suggestions)
• Moderate: AI helped with code generation or debugging specific parts
• Heavy: AI generated most or all of the code changes

[Copilot]

Pull request overview

Refactors the CI Summary Report fan-in workflow to make metrics comparison more reliable (by distinguishing infra failures from “no diffs”) and to align GitHub Actions coverage gating with Codecov’s exclusion rules.

Changes:

• Always upload a diff artifact for each metrics snapshot on PRs (empty stub when no baseline), and add fan-in checks for missing diff artifacts.
• Add a coverage-profile filter that applies .codecov.yml ignore: patterns before computing merged coverage.
• Update CI Summary Report workflow outputs/links and ADR documentation to reflect the new behavior.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
scripts/e2e/metrics_summary.sh	Adds infra detection for missing diff artifacts and skips empty diff stubs when generating summaries.
scripts/e2e/filter_coverage.py	New helper to filter Go coverage profiles using .codecov.yml exclusions.
docs/adr/004-migrating-coverage-gating-to-github-actions.md	Documents coverage filtering + rationale for aligning with Codecov.
.github/workflows/ci-summary-report.yml	Wires in coverage filtering and updates summary/check-run links; runs only when upstream CI succeeded.
.github/actions/verify-metrics-snapshot/action.yaml	Ensures diff artifacts are always uploaded on PRs via an empty stub file.

Comments suppressed due to low confidence (2)

scripts/e2e/metrics_summary.sh:63

• snapshot_name is derived from the diff file basename (diff_<inputs.snapshot>.txt), but diff artifacts are keyed by artifact_key (often includes matrix dimensions). For matrix jobs this produces repeated/ambiguous headings like summary_metrics_snapshot_cassandra for multiple different runs and makes the combined summary hard to interpret. Consider deriving the snapshot identifier from the parent artifact directory name (e.g., diff_<artifact_key>), or ensure the diff filename includes artifact_key so each summary section is uniquely attributable.

    # Extract the base name (e.g., diff_metrics_snapshot_cassandra.txt -> metrics_snapshot_cassandra)
    base_name=$(basename "$diff_file" .txt)
    snapshot_name=${base_name#diff_}
    dir=$(dirname "$diff_file")

    # Generate summary for this diff
    summary_file="$dir/summary_$snapshot_name.md"

.github/actions/verify-metrics-snapshot/action.yaml:81

• The diff artifact is named using diff_${{ inputs.artifact_key }}, but the file created/overwritten/uploaded is always diff_${{ inputs.snapshot }}.txt. For snapshots where artifact_key includes matrix dimensions, this loses that context and makes fan-in reporting ambiguous (all artifacts contain a diff_metrics_snapshot_<name>.txt). Consider naming the diff file using artifact_key as well (and updating the compare output path + upload path accordingly), so downstream summary can reliably attribute diffs to the correct matrix run.

    - name: Create diff file stub
      if: github.ref_name != 'main'
      shell: bash
      run: touch ./.metrics/diff_${{ inputs.snapshot }}.txt

    - name: Calculate diff between the snapshots
      id: compare-snapshots
      if: ${{ (github.ref_name != 'main') && (steps.download-release-snapshot.outputs.cache-matched-key != '')  }}
      continue-on-error: true
      shell: bash
      run: |
        python3 -m pip install prometheus-client
        if python3 ./scripts/e2e/compare_metrics.py --file1 ./.metrics/${{ inputs.snapshot }}.txt --file2 ./.metrics/baseline_${{ inputs.snapshot }}.txt --output ./.metrics/diff_${{ inputs.snapshot }}.txt; then
          echo "No differences found in metrics"
        else
          echo "🛑 Differences found in metrics"
          echo "has_diff=true" >> $GITHUB_OUTPUT
        fi

    # Always upload the diff artifact on PRs (even when empty / no baseline yet).
    # Presence of this artifact in the fan-in proves this action ran for the snapshot.
    - name: Upload the diff artifact
      if: github.ref_name != 'main'
      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
      with:
        name: diff_${{ inputs.artifact_key }}
        path: ./.metrics/diff_${{ inputs.snapshot }}.txt
        retention-days: 7

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 95.68%. Comparing base (aba37d3) to head (62acdbb).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8111      +/-   ##
==========================================
- Coverage   95.69%   95.68%   -0.02%     
==========================================
  Files         317      317              
  Lines       16734    16734              
==========================================
- Hits        16014    16012       -2     
- Misses        568      569       +1     
- Partials      152      153       +1     

