Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Tokenless support in the new CLI (for public repos and forks) #112

Closed
Tracked by #384
toddbaert opened this issue Sep 14, 2023 · 60 comments
Closed
Tracked by #384

Tokenless support in the new CLI (for public repos and forks) #112

toddbaert opened this issue Sep 14, 2023 · 60 comments

Comments

@toddbaert
Copy link

toddbaert commented Sep 14, 2023

Hello! I've recently updated a number of projects in our org to use the latest versions of the codecov action.

I see now that the codecov CLI is used to power this action, and that it requires a token. No problem, I went and got the token for the repositories in question, and all seemed to work... until we got a PR from a fork (something that happens quite frequently in our case). This results in a problem: secrets aren't available in PRs from forks (unless we use the pull_request_target trigger, which would allow malicious actors to potentially exfiltrate our secret(s)).

So my question is, as an open-source project, how am I supposed to use the new action? I want to run the coverage analysis on the new code (which is untrusted) but in order to do that, I need to run in a trusted environment to get access to the secret. Am I missing something? 🤔

@toddbaert toddbaert changed the title Token required in latest versions - security implications with forks? Token required in latest versions - how can I make this work with PRs from forks? Sep 14, 2023
@thomasrockhu-codecov
Copy link
Contributor

@toddbaert this is a known and yet unsolved problem. We are investigating GitHub's OIDC to see if this will be a suitable replacement for token-less uploading (including forks)

@toddbaert
Copy link
Author

toddbaert commented Sep 14, 2023

@thomasrockhu-codecov Thanks!

For now we'll stick to v3! Happy to help you folks test v4 if you have a proposed solution for forks at some point.

Should I close this issue?

@thomasrockhu-codecov
Copy link
Contributor

thomasrockhu-codecov commented Sep 14, 2023

@toddbaert let's leave it open for now so that anyone watching will get an update if OIDC is the way to go for forks.

For everyone else, you can add the CODECOV_TOKEN from the Codecov repo settings page to your repo secrets. Then, update your GitHub Actions workflows:

...
uses: codecov/codecov-action@v4
env:
  CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
...

@toddbaert
Copy link
Author

toddbaert commented Sep 14, 2023

@toddbaert let's leave it open for now so that anyone watching will get an update if OIDC is the way to go for forks.

For everyone else, you can add the CODECOV_TOKEN from the Codecov repo settings page to your repo secrets. Then, update your GitHub Actions workflows:

...
uses: codecov/codecov-action@v4
env:
  CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
...

Yep, looks like there's some linked PRs/issues, so probably good to keep it open until there's a solution for forks. Thanks again!

@thomasrockhu-codecov thomasrockhu-codecov changed the title Token required in latest versions - how can I make this work with PRs from forks? How can I make this work with PRs from forks (when token is required)? Sep 15, 2023
@dolfinus
Copy link

you can add the CODECOV_TOKEN from the Codecov repo settings page to your repo secrets

But this still requires changing on:pull_request to on:pull_request_target to access secrets of original repo from a fork.

beeme1mr referenced this issue in open-feature/go-sdk Sep 21, 2023
There's an ongoing issue with v4.
https://github.com/codecov/codecov-action/issues/1087

Signed-off-by: Michael Beemer <[email protected]>
beeme1mr referenced this issue in open-feature/go-sdk Sep 21, 2023
Revert to CodeCov v3

There's an ongoing issue with v4.
https://github.com/codecov/codecov-action/issues/1087

Signed-off-by: Michael Beemer <[email protected]>
@thomasrockhu-codecov thomasrockhu-codecov changed the title How can I make this work with PRs from forks (when token is required)? Tokenless support (for public repos and forks) Oct 20, 2023
@thomasrockhu-codecov thomasrockhu-codecov changed the title Tokenless support (for public repos and forks) Tokenless support in the new CLI (for public repos and forks) Oct 20, 2023
@mwestphal
Copy link

Please note codecov v3 doesn't seem to work anymore.

@mwestphal
Copy link

So I managed to fix this on my own CI.

Somehow, the current behavior is completely undocumented but this is pretty simple.

  • non-fork workflow should use a token
  • forked workflow should be token-less

Actually, codecov@v4 action detect forked workflow and use tokenless automatically in the case, even if a token is specified, the codecov output will tell you:

    info - 2024-04-28 03:27:00,660 -- The PR is happening in a forked repo. Using tokenless upload.

So here is how it looks in my CI:

    - name: Upload coverage to Codecov
      uses: codecov/codecov-action@v4
      with:
        token: ${{secrets.codecov_token}}
        fail_ci_if_error: true
        verbose: true
        use_oidc: false
  • token is empty in forked workflow but it doesnt matter, codecov action just ignore it anyway.
  • fail_ci_if_error: added this to avoid the previous situation where codecov@v3 started failing silently
  • verbose : Great for debugging
  • use_oidc: I dont think this is needed right now, but for now I want to make sure codecov doesnt try to use this

hth

@rohan-at-sentry
Copy link

@mwestphal - thanks for writing in, this was indeed documented before at https://docs.codecov.com/docs/codecov-uploader#supporting-tokenless-uploads.

