
Document how to separate codecov-action use into a separate job


In the README.md of this action, the documented way of using codecov-action is to run it as a step of the same job that collects the coverage info. However, I think it would be better for security and reliability if CodeCov recommended using codecov-action in a separate job instead.

I have been investigating minimization of GITHUB_TOKEN permissions based on https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ and similar. According to that blog post, it is only possible to control permissions on GITHUB_TOKEN on a per-workflow or per-job basis, not a per-step basis. It thus seems GitHub Actions treats the job as the unit of security. Consequently, it seems desirable to put tasks with different permission needs into separate jobs. In particular, I think people will start wanting to have separate jobs for collecting coverage and uploading coverage to Codecov. This way, the job that uploads to codecov wouldn’t even need contents: read permission on the GitHub token and it wouldn’t accidentally get access to the token through the unfortunate persist-credentials: true default of actions/checkout.

Further, in issue #234 some users seem to have encountered a timeout issue when there is a long period of time between jobs that submit coverage to codecov and they don’t use a codecov token. Codecov developers have suggested that using a codecov access token is a way to work around that problem. However, I think many people are like me and would like to avoid maintaining a GitHub secret just for the codecov token for a public [edit] repo. An alternative solution would be:

  1. Run all the jobs that collect coverage info and save the coverage data as GitHub Actions artifacts.
  2. Have a separate job for uploading to codecov, that depends on the jobs that collect the coverage. This job would download all the artifacts from the coverage collection jobs and then submit them all at once to codecov.

Since the upload to codecov would happen in only one place, the timeout issue would seem to go away.
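The two-job split described above, as an added example that is not part of the original issue and not taken from the codecov-action README. The workflow, job and artifact names, the test command, the Python matrix and the action versions are assumptions; the job-level `permissions` keys are the GITHUB_TOKEN controls from the GitHub changelog post the issue links to. The collection jobs get `contents: read` and nothing else, and the upload job gets no token scopes at all, so a problem in the upload step cannot turn into access to the repository via GITHUB_TOKEN. Coverage reports are not secret, which is what makes handing them between jobs as artifacts acceptable.

```yaml
# Added example, not from the issue or the codecov-action project.
# Names, versions, matrix and test command below are assumptions.
name: coverage

on: [push, pull_request]

# Workflow-wide default: GITHUB_TOKEN has no permissions at all.
# Each job then requests exactly the scopes it needs.
permissions: {}

jobs:
  collect:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: ["3.9", "3.10"]   # assumed split of the test run
    permissions:
      contents: read                       # only needed to check out the source
    steps:
      - uses: actions/checkout@v2
        with:
          persist-credentials: false       # do not leave GITHUB_TOKEN in .git/config
      - uses: actions/setup-python@v2
        with:
          python-version: ${{ matrix.python-version }}
      - name: Run tests with coverage (assumed command)
        run: |
          pip install pytest pytest-cov
          pytest --cov=. --cov-report=xml:coverage-${{ matrix.python-version }}.xml
      - uses: actions/upload-artifact@v2
        with:
          name: coverage-${{ matrix.python-version }}
          path: coverage-${{ matrix.python-version }}.xml

  upload:
    needs: collect                         # runs once, after every collect job has finished
    runs-on: ubuntu-latest
    permissions: {}                        # no checkout and no token scopes in this job
    steps:
      # Without a "name" input, download-artifact fetches every artifact of this
      # run, each into its own subdirectory under "coverage/".
      - uses: actions/download-artifact@v2
        with:
          path: coverage
      # One upload for the whole run, after all collection jobs have finished.
      - uses: codecov/codecov-action@v2
        with:
          files: coverage/coverage-3.9/coverage-3.9.xml,coverage/coverage-3.10/coverage-3.10.xml
          fail_ci_if_error: true
```

The `needs: collect` edge is what turns several uploads into one: the upload job does not start until every matrix entry of `collect` has finished, so Codecov receives all reports in a single submission rather than a trickle spread across the workflow. Artifacts of a public repository are downloadable by others for their retention period, so this layout is suitable for coverage data only, not for anything that must stay private.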


Top GitHub Comments

3 reactions
briansmith commented, Apr 29, 2021

Also, having a separate job for the uploading would reduce the annoyance where the Codecov commenter comments about a reduction of code coverage before it has received all the coverage data.

0 reactions
briansmith commented, May 11, 2021

Indeed, assuming the comment https://github.com/actions/upload-artifact/issues/197#issuecomment-832279436 is correct, I wouldn’t feel comfortable using upload-artifact.
