
support Github Actions OIDC

Open zetaab opened this issue 2 years ago • 9 comments

Adds support for using GitHub OIDC, as requested in https://github.com/codecov/feedback/issues/53

So after this, the codecov-action itself supports the following:

jobs:
  build:
    permissions: # these are needed after oidc change
      id-token: write
      contents: read
    steps:
    ...
    - uses: codecov/codecov-action@v3

However, this still needs support to codecov-api (https://github.com/codecov/codecov-api/pull/90)

This is tested in following scenarios:

  • without token and without GHA permissions -> it will continue posting to Codecov without any token
  • without token and with GHA permission -> it will fetch Github JWT and post that to Codecov
  • with token and without GHA permission -> it will post original token to Codecov
  • with token and with GHA permission -> it will post original token to Codecov

This can be merged before the codecov-api has the changes or an updated version running. If someone starts using this before then, it will just not work. It should not break backwards compatibility.

zetaab avatar Aug 22 '23 06:08 zetaab
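The four token/permission scenarios listed in the PR description, written out as the credential-selection logic they describe. This is an added example, not code from the PR or from codecov-action; `getIDToken` stands in for `@actions/core`'s `getIDToken()`, which rejects when the job lacks `id-token: write`, and the `aud` value in the constructed sample token is an assumption, not something the page states.

```typescript
// Added example, not the PR's code: the four token/permission cases described
// above, resolved to what the action would send to Codecov. `getIDToken` stands in
// for @actions/core's getIDToken(), which rejects when the job lacks id-token: write.
export type UploadCredential =
  | { kind: 'token'; value: string } // explicit token wins (cases 3 and 4)
  | { kind: 'oidc'; value: string }  // GitHub-issued JWT (case 2)
  | { kind: 'none' };                // tokenless upload, as before (case 1)

export async function resolveUploadCredential(
  token: string | undefined,
  getIDToken: () => Promise<string>,
): Promise<UploadCredential> {
  if (token !== undefined && token.trim() !== '') {
    return { kind: 'token', value: token };
  }
  try {
    return { kind: 'oidc', value: await getIDToken() };
  } catch {
    // No id-token permission (e.g. a pull_request job from a fork): stay tokenless.
    return { kind: 'none' };
  }
}

// Decode a JWT payload without verifying it, to inspect the claims the Codecov
// API would key on (iss, aud, repository, ref). Signature checks belong server-side.
export function jwtPayload(jwt: string): Record<string, unknown> {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Constructed sample token with the claim names a GitHub Actions OIDC token carries;
// the signature segment is a placeholder, so this is only good for decoding.
export function constructedIdToken(): string {
  const b64url = (o: object): string =>
    Buffer.from(JSON.stringify(o)).toString('base64')
      .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  const header = { alg: 'RS256', typ: 'JWT' };
  const claims = {
    iss: 'https://token.actions.githubusercontent.com',
    aud: 'https://codecov.io', // assumed audience, not taken from the page
    repository: 'example-org/example-repo',
    ref: 'refs/heads/main',
  };
  return `${b64url(header)}.${b64url(claims)}.placeholder-signature`;
}
```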

@thomasrockhu-codecov is there any timeline to get some feedback for the pr?

zetaab avatar Aug 30 '23 19:08 zetaab

@zetaab I'll take a look today

thomasrockhu-codecov avatar Sep 05 '23 17:09 thomasrockhu-codecov

Codecov Report

Merging #1054 (b9fd881) into main (525bbff) will increase coverage by 1.10%. The diff coverage is 100.00%.

:exclamation: Current head b9fd881 differs from pull request most recent head 8049f50. Consider uploading reports for the commit 8049f50 to get more accurate results

@@            Coverage Diff             @@
##             main    #1054      +/-   ##
==========================================
+ Coverage   94.83%   95.94%   +1.10%     
==========================================
  Files           4        4              
  Lines         213      345     +132     
  Branches       60      103      +43     
==========================================
+ Hits          202      331     +129     
- Misses         10       14       +4     
+ Partials        1        0       -1     
Flag Coverage Δ
demo 80.00% <ø> (-14.84%) :arrow_down:
macos-latest 95.94% <100.00%> (+1.10%) :arrow_up:
script 96.66% <100.00%> (+1.83%) :arrow_up:
ubuntu-latest 95.94% <100.00%> (+1.10%) :arrow_up:
version 80.00% <ø> (-14.84%) :arrow_down:
windows-latest 95.94% <100.00%> (+1.10%) :arrow_up:

Flags with carried forward coverage won't be shown. Click here to find out more.

Files Coverage Δ
src/buildExec.ts 97.29% <100.00%> (+0.46%) :arrow_up:

... and 1 file with indirect coverage changes

codecov[bot] avatar Sep 06 '23 01:09 codecov[bot]

@zetaab this is cool and it's nice to have. I just want to point out that OIDC won't work for PRs from forks because of the limited privileges the pull_request event-triggered GHA jobs have. So this might be something to document.

webknjaz avatar Sep 26 '23 17:09 webknjaz

I just want to point out that OIDC won't work for PRs from forks because of the limited privileges the pull_request event-triggered GHA jobs have.

Bummer, then this does not cover our personal use case... We'll need tokenless support.

s0undt3ch avatar Sep 26 '23 18:09 s0undt3ch

@s0undt3ch yep, that's definitely annoying. Though, you can use pull_request_target instead, if you're ready to take on more responsibility than GitHub currently has, security-wise. But don't forget to read all the security considerations — they have a doc on that somewhere.

webknjaz avatar Sep 27 '23 14:09 webknjaz

@s0undt3ch yep, that's definitely annoying. Though, you can use pull_request_target instead, if you're ready to take on more responsibility than GitHub currently has, security-wise. But don't forget to read all the security considerations — they have a doc on that somewhere.

Nope :grin:

What we really need is tokenless uploads, though the new codecov-cli does not support them :disappointed:

s0undt3ch avatar Sep 27 '23 14:09 s0undt3ch

This PR will work as is. However, the newer codecov cli is now forcing the token to be a UUID:

Error: Invalid value for '-t' / '--token': '***' is not a valid UUID.

which should not be the case anymore after https://github.com/codecov/codecov-api/pull/177. So we need another PR to codecov-cli to fix this issue.

(and it seems that codecov-action does not work anymore against 0.6.x versions)

zetaab avatar Oct 20 '23 08:10 zetaab

I guess this PR fixes https://github.com/codecov/feedback/issues/112? What's the status for this?

LecrisUT avatar Dec 18 '23 13:12 LecrisUT

@zetaab I'm running into some issues pushing some changes here. We are looking to implement this in the next 2 weeks. You can find the changes here:

https://github.com/codecov/codecov-action/pull/1330 https://github.com/codecov/codecov-action/pull/1329

thomasrockhu-codecov avatar Mar 17 '24 22:03 thomasrockhu-codecov