fix: use_oidc shoudl be required false (#1353)

* fix: allow for oidc token

* chore(docs): update docs with use_oidc argument

* Update action.yml

Co-authored-by: Cristian Le <github@lecris.me>

* chore(release): 4.2.0

---------

Co-authored-by: Cristian Le <github@lecris.me>

.eslintrc.json

@@ -17,6 +17,7 @@
         "@typescript-eslint"
     ],
     "rules": {
+        "max-len": ["error", { "code": 120 }],
         "linebreak-style": 0
     }
 }

.github/workflows/codeql-analysis.yml

@@ -37,11 +37,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4.1.1
+      uses: actions/checkout@v4.1.2
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3.24.3
+      uses: github/codeql-action/init@v3.24.9
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -52,7 +52,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v3.24.3
+      uses: github/codeql-action/autobuild@v3.24.9
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -66,4 +66,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3.24.3
+      uses: github/codeql-action/analyze@v3.24.9

.github/workflows/main.yml

@@ -8,7 +8,47 @@ jobs:
         os: [macos-latest, windows-latest, ubuntu-latest, macos-latest-xlarge]
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v4.1.2
+      - name: Install dependencies
+        run: npm install
+      - name: Lint
+        run: npm run lint
+      - name: Run tests and collect coverage
+        run: npm run test
+      - name: Upload coverage to Codecov (script)
+        uses: ./
+        with:
+          files: ./coverage/script/coverage-final.json
+          flags: script,${{ matrix.os }}
+          name: codecov-script
+          verbose: true
+          token: ${{ secrets.CODECOV_TOKEN }}
+      - name: Upload coverage to Codecov (demo)
+        uses: ./
+        with:
+          files: ./coverage/calculator/coverage-final.json,./coverage/coverage-test/coverage-final.json
+          file: ./coverage/coverage-final.json
+          flags: demo,${{ matrix.os }}
+          name: codecov-demo
+          verbose: true
+          token: ${{ secrets.CODECOV_TOKEN }}
+      - name: Upload coverage to Codecov (version)
+        uses: ./
+        with:
+          files: ./coverage/calculator/coverage-final.json,./coverage/coverage-test/coverage-final.json
+          file: ./coverage/coverage-final.json
+          flags: version,${{ matrix.os }}
+          name: codecov-version
+          version: v0.2.0
+          verbose: true
+          token: ${{ secrets.CODECOV_TOKEN }}
+
+  run-container:
+    runs-on: ubuntu-latest
+    container: node:18
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4.1.2
       - name: Install dependencies
         run: npm install
       - name: Lint

.github/workflows/scorecards-analysis.yml

@@ -24,7 +24,7 @@ jobs:
     
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v4.1.1 # v3.0.0
+        uses: actions/checkout@v4.1.2 # v3.0.0
         with:
           persist-credentials: false
 
@@ -56,6 +56,6 @@ jobs:
       
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v3.24.3 # v1.0.26
+        uses: github/codeql-action/upload-sarif@v3.24.9 # v1.0.26
         with:
           sarif_file: results.sarif

README.md

@@ -64,6 +64,17 @@ steps:
 > [!NOTE]
 > This assumes that you've set your Codecov token inside *Settings > Secrets* as `CODECOV_TOKEN`. If not, you can [get an upload token](https://docs.codecov.io/docs/frequently-asked-questions#section-where-is-the-repository-upload-token-found-) for your specific repo on [codecov.io](https://www.codecov.io). Keep in mind that secrets are *not* available to forks of repositories.
 
+### Using OIDC
+For users with [OpenID Connect(OIDC) enabled](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect), the Codecov token is not necessary. You can use OIDC with the `use_oidc` argument as following.
+
+```yaml
+- uses: codecov/codecov-action@v4
+  with:
+    use_oidc: true
+```
+
+Any token supplied will be ignored, as Codecov will default to the OIDC token for verification.
+
 ## Arguments
 
