Julian / venvs

venvs creates virtualenvs
https://pypi.org/project/venvs/
MIT License

PR fails to upload coverage data #90

Closed altendky closed 4 years ago

altendky commented 4 years ago

Maybe make the repository upload token available for PRs?

https://github.com/Julian/venvs/pull/48/checks?check_run_id=365463489#step:6:363

Error: Missing repository upload token

Julian commented 4 years ago

Hummm let's see how you do that...

Julian commented 4 years ago

Yeah I have no idea how to make this work I see nothing that'd let you do that, wat :/

altendky commented 4 years ago

How is it set up now? As an environment variable? Not at all because of codecov integration with github?

So there is https://github.com/codecov/codecov-action but sure, I would rather do CI agnostic activities with CI agnostic code.

Julian commented 4 years ago

It's currently just using the codecov executable directly, because of, yeah, your second point, but I don't think it matters much; the issue is just whether GHA supports sharing secrets with PRs (without, say, letting them change the workflow code to be able to steal them).

Even if I were using the "official" codecov-action GHA I think you'd have the same issue.

Julian commented 4 years ago

Yeah it looks like that's the case, and that obviously this is already a known issue:

https://github.com/codecov/codecov-action/issues/29

and

https://github.community/t5/GitHub-Actions/Make-secrets-available-to-builds-of-forks/m-p/30678/highlight/true#M508

Fun.

Julian commented 4 years ago

Sigh, I guess for now just disabling running coverage for PRs.
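One way to express "disable coverage upload for PRs" in a GitHub Actions workflow, as an added example that is not the venvs repository's own workflow: the upload step is gated so it only runs for pushes and for pull requests whose head branch lives in this repository, since fork-triggered runs never receive repository secrets. The secret name `CODECOV_TOKEN`, the action versions and the `tox` test command are assumptions.

```yaml
# Added example, not the project's workflow. Assumes the repository secret is
# named CODECOV_TOKEN and that tests run via tox.
name: CI
on: [push, pull_request]

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v1
        with:
          python-version: "3.8"
      - run: python -m pip install tox codecov
      - run: tox

      - name: Upload coverage
        # Secrets are exposed to push builds and to PRs from branches of this
        # repository, but not to PRs from forks. Without this guard the codecov
        # executable fails on fork PRs with "Missing repository upload token".
        if: >-
          github.event_name == 'push' ||
          github.event.pull_request.head.repo.full_name == github.repository
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
        run: codecov
```

Fork PRs still run the test suite; only the upload step is skipped, so a missing token can no longer fail the check.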

altendky commented 4 years ago

Trio anyways decided that submitting code coverage results was an unlikely attack vector with minimal damage and just made the code public. Granted that's assuming everything else in the security chain works...

Julian commented 4 years ago

The token you mean? Yeah I probably agree with that especially considering I never even look at codecov.io, sounds reasonable to me.
