Conversation

@njzjz-bot njzjz-bot commented Jan 24, 2026

Replace token-based authentication with OIDC (OpenID Connect) for codecov-action.
This is more secure and eliminates the need to manage upload tokens.

Changes:

  • Add use_oidc: true to codecov-action configuration
  • Add id-token: write permission at workflow level
  • Remove token parameter from codecov-action (ignored when using OIDC)

This improves security and follows codecov-action best practices.

Generated by the task: njzjz-bot/njzjz-bot#25.

Summary by CodeRabbit

  • Chores
    • Enhanced CI/CD pipeline security with OIDC-based authentication for code coverage reporting and updated workflow permissions configuration.


@dosubot dosubot bot added the build label Jan 24, 2026

coderabbitai bot commented Jan 24, 2026

📝 Walkthrough

Two GitHub Actions workflow files are updated to enable OIDC-based authentication for Codecov integration. Both workflows receive top-level permissions blocks granting id-token write access, the codecov-action step is configured with use_oidc: true, and YAML formatting is adjusted for consistency.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| GitHub Actions OIDC Configuration: .github/workflows/test_cc.yml, .github/workflows/test_python.yml | Added top-level permissions block with id-token: write to both workflows. Updated codecov-action to use OIDC authentication via use_oidc: true. Minor YAML formatting adjustments including re-indentation of branch filtering arrays. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title 'ci: use OIDC for codecov-action' directly and accurately describes the main change: enabling OIDC authentication for codecov-action in CI workflows. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 4

🤖 Fix all issues with AI agents
In @.github/workflows/test_cc.yml:
- Around line 116-117: The workflow-level permissions block currently sets only
"id-token: write"; update the permissions block to include "contents: read"
alongside "id-token: write" so actions/checkout@v6 has the required repo read
access—modify the permissions section (the permissions: id-token: write entry)
to add contents: read at the same level.
- Around line 101-105: Remove the unnecessary CODECOV_TOKEN environment variable
from the codecov action block since codecov/codecov-action@v5 uses OIDC when
use_oidc: true; update the action stanza that references uses:
codecov/codecov-action@v5 and env: CODECOV_TOKEN to delete the CODECOV_TOKEN
entry so only use_oidc: true remains for authentication.

In @.github/workflows/test_python.yml:
- Around line 119-120: The workflow-level permissions currently set only
"id-token: write" override defaults and break actions/checkout; update the
permissions block by adding "contents: read" alongside "id-token: write" so
actions/checkout can access the repository contents (i.e., change the
permissions stanza that contains "id-token: write" to include "contents: read"
as well).
- Around line 79-83: The workflow still defines the CODECOV_TOKEN environment
variable for the codecov/codecov-action@v5 step while also setting with:
use_oidc: true; remove the unnecessary secret exposure by deleting the env:
CODECOV_TOKEN line (or conditionally set it only when use_oidc is false) so the
Codecov action relies on OIDC instead of the secret; locate the
codecov/codecov-action@v5 step to remove the CODECOV_TOKEN env entry and ensure
the with: use_oidc: true remains.

Comment on lines 101 to +105
- uses: codecov/codecov-action@v5
env:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
with:
use_oidc: true
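Review bot: `codecov/codecov-action@v5` on the first line of this step is a mutable major tag, and after this change the step runs with the job's OIDC identity; pin the action to a full commit SHA (keeping the version in a trailing comment) so a moved or compromised tag cannot change what executes with that token. The `env: CODECOV_TOKEN` line is also dead configuration once `use_oidc: true` is set, since the action ignores a supplied token in that mode, and exposing the secret to the step buys nothing.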

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

codecov codecov-action v5 use_oidc CODECOV_TOKEN documentation

💡 Result:

codecov/codecov-action@v5: using OIDC (no CODECOV_TOKEN)

In v5, you can authenticate uploads with GitHub OIDC by setting use_oidc: true and granting the workflow (or job) id-token: write permission. If you also pass a token, it will be ignored (OIDC is used instead). [1]

permissions:
  id-token: write

steps:
  - uses: actions/checkout@v4
  - uses: codecov/codecov-action@v5
    with:
      use_oidc: true

Using CODECOV_TOKEN (token-based upload)

If you’re not using OIDC, pass a token either via the token: input or the CODECOV_TOKEN environment variable (typically sourced from secrets.CODECOV_TOKEN). [1][2]

- uses: codecov/codecov-action@v5
  with:
    token: ${{ secrets.CODECOV_TOKEN }}
# or:
- uses: codecov/codecov-action@v5
  env:
    CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

When a token is required

Codecov’s docs note: private repos require a token; for public repos, token requirements depend on org/repo settings and whether the upload is for a protected branch (unless token auth for public repos is disabled). [2]

Sources: [1] codecov/codecov-action README (v5, “Using OIDC”, token env/input) • [2] Codecov Docs: “Codecov Tokens” (when tokens are required, how to set CODECOV_TOKEN)


Remove CODECOV_TOKEN when using OIDC.

When use_oidc: true is set in codecov-action v5, any provided token is ignored and OIDC is used for authentication instead. Exposing the CODECOV_TOKEN secret in this configuration unnecessarily increases secret exposure without providing any value.

✅ Suggested fix
 - uses: codecov/codecov-action@v5
-  env:
-    CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
   with:
     use_oidc: true

Comment on lines +116 to +117
permissions:
id-token: write
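Review bot: a workflow-level `permissions:` block that lists only `id-token: write` is a replacement for the default GITHUB_TOKEN grants, not an addition to them, so every unlisted scope, `contents` included, becomes `none` for every job in this file; add `contents: read` on the line after `permissions:` so the checkout step still has an explicit read grant, and keep the block to those two scopes.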

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/test_cc.yml | sed -n '100,130p'

Repository: deepmodeling/deepmd-kit



🏁 Script executed:

rg 'actions/checkout' .github/workflows/test_cc.yml -B 2 -A 5

Repository: deepmodeling/deepmd-kit



🌐 Web query:

GitHub Actions actions/checkout permissions requirements contents read

💡 Result:

actions/checkout needs permission to read repository contents (so it can fetch/clone the repo) when it uses the default GITHUB_TOKEN. The action’s docs recommend explicitly setting: permissions: contents: read, unless you provide alternate auth via the token or ssh-key inputs. [1][2]

Example:

permissions:
  contents: read

steps:
  - uses: actions/checkout@v6

Notes:

  • Many orgs default GITHUB_TOKEN to read-only; explicitly setting contents: read makes the requirement clear and avoids failures when workflows otherwise have restricted permissions. [3]
  • If your workflow needs to push commits/tags, you’ll need contents: write (not just read). [3]

Sources: [1] [2] [3]


Add contents: read alongside id-token: write.

Line 116 sets workflow-level permissions to only id-token: write, which overrides defaults. The actions/checkout@v6 step requires contents: read permission and will fail without it.

✅ Suggested fix
 permissions:
+  contents: read
   id-token: write

Comment on lines 79 to +83
- uses: codecov/codecov-action@v5
env:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
with:
use_oidc: true
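Review bot: with `use_oidc: true` on the last line, this step has to obtain an OIDC token from the runner, and that is only possible when the job actually holds `id-token: write`; if this workflow also runs on `pull_request` events from forks, where the job token is restricted, confirm that the upload step is skipped or tolerates a failed token request rather than failing the whole test job. The `env: CODECOV_TOKEN` entry above `with:` should be deleted at the same time, since the action does not use it once OIDC is enabled.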

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

codecov/codecov-action v5 OIDC use_oidc CODECOV_TOKEN documentation

💡 Result:

codecov/codecov-action@v5: use_oidc vs CODECOV_TOKEN

Where it’s documented

  • The official action README documents OIDC uploads via the use_oidc input and explains that any provided token is ignored when OIDC is enabled. (github.com)
  • Codecov’s docs explain when a CODECOV_TOKEN is required (e.g., private repos; certain public/protected-branch scenarios) and how tokenless uploads can work in some public-repo configurations. (docs.codecov.com)

OIDC (tokenless) example (v5)

permissions:
  id-token: write

steps:
  - uses: actions/checkout@v4
  - uses: codecov/codecov-action@v5
    with:
      use_oidc: true
  • Requires GitHub Actions permission: id-token: write. (github.com)
  • If you set use_oidc: true, any token: / CODECOV_TOKEN you provide is ignored (OIDC is used instead). (github.com)

Token-based example (v5)

steps:
  - uses: actions/checkout@v4
  - uses: codecov/codecov-action@v5
    with:
      token: ${{ secrets.CODECOV_TOKEN }}

(or equivalently via env)

steps:
  - uses: actions/checkout@v4
  - uses: codecov/codecov-action@v5
    env:
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

Both patterns are shown in the v5 README. (github.com)

When you still need CODECOV_TOKEN

Codecov documents that uploads generally require tokens for private repos, and for some public repo cases (notably protected branches depending on org settings). (docs.codecov.com)



Remove CODECOV_TOKEN when using OIDC.

When use_oidc: true is configured, the CODECOV_TOKEN environment variable is ignored per the official codecov-action documentation. Keeping it exposes an unnecessary secret to the workflow and contradicts the security goal of OIDC adoption.

Suggested fix
 - uses: codecov/codecov-action@v5
-  env:
-    CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
   with:
     use_oidc: true

Comment on lines +119 to +120
permissions:
id-token: write
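Review bot: granting `id-token: write` at workflow level means any step in any job of this file, third-party actions included, can request an OIDC token for an arbitrary audience, not only the Codecov upload step; move this grant into a job-level `permissions:` block on the single job that uploads coverage, and add `contents: read` next to it there, since a job-level block also replaces the defaults for every scope it does not list.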

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/test_python.yml | head -150

Repository: deepmodeling/deepmd-kit



🌐 Web query:

GitHub Actions checkout requires contents: read permission workflow level

💡 Result:

actions/checkout needs the workflow’s GITHUB_TOKEN to be able to read the repository contents. If your workflow/job sets a restrictive permissions: block (or your org/repo default token permissions are restricted), you must grant at least:

permissions:
  contents: read

You can set this at the workflow level (applies to all jobs) or per-job:

name: CI
on: [push, pull_request]

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5

This is the permission recommended by actions/checkout itself. [1] GitHub also supports configuring default GITHUB_TOKEN permissions at the repo/org level, but an explicit permissions: block in the workflow/job is the reliable way to ensure checkout can read code. [2]

Sources: [1] [2]


Add contents: read alongside id-token: write.

Line 119 sets workflow permissions to only id-token: write, which overrides defaults. actions/checkout (line 25) requires contents: read permission and will fail without it when workflow-level permissions are explicitly set.

Suggested fix
 permissions:
+  contents: read
   id-token: write
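The configuration the PR description and the review comments above converge on, as an added example written for this page rather than code taken from the deepmd-kit workflows: the first YAML document is the shape this PR introduces (workflow-level `id-token: write` as the only permission, and the upload secret still passed in `env`); the second is the hardened form. The job name `test`, the `pytest` command and the trigger filters are assumptions, not copied from `.github/workflows/test_python.yml`.

```yaml
# BEFORE (the shape introduced by this PR). Assumed job name, triggers and
# test command; only the permissions block and the Codecov step matter here.
name: Test Python (before)
on:
  push:
    branches: [master]
  pull_request:
# Listing only id-token REPLACES the default GITHUB_TOKEN grants: every
# unlisted scope (contents, pull-requests, ...) is now "none" for all jobs.
permissions:
  id-token: write
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - run: pytest --cov --cov-report=xml      # assumed test command
      - uses: codecov/codecov-action@v5
        env:
          # Ignored by the action once use_oidc is true, but still exposed
          # to the step and to anything that can read its environment.
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
        with:
          use_oidc: true
---
# AFTER (hardened). Same assumptions as above.
name: Test Python (after)
on:
  push:
    branches: [master]
  pull_request:
# Workflow default for every job: read the code, nothing else.
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    # A job-level block is also a full replacement, so contents: read is
    # repeated. Only this job can mint an OIDC token; other jobs cannot.
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v6
      - run: pytest --cov --cov-report=xml      # assumed test command
      # Pin this to a full commit SHA before merging; "v5" is a mutable tag.
      - uses: codecov/codecov-action@v5
        with:
          use_oidc: true
```

`id-token: write` is the only extra scope the Codecov OIDC upload needs, and scoping it to the upload job keeps the ability to request tokens for any audience away from the other jobs' steps. Removing `CODECOV_TOKEN` from the step is not cosmetic: the action ignores it in OIDC mode, so its only effect is to make the secret available to the step's environment.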

@codecov

codecov bot commented Jan 24, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.95%. Comparing base (e8afb6e) to head (06cc9c1).

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #5173   +/-   ##
=======================================
  Coverage   81.95%   81.95%           
=======================================
  Files         714      714           
  Lines       73434    73434           
  Branches     3616     3617    +1     
=======================================
  Hits        60180    60180           
  Misses      12091    12091           
  Partials     1163     1163           

