ci-pipeline-cleanup Phase 2: coverage thresholds → YAML manifest

Bundle: ci-pipeline-cleanup, Phase 2 / frozen decision 0.3. Move 9 hardcoded coverage thresholds from inline bash to a YAML manifest at .github/coverage-thresholds.yml. The load-bearing per-package context (Bundle reference, HEAD measurement, gap rationale) survives in the YAML's `why:` field instead of in inline bash comments. Adding a new gated package: one YAML entry instead of ~30 lines of bash + 50 lines of comment. Coverage check logic extracted to scripts/check-coverage-thresholds.sh so the operator can run the same check locally: bash scripts/check-coverage-thresholds.sh ci.yml dropped 557 → 417 lines (-140, total Phase 1+2: -1071, -72% from baseline 1488). Same 9 floors, same fail-on-miss semantics — pure relocation: internal/service: 70 (was: 70) internal/api/handler: 75 (was: 75) internal/domain: 40 (was: 40) internal/api/middleware: 30 (was: 30) internal/crypto: 88 (was: 88) internal/connector/issuer/local: 86 (was: 86) internal/connector/issuer/acme: 80 (was: 80) internal/connector/issuer/stepca: 80 (was: 80) internal/mcp: 85 (was: 85) Sandbox verification: - ci.yml YAML-parses cleanly - coverage-thresholds.yml YAML-parses cleanly with all 9 entries - scripts/check-coverage-thresholds.sh extracts the (pkg, floor) table correctly from the YAML
2026-06-07 13:51:36 +00:00 · 2026-04-30 20:39:30 +00:00
parent 1caedd5fd3
commit 86d92efd2b
3 changed files with 145 additions and 146 deletions
@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+# scripts/check-coverage-thresholds.sh
+#
+# Enforces per-package coverage floors declared in
+# .github/coverage-thresholds.yml against the live coverage.out.
+#
+# Per ci-pipeline-cleanup bundle Phase 2 / frozen decision 0.3.
+# Adding a new gated package: one entry in the YAML — this script
+# auto-picks it up. Lowering a floor REQUIRES corresponding code-side
+# test work — never lower the gate to make CI green.
+
+set -e
+
+if [ ! -f coverage.out ]; then
+  echo "::error::coverage.out not found — run 'go test -cover -coverprofile=coverage.out' first"
+  exit 1
+fi
+
+if [ ! -f .github/coverage-thresholds.yml ]; then
+  echo "::error::.github/coverage-thresholds.yml not found"
+  exit 1
+fi
+
+echo "=== Coverage Report ==="
+go tool cover -func=coverage.out | tail -1
+echo ""
+
+# Extract the pkg → floor table from the YAML.
+python3 - <<'PY' > /tmp/cov-thresholds.tsv
+import yaml
+d = yaml.safe_load(open('.github/coverage-thresholds.yml'))
+for pkg, entry in d.items():
+    print(f"{pkg}\t{entry['floor']}")
+PY
+
+fail=0
+while IFS=$'\t' read -r pkg floor; do
+  cov=$(go tool cover -func=coverage.out \
+          | grep "$pkg" \
+          | awk '{print $NF}' \
+          | sed 's/%//' \
+          | awk '{sum+=$1; n++} END {if(n>0) printf "%.1f", sum/n; else print "0"}')
+  printf "%-50s %5s%% (floor: %s%%)\n" "$pkg" "$cov" "$floor"
+  if [ "$(echo "$cov < $floor" | bc -l)" -eq 1 ]; then
+    # Pull the why: text out of the YAML for this package.
+    why=$(python3 -c "
+import yaml, sys
+d = yaml.safe_load(open('.github/coverage-thresholds.yml'))
+print(d.get(sys.argv[1], {}).get('why', '').strip())
+" "$pkg")
+    echo "::error::$pkg coverage $cov% is below floor $floor%"
+    echo "Why this floor exists:"
+    echo "$why" | sed 's/^/  /'
+    echo "Add tests; do not lower the gate."
+    fail=1
+  fi
+done < /tmp/cov-thresholds.tsv
+
+[ $fail -eq 0 ] || exit 1
+echo ""
+echo "All coverage thresholds passed."