Given the complexities of trying to do this with standard tools, I'd guess we should re-use the existing mwext-phpunit-coverage-patch-docker jobs instead. They're currently non-voting, but we could make them voting and only output a fail if configured in the repo by some special file?