Provide clarity on future of tokenless uploads from GitHub Actions

Open lpsinger opened this issue 1 year ago • 10 comments

v4 dropped support for tokenless uploads on GitHub Actions due to #1068 ("use cli instead of node uploader"). In the PR description there is the comment:

Notes to reviewer:

  • Currently tokenless upload is not supported. Releasing this PR for users who are not using a codecov token will break their CI

Is there a plan to restore support for tokenless uploads in the GitHub Action going forward? Tokenless uploads still work with v3, the Node uploader obviously still supports tokenless uploads. Will the CLI uploader gain support for them? The Codecov documentation still mentions tokenless uploads in lots of places.

lpsinger avatar Feb 14 '24 15:02 lpsinger

Despite mentioning "PRs made from forks to the upstream public repos will support tokenless" in the changelog, this does not seem to be working at all.

louwers avatar Feb 21 '24 12:02 louwers

Would be great to get some feedback on this. Are tokens now a hard requirement?

We just updated from v3 to v4 and the upload is broken.

elBoberido avatar Apr 15 '24 15:04 elBoberido

My projects that use codecov are now saying:

[2024-05-03T23:11:57.452Z] ['error'] There was an error running the uploader: Error uploading to https://codecov.io: Error: There was an error fetching the storage URL during POST: 429 - {'detail': ErrorDetail(string='Rate limit reached. Please upload with the Codecov repository upload token to resolve issue. Expected available in 10 seconds.', code='throttled')}

Is tokenless uploading gone for good now? It would be really helpful to get confirmation from someone at Codecov on this.

lpsinger avatar May 03 '24 23:05 lpsinger

Was dropping the tokenless upload feature just an unintended side effect, as #1068 seems to imply? Or is there a reason it's no longer desirable?

I accept that as a purely open-source user who doesn't pay Codecov, I have no claim on your time. But the v3 action works so smoothly, with no need to think about secret tokens, and I've left several projects using v3 while waiting to hear something about this.

takluyver avatar May 22 '24 13:05 takluyver

Hi all...

Tokenless upload should still work for v3. And with v4, the tokens are required, except for when uploading from forks as detailed here

@lpsinger - looking at the error, it looks like a rate limit issue - have you set up the codecov app on GitHub?

rohan-at-sentry avatar May 22 '24 14:05 rohan-at-sentry

Thanks Rohan!

> Tokenless upload should still work for v3.

It does! :smiley: But at some point fairly soon the v3 action will stop working entirely, unless it's updated to run on Node 20: https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/

> And with v4, the tokens are required

To be clear, are you confirming that there's no plan to change that?

takluyver avatar May 22 '24 14:05 takluyver

@takluyver little known secret, v3.1.5 runs node20

thomasrockhu-codecov avatar May 22 '24 15:05 thomasrockhu-codecov

:laughing: OK, maybe I'll just pin 3.1.5 and see how long it carries on working for.

takluyver avatar May 22 '24 15:05 takluyver

@rohan-at-sentry, we'd still love an answer to this question from @takluyver:

> Was dropping the tokenless upload feature just an unintended side effect, as https://github.com/codecov/codecov-action/pull/1068 seems to imply? Or is there a reason it's no longer desirable?

Meanwhile I have held back all of my projects to v3 of the GitHub action.

lpsinger avatar Jun 11 '24 19:06 lpsinger

@lpsinger apologies for not addressing that, happy to do so now.

We felt repo tokens would

  • serve as a means to tell Codecov "who you are" so that Codecov can go look-up details from the repo's Codecov App and use that app token. This reduces chances of being rate limited by GitHub which impacts our ability to ingest, process and report on coverage changes.

  • there is an additional (if less prominent) benefit of ensuring uploads are from a real CI and a real repo.

To be clear, we were aware of the fact that secrets wouldn't be passed over to forks - which is why token-less uploading was and still is supported for uploads from forks.

That said, we recognize that the change was not well communicated, and that setting a token can introduce friction. We're making some changes to how the tokenless flows work currently and once that ships, we're going to take a look to see how we can make this better.

rohan-at-sentry avatar Jun 12 '24 14:06 rohan-at-sentry