fix pr count gate and coverage gate and add check_artifact_exists evidence to statements JLS-54 and JLS-55

halnasri · ThomasClausnitzer · commit 00a8c8157a23 · 2026-02-27T17:05:37.000+01:00
diff --git a/.github/workflows/coverage_gate.yml b/.github/workflows/coverage_gate.yml
@@ -4,7 +4,7 @@ on:
   workflow_call:
     inputs:
       artifact_id:
-        description: "Unused, kept for consistency with parent"
+        description: "Artifact name for the coverage-gate result"
         required: true
         type: string
 
@@ -52,3 +52,18 @@ jobs:
           fi
 
           echo "Coverage is above threshold."
+
+      - name: Create coverage-gate result
+        if: always()
+        run: |
+          mkdir -p coverage_gate
+          echo "status=${{ job.status }}" > coverage_gate/result.txt
+          echo "sha=${{ github.sha }}" >> coverage_gate/result.txt
+          echo "run_id=${{ github.run_id }}" >> coverage_gate/result.txt
+
+      - name: Upload coverage-gate artifact
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ inputs.artifact_id }}
+          path: coverage_gate/result.txt
diff --git a/.github/workflows/parent-workflow.yml b/.github/workflows/parent-workflow.yml
@@ -67,13 +67,17 @@ jobs:
   coverage_gate:
     name: Run Coverage Gate Workflow
     needs: [ubuntu]
+    if: ${{ github.event_name == 'pull_request' && github.base_ref == 'main' 
+          || github.event_name == 'schedule' }}
     uses: ./.github/workflows/coverage_gate.yml
     with:
       artifact_id: "coverage_gate-${{ github.sha }}"
 
   pr_count_gate:
     name: Run PR Count Gate Workflow
     uses: ./.github/workflows/pr_count_gate.yml
+    with:
+      artifact_id: "pr_count_gate-${{ github.sha }}"
 
   dependency_review:
     name: Run dependency_review Workflow
diff --git a/.github/workflows/pr_count_gate.yml b/.github/workflows/pr_count_gate.yml
@@ -2,36 +2,59 @@ name: PR Count Gate
 
 on:
   workflow_call:
+    inputs:
+      artifact_id:
+        required: true
+        type: string
 
 jobs:
   pr_count_gate:
     runs-on: ubuntu-latest
 
     steps:
-            - name: Count open pull requests
-              id: pr-count
-              uses: actions/github-script@v7
-              with:
-                github-token: ${{ secrets.GITHUB_TOKEN }}
-                script: |
-                  const { owner, repo } = context.repo;
-                  const per_page = 100;
-                  let page = 1;
-                  let total = 0;
-
-                  while (true) {
-                    const { data } = await github.rest.pulls.list({
-                      owner,
-                      repo,
-                      state: 'open',
-                      per_page,
-                      page,
-                    });
-                    if (data.length === 0) break;
-                    total += data.length;
-                    if (data.length < per_page) break;
-                    page++;
-                  }
-
-                  core.info(`Open pull requests: ${total}`);
-                  core.setOutput('open_prs', total.toString());
+      - name: Count open pull requests
+        id: pr-count
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const { owner, repo } = context.repo;
+            const per_page = 100;
+            let page = 1;
+            let total = 0;
+
+            while (true) {
+              const { data } = await github.rest.pulls.list({
+                owner,
+                repo,
+                state: 'open',
+                base: 'main',
+                per_page,
+                page,
+              });
+              if (data.length === 0) break;
+              total += data.length;
+              if (data.length < per_page) break;
+              page++;
+            }
+
+            core.info(`Open pull requests: ${total}`);
+            core.setOutput('open_prs', total.toString());
+
+      - name: Write PR count result
+        if: always()
+        run: |
+          mkdir -p pr_count_gate
+          echo "status=${{ job.status }}" > pr_count_gate/result.txt
+          echo "open_prs=${{ steps.pr-count.outputs.open_prs }}" >> pr_count_gate/result.txt
+          echo "sha=${{ github.sha }}" >> pr_count_gate/result.txt
+          echo "run_id=${{ github.run_id }}" >> pr_count_gate/result.txt
+
+
+      - name: Upload PR count gate artifact
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ inputs.artifact_id }}
+          path: pr_count_gate/result.txt
+
diff --git a/TSF/trustable/statements/JLS-04.md b/TSF/trustable/statements/JLS-04.md
@@ -8,13 +8,15 @@ references:
 evidence:
   type: "check_artifact_exists"
   configuration:
-    check_amalgamation: exclude
-    codeql: exclude
-    dependency_review: include
-    labeler: exclude
-    publish_documentation: exclude
-    test_trudag_extensions: exclude
-    ubuntu: exclude
+      ubuntu: exclude
+      coverage_gate: exclude
+      codeql: exclude
+      labeler: exclude
+      test_trudag_extensions: exclude
+      dependency_review: include
+      check_amalgamation: exclude
+      publish_documentation: exclude
+      pr_count_gate: exclude
 score:
     Jonas-Kirchhoff: 1.0
     Erikhu1: 1.0
diff --git a/TSF/trustable/statements/JLS-54.md b/TSF/trustable/statements/JLS-54.md
@@ -5,6 +5,18 @@ references:
     - type: verbose_file
       path: "./.github/workflows/coverage_gate.yml"
       description: "GitHub Actions workflow enforcing a minimum coverage threshold."
+evidence:
+  type: "check_artifact_exists"
+  configuration:
+      ubuntu: exclude
+      coverage_gate: include
+      codeql: exclude
+      labeler: exclude
+      test_trudag_extensions: exclude
+      dependency_review: exclude
+      check_amalgamation: exclude
+      publish_documentation: exclude
+      pr_count_gate: exclude
 ---
 
-In the eclipse-score/inc_nlohmann_json repository, code coverage for unit and integration tests is measured in every CI run, and a minimum coverage threshold is defined for each protected branch. If coverage for a change would fall below this threshold, the CI workflow blocks the merge until coverage is restored or the change is rejected.
+In the eclipse-score/inc_nlohmann_json repository, code coverage is measured in CI and a minimum threshold is enforced for pull requests into main and pushes to main. If coverage falls below the threshold, the coverage_gate check fails and blocks merging into main until coverage is restored.
diff --git a/TSF/trustable/statements/JLS-55.md b/TSF/trustable/statements/JLS-55.md
@@ -5,6 +5,18 @@ references:
     - type: verbose_file
       path: "./.github/workflows/pr_count_gate.yml"
       description: "GitHub Actions workflow enforcing a limit on open PRs."
+evidence:
+  type: "check_artifact_exists"
+  configuration:
+      ubuntu: exclude
+      coverage_gate: exclude
+      codeql: exclude
+      labeler: exclude
+      test_trudag_extensions: exclude
+      dependency_review: exclude
+      check_amalgamation: exclude
+      publish_documentation: exclude
+      pr_count_gate: include
 ---
 
 In eclipse-score/inc_nlohmann_json, a GitHub Actions workflow checks the number of open pull requests in the main branch. If the number exceeds a defined threshold, the workflow fails and blocks further merges until the number of open pull requests is reduced below that threshold.