 Codecov's Action supports inputs from the user. These inputs, along with their descriptions and usage contexts, are listed in the table below:
@@ -95,10 +106,11 @@ Codecov's Action supports inputs from the user. These inputs, along with their d
 | `plugin` | plugins to run. Options: xcode, gcov, pycoverage. The default behavior runs them all. | Optional
 | `plugins` | Comma-separated list of plugins for use during upload. | Optional
 | `report_code` | The code of the report. If unsure, do not include | Optional
-| `root_dir` | Used when not in git/hg project to identify project root directory | Optional 
+| `root_dir` | Used to specify the location of your   .git   root to identify project root directory | Optional
 | `slug` | Specify the slug manually (Enterprise use) | Optional
 | `url` | Specify the base url to upload (Enterprise use) | Optional
 | `use_legacy_upload_endpoint` | Use the legacy upload endpoint | Optional
+| `use_oidc` | Use OpenID Connect for verification instead of token. This will ignore any token supplied. Please see [GitHub documentation](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect) for details.
 | `verbose` | Specify whether the Codecov output should be verbose | Optional
 | `version` | Specify which version of the Codecov CLI should be used. Defaults to `latest` | Optional
 | `working-directory` | Directory in which to execute codecov.sh | Optional

action.yml

@@ -14,11 +14,14 @@ inputs:
   directory:
     description: 'Directory to search for coverage reports.'
     required: false
+  disable_file_fixes:
+    description: 'Disable file fixes to ignore common lines from coverage (e.g. blank lines or empty brackets)'
+    required: false
   disable_search:
     description: 'Disable search for coverage files. This is helpful when specifying what files you want to upload with the --file option.'
     required: false
-  disable_file_fixes:
-    description: 'Disable file fixes to ignore common lines from coverage (e.g. blank lines or empty brackets)'
+  disable_safe_directory:
+    description: 'Disable setting safe directory. Set to true to disable.'
     required: false
   dry_run:
     description: "Don't upload files to Codecov"
@@ -41,6 +44,9 @@ inputs:
   flags:
     description: 'Flag upload to group coverage metrics (e.g. unittests | integration | ui,chrome)'
     required: false
+  git_service:
+    description: 'Override the git_service (e.g. github_enterprise)'
+    required: false
   handle_no_reports_found:
     description: 'Raise no exceptions when no coverage reports found'
     required: false
@@ -89,6 +95,9 @@ inputs:
   use_legacy_upload_endpoint:
     description: 'Use the legacy upload endpoint'
     required: false
+  use_oidc:
+    description: 'Use OIDC instead of token. This will ignore any token supplied'
+    required: false
   verbose:
     description: 'Specify whether the Codecov output should be verbose'
     required: false

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codecov-action",
-  "version": "4.0.2",
+  "version": "4.2.0",
   "description": "Upload coverage reports to Codecov from GitHub Actions",
   "main": "index.js",
   "scripts": {
@@ -27,18 +27,18 @@
     "@actions/exec": "^1.1.1",
     "@actions/github": "^6.0.0",
     "gpg": "^0.6.0",
-    "undici": "5.28.2"
+    "undici": "5.28.3"
   },
   "devDependencies": {
     "@types/jest": "^29.5.12",
-    "@typescript-eslint/eslint-plugin": "^7.0.0",
-    "@typescript-eslint/parser": "^6.21.0",
+    "@typescript-eslint/eslint-plugin": "^7.5.0",
+    "@typescript-eslint/parser": "^7.5.0",
     "@vercel/ncc": "^0.38.1",
-    "eslint": "^8.56.0",
+    "eslint": "^8.57.0",
     "eslint-config-google": "^0.14.0",
     "jest": "^29.7.0",
     "jest-junit": "^16.0.0",
     "ts-jest": "^29.1.2",
-    "typescript": "^5.3.3"
+    "typescript": "^5.4.3"
   }
 }

src/buildExec.test.ts

@@ -10,7 +10,7 @@ import {
 
 const context = github.context;
 
-test('general args', () => {
+test('general args', async () => {
   const envs = {
     codecov_yml_path: 'dev/codecov.yml',
     url: 'https://codecov.enterprise.com',
@@ -20,7 +20,7 @@ test('general args', () => {
     process.env['INPUT_' + env.toUpperCase()] = envs[env];
   }
 
-  const {args, verbose} = buildGeneralExec();
+  const {args, verbose} = await buildGeneralExec();
 
   expect(args).toEqual(
       expect.arrayContaining([
@@ -36,10 +36,12 @@ test('general args', () => {
   }
 });
 
-
-test('upload args using context', () => {
-  const expectedArgs = [];
-  const {uploadExecArgs, uploadCommand} = buildUploadExec();
+test('upload args using context', async () => {
+  const expectedArgs = [
+    '--git-service',
+    'github',
+  ];
+  const {uploadExecArgs, uploadCommand} = await buildUploadExec();
   if (context.eventName == 'pull_request') {
     expectedArgs.push('-C', `${context.payload.pull_request.head.sha}`);
   }
@@ -51,7 +53,7 @@ test('upload args using context', () => {
   expect(uploadCommand).toEqual('do-upload');
 });
 
