-
Notifications
You must be signed in to change notification settings - Fork 206
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OIDC doesn't work #1378
Comments
v4 of codecov-action no longer supports tokenless upload. ~Let's try avoiding tokens altogether by using OIDC.~ OIDC doesn't seem to work: codecov/codecov-action#1378, using managed `CODECOV_TOKEN` secrets.
@nfx can you provide some more details? Specifically the rest of the logs? |
@thomasrockhu-codecov we're getting that over at
Note the last couple are using v4.1.1 specifically which is before OIDC support was landed - technically I can't verify this isn't user error as I don't have permissions to set secrets on the repository, but even if it is it seems like a very confusing error message to get if the problem is the codecov token is plain wrong. (I have tried giving a known bad token and gotten the same error - would be good to get confirmed if that is because the token is bad or that something related to OIDC is done before the token is validated) |
@G-Rath you're missing the permission -- I've added it in check-spelling-sandbox/eslint-plugin-jest@1ccd95e But even with that it isn't working: |
@jsoref we're not trying to use OIDC though so the permission should not be needed |
@G-Rath ok, we made a change here, would you be able to see if you run into that log again? |
@thomasrockhu-codecov, so, I'm forcing OIDC (https://github.com/check-spelling-sandbox/eslint-plugin-jest/blob/0e44095625c00fc931da2120f756788342f4b4f6/.github/workflows/nodejs.yml#L64, https://github.com/check-spelling-sandbox/eslint-plugin-jest/blob/0e44095625c00fc931da2120f756788342f4b4f6/.github/workflows/nodejs.yml#L113) and I've added enough logging (d09da3a) to show that OIDC is being used, but it still fails: https://github.com/check-spelling-sandbox/eslint-plugin-jest/actions/runs/8986717338/job/24683540548 ==> Got an OIDC token
==> Got an OIDC token
==> Got an OIDC token
...
==> Uploader SHASUM verified (e70beb7c9e3d894678e7d4d0fcb94e59133212dbda5ca7406b625a0167ce4ca8 codecov)
info - 2024-05-07 14:00:41,045 -- ci service found: github-actions
debug - 2024-05-07 14:00:41,048 -- versioning system found: <class 'codecov_cli.helpers.versioning_systems.GitVersioningSystem'>
debug - 2024-05-07 14:00:41,0[51](https://github.com/check-spelling-sandbox/eslint-plugin-jest/actions/runs/8986717338/job/24683540548#step:6:52) -- versioning system found: <class 'codecov_cli.helpers.versioning_systems.GitVersioningSystem'>
debug - 2024-05-07 14:00:41,054 -- Loading config from /home/runner/work/eslint-plugin-jest/eslint-plugin-jest/.codecov.yml
debug - 2024-05-07 14:00:41,055 -- Starting create commit process --- {"commit_sha": "a07975eaa2b0aeb8af59[53](https://github.com/check-spelling-sandbox/eslint-plugin-jest/actions/runs/8986717338/job/24683540548#step:6:54)8d8f62e91c35d72739", "parent_sha": null, "pr": null, "branch": "my-repo-is-not-a-fork", "slug": "check-spelling-sandbox/eslint-plugin-jest", "token": "e******************", "service": "github", "enterprise_url": null}
info - 2024-05-07 14:00:41,270 -- Process Commit creating complete
debug - 2024-05-07 14:00:41,271 -- Commit creating result --- {"result": "RequestResult(error=RequestError(code='HTTP Error 400', params={}, description='[\"Repository not found\"]'), warnings=[], status_code=400, text='[\"Repository not found\"]')"}
error - 2024-05-07 14:00:41,271 -- Commit creating failed: ["Repository not found"]
Error: Codecov: Failed to properly create commit: The process '/home/runner/work/_actions/check-spelling-sandbox/codecov-action/my-repo-is-not-a-fork/dist/codecov' failed with exit code 1 |
@jsoref will take it with you on this issue |
@nfx just wanted to circle back and see if a fix we made is working for you now |
@thomasrockhu-codecov will check approx in 1.5 weeks |
@thomasrockhu-codecov Works for me now |
I find it bit perplexing as OIDC is advertised by this action but seems to to be supported by codecov.io itself.
Basically, the default upload endpoint seems to not support it? A search on https://sourcegraph.com/search?q=context:global+lang:yaml+%22use_oidc:+true%22&patternType=keyword&case=yes&sm=0 makes me believe that probably we don't have more than 10 repositories using it. |
@ssbarnea Your job is missing the Yes, the codecov.io side has to support this. It was broken but apparently they fixed it and uploading with OIDC works for a few days for me now. |
Thanks @jkreileder that does seem to be the issue @ssbarnea @nfx going to close for now, please feel free to reopen if it's not working for you. |
This commit added OIDC - d820d60 but it doesn't work:
and config:
The text was updated successfully, but these errors were encountered: