From 18f0c921d5ec587f25542153a63f974ad0ddf226 Mon Sep 17 00:00:00 2001
From: jordanstephens
Date: Fri, 15 May 2026 11:33:42 -0700
Subject: [PATCH] fix(ci): compare coverage against merge-base commit, not latest main

Dependabot PRs (and any branch that diverges from main) were failing the coverage regression check because the baseline was always the most recent main artifact. If new tested code landed on main after the branch was created, coverage on main would rise while the branch stayed flat. Instead, find the GitHub Actions run whose head_sha matches the git merge-base of the PR branch and main, and download the coverage artifact from that specific run. This ensures the comparison is always branch-point vs. branch, not latest-main vs. branch. Falls back gracefully (continue-on-error) when no matching run exists (first run, expired artifact, API error).

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/go.yml | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 4a60389a7..154b2bc81 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -15,6 +15,7 @@ on:
 permissions:
 contents: read
 id-token: write # for GitHub id-token auth
+ actions: read # to query workflow runs for coverage baseline

 jobs:
 go-test:
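Review bot: `actions: read` is added to the workflow-level `permissions` block, so every job in this workflow receives it alongside `id-token: write`, although as far as this patch shows only the merge-base lookup in `go-test` needs it. If the workflow defines other jobs (not visible in this hunk), consider granting it in a job-level `permissions:` block on `go-test` instead. Job-level permissions replace the workflow-level set rather than extend it, so `contents: read` and `id-token: write` would have to be repeated there.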
@@ -53,15 +54,31 @@ jobs:
 path: src/coverage.txt
 overwrite: true

- - name: Download main branch coverage
+ - name: Find merge-base run ID
 if: github.ref != 'refs/heads/main' && !startsWith(github.ref, 'refs/tags/v')
+ id: merge-base-run
+ continue-on-error: true # no baseline yet on first run
+ run: |
+ git fetch origin main --depth=50
+ MERGE_BASE=$(git merge-base HEAD origin/main)
+ echo "Merge base: $MERGE_BASE"
+ RUN_ID=$(gh api "repos/$GITHUB_REPOSITORY/actions/workflows/go.yml/runs" \
+ -X GET -f branch=main -f per_page=100 \
+ --jq ".workflow_runs[] | select(.head_sha == \"$MERGE_BASE\" and .conclusion == \"success\") | .id" \
+ | head -1)
+ echo "run_id=${RUN_ID}" >> "$GITHUB_OUTPUT"
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Download merge-base coverage
+ if: github.ref != 'refs/heads/main' && !startsWith(github.ref, 'refs/tags/v') && steps.merge-base-run.outputs.run_id != ''
 uses: dawidd6/action-download-artifact@8305c0f1062bb0d184d09ef4493ecb9288447732 # v20
 with:
 workflow: go.yml
- branch: main
+ run_id: ${{ steps.merge-base-run.outputs.run_id }}
 name: coverage-main
 path: coverage-main
- continue-on-error: true # no baseline yet on first run
+ continue-on-error: true # artifact may have expired

 - name: Verify Go modules
 working-directory: src
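Review bot: Every failure path in the new `Find merge-base run ID` step ends in an empty `run_id`, which skips the download step, so the coverage baseline (and presumably the regression check that consumes it, outside this hunk) can drop out without any visible signal. This happens when the checkout is too shallow for `git merge-base` to resolve (the checkout step is not in this hunk), when the merge-base is older than the 100 runs returned by `per_page=100`, or when `gh api` fails, since `| head -1` masks its exit status unless `pipefail` is set and `continue-on-error: true` absorbs the rest. Consider making the miss explicit, e.g. `[ -n "$RUN_ID" ] || echo "::warning::no coverage baseline run found for $MERGE_BASE"`, so a skipped gate shows up on the PR. The lookup also filters only on `branch=main` and `head_sha`; adding `-f event=push` would pin the baseline artifact to runs triggered by pushes to main.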