Allow PRs from forks to access CODECOV_TOKEN

This commit fixes behavior that was preventing Dependabot PRs from accessing our Codecov repository token to use the Codecov API.
panorama-ed · Dec 16, 2024 · 0f840cc · 0f840cc
1 parent e446ec7
commit 0f840cc
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -6,6 +6,20 @@ on:
   push:
     branches:
     - main
+
+  # Though GitHub's documentation mostly says you only need this for reusable
+  # workflows (i.e. workflows that call other workflows), it seems that GitHub
+  # does not pass secrets to `pull_request` events that come from forks (which
+  # it seems Dependabot's PRs do?) unless they are explicitly passed through,
+  # because they do not want a forker's PR to be able to exfiltrate secret data
+  # from the forked repo. This behavior is not really documented with respect to
+  # Dependabot but some hints are here:
+  # - https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#using-secrets-in-a-workflow
+  # - https://github.com/pypa/gh-action-pypi-publish/discussions/49
+  workflow_call:
+    secrets:
+      CODECOV_TOKEN:
+        required: true
 jobs:
   ci:
     name: CI