Upgrade from 4.2.0 to 4.3.0 breaks CODECOV_TOKEN uploading

[darosio]

  - name: Upload coverage report
    if: matrix.tests == 'pytest'
    uses: codecov/[email protected]
    with:
      token: ${{ secrets.CODECOV_TOKEN }}

this action step now generates the following error/warning:

==> Uploader SHASUM verified (2c9804ba263ba6880d67a671c35388a72fbfe014bd814acd212d8ff38644bf91 codecov)
info - 2024-04-10 02:33:40,891 -- ci service found: github-actions
warning - 2024-04-10 02:33:40,899 -- No config file could be found. Ignoring config.
Error: Codecov token not found. Please provide Codecov token with -t flag.
Warning: Codecov: Failed to properly create commit: The process '/home/runner/work/_actions/codecov/codecov-action/v4.3.0/dist/codecov' failed with exit code 1

[KATT]

Pinning to 4.2.0 doesn't work either so my guess it's something in the API that doesn't support to submit it without a token anymore

[skateman]

According to the README:

Tokenless uploading is unsupported. However, PRs made from forks to the upstream public repos will support tokenless (e.g. contributors to OS projects do not need the upstream repo's Codecov token)

[KATT]

That's weird, it started breaking 3 days ago for me as well.

[Segelzwerg]

We face the same issue although we provide a token.

[thomasrockhu-codecov]

Sorry ya'll I'll take a look at what's happening here

[thomasrockhu-codecov]

@darosio or anyone on this thread, would you be able to post a link to CI where it was working on 4.2.x and is not working on 4.3.0?

There is nothing that I have seen that is specific to 4.3.0 or any changes to our CLI that would have made that error message show up between the two.

[darosio]

Thank you for your efforts.
Here is an incriminated pr https://github.com/darosio/ClopHfit/tree/dependabot/github_actions/codecov/codecov-action-4.3.0
and an example of a failing action https://github.com/darosio/ClopHfit/actions/runs/8625091012

[thomasrockhu-codecov]

@darosio what I'm first noticing is that the with: section is empty on the 4.3.0 PR, however it exists prior to that. Does dependabot have access to this secret? I know in previous iterations it has run with the token, but you can double-check https://github.com/OWNER/REPO/settings/secrets/dependabot

[darosio]

Indeed, adding the CODECOV_TOKEN secret to dependabot solved this issue in my case. Probably starting from 4.3.0 the with: token is needed.
Thank you, Tom.

[darosio]

I double-check the error in the dependabot actions was present since upgrade to v 4.0.0, and sorry nothing special on 4.3.0.

[skateman]

Will try to update to 4.3.0 and keep you informed if it still works

[ssbarnea]

I am using @v4 which means that latest version is always used but it seems that i get 403 error even with valid token (also added it to dependabot):

debug - 2024-04-17 10:21:48,905 -- Starting create commit process --- {"commit_sha": "17caa2cada40b97d672865d696e2736c17e2c6ba", "parent_sha": null, "pr": "155", "branch": "chore/readme-versions", "slug": "ansible/ansible-dev-tools", "token": "3******************", "service": "github", "enterprise_url": null}
[60](https://github.com/ansible/ansible-dev-tools/actions/runs/8720236504/job/23921375358?pr=155#step:8:61)
info - 2024-04-17 10:21:49,013 -- Process Commit creating complete
[61](https://github.com/ansible/ansible-dev-tools/actions/runs/8720236504/job/23921375358?pr=155#step:8:62)
debug - 2024-04-17 10:21:49,014 -- Commit creating result --- {"result": "RequestResult(error=RequestError(code='HTTP Error 403', params={}, description='{\"detail\":\"You do not have permission to perform this action.\"}'), warnings=[], status_code=403, text='{\"detail\":\"You do not have permission to perform this action.\"}')"}
[62](https://github.com/ansible/ansible-dev-tools/actions/runs/8720236504/job/23921375358?pr=155#step:8:63)
error - 2024-04-17 10:21:49,014 -- Commit creating failed: {"detail":"You do not have permission to perform this action."}

This is new and I updated the tokens just in case, still failing.

[thomasrockhu-codecov]

@ssbarnea please double check that you are using the ansible/ansible-dev-tools token. It should not have CODECOV_TOKEN. If this is still an issue, please open a new issue.

[KATT]

@thomasrockhu-codecov could you clarify if CODECOV_TOKEN is needed or not needed for OSS-projects?

According to the v4 docs it is required, but reading some mixed signals here.

Here's a run from today of my project where we're not using a token:

Error: Codecov token not found. Please provide Codecov token with -t flag.
Warning: Codecov: Failed to properly create commit: The process '/home/runner/work/_actions/codecov/codecov-action/v4/dist/codecov' failed with exit code 1

But, it runs successfully on a PR where I added the secret.

If the token is required, it's quite disruptive as secrets aren't available on forks of repos - if so, can you please provide documentation and GitHub action snippets on how to deal with forks correctly?

[thomasrockhu-codecov]

@KATT , the CODECOV_TOKEN is currently required even for OSS-projects.

As for forks of repos, if the fork is creating a PR against itself, it will need its own CODECOV_TOKEN. However, if it is making a PR against the upstream repo, the token and access to the token are not required.

[thomasrockhu-codecov]

@KATT if you are running into any issues, please open a new issue for this as it's not relevant to this one.