Skip to content

ci: use OIDC for codecov-action #926

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
wanghan-iapcm merged 1 commit into from
Jan 26, 2026
Merged

ci: use OIDC for codecov-action #926

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 6 additions & 2 deletions .github/workflows/test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
name: Python package

on:
- push
- pull_request
- push
- pull_request

jobs:
build:
Expand Down Expand Up @@ -33,6 +33,8 @@ jobs:
uses: codecov/codecov-action@v5
env:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
with:
use_oidc: true
Comment on lines 33 to +37
Copy link

@coderabbitai coderabbitai bot Jan 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

codecov/codecov-action v5 OIDC CODECOV_TOKEN required documentation

💡 Result:

For codecov/codecov-action@v5, CODECOV_TOKEN is not required if you use OIDC.

  • OIDC upload (no token): set use_oidc: true and grant the workflow/job id-token: write. Any token / CODECOV_TOKEN you provide will be ignored when OIDC is enabled. [1]

    permissions:
  id-token: write

steps:
  - uses: actions/checkout@v4
  - uses: codecov/codecov-action@v5
    with:
      use_oidc: true

  • Token upload (when OIDC is not used): you may still need CODECOV_TOKEN depending on your repo/org settings (e.g., private repos require a token, and public repos may require one for protected branches unless token authentication is disabled). [2]

Sources: Codecov Action v5 README (OIDC section) [1]; Codecov “When do I need a token?” docs [2].

Remove CODECOV_TOKEN when using OIDC.

With use_oidc: true, the CODECOV_TOKEN environment variable is unnecessary and ignored. Exporting the secret keeps it in the runner environment without purpose. Remove the env block and consider deleting the secret from repo settings if no longer needed.

Proposed change 
-    - name: Run codecov
-      uses: codecov/codecov-action@v5
-      env:
-        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-      with:
-        use_oidc: true
+    - name: Run codecov
+      uses: codecov/codecov-action@v5
+      with:
+        use_oidc: true
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
uses: codecov/codecov-action@v5
env:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
with:
use_oidc: true
uses: codecov/codecov-action@v5
with:
use_oidc: true
🤖 Prompt for AI Agents 
In @.github/workflows/test.yml around lines 33 - 37, The workflow sets
CODECOV_TOKEN in the env block for the codecov/codecov-action even though
use_oidc: true is enabled; remove the env: CODECOV_TOKEN declaration so the
action relies on OIDC instead (delete the env block that contains CODECOV_TOKEN
from the codecov/codecov-action step), and optionally remove the CODECOV_TOKEN
secret from repository settings if it's no longer needed.

pass:
needs: [build]
runs-on: ubuntu-latest
Expand All @@ -42,3 +44,5 @@ jobs:
uses: re-actors/alls-green@release/v1
with:
jobs: ${{ toJSON(needs) }}
permissions:
id-token: write
Comment on lines +47 to +48
Copy link

@coderabbitai coderabbitai bot Jan 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

GitHub Actions workflow permissions defaults unspecified none

💡 Result:

  • If your workflow/job does not include a permissions: block at all, GitHub uses the repository’s (or org’s) default GITHUB_TOKEN permissions. Repos/orgs created on or after Feb 2, 2023 default to read-only, while those created before Feb 2, 2023 default to read/write (unless an admin changed the default in settings). [1][3]
  • If you do include a permissions: block, then any permission scope you don’t specify is set to none (i.e., unspecified scopes become no-access). [2]
  • Practical takeaway:
    • Want “use the repo/org default”? omit permissions: entirely. [3]
    • Want “everything not explicitly granted should be none”? add permissions: and list only what you need. [2][3]

Sources: [1] GitHub Docs (enterprise/org default workflow permissions) • [2] GitHub Changelog (missing scopes => none) • [3] CodeQL help (no explicit permissions => repo/org defaults)

🌐 Web query:

actions/checkout contents read permission required

💡 Result:

actions/checkout needs the workflow’s GITHUB_TOKEN to be able to read repository contents, so you must grant contents: read (unless you provide another auth method via the action’s token or ssh-key inputs). The actions/checkout README explicitly recommends this permission block. [1]

Add one of these:

Workflow-wide

permissions:
  contents: read

Job-only

jobs:
  build:
    permissions:
      contents: read

Common gotcha: if you set any permissions: in a workflow/job, any scope you don’t list becomes none, so checkout fails unless contents: read is included. GitHub’s docs confirm unspecified permissions become none. [2]

If you still can’t use actions/checkout: your org/repo may be configured to allow only actions from your organization, which blocks GitHub-authored actions like actions/checkout. [3]

Sources: [1] [2] [3]

🌐 Web query:

GitHub Actions permissions scope default behavior private repository

💡 Result:

In a private GitHub repository, the default GitHub Actions GITHUB_TOKEN permission scope is not “always write”—it depends on the repo/org/enterprise “Workflow permissions” default (and, for orgs/enterprises, often the creation date of the org/enterprise).

  • Default for new repos/orgs/enterprises (created on/after Feb 2, 2023): GITHUB_TOKEN defaults to read-only (effectively the “restricted” default, i.e., read access for contents (and typically packages) unless you grant more). (github.blog)
  • Older orgs/enterprises (created before Feb 2, 2023): may still default to read/write for all scopes unless an admin changed the “Workflow permissions” setting. (docs.github.com)
  • You can override in workflow YAML with permissions: at the workflow/job level; any permission you don’t list becomes none (with special cases like fork PR behavior). (github.blog)
  • Fork PRs are treated specially (e.g., token is constrained/read-only in those contexts), and for forks the token may only have read access to the parent repo. (github.blog)

Citations:

Add contents: read permission for actions/checkout to work.

When a permissions: block is present, any unspecified permission scope is set to none. Since actions/checkout requires read access to repository contents, you must explicitly grant contents: read alongside id-token: write.

Proposed change 
 permissions:
+  contents: read
   id-token: write
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
permissions:
id-token: write
permissions:
contents: read
id-token: write
🤖 Prompt for AI Agents 
In @.github/workflows/test.yml around lines 47 - 48, The workflow's permissions
block only grants "id-token: write" which leaves all other scopes as none and
breaks actions/checkout; update the permissions section to also include
"contents: read" so actions/checkout can access repository files (modify the
permissions block that currently contains "id-token: write" to add "contents:
read").

Loading