Skip to content

[ISSUE #10617] Use repository secret for Codecov upload token in coverage.yml#10619

Open
itxaiohanglover wants to merge 1 commit into
apache:developfrom
itxaiohanglover:fix/issue-10617-codecov-token
Open

[ISSUE #10617] Use repository secret for Codecov upload token in coverage.yml#10619
itxaiohanglover wants to merge 1 commit into
apache:developfrom
itxaiohanglover:fix/issue-10617-codecov-token

Conversation

@itxaiohanglover

Copy link
Copy Markdown

Closes #10617

What

.github/workflows/coverage.yml passed the Codecov upload token as a plaintext value. This PR replaces it with a repository secret reference, matching every other credential in this repo's workflows (e.g. DOCKERHUB_TOKEN, NEXUS_PW):

-          token: cf0cba0a-22f8-4580-89ab-4f1dec3bda6f
+          token: ${{ secrets.CODECOV_TOKEN }}

Why

A credential committed to a public repo is readable by anyone and should be treated as compromised. This one line was the only workflow credential not using ${{ secrets.* }}.

Maintainer action required

This code change alone is not sufficient — a maintainer needs to:

  1. Rotate the exposed Codecov upload token (treat the old one as compromised).
  2. Add the new token as a repository secret named CODECOV_TOKEN.

Codecov upload tokens are limited in scope (upload coverage only, not code read/push), so the blast radius is bounded, but rotation is still the standard response.

Test plan

  • Change is a single line in an existing workflow; no source/build impact.
  • Coverage job will read secrets.CODECOV_TOKEN once the secret is configured.

Scope kept to the token fix only (1 file, 1 line). The supply-chain hardening mentioned in the issue (pinning codecov/codecov-action@v3 and actions/checkout@master to commit SHAs) is left as a separate follow-up to keep this PR reviewable.

@RockteMQ-AI RockteMQ-AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review by github-manager-bot

Summary

This PR replaces a hardcoded Codecov upload token in .github/workflows/coverage.yml with a repository secret reference (${{ secrets.CODECOV_TOKEN }}). This is a correct and important security fix — plaintext credentials in public repositories should be treated as compromised.

Findings

  • [Info] The change itself is correct and minimal (1 file, 1 line). The approach matches how other credentials in this repo's workflows are already handled (e.g. DOCKERHUB_TOKEN, NEXUS_PW).
  • [Info] The PR description is well-structured and clearly documents the required maintainer actions (token rotation + secret creation).

Duplicate PR Notice

PR #10618 by @kobihikri addresses the exact same issue (#10617) with the identical one-line change, and was submitted earlier (July 14 vs July 16). Maintainers only need to merge one of these two PRs.

Suggestions

  • The maintainers should pick whichever PR is more convenient. Both are functionally equivalent.
  • As both PRs note, the token rotation and secret setup are maintainer-side actions that must happen regardless of which PR is merged.
  • The follow-up supply-chain hardening (pinning codecov/codecov-action@v3 and actions/checkout@master to commit SHAs) is a good idea and worth tracking separately.

Automated review by github-manager-bot

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Security: Codecov upload token committed in plaintext in .github/workflows/coverage.yml (please rotate + move to a secret)

2 participants