Flag	Coverage Δ
badger_v1	9.06% <ø> (ø)
badger_v2	1.04% <ø> (ø)
cassandra-4.x-v1-manual	13.26% <ø> (ø)
cassandra-4.x-v2-auto	1.03% <ø> (ø)
cassandra-4.x-v2-manual	1.03% <ø> (ø)
cassandra-5.x-v1-manual	13.26% <ø> (ø)
cassandra-5.x-v2-auto	1.03% <ø> (ø)
cassandra-5.x-v2-manual	1.03% <ø> (ø)
clickhouse	1.16% <ø> (ø)
elasticsearch-6.x-v1	16.62% <ø> (ø)
elasticsearch-7.x-v1	16.65% <ø> (ø)
elasticsearch-8.x-v1	16.80% <ø> (ø)
elasticsearch-8.x-v2	1.04% <ø> (ø)
elasticsearch-9.x-v2	1.04% <ø> (ø)
grpc_v1	7.80% <ø> (ø)
grpc_v2	1.04% <ø> (ø)
kafka-3.x-v2	1.04% <ø> (ø)
memory_v2	1.04% <ø> (ø)
opensearch-1.x-v1	16.70% <ø> (ø)
opensearch-2.x-v1	16.70% <ø> (ø)
opensearch-2.x-v2	1.04% <ø> (ø)
opensearch-3.x-v2	1.04% <ø> (ø)
query	1.04% <ø> (ø)
tailsampling-processor	0.52% <ø> (ø)
unittests	94.37% <ø> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Metrics Comparison Summary

Total changes across all snapshots: 32

Detailed changes per snapshot

summary_metrics_snapshot_elasticsearch

📊 Metrics Diff Summary

Total Changes: 0

• 🆕 Added: 0 metrics
• ❌ Removed: 0 metrics
• 🔄 Modified: 0 metrics
• 🚫 Excluded: 0 metrics

summary_metrics_snapshot_opensearch

📊 Metrics Diff Summary

Total Changes: 0

• 🆕 Added: 0 metrics
• ❌ Removed: 0 metrics
• 🔄 Modified: 0 metrics
• 🚫 Excluded: 0 metrics

summary_metrics_snapshot_clickhouse

📊 Metrics Diff Summary

Total Changes: 0

• 🆕 Added: 0 metrics
• ❌ Removed: 0 metrics
• 🔄 Modified: 0 metrics
• 🚫 Excluded: 0 metrics

summary_metrics_snapshot_grpc

📊 Metrics Diff Summary

Total Changes: 0

• 🆕 Added: 0 metrics
• ❌ Removed: 0 metrics
• 🔄 Modified: 0 metrics
• 🚫 Excluded: 0 metrics

summary_metrics_snapshot_kafka

📊 Metrics Diff Summary

Total Changes: 0

• 🆕 Added: 0 metrics
• ❌ Removed: 0 metrics
• 🔄 Modified: 0 metrics
• 🚫 Excluded: 0 metrics

summary_metrics_snapshot_memory

📊 Metrics Diff Summary

Total Changes: 0

• 🆕 Added: 0 metrics
• ❌ Removed: 0 metrics
• 🔄 Modified: 0 metrics
• 🚫 Excluded: 0 metrics

summary_metrics_snapshot_badger

📊 Metrics Diff Summary

Total Changes: 32

• 🆕 Added: 0 metrics
• ❌ Removed: 32 metrics
• 🔄 Modified: 0 metrics
• 🚫 Excluded: 0 metrics

❌ Removed Metrics

• jaeger_storage_badger_compaction_current_num_lsm (2 variants)

View diff sample

-jaeger_storage_badger_compaction_current_num_lsm{name="another_store",otel_scope_name="jaeger-v2",otel_scope_schema_url="",otel_scope_version="",role="tracestore"}
-jaeger_storage_badger_compaction_current_num_lsm{name="some_store",otel_scope_name="jaeger-v2",otel_scope_schema_url="",otel_scope_version="",role="tracestore"}

- `jaeger_storage_badger_get_num_memtable` (2 variants)

View diff sample

-jaeger_storage_badger_get_num_memtable{name="another_store",otel_scope_name="jaeger-v2",otel_scope_schema_url="",otel_scope_version="",role="tracestore"}
-jaeger_storage_badger_get_num_memtable{name="some_store",otel_scope_name="jaeger-v2",otel_scope_schema_url="",otel_scope_version="",role="tracestore"}

