Whitelist GitHub Action Servers to upload without a token


Description of the issue

Travis CI e.g. are whitelisted and coverage results can be uploaded without providing a token. It would be awesome if the GitHub Action servers can also be whitelisted.

Needed documentation changes



Expected behavior: It can be uploaded without specifying a token

Actual behavior: A token is required

Flakiness? It does happen always


Thanks for the suggestion @mxschmitt!

Tokenless uploads works by fetching and confirming the build via the API. I’m not sure if this is possible with GitHub Actions, but I’ve passed the request along to our engineering team.

1 Like

This would be awesome…are there any updates to this?

Currently, GitHub Actions does not have an API, so this will not be possible until one is created.

Tokenless uploads works by fetching and confirming the build via the API.

Couldn’t this be archived with the GITHUB_TOKEN?

Like for example Coveralls does here: https://github.com/coverallsapp/github-action

1 Like

This is also important for forks / pull requests.

Hi all,

Ib from Codecov here. The GitHub Actions API is set to be released on Nov 13 alongside the general public release of Actions for all GitHub users. We’ll be looking to support tokenless uploads promptly after the API comes out. Unfortunately, prior to the API being released we aren’t able to authenticate uploads without a token.


Any progress on this? I’m considering a switch from coveralls to codecov but I am not an owner in the organization so I’m unable to add secrets to the github repo. Being able to use the github token would make this transition possible.

1 Like

Hey @eyal0!

Thanks for your inquiry. We reached out to our GitHub contacts and it looks like the beta release of the Actions API is scheduled for early next year, around Jan/Feb. We previously anticipated that GitHub would release their API sooner, but unfortunately that’s not the case.

With regards to using the github token for authentication purposes, it doesn’t really make since the repository token provided by Codecov is different from the github token. There’s really no way for us to validate a github token if the user provided it to us in place of the Codecov token which is why we don’t use it in our action.


Yes, that makes sense. Thanks!