1 change: 0 additions & 1 deletion .github/workflows/frontend-pr-workflow-v1.yml
Expand Up @@ -228,7 +228,7 @@
required: false

permissions:
id-token: write

Check warning on line 231 in .github/workflows/frontend-pr-workflow-v1.yml

SonarQubeCloud / SonarCloud Code Analysis

Move this write permission from workflow level to job level.

See more on https://sonarcloud.io/project/issues?id=Typeform_.github&issues=AZ2LZfdK8IGLqJepuK-h&open=AZ2LZfdK8IGLqJepuK-h&pullRequest=192
contents: read

# Concurrency control: Only cancels runs within the SAME PR
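Review bot: `id-token: write` is declared at the workflow level (line 231 per the SonarCloud annotation on this hunk), so every job in this reusable workflow can mint an OIDC token, not only the job that exchanges it for cloud credentials; move it into that job's own `permissions:` block and keep the workflow-level block at `contents: read`. The same workflow-level placement is flagged in frontend-pr-workflow-v2.yml in this PR.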
Expand Down Expand Up @@ -264,7 +264,7 @@

- name: Run linting
if: inputs.run-linting
run: ${{ inputs.lint-command }}

Check failure on line 267 in .github/workflows/frontend-pr-workflow-v1.yml

SonarQubeCloud / SonarCloud Code Analysis

inputs.lint-command is vulnerable to script injection: values of inputs are provided by whoever triggers the workflow. Change this workflow to not use user-controlled data directly in a run block, for example by assigning this expression to an environment variable.

See more on https://sonarcloud.io/project/issues?id=Typeform_.github&issues=AZ2LZfdK8IGLqJepuK-A&open=AZ2LZfdK8IGLqJepuK-A&pullRequest=192

- name: Clean dist directory
run: ${{ inputs.clean-command }}
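Review bot: `run: ${{ inputs.lint-command }}` (and `run: ${{ inputs.clean-command }}` just below) splices the input into the script text before the shell starts, which is the pattern SonarCloud flags on every `run: ${{ inputs.*-command }}` step in this diff. These inputs are commands by design, so passing them through `env:` changes where the text lands but still executes whatever the caller supplied; the effective control is that callers of a reusable workflow can only set them from a workflow file under the repository's own branch protection. Record that trust assumption in the input descriptions, and keep each interpolated value on a line of its own rather than concatenating it with further shell text.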
Expand Down Expand Up @@ -296,7 +296,6 @@
unit-tests:
name: 🧪 Unit Tests
if: inputs.run-unit-tests
needs: build
runs-on: ${{ fromJSON(inputs.runner) }}
timeout-minutes: ${{ inputs.test-timeout }}

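Review bot: deleting `needs: build` from `unit-tests` lets the job start as soon as the workflow does, so confirm nothing in it consumes the build job's output or assumes the build already passed (the integration-tests job further down still passes `output-dir: ${{ inputs.build-output-dir }}` to a download step). If the intent is only to run tests in parallel with the build, state that in the PR description. The same deletion is made in v2 and in frontend-pr-workflow.yml.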
Expand All @@ -319,7 +318,7 @@

- name: Run pre-test command
if: inputs.pre-test-command != ''
run: ${{ inputs.pre-test-command }}

Check failure on line 321 in .github/workflows/frontend-pr-workflow-v1.yml

SonarQubeCloud / SonarCloud Code Analysis

inputs.pre-test-command is vulnerable to script injection: values of inputs are provided by whoever triggers the workflow. Change this workflow to not use user-controlled data directly in a run block, for example by assigning this expression to an environment variable.

See more on https://sonarcloud.io/project/issues?id=Typeform_.github&issues=AZ2LZfdK8IGLqJepuK-F&open=AZ2LZfdK8IGLqJepuK-F&pullRequest=192
env:
GH_TOKEN: ${{ secrets.GH_TOKEN }}

Expand Down Expand Up @@ -363,7 +362,7 @@

- name: Run pre-test command
if: inputs.pre-test-command != ''
run: ${{ inputs.pre-test-command }}

Check failure on line 365 in .github/workflows/frontend-pr-workflow-v1.yml

SonarQubeCloud / SonarCloud Code Analysis

inputs.pre-test-command is vulnerable to script injection: values of inputs are provided by whoever triggers the workflow. Change this workflow to not use user-controlled data directly in a run block, for example by assigning this expression to an environment variable.

See more on https://sonarcloud.io/project/issues?id=Typeform_.github&issues=AZ2LZfdK8IGLqJepuK-J&open=AZ2LZfdK8IGLqJepuK-J&pullRequest=192
env:
GH_TOKEN: ${{ secrets.GH_TOKEN }}

Expand All @@ -378,7 +377,7 @@
output-dir: ${{ inputs.build-output-dir }}

- name: Run integration tests
run: ${{ inputs.integration-test-command }}

Check failure on line 380 in .github/workflows/frontend-pr-workflow-v1.yml

SonarQubeCloud / SonarCloud Code Analysis

inputs.integration-test-command is vulnerable to script injection: values of inputs are provided by whoever triggers the workflow. Change this workflow to not use user-controlled data directly in a run block, for example by assigning this expression to an environment variable.

See more on https://sonarcloud.io/project/issues?id=Typeform_.github&issues=AZ2LZfdK8IGLqJepuK-K&open=AZ2LZfdK8IGLqJepuK-K&pullRequest=192
env:
GH_TOKEN: ${{ secrets.GH_TOKEN }}

Expand Down Expand Up @@ -523,7 +522,7 @@

- name: Run pre-test command
if: inputs.pre-test-command != ''
run: ${{ inputs.pre-test-command }}

Check failure on line 525 in .github/workflows/frontend-pr-workflow-v1.yml

SonarQubeCloud / SonarCloud Code Analysis

inputs.pre-test-command is vulnerable to script injection: values of inputs are provided by whoever triggers the workflow. Change this workflow to not use user-controlled data directly in a run block, for example by assigning this expression to an environment variable.

See more on https://sonarcloud.io/project/issues?id=Typeform_.github&issues=AZ2LZfdK8IGLqJepuK-X&open=AZ2LZfdK8IGLqJepuK-X&pullRequest=192
env:
GH_TOKEN: ${{ secrets.GH_TOKEN }}

Expand Down Expand Up @@ -580,7 +579,7 @@

- name: Run pre-test command
if: inputs.pre-test-command != ''
run: ${{ inputs.pre-test-command }}

Check failure on line 582 in .github/workflows/frontend-pr-workflow-v1.yml

SonarQubeCloud / SonarCloud Code Analysis

inputs.pre-test-command is vulnerable to script injection: values of inputs are provided by whoever triggers the workflow. Change this workflow to not use user-controlled data directly in a run block, for example by assigning this expression to an environment variable.

See more on https://sonarcloud.io/project/issues?id=Typeform_.github&issues=AZ2LZfdK8IGLqJepuK-c&open=AZ2LZfdK8IGLqJepuK-c&pullRequest=192
env:
GH_TOKEN: ${{ secrets.GH_TOKEN }}

Expand Down
1 change: 0 additions & 1 deletion .github/workflows/frontend-pr-workflow-v2.yml
Expand Up @@ -251,8 +251,8 @@
required: false

permissions:
id-token: write

Check warning on line 254 in .github/workflows/frontend-pr-workflow-v2.yml

SonarQubeCloud / SonarCloud Code Analysis

Move this write permission from workflow level to job level.

See more on https://sonarcloud.io/project/issues?id=Typeform_.github&issues=AZ2LZffI8IGLqJepuK-8&open=AZ2LZffI8IGLqJepuK-8&pullRequest=192
contents: read

Check warning on line 255 in .github/workflows/frontend-pr-workflow-v2.yml

SonarQubeCloud / SonarCloud Code Analysis

Move this read permission from workflow level to job level.

See more on https://sonarcloud.io/project/issues?id=Typeform_.github&issues=AZ2LZffI8IGLqJepuK-i&open=AZ2LZffI8IGLqJepuK-i&pullRequest=192

# Concurrency control: Only cancels runs within the SAME PR
concurrency:
Expand Down Expand Up @@ -288,13 +288,13 @@

- name: Run linting
if: inputs.run-linting
run: ${{ inputs.lint-command }}

Check failure on line 291 in .github/workflows/frontend-pr-workflow-v2.yml

SonarQubeCloud / SonarCloud Code Analysis

inputs.lint-command is vulnerable to script injection: values of inputs are provided by whoever triggers the workflow. Change this workflow to not use user-controlled data directly in a run block, for example by assigning this expression to an environment variable.

See more on https://sonarcloud.io/project/issues?id=Typeform_.github&issues=AZ2LZffI8IGLqJepuK-j&open=AZ2LZffI8IGLqJepuK-j&pullRequest=192

- name: Clean dist directory
run: ${{ inputs.clean-command }}

Check failure on line 294 in .github/workflows/frontend-pr-workflow-v2.yml

SonarQubeCloud / SonarCloud Code Analysis

inputs.clean-command is vulnerable to script injection: values of inputs are provided by whoever triggers the workflow. Change this workflow to not use user-controlled data directly in a run block, for example by assigning this expression to an environment variable.

See more on https://sonarcloud.io/project/issues?id=Typeform_.github&issues=AZ2LZffI8IGLqJepuK-k&open=AZ2LZffI8IGLqJepuK-k&pullRequest=192

- name: Build assets
run: ${{ inputs.build-command }}

Check failure on line 297 in .github/workflows/frontend-pr-workflow-v2.yml

SonarQubeCloud / SonarCloud Code Analysis

inputs.build-command is vulnerable to script injection: values of inputs are provided by whoever triggers the workflow. Change this workflow to not use user-controlled data directly in a run block, for example by assigning this expression to an environment variable.

See more on https://sonarcloud.io/project/issues?id=Typeform_.github&issues=AZ2LZffI8IGLqJepuK-l&open=AZ2LZffI8IGLqJepuK-l&pullRequest=192
env:
PUBLIC_CDN_URL: ${{ inputs.cdn-url }}
GH_TOKEN: ${{ secrets.GH_TOKEN }}
Expand Down Expand Up @@ -324,7 +324,6 @@
unit-tests:
name: 🧪 Unit Tests
if: inputs.run-unit-tests
needs: build
runs-on: ${{ fromJSON(inputs.runner) }}
timeout-minutes: ${{ inputs.test-timeout }}

Expand All @@ -347,12 +346,12 @@

- name: Run pre-test command
if: inputs.pre-test-command != ''
run: ${{ inputs.pre-test-command }}

Check failure on line 349 in .github/workflows/frontend-pr-workflow-v2.yml

SonarQubeCloud / SonarCloud Code Analysis

inputs.pre-test-command is vulnerable to script injection: values of inputs are provided by whoever triggers the workflow. Change this workflow to not use user-controlled data directly in a run block, for example by assigning this expression to an environment variable.

See more on https://sonarcloud.io/project/issues?id=Typeform_.github&issues=AZ2LZffI8IGLqJepuK-o&open=AZ2LZffI8IGLqJepuK-o&pullRequest=192
env:
GH_TOKEN: ${{ secrets.GH_TOKEN }}

- name: Run unit tests
run: ${{ inputs.unit-test-command }}

Check failure on line 354 in .github/workflows/frontend-pr-workflow-v2.yml

SonarQubeCloud / SonarCloud Code Analysis

inputs.unit-test-command is vulnerable to script injection: values of inputs are provided by whoever triggers the workflow. Change this workflow to not use user-controlled data directly in a run block, for example by assigning this expression to an environment variable.

See more on https://sonarcloud.io/project/issues?id=Typeform_.github&issues=AZ2LZffI8IGLqJepuK-p&open=AZ2LZffI8IGLqJepuK-p&pullRequest=192
env:
GH_TOKEN: ${{ secrets.GH_TOKEN }}

Expand Down Expand Up @@ -406,7 +405,7 @@
output-dir: ${{ inputs.build-output-dir }}

- name: Run integration tests
run: ${{ inputs.integration-test-command }}

Check failure on line 408 in .github/workflows/frontend-pr-workflow-v2.yml

SonarQubeCloud / SonarCloud Code Analysis

inputs.integration-test-command is vulnerable to script injection: values of inputs are provided by whoever triggers the workflow. Change this workflow to not use user-controlled data directly in a run block, for example by assigning this expression to an environment variable.

See more on https://sonarcloud.io/project/issues?id=Typeform_.github&issues=AZ2LZffI8IGLqJepuK-t&open=AZ2LZffI8IGLqJepuK-t&pullRequest=192
env:
GH_TOKEN: ${{ secrets.GH_TOKEN }}

Expand Down Expand Up @@ -460,7 +459,7 @@
account: 'prod'

- name: Deploy preview
run: ${{ inputs.deploy-command }}

Check failure on line 462 in .github/workflows/frontend-pr-workflow-v2.yml

SonarQubeCloud / SonarCloud Code Analysis

inputs.deploy-command is vulnerable to script injection: values of inputs are provided by whoever triggers the workflow. Change this workflow to not use user-controlled data directly in a run block, for example by assigning this expression to an environment variable.

See more on https://sonarcloud.io/project/issues?id=Typeform_.github&issues=AZ2LZffI8IGLqJepuK-y&open=AZ2LZffI8IGLqJepuK-y&pullRequest=192
env:
DEBUG: jarvis
GH_TOKEN: ${{ secrets.GH_TOKEN }}
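Review bot: `run: ${{ inputs.deploy-command }}` executes a caller-supplied command directly after a step configured with `account: 'prod'`, so the script-injection finding on this line is backed by production credentials and `GH_TOKEN`. Limit the credentials and `permissions:` available to this job to what a preview deploy needs, and mark `deploy-command` as trusted input in its description so callers understand what they are granting.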
Expand Down
77 changes: 75 additions & 2 deletions .github/workflows/frontend-pr-workflow.yml
Expand Up @@ -281,6 +281,7 @@
permissions:
id-token: write
contents: read
checks: write

Check notice

Code scanning / SonarCloud

Write permissions should be defined at the job level Low

Move this write permission from workflow level to job level. See more on SonarQube Cloud

# Concurrency control: Only cancels runs within the SAME PR
concurrency:
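Review bot: `checks: write` is added at the workflow level, which grants it to every job, while only the `dorny/test-reporter@v1` step in `unit-tests` needs it to publish a check run; set it in that job's `permissions:` block, which is also where the pre-existing `id-token: write` belongs per the SonarCloud notice on this hunk.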
Expand Down Expand Up @@ -354,7 +355,6 @@
unit-tests:
name: 🧪 Unit Tests
if: inputs.run-unit-tests
needs: build
runs-on: ${{ fromJSON(inputs.runner) }}
timeout-minutes: ${{ inputs.test-timeout }}

Expand Down Expand Up @@ -383,10 +383,83 @@
env:
GH_TOKEN: ${{ secrets.GH_TOKEN }}

- name: Install JUnit reporter
run: npm install --no-save --ignore-scripts --legacy-peer-deps jest-junit@^16.0.0

- name: Run unit tests
run: ${{ inputs.unit-test-command }}
run: ${{ inputs.unit-test-command }} --reporters=default --reporters=jest-junit

Check failure on line 390 in .github/workflows/frontend-pr-workflow.yml

SonarQubeCloud / SonarCloud Code Analysis

inputs.unit-test-command is vulnerable to script injection: values of inputs are provided by whoever triggers the workflow. Change this workflow to not use user-controlled data directly in a run block, for example by assigning this expression to an environment variable.

See more on https://sonarcloud.io/project/issues?id=Typeform_.github&issues=AZ2LZffn8IGLqJepuK-9&open=AZ2LZffn8IGLqJepuK-9&pullRequest=192

Check failure

Code scanning / SonarCloud

GitHub Actions should not be vulnerable to script injections High

inputs.unit-test-command is vulnerable to script injection: values of inputs are provided by whoever triggers the workflow. Change this workflow to not use user-controlled data directly in a run block, for example by assigning this expression to an environment variable. See more on SonarQube Cloud
env:
GH_TOKEN: ${{ secrets.GH_TOKEN }}
JEST_JUNIT_OUTPUT_DIR: ./test-results
JEST_JUNIT_OUTPUT_NAME: junit.xml
JEST_JUNIT_CLASSNAME: '{classname}'
JEST_JUNIT_TITLE: '{title}'

- name: Test Summary
if: always()
run: |
if [ -f test-results/junit.xml ]; then
# Parse JUnit XML for summary stats
TESTS=$(grep -o 'tests="[0-9]*"' test-results/junit.xml | head -1 | grep -o '[0-9]*')
FAILURES=$(grep -o 'failures="[0-9]*"' test-results/junit.xml | head -1 | grep -o '[0-9]*')
ERRORS=$(grep -o 'errors="[0-9]*"' test-results/junit.xml | head -1 | grep -o '[0-9]*')
TIME=$(grep -o 'time="[0-9.]*"' test-results/junit.xml | head -1 | grep -o '[0-9.]*')
PASSED=$((TESTS - FAILURES - ERRORS))

if [ "$FAILURES" -gt 0 ] || [ "$ERRORS" -gt 0 ]; then
echo "## ❌ Unit Test Results" >> $GITHUB_STEP_SUMMARY
else
echo "## ✅ Unit Test Results" >> $GITHUB_STEP_SUMMARY
fi

echo "" >> $GITHUB_STEP_SUMMARY
echo "| Metric | Count |" >> $GITHUB_STEP_SUMMARY
echo "|--------|-------|" >> $GITHUB_STEP_SUMMARY
echo "| ✅ Passed | $PASSED |" >> $GITHUB_STEP_SUMMARY
echo "| ❌ Failed | $FAILURES |" >> $GITHUB_STEP_SUMMARY
echo "| ⚠️ Errors | $ERRORS |" >> $GITHUB_STEP_SUMMARY
echo "| 📊 Total | $TESTS |" >> $GITHUB_STEP_SUMMARY
echo "| ⏱️ Duration | ${TIME}s |" >> $GITHUB_STEP_SUMMARY

# List failed tests using awk (POSIX-compatible, no grep -P needed)
if [ "$FAILURES" -gt 0 ] || [ "$ERRORS" -gt 0 ]; then
echo "" >> $GITHUB_STEP_SUMMARY
echo "### Failed Tests" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
# Extract testcase names that contain <failure> or <error> child elements
awk '
/<testcase / {
match($0, /name="[^"]*"/);
name = substr($0, RSTART+6, RLENGTH-7);
in_testcase = 1;
}
in_testcase && /<failure/ { print "- `" name "`"; in_testcase = 0; }
in_testcase && /<error/ { print "- `" name "`"; in_testcase = 0; }
/<\/testcase>/ { in_testcase = 0; }
' test-results/junit.xml | head -20 >> $GITHUB_STEP_SUMMARY
fi
else
echo "## ⚠️ No test results found" >> $GITHUB_STEP_SUMMARY
echo "JUnit XML was not generated at test-results/junit.xml" >> $GITHUB_STEP_SUMMARY
fi

- name: Upload test results
if: always()
uses: actions/upload-artifact@v4
with:
name: test-results-${{ github.run_id }}
path: test-results/junit.xml
retention-days: 7
if-no-files-found: warn

- name: Test Report
if: always()
uses: dorny/test-reporter@v1
with:
name: Unit Test Results
path: test-results/junit.xml
reporter: jest-junit
fail-on-error: false

- name: Upload coverage
if: always()
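Review bot: appending `--reporters=default --reporters=jest-junit` to `${{ inputs.unit-test-command }}` assumes the input is a bare jest invocation; if a caller passes `npm test` or a chained command the flags are either consumed by npm or attached only to the last command, junit.xml is never written, and nothing fails the job over it (the summary step prints "No test results found" and `fail-on-error: false` is set on the reporter). Either validate the input before appending, or have callers enable the reporter in their own jest config and keep only the `JEST_JUNIT_*` env vars here. In the awk block, `match($0, /name="[^"]*"/)` also matches the tail of `classname="..."`, which jest-junit writes before `name=` on the same `<testcase` line, so the failed-test list will show class names instead of test titles; anchor the pattern with a leading space (`/ name="[^"]*"/`) and adjust the substr offsets to +7 and -8. Finally, `jest-junit@^16.0.0`, `actions/upload-artifact@v4` and `dorny/test-reporter@v1` are all floating references resolved at run time; pin the package to an exact version and the actions to commit SHAs.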
Expand Down