Document how to separate codecov-action use into a separate job
In the README.md of this action, the documented way of using codecov-action is to run it as a step of the same job that collects the coverage info. However, I think it would be better for security and reliability if CodeCov recommended using codecov-action in a separate job instead.
I have been investigating minimization of GITHUB_TOKEN permissions based on https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ and similar. According to that blog post, it is only possible to control permissions on GITHUB_TOKEN on a per-workflow or per-job basis, not a per-step basis. It thus seems GitHub Actions treats the job as the unit of security. Consequently, it seems desirable to put tasks with different permission needs into separate jobs. In particular, I think people will start wanting to have separate jobs for collecting coverage and uploading coverage to Codecov. This way, the job that uploads to codecov wouldn't even need contents: read permission on the GitHub token, and it wouldn't accidentally get access to the token through the unfortunate persist-credentials: true default of actions/checkout.
Further, in issue #234 some users seem to have encountered a timeout issue when there is a long period of time between jobs that submit coverage to codecov and they don't use a codecov token. Codecov developers have suggested that using a codecov access token is a way to work around that problem. However, I think many people are like me and would like to avoid maintaining a GitHub secret just for the codecov token for a public repo. An alternative solution would be:
- Run all the jobs that collect coverage info and save the coverage data as GitHub Actions artifacts.
- Have a separate job for uploading to codecov, that depends on the jobs that collect the coverage. This job would download all the artifacts from the coverage collection jobs and then submit them all at once to codecov.
Since the upload to codecov would happen in only one place, the timeout issue would seem to go away.
- Created 2 years ago
- Comments: 7 (1 by maintainers)
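The following workflow is an added illustration of the two-job layout proposed above; it is not from codecov-action's README or from the issue author. It assumes v4 of the checkout, upload-artifact and download-artifact actions, a hypothetical `make coverage` target that writes its output under `coverage/`, and a matrix over two operating systems. The collect jobs get only `contents: read` (what checkout needs) and disable credential persistence; the upload job checks nothing out, so its job-level `permissions: {}` leaves the GITHUB_TOKEN with no scopes at all.

```yaml
# Added example, not codecov-action's own documentation.
# Assumptions: @v4 action versions, a hypothetical `make coverage` that
# writes coverage/ (e.g. coverage/lcov.info), and an OS matrix.
name: ci

on: [push, pull_request]

# Workflow-wide default: the GITHUB_TOKEN gets no permissions unless a job asks.
permissions: {}

jobs:
  collect:
    strategy:
      matrix:
        os: [ubuntu-latest, macos-latest]
    runs-on: ${{ matrix.os }}
    permissions:
      contents: read                     # the only scope checkout needs
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false     # do not leave the token in .git/config
      - run: make coverage               # hypothetical; produces coverage/
      - uses: actions/upload-artifact@v4
        with:
          name: coverage-${{ matrix.os }}   # v4 requires a unique name per job
          path: coverage/
          if-no-files-found: error

  upload:
    needs: collect                       # runs once, after every collect job
    runs-on: ubuntu-latest
    permissions: {}                      # no checkout, so no token scopes at all
    steps:
      - uses: actions/download-artifact@v4
        with:
          pattern: coverage-*
          path: coverage
          merge-multiple: true           # flatten all matrix artifacts into one dir
      - uses: codecov/codecov-action@v4
        with:
          directory: coverage
          fail_ci_if_error: true
```

Because the upload job runs exactly once after all collect jobs finish, Codecov receives every report in a single submission, which is the behaviour the author wants for both the timeout and the premature-comment problems. If your setup turns out to need the source tree in the upload job, add a checkout step there with `persist-credentials: false` and raise that job to `contents: read` only; if tokenless uploads are refused for your repository, the action's documented `token` input is where a secret would go.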
Top GitHub Comments
Also, having a separate job for the uploading would reduce the annoyance where the Codecov commenter comments about a reduction of code coverage before it has received all the coverage data.
Indeed, assuming the comment https://github.com/actions/upload-artifact/issues/197#issuecomment-832279436 is correct, I wouldn’t feel comfortable using upload-artifact.