From 28820748f70a844e60e70119fd7bcb8430b1e854 Mon Sep 17 00:00:00 2001
From: Micheal Wilkinson
Date: Sat, 21 Mar 2026 22:54:07 +0000
Subject: [PATCH] ci: harden workflow dedup and badge gating
---
 .gitea/workflows/pr-validation.yml | 16 +++++++++++++++-
 .gitea/workflows/push-validation.yml | 12 ++++++------
 2 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/.gitea/workflows/pr-validation.yml b/.gitea/workflows/pr-validation.yml
index bd18788..e818122 100644
--- a/.gitea/workflows/pr-validation.yml
+++ b/.gitea/workflows/pr-validation.yml
@@ -153,11 +153,24 @@ jobs:
 cache: true
 cache-dependency-path: go.sum
+ - name: Check coverage artefacts
+ id: coverage-files
+ if: ${{ always() && steps.coverage.outcome == 'success' }}
+ run: |
+ set -euo pipefail
+ if [[ -f coverage.out ]]; then
+ echo "exists=true" >> "$GITHUB_OUTPUT"
+ else
+ echo "exists=false" >> "$GITHUB_OUTPUT"
+ echo "coverage.out was not produced; skipping coverage badge upload." >> "$GITHUB_STEP_SUMMARY"
+ fi
+
 - name: Upload coverage badge
 id: badge
- if: ${{ always() && steps.coverage.outcome == 'success' }}
+ if: ${{ always() && steps.coverage.outcome == 'success' && steps.coverage-files.outputs.exists == 'true' }}
 uses: https://git.hrafn.xyz/aether/vociferate/coverage-badge@v1.1.0
 with:
+ coverage-profile: coverage.out
 artefact-bucket-name: ${{ vars.ARTEFACT_BUCKET_NAME }}
 artefact-bucket-endpoint: ${{ vars.ARTEFACT_BUCKET_ENDPONT }}
@@ -178,6 +191,7 @@ jobs:
 - name: Decorate PR
 if: ${{ always() }}
 uses: https://git.hrafn.xyz/aether/vociferate/decorate-pr@v1.1.0
+ continue-on-error: true
 with:
 coverage-percentage: ${{ steps.badge.outputs.total }}
 badge-url: ${{ steps.badge.outputs.badge-url }}
diff --git a/.gitea/workflows/push-validation.yml b/.gitea/workflows/push-validation.yml
index c26e8ef..3a55c33 100644
--- a/.gitea/workflows/push-validation.yml
+++ b/.gitea/workflows/push-validation.yml
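Review bot: The new `Check coverage artefacts` step gates the badge upload on `[[ -f coverage.out ]]`, which is also true for an empty profile, so a test run that created the file but wrote nothing still reaches the upload step. Testing for a non-empty file instead, `if [[ -s coverage.out ]]; then`, closes that gap. The step also uses `[[ … ]]` and `set -o pipefail` without declaring a shell, while this same commit rewrites the push workflow to POSIX `[ … ]` and `set -eu`. If the runner's default shell is not bash, this step fails before writing `exists`, so either add `shell: bash` or use the POSIX form here as well. The `coverage` step it depends on and the rest of the job are outside the hunk.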
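Review bot: `continue-on-error: true` on `Decorate PR` hides every failure of that step, including a rejected token or an action that could not be fetched, and nothing in the hunk records why that is acceptable. Because the badge upload can now be skipped when `coverage.out` is missing, this step (`if: ${{ always() }}`) will also run with empty `steps.badge.outputs.total` and `badge-url`, and a failure caused by that would pass silently. I would add a comment above the key, e.g. `# Decoration is advisory; a failure here must not fail validation`, and give the step an `id` so a later step can surface `outcome == 'failure'` in the job summary. The `with:` block continues past the end of the hunk.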
@@ -27,18 +27,18 @@ jobs:
 SERVER_URL: ${{ github.server_url }}
 TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
- set -euo pipefail
+ set -eu
 api_url="${SERVER_URL}/api/v1/repos/${REPOSITORY}/pulls?state=open&head=${OWNER}:${BRANCH}"
- auth_args=()
- if [[ -n "${TOKEN:-}" ]]; then
- auth_args=(-H "Authorization: token ${TOKEN}")
+ if [ -n "${TOKEN:-}" ]; then
+ response="$(curl -fsSL -H "Authorization: token ${TOKEN}" -H "accept: application/json" "$api_url" || echo '[]')"
+ else
+ response="$(curl -fsSL -H "accept: application/json" "$api_url" || echo '[]')"
 fi
- response="$(curl -fsSL "${auth_args[@]}" -H 'accept: application/json' "$api_url" || echo '[]')"
 open_prs="$(printf '%s' "$response" | grep -o '"number":[0-9]\+' | wc -l | tr -d ' ')"
- if [[ "$open_prs" -gt 0 ]]; then
+ if [ "$open_prs" -gt 0 ]; then
 echo "should_run=false" >> "$GITHUB_OUTPUT"
 echo "Open PR detected for ${OWNER}:${BRANCH}; skipping push validation." >> "$GITHUB_STEP_SUMMARY"
 else
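Review bot: Both new `curl` branches end in `|| echo '[]'`, so a rejected token, a server error or a DNS failure looks exactly like "no open PRs" and leaves no trace in the log or the job summary. The fallback direction is the safe one (validation still runs), but a silently broken lookup means the dedup stops working without anyone noticing. I would hold the optional header in the positional parameters with `set --` (POSIX, unlike the removed array), make a single `curl` call, and write a line to `$GITHUB_STEP_SUMMARY` when it fails, as sketched below. Since `pipefail` is dropped in the same change, a short comment saying why (presumably the runner shell is POSIX sh) would stop someone restoring it later. The `run:` script continues past the `else` that ends the hunk.

```yaml
run: |
  set -eu
  # … unchanged: api_url assignment …
  # Optional auth header lives in the positional parameters (POSIX sh has no arrays).
  if [ -n "${TOKEN:-}" ]; then
    set -- -H "Authorization: token ${TOKEN}"
  else
    set --
  fi
  if ! response="$(curl -fsSL "$@" -H "accept: application/json" "$api_url")"; then
    echo "Open-PR lookup failed; running push validation anyway." >> "$GITHUB_STEP_SUMMARY"
    response='[]'
  fi
  # … unchanged: open_prs count and should_run output …
```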