Is there really a need to protect the Codecov upload token?

ggilley · January 10, 2020, 11:27pm

Is there a reason to protect the Codecov upload token?

What I read on the site says it’s “required to identify which project the coverage belongs to”. The only worry I see is that someone could upload bogus results.

It’s a private source code repo, so if it gets out, I have much worse problems that someone being able to add bogus results to codecov. Is there anything I’m missing?

Thanks,

   Greg

drazisil · January 13, 2020, 3:13pm

You are correct that the only risk would be someone uploading incorrect coverage.

The warning is in place because it is needed in some cases for public repos if I recall. For a private repo you have less need for concern.

Topic		Replies	Views
Security issues regarding upload token Support python , circleci	6	866	August 21, 2019
Upload Issues (`Unable to locate build via Github Actions API`) Support	22	5190	March 23, 2023
Failed to upload the report with CodecovFallbackUploader \| (400) Bad Request Support	8	420	December 1, 2021
Result upload marked as "upload expired" Support	6	136	January 16, 2023
ERROR 500 when authentication error should be thrown Support	3	270	September 16, 2022

Is there really a need to protect the Codecov upload token?

Related Topics