I am going to try to augment the docs with more detail, and also make this more prominent in the readme for the action

@mwestphal
Copy link

mwestphal commented Apr 29, 2024

Indeed, thanks for pointing out the doc!

make this more prominent in the readme for the action

I think this is why I missed it. The doc you linked is massive. I should have searched there for "tokenless" but I did not.
In any case, improving the action doc to cover such a classic usecase is worth it imo.

@hugovk
Copy link

hugovk commented Apr 29, 2024

I've started adding tokens to organisations. Unfortunately, my projects tend to be:

  • under my personal account
  • the only one in an org, so it's tedious to click through to add secrets
  • or in an repo or org I don't have admin access to and the admins are unavailable

Is there a way to add a token to a personal account so it can be used by all repos, similar to adding an an org-level?

What are the downsides of adding tokens in some shared plaintext file?

@rohan-at-sentry
Copy link

@hugovk

For the following use-cases

under my personal account
the only one in an org, so it's tedious to click through to add secrets

you can grab the global upload token and either

  • set them as an environment secret OR
  • specify it during upload time
    • If using CLI in CI, you have to pass the token during upload upload-process -t<token>

For

or in an repo or org I don't have admin access to and the admins are unavailable

see if you can access the settings page in the codecov UI for the repo (https://app.codecov.io/gh//settings

If yes, then you can grab the token and

  • specify it during upload time
    • If using CLI in CI, you have to pass the token during upload upload-process -t<token>

Re

What are the downsides of adding tokens in some shared plaintext file?

If you are doing this to ensure uploads from forks are not impacted, this should largely already be in place see above and docs.

As for risks, sharing your token means others can upload phony coverage and blow away your data.

@hugovk
Copy link

hugovk commented May 2, 2024

Thanks, I'll try these out.

under my personal account
the only one in an org, so it's tedious to click through to add secrets

you can grab the global upload token and either

  • set them as an environment secret OR

  • specify it during upload time

    • If using CLI in CI, you have to pass the token during upload upload-process -t<token>

I use the GitHub Action.

Can an environment secret be set in my user account for all my repos, or does it need repeating for each repo at https://github.com/my_username/my_repo/settings/secrets/actions and https://github.com/my_username/my_repo/settings/secrets/dependabot?

@rohan-at-sentry
Copy link

@hugovk - from their docs, Github doesn't appear to support setting secrets at an account level. If you have the ability to set secrets at the org level, then you can set the Global Upload Token for all repos without individually setting it for each repo.

@jsoref
Copy link

jsoref commented May 8, 2024

@rohan-at-sentry: correct, it's a really horrible idea to imagine secrets at an account level because people tend to willy-nilly fork repositories into their account, which is just inviting repositories to be written such that when they're forked they steal user's secrets.

Instead anyone interested in doing things should create their own (single-account) org, and move/fork things from their account to their org. A nice benefit is that organizations also give you the ability to see current runners (you can't do that for actions running in repositories in your user account...).

@rohan-at-sentry
Copy link

@jsoref exactly!

@ljharb
Copy link

ljharb commented May 8, 2024

Forcing a move to an org is a pretty unacceptable ask for codecov usability, though - while it sucks that GitHub treats user-owned repos as second-class, user-owned repos need love too :-)

@rohan-at-sentry
Copy link

Forcing a move to an org is a pretty unacceptable ask for codecov usability

I agree, - to be clear I'm not advocating for user-owned repos to move to orgs (and I can see how my response could be interpreted that way).

@jsoref
Copy link

jsoref commented May 8, 2024

In theory, OIDC is the right way to go...

  • it can do the right thing in an original repository or for commits in a fork of an original repository (secrets will do the wrong thing in forks, in that they'll be missing, and then you'll hit rate limits and things will fail)
  • it's true that it won't handle PRs from across forks (for pull_request)
  • if it actually worked and people were really careful and it was willing to allow it, it could work if people used pull_request_target, but getting that right would require two jobs, one for doing the testing and one for uploading the report (and the current code explicitly blocks this use case so that'd have to be removed...)
  • but at least in my tests it codecov-actions' OIDC implementation doesn't appear to work and the error reporting from codecov's server isn't particularly helpful.

I'm not strongly advocating for using orgs, but I personally have moved to doing most of my work in them because the security benefits and additional concurrent runners / visibility I get from runners make them worthwhile.

@thomasrockhu-codecov
Copy link
Contributor

The original intent of this issue was to see if OIDC would be a reasonable replacement. We have added OIDC support, so if you have it implemented, you will be able to use it for uploads.

Currently, we are making some changes to tokenless uploading for forks. I believe in the next few days we should see huge improvements where most users (if not all) will be able to upload coverage on their PRs if they come from forks (without a token). This means that the Codecov step should not fail your CIs for this case.

I'm going to close this issue for now as it's been a bit of time and I believe needs have changed since. Please open a new issue if you, by the end of this week, are not able to upload coverage to your projects on a fork.

@harryzcy
Copy link

Are there reasons that OIDC can not be used for public repos? This issue is for both "public repos and forks". Is there a timeline for this or it's not planned at all?

@thomasrockhu-codecov
Copy link
Contributor

@harryzcy OIDC and tokenless are mutually exclusive. OIDC can be used on public repos.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Status: Waiting for: Product Owner
Development

No branches or pull requests