- `jaeger_storage_badger_get_num_user` (2 variants)

View diff sample

-jaeger_storage_badger_get_num_user{name="another_store",otel_scope_name="jaeger-v2",otel_scope_schema_url="",otel_scope_version="",role="tracestore"}
-jaeger_storage_badger_get_num_user{name="some_store",otel_scope_name="jaeger-v2",otel_scope_schema_url="",otel_scope_version="",role="tracestore"}

- `jaeger_storage_badger_get_with_result_num_user` (2 variants)

View diff sample

-jaeger_storage_badger_get_with_result_num_user{name="another_store",otel_scope_name="jaeger-v2",otel_scope_schema_url="",otel_scope_version="",role="tracestore"}
-jaeger_storage_badger_get_with_result_num_user{name="some_store",otel_scope_name="jaeger-v2",otel_scope_schema_url="",otel_scope_version="",role="tracestore"}

- `jaeger_storage_badger_iterator_num_user` (2 variants)

View diff sample

-jaeger_storage_badger_iterator_num_user{name="another_store",otel_scope_name="jaeger-v2",otel_scope_schema_url="",otel_scope_version="",role="tracestore"}
-jaeger_storage_badger_iterator_num_user{name="some_store",otel_scope_name="jaeger-v2",otel_scope_schema_url="",otel_scope_version="",role="tracestore"}

- `jaeger_storage_badger_put_num_user` (2 variants)

View diff sample

-jaeger_storage_badger_put_num_user{name="another_store",otel_scope_name="jaeger-v2",otel_scope_schema_url="",otel_scope_version="",role="tracestore"}
-jaeger_storage_badger_put_num_user{name="some_store",otel_scope_name="jaeger-v2",otel_scope_schema_url="",otel_scope_version="",role="tracestore"}

- `jaeger_storage_badger_read_bytes_lsm` (2 variants)

View diff sample

-jaeger_storage_badger_read_bytes_lsm{name="another_store",otel_scope_name="jaeger-v2",otel_scope_schema_url="",otel_scope_version="",role="tracestore"}
-jaeger_storage_badger_read_bytes_lsm{name="some_store",otel_scope_name="jaeger-v2",otel_scope_schema_url="",otel_scope_version="",role="tracestore"}

- `jaeger_storage_badger_read_bytes_vlog` (2 variants)

View diff sample

-jaeger_storage_badger_read_bytes_vlog{name="another_store",otel_scope_name="jaeger-v2",otel_scope_schema_url="",otel_scope_version="",role="tracestore"}
-jaeger_storage_badger_read_bytes_vlog{name="some_store",otel_scope_name="jaeger-v2",otel_scope_schema_url="",otel_scope_version="",role="tracestore"}

- `jaeger_storage_badger_read_num_vlog` (2 variants)

View diff sample

-jaeger_storage_badger_read_num_vlog{name="another_store",otel_scope_name="jaeger-v2",otel_scope_schema_url="",otel_scope_version="",role="tracestore"}
-jaeger_storage_badger_read_num_vlog{name="some_store",otel_scope_name="jaeger-v2",otel_scope_schema_url="",otel_scope_version="",role="tracestore"}

- `jaeger_storage_badger_size_bytes_lsm` (2 variants)

View diff sample

-jaeger_storage_badger_size_bytes_lsm{name="another_store",otel_scope_name="jaeger-v2",otel_scope_schema_url="",otel_scope_version="",role="tracestore"}
-jaeger_storage_badger_size_bytes_lsm{name="some_store",otel_scope_name="jaeger-v2",otel_scope_schema_url="",otel_scope_version="",role="tracestore"}

- `jaeger_storage_badger_size_bytes_vlog` (2 variants)

View diff sample

-jaeger_storage_badger_size_bytes_vlog{name="another_store",otel_scope_name="jaeger-v2",otel_scope_schema_url="",otel_scope_version="",role="tracestore"}
-jaeger_storage_badger_size_bytes_vlog{name="some_store",otel_scope_name="jaeger-v2",otel_scope_schema_url="",otel_scope_version="",role="tracestore"}

- `jaeger_storage_badger_write_bytes_l0` (2 variants)

View diff sample

-jaeger_storage_badger_write_bytes_l0{name="another_store",otel_scope_name="jaeger-v2",otel_scope_schema_url="",otel_scope_version="",role="tracestore"}
-jaeger_storage_badger_write_bytes_l0{name="some_store",otel_scope_name="jaeger-v2",otel_scope_schema_url="",otel_scope_version="",role="tracestore"}

