question-mark

Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Document how to separate codecov-action use into a separate job

See original GitHub issue

Issue Description

In the README.md of this action, the documented way of using codecov-action is to run it as a step of the same job that collects the coverage info. However, I think it would be better for security and reliability if CodeCov recommended using codecov-action in a separate job instead.

I have been investigating minimization of GITHUB_TOKEN permissions based on https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ and similar. According to that blog post, it is only possible to control permissions on GITHUB_TOKEN on a per-workflow or per-job basis, not a per-step basis. It thus seems GitHub Actions treats the job as the unit of security. Consequently, it seems desirable to put tasks with different permission needs into separate jobs. In particular, I think people will start wanting to have separate jobs for collecting coverage and uploading coverage to Codecov. This way, the job that uploads to codecov wouldn’t even need contents: read permission on the GitHub token and it wouldn’t accidentally get access to the token through the unfortunate persist-credentials: true default of actions/checkout.

Further in issue #234 some users seem to have encountered some timeout issue when there is a long period of time between jobs that submit coverage to codecov when they don’t use a codecov token. Codecov developers have suggested that using a codecov access token is a way to work around that problem. However, I think many people are like me and would like to avoid maintaining a GitHub secret just for the codecov token for a public [edit] repo. An alternative solution would be:

  1. Run all the jobs that collect coverage info and save the coverage data as an GitHub Actions artifacts.
  2. Have a separate job for uploading to codecov, that depends on the jobs that collect the coverage. This job would download all the artifacts from the coverage collection jobs and then submit them all at once to codecov.

Since the upload to codecov would happen in only one place, the timeout issue would seem to go away.

Issue Analytics

  • State:open
  • Created 2 years ago
  • Reactions:3
  • Comments:7 (1 by maintainers)

github_iconTop GitHub Comments

3reactions
briansmithcommented, Apr 29, 2021

Also, having a separate job for the uploading would reduce the annoyance where the Codecov commenter comments about a reduction of code coverage before it has received all the coverage data.

0reactions
briansmithcommented, May 11, 2021

Indeed, assuming the comment https://github.com/actions/upload-artifact/issues/197#issuecomment-832279436 is correct, I wouldn’t feel comfortable using upload-artifact.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Uploading Code Coverage in a Separate Job on GitHub Actions
This tutorial walks through how to upload coverage reports in a separate job on GitHub Actions. Although all developers can benefit from ...
Read more >
Quick Start - Codecov
Step 1: Sign up for Codecov · Step 2: Get the repository upload token · Step 3: Setup integration/team bot · Step 4:...
Read more >
How to Generate a Code Coverage Report with CodeCov and ...
Create a .github file at the root of your project folder. Inside the .github folder, create a workflows folder. Then inside workflows ...
Read more >
Optimal usage of codecov in a monorepo context with ...
I know it's possible to use a comma-separated value to upload multiple files, but I have to set a separate flag for each...
Read more >
azu on Twitter: "見てる: "Document how to separate codecov-action ...
見てる: "Document how to separate codecov-action use into a separate job · Issue #300 · codecov/codecov-action". The following media includes potentially ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found