Error: `Commit creating failed: {"detail":"You do not have permission to perform this action."}`

[josecelano]

I'm using a token, but I'm getting this error:

evenName: workflow_run
evenName: workflow_run
evenName: workflow_run
==> linux OS detected
https://cli.codecov.io/latest/linux/codecov.SHA256SUM
Received SHA256SUM 8777a6078323948d31cbd81b7776254d1fbfd6888c33dc899b1447b208d717f6  codecov
Received SHA256SUM signature -----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEJwNOf9uFDgu8LGL/gGuyiu13mGkFAmaAJWsACgkQgGuyiu13
mGkQ3A//dLrJ/XHpPp2thv4B5t4Vh2uREsyAYcxiZsp756tQkt+ITwWbyAGRBcrq
Pi9t/eLpo/AcNQhzVeApLMoBr7oe0Ysk98TAv7IaEUhpI8ewjCnYXLK7zn+dSkf7
/igUw+LPNS9a0eHnWuZAheVbAsBpHM5fDzp7/FiOzDsSwLCboyqZLb0VSkOY/UOo
2kPXTrf+ousvHeGeMbKlZhyVv6FHXP9BSwij+cwnBCFuJL0lRrPHK84AEpQ5a1hZ
siQ1jOzh3zecsCEH897EARf2006q4EVe6tLs6HyS0jCApek6nqnqtu2mJ7qNaP8e
snY6t65I9uYkyLWCHSm/90ukilIDOvuZQk+ywDDKPMh2MHQKw8CfD7hgllTDDQOj
1zFMvMIOaJx7XoxPPqCfm/ZllT5PlzwL+F2jIczFiMMTFa1xNKTfdnIfL5jZalgr
VElcqr/+RgYMVtIXhKhOXww7AHfzpSQzehiP/RYeDMM5/bxn5ATMo8Zq/MNL99V0
CdWBNJWALkruSev30uf4gX3hLqNDT5mt0oMQapRZAUIQFswHil3+gb46SojIq9lM
opyItwBNiI5O5sJ8UzZCn7RLfUXDnEWR3O2YUb2elZk9m24W3CW2gTtjShx5mrSb
bYleDtjW9Q2caH0Nv3toX3s+C5yDuHg7RBKHzzXDXA4LrFkGnec=
=EZuw
-----END PGP SIGNATURE-----

gpg: directory '/home/runner/.gnupg' created
gpg: keybox '/home/runner/.gnupg/pubring.kbx' created
gpg: /home/runner/.gnupg/trustdb.gpg: trustdb created
gpg: key 806BB28AED779869: public key "Codecov Uploader (Codecov Uploader Verification Key) <security@codecov.io>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: Signature made Sat Jun 29 15:16:59 2024 UTC
gpg:                using RSA key 27034E7FDB850E0BBC2C62FF806BB28AED779869
gpg: Good signature from "Codecov Uploader (Codecov Uploader Verification Key) <security@codecov.io>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2703 4E7F DB85 0E0B BC2C  62FF 806B B28A ED77 9869
==> Uploader SHASUM verified (8777a6078323948d31cbd81b7776254d1fbfd6888c33dc899b1447b208d717f6  codecov)
==> Running version latest
==> Running version v0.7.2
==> Running git config --global --add safe.directory /home/runner/work/pull_request_target/pull_request_target
/usr/bin/git config --global --add safe.directory /home/runner/work/pull_request_target/pull_request_target
==> Running command '/home/runner/work/_actions/codecov/codecov-action/v4/dist/codecov -v create-commit'
/home/runner/work/_actions/codecov/codecov-action/v4/dist/codecov -v create-commit --git-service github -C 244db3b3de5d01bca44a92c3ffb45e067e1d3ba9 --pr 16 -Z
info - 2024-07-[12](https://github.com/josecelano-test/pull_request_target/actions/runs/9907290283/job/27370651458#step:5:13) 11:42:10,908 -- ci service found: github-actions
debug - 2024-07-12 11:42:10,911 -- versioning system found: <class 'codecov_cli.helpers.versioning_systems.GitVersioningSystem'>
debug - 2024-07-12 11:42:10,9[14](https://github.com/josecelano-test/pull_request_target/actions/runs/9907290283/job/27370651458#step:5:15) -- versioning system found: <class 'codecov_cli.helpers.versioning_systems.GitVersioningSystem'>
warning - 2024-07-12 11:42:10,9[16](https://github.com/josecelano-test/pull_request_target/actions/runs/9907290283/job/27370651458#step:5:17) -- No config file could be found. Ignoring config.
debug - 2024-07-12 11:42:10,917 -- No codecov_yaml found
debug - 2024-07-12 11:42:10,9[17](https://github.com/josecelano-test/pull_request_target/actions/runs/9907290283/job/27370651458#step:5:18) -- Starting create commit process --- {"commit_sha": "244db3b3de5d01bca44a92c3ffb45e067e1d3ba9", "parent_sha": null, "pr": "16", "branch": "develop", "slug": "josecelano-test/pull_request_target", "token": "e******************", "service": "github", "enterprise_url": null}
info - [20](https://github.com/josecelano-test/pull_request_target/actions/runs/9907290283/job/27370651458#step:5:21)24-07-12 11:42:11,096 -- Process Commit creating complete
debug - 2024-07-12 11:42:11,097 -- Commit creating result --- {"result": "RequestResult(error=RequestError(code='HTTP Error 403', params={}, description='{\"detail\":\"You do not have permission to perform this action.\"}'), warnings=[], status_code=403, text='{\"detail\":\"You do not have permission to perform this action.\"}')"}
error - 20[24](https://github.com/josecelano-test/pull_request_target/actions/runs/9907290283/job/27370651458#step:5:25)-07-12 11:42:11,097 -- Commit creating failed: {"detail":"You do not have permission to perform this action."}

The workflow: https://github.com/josecelano-test/pull_request_target/blob/develop/.github/workflows/upload_coverage_pr.yaml#L104-L119

I have another workflow using version 3, and it works:

https://github.com/josecelano-test/pull_request_target/blob/develop/.github/workflows/coverage.yaml#L78-L85

[josecelano]

It's also failing with the latest version: 4.5.0. See https://github.com/josecelano-test/pull_request_target/actions/runs/9907290283/job/28115928698#step:1:29

Download action repository 'codecov/codecov-action@v4' (SHA:e28ff129e5465c2c0dcc6f003fc735cb6ae0c673)

[Spacetown]

It's also failing with the latest version: 4.5.0. See https://github.com/josecelano-test/pull_request_target/actions/runs/9907290283/job/28115928698#step:1:29

Download action repository 'codecov/codecov-action@v4' (SHA:e28ff129e5465c2c0dcc6f003fc735cb6ae0c673)

Same for me. I'm wondering why in the log the first character of the token isn't masked: "token": "e******************"

For me (https://github.com/gcovr/gcovr/actions/runs/10461552705/job/28970126469) it shows "token": "6******************" but the token doesn't start with a 6.

[ajfriend]

We seem to be having the same issue here: https://github.com/uber/h3-py/pull/389

[beat-buesser]

We see the same issue in https://github.com/Trusted-AI/adversarial-robustness-toolbox. The new action codecov-action@v4 and secret for Dependabot have worked for the Dependabot-PR updating to codecov-action@v4, but it seems not to work for PRs already opened by Dependabot before upgrading to codecov-action@v4. I have not yet observed new Dependabot PRs and if codecov-action@v4 would work there.