Fix codecov system-test coverage upload instability, absence of reporting for master branch (#2014)

ni-jfitzger · web-flow · commit 4437fdd53856 · 2023-09-21T16:51:00.000-05:00
* pass token to codecov-action

* Update system-test coverage uploading
diff --git a/.github/workflows/PUBLIC_CODECOV_TOKEN_README.md b/.github/workflows/PUBLIC_CODECOV_TOKEN_README.md
@@ -0,0 +1,19 @@
+# WHY DO WE NEED THIS TOKEN WHEN THE ACTION DOCUMENTATION CLAIMS NO TOKEN IS NEEDED FOR PUBLIC REPOSITORIES?
+See ISSUE #2013: codecov-action does not reliably upload system-test coverage to codecov
+According to community discussion, failed uploads often occur due to "Codecov’s inability to check the validity
+of a coverage upload when using tokenless uploads. The underlying issue is rate-limiting from GitHub."
+
+There are 2 possible fixes:
+1. Pass the token, when uploading
+2. Implement a retry on upload failure (we do this for travis-ci)
+
+# OKAY, BUT WHY AREN'T WE STORING THIS TOKEN IN A SECRET?
+According to GitHub: "With the exception of GITHUB_TOKEN, secrets are not passed to the runner when a workflow is triggered from a forked repository."
+We require contributors to fork this repository, so that rules out secrets.
+
+# WHAT ARE THE SECURITY RAMIFICATIONS OF MAKING THIS TOKEN PUBLICLY VISIBLE?
+From the community discussion:
+"The scope of the Codecov token is only to confirm that the coverage uploaded comes from a specific repository,
+not to pull down source code or make any code changes."
+"A malicious actor would be able to upload incorrect or misleading coverage reports to a specific repository if
+they have access to your upload token, but would not be able to pull down source code or make any code changes."
diff --git a/.github/workflows/github_actions_aws_rhel_python64.yml b/.github/workflows/github_actions_aws_rhel_python64.yml
@@ -37,6 +37,8 @@ jobs:
       - name: upload coverage
         uses: codecov/codecov-action@v3
         with:
+          # See ../PUBLIC_CODECOV_TOKEN_README.md
+          token: 4c58f03d-b74c-489a-889a-ab0a77b7809f
           flags: ${{ matrix.module_name }}systemtests
           name: ${{ matrix.module_name }}
           files: ./generated/${{ matrix.module_name }}/coverage.xml
diff --git a/.github/workflows/github_actions_aws_windows_python32.yml b/.github/workflows/github_actions_aws_windows_python32.yml
@@ -49,6 +49,8 @@ jobs:
         - name: upload coverage
           uses: codecov/codecov-action@v3
           with:
+            # See ../PUBLIC_CODECOV_TOKEN_README.md
+            token: 4c58f03d-b74c-489a-889a-ab0a77b7809f
             flags: ${{ matrix.module_name }}systemtests
             name: ${{ matrix.module_name }}
             files: ./generated/${{ matrix.module_name }}/coverage.xml
diff --git a/.github/workflows/github_actions_aws_windows_python64.yml b/.github/workflows/github_actions_aws_windows_python64.yml
@@ -13,6 +13,20 @@ on:
       - VERSION
     types: [ opened, synchronize, reopened ]
 
+  # For this action, also trigger on a merge to master, because
+  # the coverage badge tracks coverage of master, not PRs.
+  # Doing this for windows_python32 and rhel_python64 is unlikely to
+  # add any coverage, so don't bother triggering those on pushes to master.
+  push:
+    branches:
+      - master
+    paths-ignore:
+      - CHANGELOG.md
+      - CONTRIBUTING.md
+      - .gitattributes
+      - LICENSE
+      - VERSION
+
   # Allows you to run this workflow manually from the Actions tab.
   workflow_dispatch:
   
@@ -49,6 +63,8 @@ jobs:
         - name: upload coverage
           uses: codecov/codecov-action@v3
           with:
+            # See ../PUBLIC_CODECOV_TOKEN_README.md
+            token: 4c58f03d-b74c-489a-889a-ab0a77b7809f
             flags: ${{ matrix.module_name }}systemtests
             name: ${{ matrix.module_name }}
             files: ./generated/${{ matrix.module_name }}/coverage.xml
