jenkins-infra / helpdesk

Open your Infrastructure related issues here for the Jenkins project
https://github.com/jenkins-infra/helpdesk/issues/new/choose

[oic-auth-plugin] CodeCov stopped working 1 month ago #4267

Open michael-doubez opened 3 weeks ago

michael-doubez commented 3 weeks ago

Service(s)

GitHub

Summary

Hello,

CodeCov report upload stopped working 1 month ago. I could not find any reference in the documentation - is CodeCov usage deprecated?

I still see the GitHubApp installed but the GitHub action fails with an error about a missing token. I tried to provide my own personal token but I didn't have the rights to upload a report.

Reproduction steps

  1. Trigger CodeCov report github action
  2. Job succeeds
  3. Logs show the token is missing

See https://github.com/jenkinsci/oic-auth-plugin/blob/master/.github/workflows/ci.yml

dduportal commented 1 week ago

For info:

I see that you introduced the GHA build 2 years ago in https://github.com/jenkinsci/oic-auth-plugin/commit/fc9ee865ed0831a9a00cdd24901711f5e8f02749 but I don't see any associated PR which could have documented it. @michael-doubez Do you remember how it was configured and by whom?

The secret CODECOV_TOKEN might come from:

timja commented 1 week ago

There's no organisation or repository level CODECOV_TOKEN

OIDC auth looks to be the easiest if you could try use that: https://github.com/codecov/codecov-action#using-oidc

dduportal commented 1 week ago

Hi @michael-doubez any news or feedback?

dduportal commented 3 days ago

Closing as there are no actionable items for the Jenkins infra team, and no response from the requester.

Please feel free to reopen with details if the provided solutions do not work!

michael-doubez commented 1 day ago

Sorry, I was on vacation.

@dduportal I don't remember, I think it used to be part of the plugin modernisation checklist but I can no longer find it.

I expect the token comes from an APP installed on the github org. I could use my personal token but it doesn't work because I don't have the relevant rights in codecov org.

dduportal commented 1 day ago

@michael-doubez no problem, I hope you enjoyed your vacation! 👍 I've reopened the issue.

As indicated by Tim above:

> OIDC auth looks to be the easiest if you could try use that: https://github.com/codecov/codecov-action#using-oidc

You should be able to switch to a tokenless coverage upload by changing the GitHub Actions workflow. Would that work?

michael-doubez commented 1 day ago

I tried it just now and it failed (I guess OIDC is not enabled).

Error: Codecov: Failed to get OIDC token with url: https://codecov.io./ Error message: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable

See: https://github.com/jenkinsci/oic-auth-plugin/commit/f0ef5863a6b15954cfbe270f0dc3bfb67e08418a

The root cause may be on codecov side: https://github.com/codecov/codecov-action/issues/1359

michael-doubez commented 1 day ago

I don't understand why other plugins don't have the issue. Ex: https://github.com/jenkinsci/badge-plugin/blob/master/.github/workflows/codecov.yml#L25

dduportal commented 19 hours ago

> I don't understand why other plugins don't have the issue. Ex: https://github.com/jenkinsci/badge-plugin/blob/master/.github/workflows/codecov.yml#L25

Ping @timja (as you have admin access to jenkinsci GH org which I don't)

timja commented 16 hours ago

The badge plugin has someone's personal token set up

timja commented 16 hours ago

Looks like you haven't added the permission to id-token, see https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers#adding-permissions-settings
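
The permission setting pointed to in the comment above, combined with the OIDC option from the codecov-action README linked earlier in the thread, as an added example (not the plugin's actual workflow). The workflow name, job name, build command and action version tags are assumptions.

```yaml
# Added example, not taken from jenkinsci/oic-auth-plugin.
# Assumed: workflow/job names, the Maven build command, the @v4 version tags.
name: coverage
on:
  push:
    branches: [master]

jobs:
  coverage:
    runs-on: ubuntu-latest
    # Without "id-token: write" the runner does not expose
    # ACTIONS_ID_TOKEN_REQUEST_URL to the job, which is the failure
    # reported in this thread ("Unable to get ACTIONS_ID_TOKEN_REQUEST_URL
    # env variable").
    permissions:
      id-token: write   # allow the job to request a GitHub OIDC token
      contents: read    # declaring any permission sets the others to none;
                        # checkout still needs read access to the repository
    steps:
      - uses: actions/checkout@v4
      - name: Build and generate the coverage report (placeholder command)
        run: mvn -B verify
      - uses: codecov/codecov-action@v4
        with:
          use_oidc: true   # authenticate to Codecov with the OIDC token
                           # instead of a CODECOV_TOKEN secret
```

Scoping the `permissions` block to the job that uploads coverage keeps the OIDC token request out of reach of other jobs in the same workflow.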

michael-doubez commented 5 hours ago

> The badge plugin has someone's personal token set up

I tried that but my ID was not allowed in codecov org/repo.

michael-doubez commented 5 hours ago

> Looks like you haven't added the permission to id-token, see https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers#adding-permissions-settings

Damned. I'll try that. Thanks