46 changes: 25 additions & 21 deletions .github/workflows/test_cc.yml
@@ -1,10 +1,10 @@
on:
push:
branches-ignore:
- "gh-readonly-queue/**"
- "copilot/**"
- "dependabot/**"
- "pre-commit-ci-update-config"
- "gh-readonly-queue/**"
- "copilot/**"
- "dependabot/**"
- "pre-commit-ci-update-config"
pull_request:
merge_group:
concurrency:
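Review bot: this hunk shows the four `branches-ignore` entries twice with identical content, so the change here is re-indentation of the list only and does not alter which pushes trigger the workflow; worth confirming it comes from the formatter rather than hand edits, since the same whitespace churn repeats in the matrix and `run:` hunks below and makes the two substantive changes in this file (the Codecov OIDC switch and the new `permissions:` block) harder to spot in review.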
Expand All @@ -18,22 +18,22 @@ jobs:
strategy:
matrix:
include:
- check_memleak: true
enable_tensorflow: true
enable_pytorch: true
enable_paddle: false
- check_memleak: true
enable_tensorflow: false
enable_pytorch: false
enable_paddle: true
- check_memleak: false
enable_tensorflow: true
enable_pytorch: true
enable_paddle: false
- check_memleak: false
enable_tensorflow: false
enable_pytorch: false
enable_paddle: true
- check_memleak: true
enable_tensorflow: true
enable_pytorch: true
enable_paddle: false
- check_memleak: true
enable_tensorflow: false
enable_pytorch: false
enable_paddle: true
- check_memleak: false
enable_tensorflow: true
enable_pytorch: true
enable_paddle: false
- check_memleak: false
enable_tensorflow: false
enable_pytorch: false
enable_paddle: true
steps:
- uses: actions/checkout@v6
- uses: actions/setup-python@v6
Expand All @@ -54,7 +54,7 @@ jobs:
run: sudo sysctl vm.mmap_rnd_bits=28
if: ${{ matrix.check_memleak }}
- run: |
source/install/test_cc_local.sh
source/install/test_cc_local.sh
env:
OMP_NUM_THREADS: 1
TF_INTRA_OP_PARALLELISM_THREADS: 1
Expand Down Expand Up @@ -101,6 +101,8 @@ jobs:
- uses: codecov/codecov-action@v5
env:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
with:
use_oidc: true
Comment on lines 101 to +105
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

codecov codecov-action v5 use_oidc CODECOV_TOKEN documentation

💡 Result:

codecov/codecov-action@v5: using OIDC (no CODECOV_TOKEN)

In v5, you can authenticate uploads with GitHub OIDC by setting use_oidc: true and granting the workflow (or job) id-token: write permission. If you also pass a token, it will be ignored (OIDC is used instead). [1]

permissions:
  id-token: write

steps:
  - uses: actions/checkout@v4
  - uses: codecov/codecov-action@v5
    with:
      use_oidc: true

Using CODECOV_TOKEN (token-based upload)

If you’re not using OIDC, pass a token either via the token: input or the CODECOV_TOKEN environment variable (typically sourced from secrets.CODECOV_TOKEN). [1][2]

- uses: codecov/codecov-action@v5
  with:
    token: ${{ secrets.CODECOV_TOKEN }}
# or:
- uses: codecov/codecov-action@v5
  env:
    CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

When a token is required

Codecov’s docs note: private repos require a token; for public repos, token requirements depend on org/repo settings and whether the upload is for a protected branch (unless token auth for public repos is disabled). [2]

Sources: [1] codecov/codecov-action README (v5, “Using OIDC”, token env/input) • [2] Codecov Docs: “Codecov Tokens” (when tokens are required, how to set CODECOV_TOKEN)


Remove CODECOV_TOKEN when using OIDC.

When use_oidc: true is set in codecov-action v5, any provided token is ignored and OIDC is used for authentication instead. Exposing the CODECOV_TOKEN secret in this configuration unnecessarily increases secret exposure without providing any value.

✅ Suggested fix
 - uses: codecov/codecov-action@v5
-  env:
-    CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
   with:
     use_oidc: true
🤖 Prompt for AI Agents
In @.github/workflows/test_cc.yml around lines 101 - 105, Remove the unnecessary
CODECOV_TOKEN environment variable from the codecov action block since
codecov/codecov-action@v5 uses OIDC when use_oidc: true; update the action
stanza that references uses: codecov/codecov-action@v5 and env: CODECOV_TOKEN to
delete the CODECOV_TOKEN entry so only use_oidc: true remains for
authentication.

pass:
name: Pass testing C++
needs: [testcc]
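Review bot: the `env: CODECOV_TOKEN` block is kept alongside the new `with: use_oidc: true`; with OIDC enabled the v5 action ignores any token it is given, so the secret is being handed to the step for nothing, and the step should shrink to `- uses: codecov/codecov-action@v5` / `with:` / `use_oidc: true`. OIDC also only works if `id-token: write` actually reaches the `testcc` job, which this hunk does not show, and since the workflow runs on `pull_request`, it is worth checking how uploads behave for runs from forks, which get a read-only GITHUB_TOKEN and no OIDC token (skip the upload or tolerate its failure rather than falling back to the secret).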
Expand All @@ -111,3 +113,5 @@ jobs:
uses: re-actors/alls-green@release/v1
with:
jobs: ${{ toJSON(needs) }}
permissions:
id-token: write
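Review bot: a workflow-level `permissions:` block replaces the default GITHUB_TOKEN grants wholesale, so with only `id-token: write` here the `actions/checkout@v6` step earlier in this file loses `contents: read` and will fail to clone; add `contents: read` beneath `permissions:`. Putting the block at workflow level also hands `id-token: write` to every job, including `pass`, which only runs `re-actors/alls-green` and has no use for an OIDC token; moving the grant to a job-level `permissions:` on `testcc` (the job that uploads to Codecov) is the least-privilege shape.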
Comment on lines +116 to +117

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/test_cc.yml | sed -n '100,130p'

Repository: deepmodeling/deepmd-kit

Length of output: 662


🏁 Script executed:

rg 'actions/checkout' .github/workflows/test_cc.yml -B 2 -A 5

Repository: deepmodeling/deepmd-kit

Length of output: 274


🌐 Web query:

GitHub Actions actions/checkout permissions requirements contents read

💡 Result:

actions/checkout needs permission to read repository contents (so it can fetch/clone the repo) when it uses the default GITHUB_TOKEN. The action’s docs recommend explicitly setting: permissions: contents: read, unless you provide alternate auth via the token or ssh-key inputs. [1][2]

Example:

permissions:
  contents: read

steps:
  - uses: actions/checkout@v6

Notes:

  • Many orgs default GITHUB_TOKEN to read-only; explicitly setting contents: read makes the requirement clear and avoids failures when workflows otherwise have restricted permissions. [3]
  • If your workflow needs to push commits/tags, you’ll need contents: write (not just read). [3]

Sources: [1] [2] [3]


Add contents: read alongside id-token: write.

Line 116 sets workflow-level permissions to only id-token: write, which overrides defaults. The actions/checkout@v6 step requires contents: read permission and will fail without it.

✅ Suggested fix
 permissions:
+  contents: read
   id-token: write
🤖 Prompt for AI Agents
In @.github/workflows/test_cc.yml around lines 116 - 117, The workflow-level
permissions block currently sets only "id-token: write"; update the permissions
block to include "contents: read" alongside "id-token: write" so
actions/checkout@v6 has the required repo read access—modify the permissions
section (the permissions: id-token: write entry) to add contents: read at the
same level.

12 changes: 8 additions & 4 deletions .github/workflows/test_python.yml
@@ -1,10 +1,10 @@
on:
push:
branches-ignore:
- "gh-readonly-queue/**"
- "copilot/**"
- "dependabot/**"
- "pre-commit-ci-update-config"
- "gh-readonly-queue/**"
- "copilot/**"
- "dependabot/**"
- "pre-commit-ci-update-config"
pull_request:
merge_group:
concurrency:
Expand Down Expand Up @@ -79,6 +79,8 @@ jobs:
- uses: codecov/codecov-action@v5
env:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
with:
use_oidc: true
Comment on lines 79 to +83

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

codecov/codecov-action v5 OIDC use_oidc CODECOV_TOKEN documentation

💡 Result:

codecov/codecov-action@v5: use_oidc vs CODECOV_TOKEN

Where it’s documented

  • The official action README documents OIDC uploads via the use_oidc input and explains that any provided token is ignored when OIDC is enabled. (github.com)
  • Codecov’s docs explain when a CODECOV_TOKEN is required (e.g., private repos; certain public/protected-branch scenarios) and how tokenless uploads can work in some public-repo configurations. (docs.codecov.com)

OIDC (tokenless) example (v5)

permissions:
  id-token: write

steps:
  - uses: actions/checkout@v4
  - uses: codecov/codecov-action@v5
    with:
      use_oidc: true
  • Requires GitHub Actions permission: id-token: write. (github.com)
  • If you set use_oidc: true, any token: / CODECOV_TOKEN you provide is ignored (OIDC is used instead). (github.com)

Token-based example (v5)

steps:
  - uses: actions/checkout@v4
  - uses: codecov/codecov-action@v5
    with:
      token: ${{ secrets.CODECOV_TOKEN }}

(or equivalently via env)

steps:
  - uses: actions/checkout@v4
  - uses: codecov/codecov-action@v5
    env:
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

Both patterns are shown in the v5 README. (github.com)

When you still need CODECOV_TOKEN

Codecov documents that uploads generally require tokens for private repos, and for some public repo cases (notably protected branches depending on org settings). (docs.codecov.com)

Citations:


Remove CODECOV_TOKEN when using OIDC.

When use_oidc: true is configured, the CODECOV_TOKEN environment variable is ignored per the official codecov-action documentation. Keeping it exposes an unnecessary secret to the workflow and contradicts the security goal of OIDC adoption.

Suggested fix
 - uses: codecov/codecov-action@v5
-  env:
-    CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
   with:
     use_oidc: true
🤖 Prompt for AI Agents
In @.github/workflows/test_python.yml around lines 79 - 83, The workflow still
defines the CODECOV_TOKEN environment variable for the codecov/codecov-action@v5
step while also setting with: use_oidc: true; remove the unnecessary secret
exposure by deleting the env: CODECOV_TOKEN line (or conditionally set it only
when use_oidc is false) so the Codecov action relies on OIDC instead of the
secret; locate the codecov/codecov-action@v5 step to remove the CODECOV_TOKEN
env entry and ensure the with: use_oidc: true remains.

update_durations:
name: Combine and update integration test durations
runs-on: ubuntu-22.04
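Review bot: same issue as in test_cc.yml: `use_oidc: true` makes the action ignore the token, so the `env: CODECOV_TOKEN` lines should go rather than stay next to `with: use_oidc: true`; otherwise the secret is still injected into the step environment on every run for no benefit, which undercuts the point of switching to OIDC.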
Expand Down Expand Up @@ -114,3 +116,5 @@ jobs:
uses: re-actors/alls-green@release/v1
with:
jobs: ${{ toJSON(needs) }}
permissions:
id-token: write
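Review bot: as in test_cc.yml, this workflow-level block with only `id-token: write` drops the default `contents: read`, so the `actions/checkout` step the thread cites will fail to fetch the repository; add `contents: read` here, and consider scoping `id-token: write` to the job that performs the Codecov upload instead of granting it to `update_durations` and the other jobs in this file that never request an OIDC token.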
Comment on lines +119 to +120

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/test_python.yml | head -150

Repository: deepmodeling/deepmd-kit

Length of output: 5648


🌐 Web query:

GitHub Actions checkout requires contents: read permission workflow level

💡 Result:

actions/checkout needs the workflow’s GITHUB_TOKEN to be able to read the repository contents. If your workflow/job sets a restrictive permissions: block (or your org/repo default token permissions are restricted), you must grant at least:

permissions:
  contents: read

You can set this at the workflow level (applies to all jobs) or per-job:

name: CI
on: [push, pull_request]

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5

This is the permission recommended by actions/checkout itself. [1] GitHub also supports configuring default GITHUB_TOKEN permissions at the repo/org level, but an explicit permissions: block in the workflow/job is the reliable way to ensure checkout can read code. [2]

Sources: [1] [2]


Add contents: read alongside id-token: write.

Line 119 sets workflow permissions to only id-token: write, which overrides defaults. actions/checkout (line 25) requires contents: read permission and will fail without it when workflow-level permissions are explicitly set.

Suggested fix
 permissions:
+  contents: read
   id-token: write
🤖 Prompt for AI Agents
In @.github/workflows/test_python.yml around lines 119 - 120, The workflow-level
permissions currently set only "id-token: write" override defaults and break
actions/checkout; update the permissions block by adding "contents: read"
alongside "id-token: write" so actions/checkout can access the repository
contents (i.e., change the permissions stanza that contains "id-token: write" to
include "contents: read" as well).
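The two bot threads on each file raise the same pair of problems: a Codecov step that enables OIDC but still receives `CODECOV_TOKEN`, and an explicit `permissions:` block that silently drops `contents: read`. The following is an added example, not code from the deepmd-kit repository or from the review bot; it is a small linter that checks a parsed workflow for both problems, plus the least-privilege point that a workflow-wide `id-token: write` reaches jobs that never use it, and a `harden()` helper that applies the fixes per job. The sample workflow is a constructed dict mirroring the post-PR shape of test_cc.yml as shown in the hunks above, standing in for the output of `yaml.safe_load`; job and step names are taken from the diff, everything else is assumed.

```python
"""Lint a parsed GitHub Actions workflow for a Codecov upload that enables OIDC
but still receives a token, and for an explicit permissions block that drops
contents: read while actions/checkout is in use. Added example, not deepmd-kit code."""
import copy
from typing import Any

CHECKOUT = "actions/checkout@"
CODECOV = "codecov/codecov-action@"


def effective_permissions(workflow: dict, job: dict) -> Any:
    """A job-level permissions block replaces the workflow-level one;
    None means no explicit block at either level (GitHub defaults apply)."""
    return job["permissions"] if "permissions" in job else workflow.get("permissions")


def grants(perms: Any, scope: str, level: str) -> bool:
    """True when an explicit permissions value grants `level` on `scope`."""
    if perms == "write-all":
        return True
    if perms == "read-all":
        return level == "read"
    if isinstance(perms, dict):
        got = perms.get(scope)
        return got == level or (level == "read" and got == "write")
    return False  # None (defaults) or {} (nothing): id-token is never granted by default


def lint_workflow(workflow: dict) -> list[str]:
    """Return one finding per problem; an empty list means the workflow is clean."""
    findings: list[str] = []
    for name, job in workflow.get("jobs", {}).items():
        perms = effective_permissions(workflow, job)
        steps = job.get("steps") or []
        uses_checkout = any(str(s.get("uses", "")).startswith(CHECKOUT) for s in steps)
        uses_oidc = False
        for step in steps:
            if not str(step.get("uses", "")).startswith(CODECOV):
                continue
            with_, env = step.get("with") or {}, step.get("env") or {}
            if with_.get("use_oidc") is True:
                uses_oidc = True
                if "CODECOV_TOKEN" in env or "token" in with_:
                    findings.append(f"{name}: codecov step sets use_oidc: true but still "
                                    "passes a token; it is ignored under OIDC, remove it")
        # An explicit block (workflow- or job-level) replaces the defaults wholesale.
        if uses_checkout and perms is not None and not grants(perms, "contents", "read"):
            findings.append(f"{name}: explicit permissions block lacks contents: read, "
                            "so actions/checkout cannot clone the repository")
        if uses_oidc and not grants(perms, "id-token", "write"):
            findings.append(f"{name}: use_oidc: true requires id-token: write")
        if not uses_oidc and grants(perms, "id-token", "write"):
            findings.append(f"{name}: id-token: write is granted but no step needs it "
                            "(least privilege)")
    return findings


def harden(workflow: dict) -> dict:
    """Return a copy with the token removed from OIDC uploads and permissions
    scoped per job to exactly what its steps need; the input is left untouched."""
    fixed = copy.deepcopy(workflow)
    fixed.pop("permissions", None)  # grant per job instead of workflow-wide
    for job in fixed.get("jobs", {}).values():
        needed: dict[str, str] = {}
        for step in job.get("steps") or []:
            uses = str(step.get("uses", ""))
            if uses.startswith(CHECKOUT):
                needed["contents"] = "read"
            if uses.startswith(CODECOV) and (step.get("with") or {}).get("use_oidc") is True:
                needed["id-token"] = "write"
                step["with"].pop("token", None)
                env = step.get("env") or {}
                env.pop("CODECOV_TOKEN", None)
                if not env:  # drop an env block that only carried the secret
                    step.pop("env", None)
        # {} for jobs with no identified need: no GITHUB_TOKEN scopes at all.
        # Widen it by hand if a step there turns out to use the token.
        job["permissions"] = needed
    return fixed


# Constructed sample mirroring the post-PR shape of test_cc.yml from the hunks above
# (not the repository's full file). Note: when loading real YAML with yaml.safe_load,
# the top-level `on` key parses as the boolean True under YAML 1.1 rules.
SAMPLE_WORKFLOW = {
    "on": {"push": {}, "pull_request": {}, "merge_group": {}},
    "permissions": {"id-token": "write"},
    "jobs": {
        "testcc": {"steps": [
            {"uses": "actions/checkout@v6"},
            {"uses": "actions/setup-python@v6"},
            {"run": "source/install/test_cc_local.sh"},
            {"uses": "codecov/codecov-action@v5",
             "env": {"CODECOV_TOKEN": "${{ secrets.CODECOV_TOKEN }}"},
             "with": {"use_oidc": True}},
        ]},
        "pass": {"needs": ["testcc"], "steps": [
            {"uses": "re-actors/alls-green@release/v1", "with": {"jobs": "${{ toJSON(needs) }}"}},
        ]},
    },
}

if __name__ == "__main__":
    for finding in lint_workflow(SAMPLE_WORKFLOW):
        print(finding)
    print("after harden:", lint_workflow(harden(SAMPLE_WORKFLOW)))
```

Running it on the sample reports three findings (the ignored token in `testcc`, the missing `contents: read` for its checkout step, and the unneeded `id-token: write` granted to `pass`), and `lint_workflow(harden(SAMPLE_WORKFLOW))` comes back empty. On a real file, feed it `yaml.safe_load(open(path))` instead of the constructed dict; the linter only reads the `jobs`, `permissions`, `steps`, `uses`, `with` and `env` keys, so the `on`/True quirk does not affect it.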