[ISSUE #10617] Use repository secret for Codecov upload token in coverage.yml#10619
Open
itxaiohanglover wants to merge 1 commit into
Open
[ISSUE #10617] Use repository secret for Codecov upload token in coverage.yml#10619itxaiohanglover wants to merge 1 commit into
itxaiohanglover wants to merge 1 commit into
Conversation
RockteMQ-AI
reviewed
Jul 16, 2026
RockteMQ-AI
left a comment
Contributor
There was a problem hiding this comment.
Review by github-manager-bot
Summary
This PR replaces a hardcoded Codecov upload token in .github/workflows/coverage.yml with a repository secret reference (${{ secrets.CODECOV_TOKEN }}). This is a correct and important security fix — plaintext credentials in public repositories should be treated as compromised.
Findings
- [Info] The change itself is correct and minimal (1 file, 1 line). The approach matches how other credentials in this repo's workflows are already handled (e.g.
DOCKERHUB_TOKEN,NEXUS_PW). - [Info] The PR description is well-structured and clearly documents the required maintainer actions (token rotation + secret creation).
Duplicate PR Notice
PR #10618 by @kobihikri addresses the exact same issue (#10617) with the identical one-line change, and was submitted earlier (July 14 vs July 16). Maintainers only need to merge one of these two PRs.
Suggestions
- The maintainers should pick whichever PR is more convenient. Both are functionally equivalent.
- As both PRs note, the token rotation and secret setup are maintainer-side actions that must happen regardless of which PR is merged.
- The follow-up supply-chain hardening (pinning
codecov/codecov-action@v3andactions/checkout@masterto commit SHAs) is a good idea and worth tracking separately.
Automated review by github-manager-bot
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #10617
What
.github/workflows/coverage.ymlpassed the Codecov upload token as a plaintext value. This PR replaces it with a repository secret reference, matching every other credential in this repo's workflows (e.g.DOCKERHUB_TOKEN,NEXUS_PW):Why
A credential committed to a public repo is readable by anyone and should be treated as compromised. This one line was the only workflow credential not using
${{ secrets.* }}.Maintainer action required
This code change alone is not sufficient — a maintainer needs to:
CODECOV_TOKEN.Codecov upload tokens are limited in scope (upload coverage only, not code read/push), so the blast radius is bounded, but rotation is still the standard response.
Test plan
secrets.CODECOV_TOKENonce the secret is configured.Scope kept to the token fix only (1 file, 1 line). The supply-chain hardening mentioned in the issue (pinning
codecov/codecov-action@v3andactions/checkout@masterto commit SHAs) is left as a separate follow-up to keep this PR reviewable.