Security issues regarding upload token

I am planning to use the upload token in the codecov yaml file so that even PRs using local builds sends the correct coverage report. That being said, I am a little concerned about its security. Is it safe to hard code the token and let the whole world see it? The other alternative seems to be using it as an env variable. But the CircleCI doc mentions there are some security issues there. You can read it here: https://circleci.com/docs/2.0/oss/#pass-secrets-to-builds-from-forked-pull-requests.

Overall, I want to ask what will the problems be if the upload token is exposed? I would really appreciate if you help me out here.

Hi @lilithxxx We recomend using an ENV to tore your upload toke, though if the repo is public one is not needed on CircleCI

The security concern mentioned by CircleCI involved if the repo was forked and secrets were shared with the fork, then someone could echo out that ENV. This would be the case on most ways.

If you need the token, and you are concerned with someone gaining access to it, I would reach out to CircleCI for more possible ways of storing that secret.

OK. Here’s the problem I am facing:
For the PRs which uses local instances of CircleCi, Codecov sends the coverage report to a different endpoint (corresponding to the contributor’s local repo) and thus the codecov checks does not start and also the coverage reports are not posted. For example, if I am using an local instance, the coverage payload is sent to https://codecov.io/github/user/org/commit/xxxxxxx while if I do not use the local instance the payload will be sent to https://codecov.io/github/org/org/commit/xxxxxxx (which is what we desire).

I figured the solution to this problem is to specify the token such that the coverage payload is always sent to the end point configured for the main repo(‘org’)

Is there any way codecov will work correctly for the local instances without specifying the token?

EDIT: Also is there a way Codecov can send the coverage info to the main repo in spite of contributors setting up their local instances.

Hey guys, any help on this? This actually comes under my GSoC project and the deadline for get it all done is 26th Aug. So I would really appreciate if you help me out here. Thanks!

Can you check if it works by setting the slug using the -r flag?

    -r SLUG      owner/repo slug used instead of the private repo token in Enterprise
                 (option) set environment variable CODECOV_SLUG=:owner/:repo
                 (option) set in your codecov.yml "codecov.slug"

Might only work on Codecov Enterprise

I tried your solution but it doesn’t work, perhaps due to the fact that we are not using Codecov Enterprise. Is there any other solution? If not, how unsafe will it be if I hard-code the upload token? Will you recommend hard-coding it?

Hard coding the token will allow anyone to upload reports as if they were your project. It will not allow anyone to make changes to your account, or change any settings.

If that is your only option, it’s probably fine.