Skip to content

Reference CODECOV_TOKEN secret instead of a hardcoded token in coverage workflow#10618

Open
kobihikri wants to merge 1 commit into
apache:developfrom
kobihikri:fix-codecov-token-secret
Open

Reference CODECOV_TOKEN secret instead of a hardcoded token in coverage workflow#10618
kobihikri wants to merge 1 commit into
apache:developfrom
kobihikri:fix-codecov-token-secret

Conversation

@kobihikri

Copy link
Copy Markdown

Follow-up to #10617 (as invited on that issue).

What this changes

.github/workflows/coverage.yml line 30 passes the Codecov upload token as a hardcoded literal. This one-line change makes it read from a repository secret instead:

token: ${{ secrets.CODECOV_TOKEN }}

Single file, single line, no other changes.

Important — this is only half the fix

Removing the literal from the workflow does not invalidate the value that is already in the git history. As noted on #10617, the token should be treated as compromised and rotated by a maintainer (regenerate it in the Codecov dashboard, then store the new value as the CODECOV_TOKEN repository secret). This PR just makes sure the workflow reads from that secret once it exists. Until the secret is set, the upload step will run without a token (which is fine for public-repo Codecov uploads).

I kept this PR to the single security concern. I did not touch actions/checkout@master or pin the actions to SHAs in this PR — happy to open a separate small PR for that supply-chain hardening if the maintainers would like it.


Disclosure: I used an AI tool to help identify and prepare this. I verified the change myself against the workflow and take responsibility for it. I understand this contribution is subject to the Apache ICLA.

@RockteMQ-AI RockteMQ-AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review by github-manager-bot

Summary

Replace hardcoded Codecov upload token in .github/workflows/coverage.yml with a repository secret reference (${{ secrets.CODECOV_TOKEN }}).

Findings

  • [Info] .github/workflows/coverage.yml:30 — Good security practice. The hardcoded token is removed from the workflow file and replaced with a secret reference.

Notes

  • As the PR description correctly notes, the old token value remains in git history and should be rotated by a maintainer in the Codecov dashboard.
  • For public repos, Codecov uploads work without a token, so this change won't break CI even before the secret is configured.
  • Single-line change, no side effects. LGTM.

Automated review by github-manager-bot

@RockteMQ-AI RockteMQ-AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review by github-manager-bot

PR: Reference CODECOV_TOKEN secret instead of a hardcoded token in coverage workflow
Verdict: ✅ Approved

Summary

Replaces a hardcoded Codecov token (cf0cba0a-...) in .github/workflows/coverage.yml with a reference to the GitHub Actions secret ${{ secrets.CODECOV_TOKEN }}.

Analysis

Correctness

  • Straightforward substitution. The secret reference syntax is correct for GitHub Actions.

Security

  • This is a security improvement — hardcoded tokens in workflow files are visible to anyone with read access to the repo. Moving to secrets is the correct practice.

Compatibility

  • No behavioral change as long as the CODECOV_TOKEN secret is configured in the repository settings. Maintainers should verify the secret exists before merging.

Minor Note

  • Ensure the CODECOV_TOKEN secret has been added to the repository settings with the correct value before merging, otherwise Codecov uploads will fail.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants