Summary

Bookmark to track the Harness acquisition of Codecov from Sentry (announced 2026-06-02, via PR Newswire) and revisit Vera's Codecov integration once Harness publishes migration specifics (endpoint/domain, token, action repo).

Why a bookmark, not actionable work now

Per the announcement, Codecov retains its brand and free access for open-source projects under Harness — so the risk is migration mechanics, not loss of access. There is nothing to change until Harness announces details. One proactive hardening step is already taken (below).

Impact assessment (current state): LOW

Vera's coverage gate and Codecov reporting are decoupled:

No codecov/* check is in branch protection's required list, so a Codecov outage during migration cannot block merges or break the coverage floor.

Proactive step taken (see linked PR)

SHA-pinned codecov/codecov-action@v6 → @e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1 in both upload steps. An ownership change is the canonical scenario where a floating tag could be repointed by the new owner; pinning to a reviewed commit means a moved tag can't silently flow into CI. Dependabot (github-actions ecosystem, already configured) keeps proposing version bumps, now gated on human review. Deliberately a targeted pin — the repo otherwise tag-pins all actions.

Revisit / close when Harness announces specifics — watch for:

• Endpoint / domain migration (codecov.io → a Harness domain): update the upload URL and the README badge.
• CODECOV_TOKEN re-issuance / auth change: rotate the repo secret.
• codecov/codecov-action re-homed (e.g. codecov org → harness): update the uses: path and re-pin the SHA.
• codecov/project/python status behaviour change: confirm it stays non-required / informational as intended.

Watching

• Harness/Sentry announcement, 2026-06-02 (PR Newswire).
• https://github.com/codecov/codecov-action/releases — watch for an org move or endpoint change.