PRs from forks do not have access to repository secrets. The same intermittent spurious
workflow run failures will continue to occur for PRs from forks.
https://community.codecov.com/t/upload-issues-unable-to-locate-build-via-github-actions-api/3954
> Public repositories that rely on PRs via forks will find that they cannot effectively
> use Codecov if the token is stored as a GitHub secret. The scope of the Codecov token
> is only to confirm that the coverage uploaded comes from a specific repository, not to
> pull down source code or make any code changes.
>
> For this reason, we recommend that teams with public repositories that rely on PRs via
> forks consider the security ramifications of making the Codecov token available as
> opposed to being in a secret.
>
> A malicious actor would be able to upload incorrect or misleading coverage reports to
> a specific repository if they have access to your upload token, but would not be able
> to pull down source code or make any code changes.