Closes #22280: Set 91% test coverage threshold and exclude non-testable paths

[pheus]

Closes: #22280

Exclude non-application code from coverage reports and set fail_under to 91%. Omits scripts, configuration files, WSGI entrypoint, secret key generator, debug utilities, and deprecated management commands that lack testable logic or are outside the application scope.

[pheus]

@claude /review Only report on issues of potential concern; we don't need commentary on anything that doesn't require further consideration.

[github-actions]

Claude finished @pheus's task in 1m 39s —— View job

---

Review

• Read PR diff and relevant files
• Analyze coverage configuration
• Post review findings

---

pyproject.toml — [tool.coverage.report]

1. fail_under = 91 — threshold justification

The PR description doesn't clarify whether 91% reflects current measured coverage (i.e. this is the floor) or a target. If it's set exactly at the current level with no headroom, any new untested code could immediately break CI. It would help to know the actual current coverage percentage and whether the 91% value leaves a meaningful buffer.

2. */extras/management/commands/housekeeping.py — "deprecated; will not be tested"

The file still contains substantial logic (version checking via HTTP, ObjectChange queries, job management, cache operations). The comment "will not be tested" is a policy decision rather than a technical impossibility. This sets a precedent for excluding deprecated-but-functional code from coverage. Worth considering whether the exclusion should be removed once the command is actually deleted rather than kept indefinitely.

3. */scripts/* — broad pattern

The pattern matches any directory named scripts/ anywhere in the source tree, not just SCRIPTS_ROOT. Currently this appears safe (only netbox/scripts/__init__.py exists there, which is empty), but if any app ever gains a scripts/ subdirectory with real application logic, it would be silently excluded from coverage without a warning. A more targeted pattern like */netbox/scripts/* would be safer.

4. */utilities/debug.py — has testable branches

show_toolbar has three explicit return paths based on DEBUG and INTERNAL_IPS. Excluding it is pragmatic, but the reasoning in the comment ("active only when DEBUG=True") is slightly misleading — the branches could be tested with @override_settings(DEBUG=True). Not a blocker, just noting the characterization isn't quite accurate.

5. CI: coverage report exit code

coverage report in CI does not pass --fail-under explicitly, but fail_under in pyproject.toml is picked up automatically by coverage.py and will cause a non-zero exit. This is correct behavior and will work as intended.

[pheus]

1. The current coverage hits 91%, and the intent is to use that as the minimum floor so coverage does not regress below the current level. I’ll clarify this in the PR description.
2. The command is already deprecated, and we decided not to add new tests for it while it is pending removal. The exclusion is intended specifically for this deprecated command, not as a general precedent for active application code.
3. The current scripts/ directory is empty, and the only scripts present during coverage are generated test scripts, so they do not need coverage.
4. This is developer-only debug toolbar logic and not user-facing application behavior.
5. I’ll leave the CI command as-is since coverage.py picks up fail_under from pyproject.toml and will fail correctly when the threshold is not met.

[jnovinger]

I think I agree with claudebot here. Use the anchored pattern instead:

"netbox/scripts/*",  # SCRIPTS_ROOT: user/generated scripts

This matches the one real location with no wildcards that can drift.

Worth tightening because */scripts/* is only safe today by accident: nothing under source has a scripts/ subdirectory yet. Add one later (dcim/scripts/, etc.) and it gets silently excluded from coverage, which defeats the regression-catching this PR exists to provide.

[pheus]

Good catch! Thanks!