-test('upload args', () => {
+test('upload args', async () => {
   const envs = {
     'codecov_yml_path': 'dev/codecov.yml',
     'commit_parent': 'fakeparentcommit',
@@ -65,6 +67,7 @@ test('upload args', () => {
     'file': 'coverage.xml',
     'files': 'dir1/coverage.xml,dir2/coverage.xml',
     'flags': 'test,test2',
+    'git_service': 'github_enterprise',
     'handle_no_reports_found': 'true',
     'job_code': '32',
     'name': 'codecov',
@@ -90,7 +93,7 @@ test('upload args', () => {
     process.env['INPUT_' + env.toUpperCase()] = envs[env];
   }
 
-  const {uploadExecArgs, uploadCommand} = buildUploadExec();
+  const {uploadExecArgs, uploadCommand} = await buildUploadExec();
   const expectedArgs = [
     '--disable-file-fixes',
     '--disable-search',
@@ -110,6 +113,8 @@ test('upload args', () => {
     'test',
     '-F',
     'test2',
+    '--git-service',
+    'github_enterprise',
     '--handle-no-reports-found',
     '--job-code',
     '32',
@@ -150,8 +155,9 @@ test('upload args', () => {
 });
 
 
-test('report args', () => {
+test('report args', async () => {
   const envs = {
+    git_service: 'github_enterprise',
     override_commit: '9caabca5474b49de74ef5667deabaf74cdacc244',
     override_pr: 'fakePR',
     slug: 'fakeOwner/fakeRepo',
@@ -162,9 +168,11 @@ test('report args', () => {
     process.env['INPUT_' + env.toUpperCase()] = envs[env];
   }
 
-  const {reportExecArgs, reportCommand} = buildReportExec();
+  const {reportExecArgs, reportCommand} = await buildReportExec();
 
   const expectedArgs = [
+    '--git-service',
+    'github_enterprise',
     '-C',
     '9caabca5474b49de74ef5667deabaf74cdacc244',
     '-P',
@@ -182,19 +190,22 @@ test('report args', () => {
 });
 
 
-test('report args using context', () => {
+test('report args using context', async () => {
   const envs = {
     token: 'd3859757-ab80-4664-924d-aef22fa7557b',
   };
   for (const env of Object.keys(envs)) {
     process.env['INPUT_' + env.toUpperCase()] = envs[env];
   }
-  const expectedArgs : string[] = [];
+  const expectedArgs : string[] = [
+    '--git-service',
+    'github',
+  ];
   if (context.eventName == 'pull_request') {
     expectedArgs.push('-C', `${context.payload.pull_request.head.sha}`);
   }
 
-  const {reportExecArgs, reportCommand} = buildReportExec();
+  const {reportExecArgs, reportCommand} = await buildReportExec();
 
   expect(reportExecArgs).toEqual(expectedArgs);
   expect(reportCommand).toEqual('create-report');
@@ -204,8 +215,9 @@ test('report args using context', () => {
 });
 
 
-test('commit args', () => {
+test('commit args', async () => {
   const envs = {
+    git_service: 'github_enterprise',
     commit_parent: '83231650328f11695dfb754ca0f540516f188d27',
     override_branch: 'thomasrockhu/test',
     override_commit: '9caabca5474b49de74ef5667deabaf74cdacc244',
@@ -218,10 +230,12 @@ test('commit args', () => {
     process.env['INPUT_' + env.toUpperCase()] = envs[env];
   }
 
-  const {commitExecArgs, commitCommand} = buildCommitExec();
+  const {commitExecArgs, commitCommand} = await buildCommitExec();
   const expectedArgs = [
     '--parent-sha',
     '83231650328f11695dfb754ca0f540516f188d27',
+    '--git-service',
+    'github_enterprise',
     '-B',
     'thomasrockhu/test',
     '-C',
@@ -240,10 +254,13 @@ test('commit args', () => {
   }
 });
 
-test('commit args using context', () => {
-  const expectedArgs :string[] = [];
+test('commit args using context', async () => {
+  const expectedArgs :string[] = [
+    '--git-service',
+    'github',
+  ];
 
