[🔥AUDIT🔥] Update codecov to v5 action and add bundle analysis (#1799)

somewhatabstract · web-flow · commit 5e93bdccbb5c · 2025-04-05T19:24:34.000-05:00
🖍 _This is an audit!_ 🖍 ## Summary: Dependabot wanted to do this update for me, but I wanted to add the bundle analysis to see what that looks like, so I've done it manually. Kept the old filesize plugin for rollup because the codecov action doesn't output info locally, it seems. Issue: XXX-XXXX ## Test plan: `pnpm clean & pnpm build` Going to see what the bundle analysis for codecov looks like on this PR. Author: somewhatabstract Auditors: copilot-pull-request-reviewer[bot] Required Reviewers: Approved By: Checks: ✅ 8 checks were successful, ⏭️ 1 check has been skipped Pull Request URL: #1799
diff --git a/.changeset/empty-memes-open.md b/.changeset/empty-memes-open.md
@@ -0,0 +1,2 @@
+---
+---
diff --git a/.codecov.yml b/.codecov.yml
@@ -5,15 +5,15 @@ coverage:
 
   status:
     project:
-      default: on
+      default: true
     patch:
-      default: off
+      default: false
     changes:
-      default: off
+      default: false
 
 comment:
   layout: "header, reach, diff, flags, files, footer"
   behavior: default
-  require_changes: no
-  require_base: no
-  require_head: yes
+  require_changes: false
+  require_base: false
+  require_head: true
diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
@@ -87,7 +87,7 @@ jobs:
     - name: Run tests with coverage
       run: pnpm coverage
     - name: Upload coverage
-      uses: codecov/codecov-action@v4
+      uses: codecov/codecov-action@v5
       env:
         CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 
@@ -123,4 +123,8 @@ jobs:
       run: pnpm install --frozen-lockfile
 
     - name: Run tests and build
+      env:
+        # We only want to upload bundle analysis for a PR once,
+        # so we only provide a token for the ubuntu-latest job.
+        CODECOV_TOKEN: ${{ matrix.os == 'ubuntu-latest' && secrets.CODECOV_TOKEN || '' }}
       run: pnpm build
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -64,4 +64,7 @@ jobs:
           # the account of someone with appropriate access levels and given the
           # repo scope.
           GITHUB_TOKEN: ${{ secrets.BOT_PA_TOKEN }}
+          # This is used for the publish step to allow access to NPM.
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          # This is used for the bundle analysis
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
diff --git a/package.json b/package.json
@@ -38,6 +38,7 @@
         "@babel/preset-env": "^7.26.9",
         "@babel/preset-typescript": "^7.27.0",
         "@changesets/cli": "^2.28.1",
+        "@codecov/rollup-plugin": "^1.9.0",
         "@eslint/compat": "^1.2.8",
         "@eslint/eslintrc": "^3.3.1",
         "@eslint/js": "^9.24.0",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/rollup.config.mjs b/rollup.config.mjs
