feat: switch coverage badge from gist/PAT to GitHub Pages (#8)

NWarila · web-flow · commit 9561c30bf52d · 2026-04-08T14:45:49.000-04:00
## Summary

Replace the PAT-dependent gist approach with GitHub Pages deployment.
The coverage badge is now built into the reusable workflow — every
downstream repo that calls `python-qa.yml` gets automatic badge
publishing using only `GITHUB_TOKEN`.

## What changed

- **`python-qa.yml`**: Added `coverage-badge` job that extracts
coverage, generates shields.io JSON, and deploys to gh-pages via
`peaceiris/actions-gh-pages`
- **`template-ci.yml`**: Same pattern for this repo's own CI, replacing
the schneegans/gist approach
- **`README.md`**: Badge URL now points to
`nwarila.github.io/python-template/coverage.json`
- **`reference/repo-ci.yml`**: Updated permissions to `contents: write`,
added badge setup instructions
- **Cleanup**: Deleted gist, removed `COVERAGE_GIST_ID` variable

## Before vs after

| | Before (gist) | After (gh-pages) |
|---|---|---|
| PAT required? | Yes (classic PAT, gist scope) | No |
| 3rd-party account? | No | No |
| Built into reusable workflow? | No | Yes |
| Downstream setup | Create PAT, add secret, add workflow steps | Enable
Pages, add badge URL |

## Test plan

- [x] gh-pages branch created and initialized
- [x] GitHub Pages enabled on repo
- [x] Badge URL resolves with placeholder data
- [x] Gist and COVERAGE_GIST_ID cleaned up
diff --git a/.github/workflows/python-qa.yml b/.github/workflows/python-qa.yml
@@ -21,7 +21,7 @@ on:
         default: true
 
 permissions:
-  contents: read
+  contents: write
 
 jobs:
   lint:
@@ -125,6 +125,23 @@ jobs:
         run: echo "${{ github.workspace }}\.venv\Scripts" | Out-File -FilePath $env:GITHUB_PATH -Append
       - name: Run tests
         run: python .github/scripts/check_tests.py
+      - name: Generate coverage badge data
+        if: matrix.os == 'ubuntu-latest' && matrix.python == inputs.python-min
+        shell: bash
+        run: |
+          COV=$(python -m coverage report --format=total 2>/dev/null || echo "0")
+          if [ "$COV" -ge 90 ] 2>/dev/null; then COLOR="brightgreen"
+          elif [ "$COV" -ge 70 ] 2>/dev/null; then COLOR="yellow"
+          else COLOR="red"; fi
+          mkdir -p badge
+          echo "{\"schemaVersion\":1,\"label\":\"coverage\",\"message\":\"${COV}%\",\"color\":\"${COLOR}\"}" > badge/coverage.json
+      - name: Upload coverage badge data
+        if: matrix.os == 'ubuntu-latest' && matrix.python == inputs.python-min
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: coverage-badge
+          path: badge/coverage.json
+          retention-days: 1
 
   security:
     runs-on: ubuntu-latest
@@ -184,6 +201,22 @@ jobs:
       - name: Run package check
         run: python .github/scripts/check_package.py
 
+  coverage-badge:
+    if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
+    needs: [tests]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download coverage badge data
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: coverage-badge
+      - name: Deploy badge to GitHub Pages
+        uses: peaceiris/actions-gh-pages@47f197a2200bb9de68ba5f48fad1c088eb1c4a32 # v4.0.0
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          publish_dir: .
+          keep_files: true
+
   ci-passed:
     if: always()
     needs: [lint, types, tests, security, spelling, package]
diff --git a/.github/workflows/template-ci.yml b/.github/workflows/template-ci.yml
@@ -7,7 +7,7 @@ on:
     branches: [main]
 