-  const {commitExecArgs, commitCommand} = buildCommitExec();
+  const {commitExecArgs, commitCommand} = await buildCommitExec();
   if (context.eventName == 'pull_request') {
     expectedArgs.push('-C', `${context.payload.pull_request.head.sha}`);
   }

src/buildExec.ts

@@ -3,6 +3,7 @@
 import * as core from '@actions/core';
 import * as github from '@actions/github';
 
+import {setFailure} from './helpers';
 
 const context = github.context;
 
@@ -17,14 +18,36 @@ const isTrue = (variable) => {
   );
 };
 
+const getToken = async () => {
+  let token = core.getInput('token');
+  let url = core.getInput('url');
+  const useOIDC = isTrue(core.getInput('use_oidc'));
 
-const buildCommitExec = () => {
+  if (useOIDC) {
+    if (!url) {
+      url = 'https://codecov.io';
+    }
+    try {
+      token = await core.getIDToken(url);
+      return token;
+    } catch (err) {
+      setFailure(
+          `Codecov: Failed to get OIDC token with url: ${url}. ${err.message}`,
+          true,
+      );
+    }
+  }
+  return token;
+};
+
+const buildCommitExec = async () => {
   const commitParent = core.getInput('commit_parent');
+  const gitService = core.getInput('git_service');
   const overrideBranch = core.getInput('override_branch');
   const overrideCommit = core.getInput('override_commit');
   const overridePr = core.getInput('override_pr');
   const slug = core.getInput('slug');
-  const token = core.getInput('token');
+  const token = await getToken();
   const failCi = isTrue(core.getInput('fail_ci_if_error'));
   const workingDir = core.getInput('working-directory');
 
@@ -48,6 +71,7 @@ const buildCommitExec = () => {
   if (commitParent) {
     commitExecArgs.push('--parent-sha', `${commitParent}`);
   }
+  commitExecArgs.push('--git-service', `${gitService ? gitService : 'github'}`);
 
   if (overrideBranch) {
     commitExecArgs.push('-B', `${overrideBranch}`);
@@ -99,11 +123,12 @@ const buildGeneralExec = () => {
   return {args, verbose};
 };
 
-const buildReportExec = () => {
+const buildReportExec = async () => {
+  const gitService = core.getInput('git_service');
   const overrideCommit = core.getInput('override_commit');
   const overridePr = core.getInput('override_pr');
   const slug = core.getInput('slug');
-  const token = core.getInput('token');
+  const token = await getToken();
   const failCi = isTrue(core.getInput('fail_ci_if_error'));
   const workingDir = core.getInput('working-directory');
 
@@ -125,6 +150,8 @@ const buildReportExec = () => {
   if (token) {
     reportOptions.env.CODECOV_TOKEN = token;
   }
+  reportExecArgs.push('--git-service', `${gitService ? gitService : 'github'}`);
+
   if (overrideCommit) {
     reportExecArgs.push('-C', `${overrideCommit}`);
   } else if (
@@ -153,8 +180,9 @@ const buildReportExec = () => {
   return {reportExecArgs, reportOptions, reportCommand};
 };
 
-const buildUploadExec = () => {
+const buildUploadExec = async () => {
   const disableFileFixes = isTrue(core.getInput('disable_file_fixes'));
+  const disableSafeDirectory = isTrue(core.getInput('disable_safe_directory'));
   const disableSearch = isTrue(core.getInput('disable_search'));
   const dryRun = isTrue(core.getInput('dry_run'));
   const envVars = core.getInput('env_vars');
@@ -163,6 +191,7 @@ const buildUploadExec = () => {
   const file = core.getInput('file');
   const files = core.getInput('files');
   const flags = core.getInput('flags');
+  const gitService = core.getInput('git_service');
   const handleNoReportsFound = isTrue(core.getInput('handle_no_reports_found'));
   const jobCode = core.getInput('job_code');
   const name = core.getInput('name');
@@ -178,7 +207,7 @@ const buildUploadExec = () => {
   const rootDir = core.getInput('root_dir');
   const searchDir = core.getInput('directory');
   const slug = core.getInput('slug');
-  const token = core.getInput('token');
+  const token = await getToken();
   let uploaderVersion = core.getInput('version');
   const useLegacyUploadEndpoint = isTrue(
       core.getInput('use_legacy_upload_endpoint'),
@@ -239,6 +268,7 @@ const buildUploadExec = () => {
       uploadExecArgs.push('-F', `${f}`);
     });
   }
+  uploadExecArgs.push('--git-service', `${gitService ? gitService : 'github'}`);
   if (handleNoReportsFound) {
     uploadExecArgs.push('--handle-no-reports-found');
   }
@@ -305,6 +335,7 @@ const buildUploadExec = () => {
   return {
     uploadExecArgs,
     uploadOptions,
+    disableSafeDirectory,
     failCi,
     os,
     uploaderVersion,

