codacy / codacy-coverage-reporter

Multi-language coverage reporter for Codacy
https://www.codacy.com

[TCE-969] Pull request and push are failed: project or account API token not found #502

Open vitalijr2 opened 1 month ago

vitalijr2 commented 1 month ago

I am using Codacy actions for many of my projects, but since March I have met an issue with the Coverage Reporter.

It says that it cannot find the project token, while other Codacy actions work well. (screenshot)

The issue: (screenshot)

Action source is here https://github.com/vitalijr2/tidy-chat/blob/main/.github/workflows/codacy.yml

Related issue: TCE-897 Pull-Request from contributors can't find CODACY_PROJECT_TOKEN

github-actions[bot] commented 1 month ago

Internal ticket created : TCE-969

vitalijr2 commented 1 month ago

There is strange behavior of the action:

PR Bump mockito.version from 5.11.0 to 5.12.0:

vitalijr2 commented 1 month ago

Looks like I have found a solution.

First I used versions from Codacy action and Codacy documentation:

```yaml
...
uses: codacy/codacy-analysis-cli-action@3ff...4f93
...
uses: codacy/codacy-coverage-reporter-action@v1
...
```

The dependency bot sometimes updated codacy-analysis-cli-action but never updated codacy-coverage-reporter-action.

When I dealt with this issue, I noticed that the version of codacy-coverage-reporter-action is very old. Then I decided to update both versions manually. And now the issue is no longer observed in all four repositories where it was before.

My current Codacy workflow looks like:

```yaml
name: "Codacy"

on:
  push:
    branches: [ "**" ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ "**" ]

jobs:
  build:
    name: Maven build
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Setup Java JDK
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: 17
      - name: Build with Maven
        run: ./mvnw --batch-mode
      - name: Temporarily save target and test requests
        uses: actions/upload-artifact@master
        with:
          name: tests-and-target
          path: |
            target
          retention-days: 1
  codacy-security-scan:
    name: Codacy Security Scan
    needs: build
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Run Codacy Analysis CLI
        uses: codacy/codacy-analysis-cli-action@v4.4.1
        with:
          project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
          verbose: true
          output: results.sarif
          format: sarif
          gh-code-scanning-compat: true
          max-allowed-issues: 2147483647
      - name: Upload SARIF results file
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
  codacy-coverage-reporter:
    name: Codacy Coverage Reporter
    needs: build
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Retrieve saved test requests and target
        uses: actions/download-artifact@master
        with:
          name: tests-and-target
          path: target
      - name: Run Codacy Coverage Reporter
        uses: codacy/codacy-coverage-reporter-action@v1.3.0
        with:
          coverage-reports: target/site/jacoco/jacoco.xml
          project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
```

asturio commented 1 month ago

Is it still working for you?

vitalijr2 commented 1 month ago

Last Sunday I met this issue on my ijhttp-tools repo, see PRs 1, 2, 3.

Then I updated the development branch (the base for these PRs): changed the versions of both codacy/codacy-analysis-cli-action and codacy/codacy-coverage-reporter-action to v4.4.1 and v1.3.0 respectively. Then I merged the changes back to the branches - all workflows done well.

I will not close the PR yet - maybe it will be useful for you.

vitalijr2 commented 1 month ago

Maybe one picture is better than 1000 words :) (screenshot)

vitalijr2 commented 2 weeks ago

I was wrong: it happened again. And again. Even with updated versions for both actions: coverage and security check.

Codacy Coverage Reporter failed on a missing API token https://github.com/vitalijr2/aws-lambda-slf4j/actions/runs/9535472577/job/26281254400?pr=30 https://github.com/vitalijr2/aws-lambda-slf4j/actions/runs/9535472459/job/26281254992?pr=30

But some other Codacy actions can find it! https://github.com/vitalijr2/aws-lambda-slf4j/actions/runs/9535472577/job/26281254484?pr=30 https://github.com/vitalijr2/aws-lambda-slf4j/actions/runs/9535472459/job/26281255094?pr=30 https://github.com/vitalijr2/aws-lambda-slf4j/pull/30/checks?check_run_id=26281290537 https://github.com/vitalijr2/aws-lambda-slf4j/pull/30/checks?check_run_id=26281290518 etc.

Also Codacy Static Code Analysis fails https://github.com/vitalijr2/aws-lambda-slf4j/pull/30/checks?check_run_id=26281275633 but Codacy says nothing about what happened https://app.codacy.com/gh/vitalijr2/aws-lambda-slf4j/pull-requests/30 and the logs are empty (screenshot)

vitalijr2 commented 2 weeks ago

Now I have three PRs from the dependency bot https://github.com/vitalijr2/aws-lambda-slf4j/pull/30 https://github.com/vitalijr2/aws-lambda-slf4j/pull/29 https://github.com/vitalijr2/aws-lambda-slf4j/pull/28 and all of them failed because of Codacy Coverage Reporter (which says it could not find the project API token) and Codacy Static Code Analysis (which says nothing).

vitalijr2 commented 2 weeks ago

Another two cases, same issues with reporter and static code analyser https://github.com/vitalijr2/ijhttp-tools/pull/32 https://github.com/vitalijr2/ijhttp-tools/pull/31

vitalijr2 commented 2 weeks ago

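Uhhh, looks like it is a GitHub feature especially for Dependabot:

When a Dependabot event triggers a workflow, the only secrets available to the workflow are Dependabot secrets. See:

* [Dependabot triggered Actions cant access secrets or use a writable token](https://github.com/dependabot/dependabot-core/issues/3253)

* [Automating Dependabot with GitHub Actions: Accessing secrets](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#accessing-secrets)

I have copied the CODACY_PROJECT_TOKEN to Settings => Secrets and variables => Dependabot secrets, then re-ran the coverage jobs and all are green. The static code analyser's issue still exists.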

asturio commented 2 weeks ago

> Uhhh, looks like it is a GitHub feature especially for Dependabot:
>
> When a Dependabot event triggers a workflow, the only secrets available to the workflow are Dependabot secrets. See:
>
> * [Dependabot triggered Actions cant access secrets or use a writable token](https://github.com/dependabot/dependabot-core/issues/3253)
>
> * [Automating Dependabot with GitHub Actions: Accessing secrets](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#accessing-secrets)
>
> I have copied the CODACY_PROJECT_TOKEN to Settings => Secrets and variables => Dependabot secrets, then re-ran the coverage jobs and all are green. The static code analyser's issue still exists.

Oh, THIS makes sense.
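
The root cause found in this thread can be surfaced directly in the job log with a preflight step placed before the coverage reporter. The following is an added example, not code from the thread or from Codacy; the function names and the `HEAD_REPO` variable are assumptions, and it goes one step beyond the thread by also covering pull requests from forks, which do not receive repository secrets either.

```shell
#!/usr/bin/env bash
# Added example: explain WHY CODACY_PROJECT_TOKEN is empty before the
# coverage reporter fails with a generic "token not found" error.
# Expected step env (HEAD_REPO is an assumed name chosen for this example):
#   CODACY_PROJECT_TOKEN: ${{ secrets.CODACY_PROJECT_TOKEN }}
#   HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
# GITHUB_ACTOR, GITHUB_EVENT_NAME and GITHUB_REPOSITORY are set by the runner.

# Args: token actor event head_repo base_repo
# Prints one of: ok | dependabot-secrets | fork-pr | unset
diagnose_token() {
  if [ -n "$1" ]; then
    echo ok
  elif [ "$2" = "dependabot[bot]" ]; then
    # Dependabot-triggered runs only see the Dependabot secret store.
    echo dependabot-secrets
  elif [ "$3" = "pull_request" ] && [ -n "$4" ] && [ "$4" != "$5" ]; then
    # Head repository differs from the base repository: PR from a fork.
    echo fork-pr
  else
    echo unset
  fi
}

# Reads the runner environment; returns 0 only when the token is present.
preflight() {
  verdict=$(diagnose_token "${CODACY_PROJECT_TOKEN:-}" "${GITHUB_ACTOR:-}" \
    "${GITHUB_EVENT_NAME:-}" "${HEAD_REPO:-}" "${GITHUB_REPOSITORY:-}")
  case "$verdict" in
    ok) return 0 ;;
    dependabot-secrets)
      echo "::error::CODACY_PROJECT_TOKEN is empty: this run was triggered by Dependabot, which only receives Dependabot secrets. Add the token under Settings => Secrets and variables => Dependabot." ;;
    fork-pr)
      echo "::error::CODACY_PROJECT_TOKEN is empty: pull requests from forks do not receive repository secrets." ;;
    *)
      echo "::error::CODACY_PROJECT_TOKEN is not defined for this repository." ;;
  esac
  return 1
}

# Constructed sample input (not real workflow data): a Dependabot PR run
# in which the repository secret was not passed to the job.
diagnose_token "" "dependabot[bot]" pull_request "example/repo" "example/repo"
```

In a workflow, call `preflight` as the last line of a `run:` step that precedes the reporter step, so the job stops with the specific reason.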