 permissions:
-  contents: read
+  contents: write
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -57,25 +57,23 @@ jobs:
           python-version: "3.11"
       - name: Run tests
         run: python .github/scripts/check_tests.py
-      - name: Extract coverage percentage
+      - name: Generate coverage badge data
         if: matrix.os == 'ubuntu-latest'
-        id: coverage
+        shell: bash
         run: |
-          COVERAGE=$(python -m coverage report --format=total 2>/dev/null || echo "0")
-          echo "pct=$COVERAGE" >> "$GITHUB_OUTPUT"
-      - name: Upload coverage badge
-        if: matrix.os == 'ubuntu-latest' && github.ref == 'refs/heads/main' && github.event_name == 'push'
-        continue-on-error: true
-        uses: schneegans/dynamic-badges-action@e9a478b16159b4d31420099ba146cdc50f134483 # v1.7.0
+          COV=$(python -m coverage report --format=total 2>/dev/null || echo "0")
+          if [ "$COV" -ge 90 ] 2>/dev/null; then COLOR="brightgreen"
+          elif [ "$COV" -ge 70 ] 2>/dev/null; then COLOR="yellow"
+          else COLOR="red"; fi
+          mkdir -p badge
+          echo "{\"schemaVersion\":1,\"label\":\"coverage\",\"message\":\"${COV}%\",\"color\":\"${COLOR}\"}" > badge/coverage.json
+      - name: Upload coverage badge data
+        if: matrix.os == 'ubuntu-latest'
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
-          auth: ${{ secrets.GIST_SECRET }}
-          gistID: ${{ vars.COVERAGE_GIST_ID }}
-          filename: coverage.json
-          label: coverage
-          message: ${{ steps.coverage.outputs.pct }}%
-          valColorRange: ${{ steps.coverage.outputs.pct }}
-          minColorRange: 50
-          maxColorRange: 100
+          name: coverage-badge
+          path: badge/coverage.json
+          retention-days: 1
 
   security:
     runs-on: ubuntu-latest
@@ -132,6 +130,22 @@ jobs:
         with:
           globs: "**/*.md"
 
+  coverage-badge:
+    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+    needs: [tests]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download coverage badge data
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: coverage-badge
+      - name: Deploy badge to GitHub Pages
+        uses: peaceiris/actions-gh-pages@47f197a2200bb9de68ba5f48fad1c088eb1c4a32 # v4.0.0
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          publish_dir: .
+          keep_files: true
+
   ci-passed:
     if: always()
     needs: [dependency-review, lint, types, tests, security, spelling, package, shellcheck, actionlint, markdownlint]
diff --git a/README.md b/README.md
@@ -1,7 +1,7 @@
 # python-template
 
 [![CI](https://github.com/nwarila/python-template/actions/workflows/template-ci.yml/badge.svg)](https://github.com/nwarila/python-template/actions/workflows/template-ci.yml)
-[![Coverage](https://img.shields.io/endpoint?url=https://gist.githubusercontent.com/NWarila/47ca9a1b16c3730c21cb89449ecb8d6c/raw/coverage.json)](https://github.com/nwarila/python-template/actions/workflows/template-ci.yml)
+[![Coverage](https://img.shields.io/endpoint?url=https://nwarila.github.io/python-template/coverage.json)](https://github.com/nwarila/python-template/actions/workflows/template-ci.yml)
 [![Python](https://img.shields.io/badge/python-%E2%89%A53.11-3776ab?logo=python&logoColor=white)](https://www.python.org)
 [![Platform](https://img.shields.io/badge/platform-linux%20%7C%20macos%20%7C%20windows-lightgrey)](https://github.com/nwarila/python-template)
 [![License](https://img.shields.io/github/license/nwarila/python-template)](LICENSE)
diff --git a/reference/repo-ci.yml b/reference/repo-ci.yml
@@ -3,6 +3,10 @@
 # Also add a template-sync.yml workflow that calls self-update.yml via uses:
 # to receive automatic script and config updates via pull request.
 # See README.md "Template Sync" for the snippet.
+#
+# Coverage badge: enable GitHub Pages (Settings > Pages > Source: gh-pages)
+# and add to README:
+#   ![Coverage](https://img.shields.io/endpoint?url=https://<owner>.github.io/<repo>/coverage.json)
 name: CI
 
 on:
@@ -12,7 +16,7 @@ on:
     branches: [main]
 
 permissions:
-  contents: read
+  contents: write
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
