Reference CODECOV_TOKEN secret instead of a hardcoded token in coverage workflow#10618
Open
kobihikri wants to merge 1 commit into
Open
Reference CODECOV_TOKEN secret instead of a hardcoded token in coverage workflow#10618kobihikri wants to merge 1 commit into
kobihikri wants to merge 1 commit into
Conversation
RockteMQ-AI
approved these changes
Jul 14, 2026
RockteMQ-AI
left a comment
Contributor
There was a problem hiding this comment.
Review by github-manager-bot
Summary
Replace hardcoded Codecov upload token in .github/workflows/coverage.yml with a repository secret reference (${{ secrets.CODECOV_TOKEN }}).
Findings
- [Info]
.github/workflows/coverage.yml:30— Good security practice. The hardcoded token is removed from the workflow file and replaced with a secret reference.
Notes
- As the PR description correctly notes, the old token value remains in git history and should be rotated by a maintainer in the Codecov dashboard.
- For public repos, Codecov uploads work without a token, so this change won't break CI even before the secret is configured.
- Single-line change, no side effects. LGTM.
Automated review by github-manager-bot
RockteMQ-AI
approved these changes
Jul 14, 2026
RockteMQ-AI
left a comment
Contributor
There was a problem hiding this comment.
Review by github-manager-bot
PR: Reference CODECOV_TOKEN secret instead of a hardcoded token in coverage workflow
Verdict: ✅ Approved
Summary
Replaces a hardcoded Codecov token (cf0cba0a-...) in .github/workflows/coverage.yml with a reference to the GitHub Actions secret ${{ secrets.CODECOV_TOKEN }}.
Analysis
Correctness ✅
- Straightforward substitution. The secret reference syntax is correct for GitHub Actions.
Security ✅
- This is a security improvement — hardcoded tokens in workflow files are visible to anyone with read access to the repo. Moving to secrets is the correct practice.
Compatibility ✅
- No behavioral change as long as the
CODECOV_TOKENsecret is configured in the repository settings. Maintainers should verify the secret exists before merging.
Minor Note
- Ensure the
CODECOV_TOKENsecret has been added to the repository settings with the correct value before merging, otherwise Codecov uploads will fail.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Follow-up to #10617 (as invited on that issue).
What this changes
.github/workflows/coverage.ymlline 30 passes the Codecov upload token as a hardcoded literal. This one-line change makes it read from a repository secret instead:Single file, single line, no other changes.
Important — this is only half the fix
Removing the literal from the workflow does not invalidate the value that is already in the git history. As noted on #10617, the token should be treated as compromised and rotated by a maintainer (regenerate it in the Codecov dashboard, then store the new value as the
CODECOV_TOKENrepository secret). This PR just makes sure the workflow reads from that secret once it exists. Until the secret is set, the upload step will run without a token (which is fine for public-repo Codecov uploads).I kept this PR to the single security concern. I did not touch
actions/checkout@masteror pin the actions to SHAs in this PR — happy to open a separate small PR for that supply-chain hardening if the maintainers would like it.Disclosure: I used an AI tool to help identify and prepare this. I verified the change myself against the workflow and take responsibility for it. I understand this contribution is subject to the Apache ICLA.