Use token when uploading unit test code coverage data to Codecov from workflow #368
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The "Unit Test" GitHub Actions workflow uses the "codecov/codecov-action" GitHub Actions action to upload coverage data to Codecov. Previously the workflow specified the "v1" version ref for the action dependency. That pinned the dependency to the major version 1 series. Several major version bumps have been made in the action since that time so the use of the v1 ref caused the workflow to use a significantly outdated and deprecated version of the action. Bumping the action to the latest "v3" ref will avoid the potential for the step to stop working entirely (the action docs claim v1 was sunset 1.5 years ago) and allow the workflow to benefit from the enhancements and fixes from ongoing development work in the action until such time as a breaking change in the action triggers them to make another major version bump. At that time it will be necessary for the project maintainers to evaluate whether the breaking change requires any modifications to the workflow before manually bumping the ref again (i.e., `uses: codecov/codecov-action@v3` -> `uses: codecov/codecov-action@v4`).
… workflow Codecov claims a token is not needed when using the codecov/codecov-action GitHub Actions action in workflows of a public repository: https://github.com/codecov/codecov-action#usage > For public repositories, no token is needed However, experience shows that that step of the workflow is subject to intermittent spurious failures caused by a 404 error during the upload attempt: ``` [2023-06-26T09:18:51.453Z] ['error'] There was an error running the uploader: Error uploading to https://codecov.io: Error: There was an error fetching the storage URL during POST: 404 - {'detail': ErrorDetail(string='Unable to locate build via Github Actions API. Please upload with the Codecov repository upload token to resolve issue.', code='not_found')} ``` It is suggested that this can be avoided by providing the upload token: https://community.codecov.com/t/upload-issues-unable-to-locate-build-via-github-actions-api/3954 It should be noted that PRs from forks do not have access to repository secrets, so the approach suggested there of using an encrypted repository secret for the token would mean that PRs from forks (the workflow runs for which don't have access to secrets) would still be subject to the same intermittent spurious workflow run failures. The alternative approach is to add the token in plaintext directly in the workflow. The security implications of that approach are described here: https://community.codecov.com/t/upload-issues-unable-to-locate-build-via-github-actions-api/3954 > Public repositories that rely on PRs via forks will find that they cannot effectively use Codecov if the token is > stored as a GitHub secret. The scope of the Codecov token is only to confirm that the coverage uploaded comes from a > specific repository, not to pull down source code or make any code changes. > > For this reason, we recommend that teams with public repositories that rely on PRs via forks consider the security > ramifications of making the Codecov token available as opposed to being in a secret. > > A malicious actor would be able to upload incorrect or misleading coverage reports to a specific repository if they > have access to your upload token, but would not be able to pull down source code or make any code changes. We have evaluated the risks of exposing the token and are intentionally choosing to accept the possibility of it being used by a malicious actor to upload incorrect coverage data for this project to Codecov.
per1234
added
type: imperfection
Codecov Report
@@ Coverage Diff @@
## master #368 +/- ##
==========================================
+ Coverage 94.86% 95.00% +0.13%
==========================================
Files 27 27
Lines 1130 1220 +90
==========================================
+ Hits 1072 1159 +87
- Misses 58 61 +3 |
pennam
approved these changes
Jun 29, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Codecov claims a token is not needed when using the
codecov/codecov-actionGitHub Actions action in workflows of a public repository:https://github.com/codecov/codecov-action#usage
However, experience shows that that step of the workflow is subject to intermittent spurious failures caused by a 404 error during the upload attempt:
https://github.com/arduino-libraries/ArduinoIoTCloud/actions/runs/5403452364/jobs/9816277077#step:4:32
It is suggested that this can be avoided by using the Codecov upload token for the repository (which can be passed to the
codecov/codecov-actionaction via thetokeninput):https://community.codecov.com/t/upload-issues-unable-to-locate-build-via-github-actions-api/3954
It should be noted that PRs from forks do not have access to repository secrets, so the approach suggested there of using an encrypted repository secret for the token would mean that PRs from forks (the workflow runs for which don't have access to secrets) would still be subject to the same intermittent spurious workflow run failures.
The alternative approach is to add the token in plaintext directly in the workflow. The security implications of that
approach are described here:
https://community.codecov.com/t/upload-issues-unable-to-locate-build-via-github-actions-api/3954
I have evaluated the risks of exposing the token and am intentionally choosing to accept the possibility of it being used by a malicious actor to upload incorrect coverage data for this project to Codecov.