- `jaeger_storage_badger_write_bytes_user` (2 variants)

View diff sample

-jaeger_storage_badger_write_bytes_user{name="another_store",otel_scope_name="jaeger-v2",otel_scope_schema_url="",otel_scope_version="",role="tracestore"}
-jaeger_storage_badger_write_bytes_user{name="some_store",otel_scope_name="jaeger-v2",otel_scope_schema_url="",otel_scope_version="",role="tracestore"}

- `jaeger_storage_badger_write_bytes_vlog` (2 variants)

View diff sample

-jaeger_storage_badger_write_bytes_vlog{name="another_store",otel_scope_name="jaeger-v2",otel_scope_schema_url="",otel_scope_version="",role="tracestore"}
-jaeger_storage_badger_write_bytes_vlog{name="some_store",otel_scope_name="jaeger-v2",otel_scope_schema_url="",otel_scope_version="",role="tracestore"}

- `jaeger_storage_badger_write_num_vlog` (2 variants)

View diff sample

-jaeger_storage_badger_write_num_vlog{name="another_store",otel_scope_name="jaeger-v2",otel_scope_schema_url="",otel_scope_version="",role="tracestore"}
-jaeger_storage_badger_write_num_vlog{name="some_store",otel_scope_name="jaeger-v2",otel_scope_schema_url="",otel_scope_version="",role="tracestore"}

- `jaeger_storage_badger_write_pending_num_memtable` (2 variants)

View diff sample

-jaeger_storage_badger_write_pending_num_memtable{name="another_store",otel_scope_name="jaeger-v2",otel_scope_schema_url="",otel_scope_version="",role="tracestore"}
-jaeger_storage_badger_write_pending_num_memtable{name="some_store",otel_scope_name="jaeger-v2",otel_scope_schema_url="",otel_scope_version="",role="tracestore"}

➡️ View full metrics file

Code Coverage

coverage 46.4% is below required minimum 95.0%

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Comments suppressed due to low confidence (2)

.github/actions/verify-metrics-snapshot/action.yaml:81

• The new diff stub + unconditional diff artifact upload can mask failures in compare_metrics.py. If a baseline exists but compare_metrics.py crashes/throws, the stub remains empty, uploads successfully, and the fan-in will skip it as an “empty diff” (treating it as no changes). Consider making compare_metrics.py return a distinct non-0/1 exit code on unexpected errors (or write an explicit error marker into the diff file) and have this composite action fail in that case so the fan-in can surface an infra error.

    - name: Create diff file stub
      if: github.ref_name != 'main'
      shell: bash
      run: touch ./.metrics/diff_${{ inputs.snapshot }}.txt

    - name: Calculate diff between the snapshots
      id: compare-snapshots
      if: ${{ (github.ref_name != 'main') && (steps.download-release-snapshot.outputs.cache-matched-key != '')  }}
      continue-on-error: true
      shell: bash
      run: |
        python3 -m pip install prometheus-client
        if python3 ./scripts/e2e/compare_metrics.py --file1 ./.metrics/${{ inputs.snapshot }}.txt --file2 ./.metrics/baseline_${{ inputs.snapshot }}.txt --output ./.metrics/diff_${{ inputs.snapshot }}.txt; then
          echo "No differences found in metrics"
        else
          echo "🛑 Differences found in metrics"
          echo "has_diff=true" >> $GITHUB_OUTPUT
        fi

    # Always upload the diff artifact on PRs (even when empty / no baseline yet).
    # Presence of this artifact in the fan-in proves this action ran for the snapshot.
    - name: Upload the diff artifact
      if: github.ref_name != 'main'
      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
      with:
        name: diff_${{ inputs.artifact_key }}
        path: ./.metrics/diff_${{ inputs.snapshot }}.txt
        retention-days: 7

.github/workflows/ci-summary-report.yml:84

• actions.listWorkflowRunArtifacts is called without pagination/per_page. GitHub’s API defaults to 30 artifacts per page; this repo’s CI run can easily exceed that (metrics snapshots + diffs + coverage artifacts), so the fan-in will silently miss artifacts and produce incorrect metrics/coverage gating. Update the github-script step to request per_page: 100 and paginate until all artifacts are fetched (or follow artifacts.data.total_count).

            // List all artifacts from the target workflow run
            const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
              owner,
              repo,
              run_id: workflowRunId,
            });

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.