Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[oic-auth-plugin] CodeCov stopped working 1 month ago #4267

Open
michael-doubez opened this issue Aug 27, 2024 · 13 comments
Open

[oic-auth-plugin] CodeCov stopped working 1 month ago #4267

michael-doubez opened this issue Aug 27, 2024 · 13 comments
Labels
github
Milestone
infra-team-sync-2...

Comments

@michael-doubez
Copy link

Service(s)

GitHub

Summary

Hello,

CodeCov report upload stopped working 1 month ago.
I could not find any reference in documentation - is codcov usage deprecated ?

I still see the GitHubApp installed but the GitHub action fails with an error about a missing token.
I tried to provide my own personnal token but I didn't have the rights to upload a report.

Reproduction steps

  1. Trigger CodeCov report github action
  2. Job succeeds
  3. Logs show the token is missing

See https://github.com/jenkinsci/oic-auth-plugin/blob/master/.github/workflows/ci.yml
@michael-doubez michael-doubez added the triage Incoming issues that need review label Aug 27, 2024
@michael-doubez michael-doubez mentioned this issue Aug 27, 2024
Open
@dduportal dduportal added this to the infra-team-sync-2024-09-10 milestone Sep 3, 2024
@dduportal dduportal removed the triage Incoming issues that need review label Sep 9, 2024
@dduportal dduportal self-assigned this Sep 9, 2024
@dduportal
Copy link
Contributor

For info:

I see that you introduced the GHA build 2 years ago in jenkinsci/oic-auth-plugin@fc9ee86 but I don't see any associated PR which could have documented. @michael-doubez Do you remember how was it configured and by whom?

The secret CODECOV_TOKEN might comes from:

  • Repository secrets (I do not have access to it as I'm not maintainer or admin)
    • Can you check the setup? If yes, is the token present?
  • Organization secrets (we need a jenkinsci org admin.)
    • Secret might have been removed or un-scoped (and we need a check from an admin: ping @jenkins-infra/jenkinsci-admins )
  • An upload token on codecov which is repository scoped (see the note at the ned of https://github.com/codecov/codecov-action?tab=readme-ov-file#usage). Need a GH org admin or repo admin As far as I can tell

@dduportal dduportal removed their assignment Sep 9, 2024
@timja
Copy link
Member

timja commented Sep 10, 2024

There's no organisation or repository level CODECOV_TOKEN

OIDC auth looks to be the easiest if you could try use that: https://github.com/codecov/codecov-action#using-oidc

@dduportal
Copy link
Contributor

Hi @michael-doubez any news or feedback?

@dduportal
Copy link
Contributor

Closing as there are no actionnable for the Jenkins infra team, and no response from the requester.

Please, feel free to reopen with details if the provided solutions does not work!

@michael-doubez
Copy link
Author

Sorry I was on vacations.

@dduportal I don't remember, I think it used to be part of the plugin modernisation checklist but I can no longer find it.

I expect the token comes from an APP installed on the github org.
I could use my personal token but it doesn't work because I don't have the relevant rights in codecov org.

@dduportal dduportal reopened this Sep 18, 2024
@dduportal
Copy link
Contributor

@michael-doubez no problem, I hope you nejoyed vacations! 👍 I've reopened the issue.

As indicated by Tim above:

OIDC auth looks to be the easiest if you could try use that: https://github.com/codecov/codecov-action#using-oidc

You should be able to switch to a tokenless coverage upload by changing the GitHub Actions workflow. Would that work?

@michael-doubez
Copy link
Author

I tried it just now and it failed (I gues OIDC is not enabled).

Error: Codecov: Failed to get OIDC token with url: https://codecov.io./ Error message: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable

See: jenkinsci/oic-auth-plugin@f0ef586

The root cause may be on codecov side: codecov/codecov-action#1359

@michael-doubez
Copy link
Author

I don't understand why other plugins don't havee the issue.
Ex: https://github.com/jenkinsci/badge-plugin/blob/master/.github/workflows/codecov.yml#L25

@dduportal
Copy link
Contributor

I don't understand why other plugins don't havee the issue. Ex: https://github.com/jenkinsci/badge-plugin/blob/master/.github/workflows/codecov.yml#L25

Ping @timja (as you have admin access to jenkinsci GH org which I don't)

@timja
Copy link
Member

timja commented Sep 19, 2024

The badge plugin has someones personal token setup

@timja
Copy link
Member

timja commented Sep 19, 2024

Looks like you haven't added the permission to id-token,
see https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers#adding-permissions-settings

@michael-doubez
Copy link
Author

michael-doubez commented Sep 19, 2024
edited
Loading

The badge plugin has someones personal token setup

I tried that but my ID was not allowed in codecov org/repo.

@michael-doubez
Copy link
Author

Looks like you haven't added the permission to id-token, see https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers#adding-permissions-settings

Damned. I ll try that.
Thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
github
Projects
None yet
Milestone
infra-team-sync-2024-09-17
Development

No branches or pull requests
3 participants
@dduportal @michael-doubez @timja