src/helpers.test.ts

@@ -1,10 +1,13 @@
+import * as exec from '@actions/exec';
+
 import {
+  PLATFORMS,
   getBaseUrl,
+  getCommand,
   getPlatform,
   isValidPlatform,
   isWindows,
-  PLATFORMS,
-  getCommand,
+  setSafeDirectory,
 } from './helpers';
 
 let OLDOS = process.env.RUNNER_OS;
@@ -78,3 +81,16 @@ test('getCommand', () => {
   expect(getCommand('path', ['-v', '-x'], 'do-upload'))
       .toEqual(['path', '-v', '-x', 'do-upload']);
 });
+
+test('setSafeDirectory', async () => {
+  process.env.GITHUB_WORKSPACE = 'testOrg/testRepo';
+  await setSafeDirectory();
+  const testSafeDirectory = ([
+    'git',
+    'config',
+    '--get',
+    'safe.directory',
+  ]).join(' ');
+  const safeDirectory = await exec.getExecOutput(testSafeDirectory);
+  expect(safeDirectory.stdout).toBe('testOrg/testRepo\n');
+});

src/helpers.ts

@@ -1,4 +1,5 @@
 import * as core from '@actions/core';
+import * as exec from '@actions/exec';
 
 const PLATFORMS = [
   'linux',
@@ -64,6 +65,19 @@ const getCommand = (
   return fullCommand;
 };
 
+const setSafeDirectory = async () => {
+  const command = ([
+    'git',
+    'config',
+    '--global',
+    '--add',
+    'safe.directory',
+    `${process.env['GITHUB_WORKSPACE']}`,
+  ].join(' '));
+  core.info(`==> Running ${command}`);
+  await exec.exec(command);
+};
+
 export {
   PLATFORMS,
   getBaseUrl,
@@ -72,5 +86,6 @@ export {
   isValidPlatform,
   isWindows,
   setFailure,
+  setSafeDirectory,
   getCommand,
 };

src/index.ts

@@ -12,10 +12,11 @@ import {
 } from './buildExec';
 import {
   getBaseUrl,
+  getCommand,
   getPlatform,
   getUploaderName,
   setFailure,
-  getCommand,
+  setSafeDirectory,
 } from './helpers';
 
 import verify from './validate';
@@ -23,17 +24,19 @@ import versionInfo from './version';
 
 let failCi;
 
-try {
-  const {commitExecArgs, commitOptions, commitCommand} = buildCommitExec();
-  const {reportExecArgs, reportOptions, reportCommand} = buildReportExec();
+const run = async () => {
+  try {
+    const {commitExecArgs, commitOptions, commitCommand} = await buildCommitExec();
+    const {reportExecArgs, reportOptions, reportCommand} = await buildReportExec();
     const {
       uploadExecArgs,
       uploadOptions,
+      disableSafeDirectory,
       failCi,
       os,
       uploaderVersion,
       uploadCommand,
-  } = buildUploadExec();
+    } = await buildUploadExec();
     const {args, verbose} = buildGeneralExec();
 
     const platform = getPlatform(os);
@@ -55,6 +58,9 @@ try {
             await verify(filename, platform, uploaderVersion, verbose, failCi);
             await versionInfo(platform, uploaderVersion);
             await fs.chmodSync(filename, '777');
+            if (!disableSafeDirectory) {
+              await setSafeDirectory();
+            }
 
             const unlink = () => {
               fs.unlink(filename, (err) => {
@@ -115,6 +121,9 @@ try {
                 });
           });
     });
-} catch (err) {
+  } catch (err) {
     setFailure(`Codecov: Encountered an unexpected error ${err.message}`, failCi);
-}
+  }
+};
+
+run();

src/version.ts

@@ -3,14 +3,12 @@ import {request} from 'undici';
 
 const versionInfo = async (
     platform: string,
-    version?: string,
+    version: string,
 ): Promise<void> => {
-  if (version) {
   core.info(`==> Running version ${version}`);
-  }
 
   try {
-    const metadataRes = await request(`https://cli.codecov.io/${platform}/latest`, {
+    const metadataRes = await request(`https://cli.codecov.io/${platform}/${version}`, {
       headers: {'Accept': 'application/json'},
     });
     const metadata = await metadataRes.body.json();