Use token when uploading unit test code coverage data to Codecov from workflow

per1234 · per1234 · commit 59cc14f47ee8 · 2023-10-16T22:05:50.000-07:00
Codecov claims a token is not needed when using the codecov/codecov-action GitHub Actions action in workflows of a public repository: https://github.com/codecov/codecov-action#usage > For public repositories, no token is needed However, experience shows that that step of the workflow is subject to intermittent spurious failures caused by a 404 error during the upload attempt: ``` [2023-10-17T04:37:33.792Z] ['error'] There was an error running the uploader: Error uploading to https://codecov.io: Error: There was an error fetching the storage URL during POST: 404 - {'detail': ErrorDetail(string='Unable to locate build via Github Actions API. Please upload with the Codecov repository upload token to resolve issue.', code='not_found')} ``` It is suggested that this can be avoided by providing the upload token: https://community.codecov.com/t/upload-issues-unable-to-locate-build-via-github-actions-api/3954 It should be noted that PRs from forks do not have access to repository secrets, so the recommended approach of using an encrypted repository secret for the token would mean that PRs from forks (the workflow runs for which don't have access to secrets) would still be subject to the same intermittent spurious workflow run failures. The alternative solution is to add the token in plaintext directly in the workflow. The security implications of that approach are described here: https://community.codecov.com/t/upload-issues-unable-to-locate-build-via-github-actions-api/3954 > Public repositories that rely on PRs via forks will find that they cannot effectively use Codecov if the token is > stored as a GitHub secret. The scope of the Codecov token is only to confirm that the coverage uploaded comes from a > specific repository, not to pull down source code or make any code changes. > > For this reason, we recommend that teams with public repositories that rely on PRs via forks consider the security > ramifications of making the Codecov token available as opposed to being in a secret. > > A malicious actor would be able to upload incorrect or misleading coverage reports to a specific repository if they > have access to your upload token, but would not be able to pull down source code or make any code changes. We have evaluated the risks of exposing the token and are intentionally choosing to accept the possibility of abuse.
diff --git a/.github/workflows/test-go-task.yml b/.github/workflows/test-go-task.yml
@@ -97,10 +97,26 @@ jobs:
           GO_MODULE_PATH: ${{ matrix.module.path }}
         run: task go:test
 
+      # A token is used to avoid intermittent spurious job failures caused by rate limiting.
+      - name: Set up Codecov upload token
+        if: runner.os == 'Linux'
+        run: |
+          if [[ "${{ github.repository }}" == "arduino/arduino-lint" ]]; then
+            # In order to avoid uploads of data from forks, only use the token for runs in the parent repo.
+            # Token is intentionally exposed.
+            # See: https://community.codecov.com/t/upload-issues-unable-to-locate-build-via-github-actions-api/3954
+            CODECOV_TOKEN="12e51647-df00-4555-843a-ece637530116"
+          else
+            # codecov/codecov-action does unauthenticated upload if empty string is passed via the `token` input.
+            CODECOV_TOKEN=""
+          fi
+          echo "CODECOV_TOKEN=$CODECOV_TOKEN" >> "$GITHUB_ENV"
+
       - name: Send unit tests coverage to Codecov
         if: runner.os == 'Linux'
         uses: codecov/codecov-action@v3
         with:
           file: ${{ matrix.module.path }}coverage_unit.txt
           flags: ${{ matrix.module.codecov-flags }}
           fail_ci_if_error: ${{ github.repository == 'arduino/arduino-lint' }}
+          token: ${{ env.CODECOV_TOKEN }}
