Enable coverage tracking

- Only run coverage on one platform (Cython line tracing seems to have
  some issues with Python 3.13, to be determined)
- There are a few paradoxical red spots in the Cython coverage analysis
  (code that must run for other blocks to be green, but nevertheless
   showing up as red) but the analysis does give a good indication of
  where the blind spots are already.

Author: MatthiasValvekens

.github/workflows/coverage.yml

@@ -0,0 +1,87 @@
+name: Coverage
+on:
+  pull_request: {}
+  workflow_dispatch: {}
+env:
+  UV_PYTHON_PREFERENCE: only-system
+  UV_NO_SYNC: "1"
+  PKCS11_TOKEN_LABEL: "TEST"
+  PKCS11_TOKEN_PIN: "1234"
+  PKCS11_TOKEN_SO_PIN: "5678"
+jobs:
+  # For now, we run the coverage as a separate job.
+  # At the time of writing, the latest version of Cython's line tracing
+  # seems to lead to segfaults in Python 3.13 -> TODO: investigate
+  pytest-coverage:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Acquire sources
+        uses: actions/checkout@v4
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.12
+      - uses: ./.github/actions/install-softhsm
+        id: softhsm
+        with:
+          os: ubuntu-latest
+          token-label: ${{ env.PKCS11_TOKEN_LABEL }}
+          token-so-pin: ${{ env.PKCS11_TOKEN_SO_PIN }}
+          token-user-pin: ${{ env.PKCS11_TOKEN_PIN }}
+      - uses: ./.github/actions/install-opencryptoki
+        # only run opencryptoki tests on ubuntu
+        # (macos and windows don't seem to be supported)
+        id: opencryptoki
+        with:
+          os: ubuntu-latest
+          token-label: ${{ env.PKCS11_TOKEN_LABEL }}
+          token-so-pin: ${{ env.PKCS11_TOKEN_SO_PIN }}
+          token-user-pin: ${{ env.PKCS11_TOKEN_PIN }}
+      - name: Install uv
+        uses: astral-sh/setup-uv@v4
+        with:
+          enable-cache: true
+          python-version: 3.12
+      - name: Install testing dependencies
+        run: uv sync --no-dev --exact --group coverage
+        env:
+          CFLAGS: "-DCYTHON_TRACE_NOGIL=1"
+          EXT_BUILD_DEBUG: "1"
+      - name: Run tests with SoftHSM
+        run: uv run pytest -v --cov=pkcs11 --cov-branch --cov-report=xml:python-softhsm-coverage.xml
+        env:
+          PKCS11_MODULE: ${{ steps.softhsm.outputs.module }}
+      - name: Run tests with opencryptoki
+        run: uv run pytest -v --cov=pkcs11 --cov-branch --cov-report=xml:python-opencryptoki-coverage.xml
+        env:
+          PKCS11_MODULE: ${{ steps.opencryptoki.outputs.module }}
+          # For testing logic around swapping PKCS#11 libs
+          PKCS11_MODULE2: ${{ steps.softhsm.outputs.module }}
+      - name: Stash coverage report
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage
+          path: "*-coverage.xml"
+  codecov-upload:
+    permissions:
+      actions: write
+      contents: read
+    runs-on: ubuntu-latest
+    needs: [pytest-coverage]
+    steps:
+      # checkout necessary to ensure the uploaded report contains the correct paths
+      - uses: actions/checkout@v4
+      - name: Retrieve coverage reports
+        uses: actions/download-artifact@v4
+        with:
+          name: coverage
+          path: ./reports/
+      - name: Upload all coverage reports to Codecov
+        uses: codecov/codecov-action@v5
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          directory: ./reports/
+          flags: unittests
+          env_vars: OS,PYTHON
+          name: codecov-umbrella

.gitignore

@@ -6,4 +6,7 @@ __pycache__
 /dist/
 /docs/_build
 /python_pkcs11.egg-info/
-/.eggs/
+/.eggs/
+.coverage
+*coverage.xml
+*.html

pkcs11/_pkcs11.pxd

@@ -4,7 +4,6 @@ Definitions imported from PKCS11 C headers.
 
 from cython.view cimport array
 
-from pkcs11.defaults import *
 from pkcs11.exceptions import *
 
 cdef extern from '../extern/cryptoki.h':

pkcs11/_pkcs11.pyx

@@ -1,5 +1,6 @@
 #!python
 #cython: language_level=3
+#cython: linetrace=True
 """
 High-level Python PKCS#11 Wrapper.
 

pyproject.toml

@@ -67,12 +67,35 @@ archs = ["universal2"]
 [tool.setuptools.packages.find]
 include = ["pkcs11*"]
 
+[tool.coverage.run]
+plugins = ["Cython.Coverage"]
+
+[tool.coverage.report]
+exclude_lines = [
+    "pragma: no cover",
+    "pragma: nocover",
+    "raise AssertionError",
+    "raise NotImplementedError",
+    "raise MemoryError",
+    "raise TypeError",
+    "TYPE_CHECKING",
+    "^\\s*\\.\\.\\.",
+    "noqa"
+]
+precision = 2
+
 [dependency-groups]
 testing = [
     "cryptography>=44.0.0",
     "parameterized>=0.9.0",
     "pytest>=8.3.4",
 ]
+coverage = [
+    { include-group = "testing" },
+    "coverage>=7.9.1",
+    "pytest-cov>=4.0,<6.3",
+    "cython",
+]
 docs = [
     "sphinx>=7.4.7",
     "sphinx-rtd-theme>=3.0.2",