Fix JaCoCo workflow: handle fork/Dependabot PRs and eliminate set-output deprecation

[Copilot]

The JaCoCo workflow was failing on Dependabot PRs with HttpError: Resource not accessible by integration and emitting set-output deprecation warnings.

Changes

• Action upgrade: madrapps/jacoco-report@v1.3 → v1.7.2 (eliminates deprecated set-output)

• Conditional execution: Split coverage reporting based on token permissions:

  • Same-repo PRs (non-Dependabot): Comment on PR
  • Fork/Dependabot PRs: Write to workflow summary via comment-type: summary

  if: github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]'

• DRY paths config: Extracted JaCoCo XML paths to JACOCO_PATHS env var

• Explicit permissions: Added contents: read and pull-requests: write to job

• Output handling: Check steps.<id>.conclusion instead of relying on output presence for step success detection

Coverage threshold enforcement (80% for changed files) remains active across all PR contexts.

Original prompt

Create a PR that fixes failing GitHub Actions job 62831447443 in workflow .github/workflows/ci-check-jacoco.yml.

Context

• Workflow: CI check JaCoCo code-coverage (.github/workflows/ci-check-jacoco.yml).
• Job log ends with: HttpError: Resource not accessible by integration.
• The error is typical when a workflow triggered from a fork or Dependabot context attempts to call GitHub APIs with insufficient GITHUB_TOKEN permissions.
• Same job log also shows warnings about deprecated set-output usage.

References

• PR: build(deps-dev): bump webpack from 5.94.0 to 5.105.0 in /arangodb-foxx-services #1497
• Failing job id: 62831447443
• Job log ref commit: cb33638

Tasks

1. Inspect .github/workflows/ci-check-jacoco.yml and locate the step/action that is calling GitHub API and failing with Resource not accessible by integration.
2. Fix the workflow so it does not fail in restricted token contexts (Dependabot, fork PRs):
   • Gate write-back steps (e.g., commenting on PR, updating check run/status) with a condition so they only run when github.event.pull_request.head.repo.full_name == github.repository AND actor is not dependabot[bot] (or equivalently when the token has write permissions).
   • Alternatively, switch to actions that do not require write permissions, or make those steps best-effort (continue-on-error: true) if they are non-critical.
   • Keep permissions minimal; do not broadly grant write permissions.
3. Remove/replace any deprecated set-output usage in the workflow by migrating to $GITHUB_OUTPUT, or update the offending action version if it fixes it.
4. Ensure the workflow still generates and uploads JaCoCo coverage artifacts/reports where possible.

Acceptance criteria

• CI no longer fails with HttpError: Resource not accessible by integration.
• Any set-output usage in the workflow is eliminated.
• Workflow remains functional for normal PRs and for Dependabot PRs.

Base branch for PR

• Open the PR with base ref: dependabot/npm_and_yarn/arangodb-foxx-services/webpack-5.105.0.

This pull request was created from Copilot chat.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[wajda]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[sonarqubecloud]

Quality Gate failed

Failed conditions
2 Security Hotspots

See analysis details on SonarQube Cloud