From 433e641af5a7b14e2a8ab12c4299de6b0521d519 Mon Sep 17 00:00:00 2001 From: per1234 Date: Wed, 28 Jun 2023 08:58:48 -0700 Subject: [PATCH 1/2] Bump `codecov/codecov-action` dependency to v3 The "Unit Test" GitHub Actions workflow uses the "codecov/codecov-action" GitHub Actions action to upload coverage data to Codecov. Previously the workflow specified the "v1" version ref for the action dependency. That pinned the dependency to the major version 1 series. Several major version bumps have been made in the action since that time so the use of the v1 ref caused the workflow to use a significantly outdated and deprecated version of the action. Bumping the action to the latest "v3" ref will avoid the potential for the step to stop working entirely (the action docs claim v1 was sunset 1.5 years ago) and allow the workflow to benefit from the enhancements and fixes from ongoing development work in the action until such time as a breaking change in the action triggers them to make another major version bump. At that time it will be necessary for the project maintainers to evaluate whether the breaking change requires any modifications to the workflow before manually bumping the ref again (i.e., `uses: codecov/codecov-action@v3` -> `uses: codecov/codecov-action@v4`). --- .github/workflows/unit-tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml index f3b66c2c8..13460c6a4 100644 --- a/.github/workflows/unit-tests.yml +++ b/.github/workflows/unit-tests.yml @@ -36,7 +36,7 @@ jobs: coverage-data-path: ${{ env.COVERAGE_DATA_PATH }} - name: Upload coverage report to Codecov - uses: codecov/codecov-action@v1 + uses: codecov/codecov-action@v3 with: file: "${{ env.COVERAGE_DATA_PATH }}" fail_ci_if_error: true From 4b112e8bdcb016ed1de9bd4b111feffef602d613 Mon Sep 17 00:00:00 2001 From: per1234 Date: Wed, 28 Jun 2023 09:06:35 -0700 Subject: [PATCH 2/2] Use token when uploading unit test code coverage data to Codecov from workflow Codecov claims a token is not needed when using the codecov/codecov-action GitHub Actions action in workflows of a public repository: https://github.com/codecov/codecov-action#usage > For public repositories, no token is needed However, experience shows that that step of the workflow is subject to intermittent spurious failures caused by a 404 error during the upload attempt: ``` [2023-06-26T09:18:51.453Z] ['error'] There was an error running the uploader: Error uploading to https://codecov.io: Error: There was an error fetching the storage URL during POST: 404 - {'detail': ErrorDetail(string='Unable to locate build via Github Actions API. Please upload with the Codecov repository upload token to resolve issue.', code='not_found')} ``` It is suggested that this can be avoided by providing the upload token: https://community.codecov.com/t/upload-issues-unable-to-locate-build-via-github-actions-api/3954 It should be noted that PRs from forks do not have access to repository secrets, so the approach suggested there of using an encrypted repository secret for the token would mean that PRs from forks (the workflow runs for which don't have access to secrets) would still be subject to the same intermittent spurious workflow run failures. The alternative approach is to add the token in plaintext directly in the workflow. The security implications of that approach are described here: https://community.codecov.com/t/upload-issues-unable-to-locate-build-via-github-actions-api/3954 > Public repositories that rely on PRs via forks will find that they cannot effectively use Codecov if the token is > stored as a GitHub secret. The scope of the Codecov token is only to confirm that the coverage uploaded comes from a > specific repository, not to pull down source code or make any code changes. > > For this reason, we recommend that teams with public repositories that rely on PRs via forks consider the security > ramifications of making the Codecov token available as opposed to being in a secret. > > A malicious actor would be able to upload incorrect or misleading coverage reports to a specific repository if they > have access to your upload token, but would not be able to pull down source code or make any code changes. We have evaluated the risks of exposing the token and are intentionally choosing to accept the possibility of it being used by a malicious actor to upload incorrect coverage data for this project to Codecov. --- .github/workflows/unit-tests.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml index 13460c6a4..2b4283747 100644 --- a/.github/workflows/unit-tests.yml +++ b/.github/workflows/unit-tests.yml @@ -35,8 +35,23 @@ jobs: - '*/src/cbor/lib/*' coverage-data-path: ${{ env.COVERAGE_DATA_PATH }} + # A token is used to avoid intermittent spurious job failures caused by rate limiting. + - name: Set up Codecov upload token + run: | + if [[ "${{ github.repository }}" == "arduino-libraries/ArduinoIoTCloud" ]]; then + # In order to avoid uploads of data from forks, only use the token for runs in the parent repo. + # Token is intentionally exposed. + # See: https://community.codecov.com/t/upload-issues-unable-to-locate-build-via-github-actions-api/3954 + CODECOV_TOKEN="47827969-3fda-4ba1-9506-e8d0834ed88c" + else + # codecov/codecov-action does unauthenticated upload if empty string is passed via the `token` input. + CODECOV_TOKEN="" + fi + echo "CODECOV_TOKEN=$CODECOV_TOKEN" >> "$GITHUB_ENV" + - name: Upload coverage report to Codecov uses: codecov/codecov-action@v3 with: file: "${{ env.COVERAGE_DATA_PATH }}" fail_ci_if_error: true + token: ${{ env.CODECOV_TOKEN }}