From 8cdcb0eac07f06a31815a53fbc8de00d8e33bb8a Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Thu, 4 Jun 2026 09:52:52 +0800 Subject: [PATCH] feat: switch from third-party coverage tool to GitHub API --- .github/dependency-review-config.yaml | 3 --- .github/workflows/coverage.yaml | 23 +++++++++++++++-------- README.md | 15 +-------------- 3 files changed, 16 insertions(+), 25 deletions(-) diff --git a/.github/dependency-review-config.yaml b/.github/dependency-review-config.yaml index e6a54f0..92776d8 100644 --- a/.github/dependency-review-config.yaml +++ b/.github/dependency-review-config.yaml @@ -24,9 +24,6 @@ allow-licenses: - 'LicenseRef-scancode-google-patent-license-golang' allow-dependencies-licenses: -# this action is GPL-3 but it is only used in CI -# https://github.com/actions/dependency-review-action/issues/530#issuecomment-1638291806 -- pkg:githubactions/vladopajic/go-test-coverage@bcd064e5ceef1ccec5441519eb054263b6a44787 # this package is MPL-2.0 and has a CNCF exception # https://github.com/cncf/foundation/blob/9b8c9173c2101c1b4aedad3caf2c0128715133f6/license-exceptions/cncf-exceptions-2022-04-12.json#L43C17-L43C47 - pkg:golang/github.com/go-sql-driver/mysql diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml index c8e9a68..470e8ab 100644 --- a/.github/workflows/coverage.yaml +++ b/.github/workflows/coverage.yaml @@ -3,11 +3,16 @@ on: push: branches: - main + pull_request: + branches: + - main permissions: {} jobs: coverage: permissions: - contents: write + contents: read + code-quality: write + pull-requests: read # not sure if this is required runs-on: ubuntu-latest steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 
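Review bot: The `pull-requests: read # not sure if this is required` line in the `coverage` job's `permissions` grants a scope that the author's own comment marks as unverified. Under least privilege it should be dropped and re-added only if the upload step is shown to fail without it. With the new `pull_request` trigger, `code-quality: write` is now the scope held by PR-triggered runs. GitHub normally issues a read-only token for pull requests from forks, so the upload will likely fail there; consider guarding that step with `if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository`. The job's step list continues outside this hunk.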
@@ -17,11 +22,13 @@ jobs: - name: Calculate coverage run: | go test -count=1 -v -covermode=atomic -coverprofile=cover.out -coverpkg=./... ./... - - name: Generage coverage badge - uses: vladopajic/go-test-coverage@a93b868a4cbcbf18dc3781650fad241f0020e609 # v2.18.8 + - name: Convert Go coverage profile to cobertuba format + run: | + go install github.com/boumenot/gocover-cobertura@v1.5.0 + gocover-cobertura < cover.out > cover.xml + - name: Upload coverage to GitHub API + uses: actions/upload-code-coverage@abb5995db9e0199b0e2bb9dbd136fce4cb1ec4d3 # v1.3.0 with: - profile: cover.out - local-prefix: github.com/${{ github.repository }} - git-token: ${{ secrets.GITHUB_TOKEN }} - # orphan branch for storing badges - git-branch: badges + file: cover.xml + language: Go + label: code-coverage/go-test diff --git a/README.md b/README.md index 17b7bc4..f26993c 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,6 @@ [![Go Reference](https://pkg.go.dev/badge/github.com/smlx/go-cli-github.svg)](https://pkg.go.dev/github.com/smlx/go-cli-github) [![Release](https://github.com/smlx/go-cli-github/actions/workflows/release.yaml/badge.svg)](https://github.com/smlx/go-cli-github/actions/workflows/release.yaml) -[![coverage](https://raw.githubusercontent.com/smlx/go-cli-github/badges/.badges/main/coverage.svg)](https://github.com/smlx/go-cli-github/actions/workflows/coverage.yaml) [![Go Report Card](https://goreportcard.com/badge/github.com/smlx/go-cli-github)](https://goreportcard.com/report/github.com/smlx/go-cli-github) [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/smlx/go-cli-github/badge)](https://securityscorecards.dev/viewer/?uri=github.com/smlx/go-cli-github) [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/8168/badge)](https://www.bestpractices.dev/projects/8168) 
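Review bot: The `go install github.com/boumenot/gocover-cobertura@v1.5.0` step builds and runs a tool that sits outside this repository's `go.mod`/`go.sum`. The dependency review configured in this repo will presumably not see it or its transitive modules, whereas the actions in this workflow are pinned by commit SHA. Go's checksum database should keep the tagged version's content stable by default, but the binary still executes in a job that holds `code-quality: write` and is now triggered by pull requests. Consider tracking it as a tool dependency in `go.mod` so it is reviewed and updated like other modules, or at least add a comment recording why the tag is trusted. The step name also has a typo and should read `- name: Convert Go coverage profile to cobertura format`.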
@@ -23,7 +22,7 @@ It also automatically builds and tests your code using [GitHub Actions](https:// * Test Pull Requests using `go test`. * Build container images from Pull Requests and push them to the GitHub container registry for manual testing and review. * Static code analysis using [CodeQL](https://codeql.github.com/) and [Go Report Card](https://goreportcard.com/). -* Coverage analysis using the [go-test-coverage action](https://github.com/vladopajic/go-test-coverage). +* Coverage analysis using the [GitHub coverage API](https://docs.github.com/en/code-security/how-tos/maintain-quality-code/set-up-code-coverage). * Security analysis using [OpenSSF](https://securityscorecards.dev). * Signed binary and container release artifacts using [artifact attestations](https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds). * SBOM generation for both release artifacts and container images, with image SBOMs pushed to the container registry. @@ -54,18 +53,6 @@ Then push some code to main: git push -u origin main ``` -1. Create the `badges` branch for storing the README coverage badge. - - ```bash - git checkout --orphan badges - git rm -rf . - rm -f .gitignore - echo 'This branch exists only to store the coverage badge in the README on `main`.' > README.md - git add README.md - git commit -m 'chore: initialize the badges branch' - git push origin badges - ``` - Then customize the code for your repository: 1. Check out a new branch to set up the repo `git checkout -b setup main`