codecov-action
Github Workflow Permissions
I wanted to ask if this workflow action needs extra permissions, because I could not find anything in the documentation (or existing issues) specifying what permissions are needed, if any.
The workflow action does not require any permissions on its own. I created https://github.com/codecov/codecov-action/pull/740 to demonstrate this.
Note that permissions for all scopes were disabled through setting permissions in the form of (as shown in your link):
```
permissions: {}
```
Are you sure? I've run into a number of codecov workflows that appear to talk with not particularly helpful messaging. I was going to file a ticket, but this seems to fit the bill. https://github.com/check-spelling/duckdb/actions/runs/3226662741/jobs/5281412111#step:10:40
```
[2022-10-11T15:41:13.971Z] ['info'] Pinging Codecov: https://codecov.io/upload/v4?package=github-action-2.1.0-uploader-0.3.2&token=*******&branch=spell-check-with-spelling&build=3226662741&build_url=https%3A%2F%2Fgithub.com%2Fcheck-spelling%2Fduckdb%2Factions%2Fruns%2F3226662741&commit=40704d5c9fa83c14e29ad38f9aefe88304908689&job=CodeQuality&pr=&service=github-actions&slug=check-spelling%2Fduckdb&name=&tag=&flags=&parent=
[2022-10-11T15:41:14.372Z] ['error'] There was an error running the uploader: Error uploading to https://codecov.io: Error: There was an error fetching the storage URL during POST: 404 - {'detail': ErrorDetail(string='Unable to locate build via Github Actions API. Please upload with the Codecov repository upload token to resolve issue.', code='not_found')}
Error: Codecov: Failed to properly upload: The process '/home/runner/work/_actions/codecov/codecov-action/v2/dist/codecov' failed with exit code 255
```
https://github.com/check-spelling/smallstep-cli/actions/runs/3224300961/jobs/5275293667#step:11:34
```
[2022-10-11T05:20:22.218Z] ['info'] Pinging Codecov: https://codecov.io/upload/v4?package=github-action-3.1.1-uploader-0.3.2&token=*******&branch=test&build=3224300961&build_url=https%3A%2F%2Fgithub.com%2Fcheck-spelling%2Fsmallstep-cli%2Factions%2Fruns%2F3224300961&commit=8e2fec11fb5a480de787a9e0675e75f03a226450&job=CI&pr=3&service=github-actions&slug=check-spelling%2Fsmallstep-cli&name=codecov-umbrella&tag=&flags=&parent=
[2022-10-11T05:20:22.636Z] ['error'] There was an error running the uploader: Error uploading to https://codecov.io: Error: There was an error fetching the storage URL during POST: 404 - {'detail': ErrorDetail(string='Could not find a repository, try using repo upload token', code='not_found')}
Error: Codecov: Failed to properly upload: The process '/home/runner/work/_actions/codecov/codecov-action/v3/dist/codecov' failed with exit code 255
```
@thomasrockhu-codecov as a DevRel person, could you please help the developer relations by finding someone who's available to actually look into the required permissions?
For reference, here are the instructions for how to create an org w/ restrictive default permissions https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
The url to get to that page is:
https://github.com/organizations/:ORG_NAME/settings/actions
And the section looks like this:

@jsoref I don't believe this is a permissions issue, it's a GitHub rate limiting issue. We don't have an ironclad solution for this yet, but I would check these things first
- Use the Codecov app integration
- Set the `CODECOV_TOKEN` in your CI. Although public repos can upload tokenless, we have been running into issues with rate limits which cause the above error.

cc: @hasezoey
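
An added example, not part of the thread and not Codecov's own configuration: a workflow that combines the two points made so far, all `GITHUB_TOKEN` scopes disabled with `permissions: {}` and the upload authenticated with `CODECOV_TOKEN` instead of the tokenless path. The workflow name, the test script and the `coverage.xml` path are assumptions made for illustration.

```yaml
# Added example: least-privilege coverage upload (names and paths are assumed).
name: coverage
on: [push, pull_request]

# Disable every GITHUB_TOKEN scope by default, as in the demonstration PR.
permissions: {}

jobs:
  test:
    runs-on: ubuntu-latest
    # Only needed so actions/checkout can clone a private repository;
    # a public repository can leave the job at `permissions: {}`.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v3

      - name: Run tests with coverage
        # Hypothetical script that writes ./coverage.xml
        run: ./run-tests-with-coverage.sh

      - uses: codecov/codecov-action@v3
        with:
          # Repository upload token stored as an Actions secret. Secrets are
          # not passed to pull_request runs from forks, so those runs still
          # fall back to the tokenless upload described above.
          token: ${{ secrets.CODECOV_TOKEN }}
          files: ./coverage.xml
          # Fail the job when the upload fails instead of ignoring the error.
          fail_ci_if_error: true
```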
@thomasrockhu-codecov: I'm willing to buy that explanation. I tried setting up a simple repository of my own w/ codecov following the official steps and then taking away the app and all permissions and it still seemed happy.
But, a few points:
- The error reporting needs to tell users this. The current error messaging isn't acceptable.
- I'm assuming that your side is basically just trying to download the sources of the current project. The action here has access to those very sources, which means that it could download them from github and then upload them to codecov. -- There are various ways to do this, you could use
  ```
  git archive --format=zip $SPECIFIC_SHA > /tmp/code-cov-$SPECIFIC_SHA.zip
  ```
  if that doesn't work, you could do something like:
  ```
  curl -L $GITHUB_SERVER_URL/$OWNER/$REPO/archive/$SPECIFIC_SHA.zip > /tmp/code-cov-$SPECIFIC_SHA.zip
  ```
  (* this probably won't actually work properly for enterprise servers, but you can cross that bridge later -- just include code to handle the case where you don't get a file -- i.e. log the error output and give the user/yourselves enough to address it)
If you're trying to get something else, I'd be interested in knowing what objects you're trying to access. (My project runs as a github action in a github workflow and I routinely bump into edges like these ...)
@jsoref sorry for the delay here. I'm not super well-versed in what information we pull, but typically it's for information like a repo yaml or the commit author information. Every call is a GitHub API call, which leads to rate limiting
This is a pretty big issue and I'm tracking information in this thread
That seems like stuff your action could get proactively instead of the server asking GitHub after the fact. Conveniently, if you do this, if it doesn't require a GitHub API call (because you can just ask the repo), your API costs are 0, and if you actually need to make a GitHub API call, your billing is against the current workflow's API limit instead of your app's API limit.