Whitelist GitHub Action Servers to upload without a token

Description

Description of the issue

Travis CI, for example, is whitelisted, and coverage results can be uploaded without providing a token. It would be awesome if the GitHub Action servers could also be whitelisted.

Needed documentation changes

Repository

Check

Expected behavior: It can be uploaded without specifying a token

Actual behavior: A token is required

Flakiness? It always happens.

3 Likes

Thanks for the suggestion @mxschmitt!

Tokenless uploads work by fetching and confirming the build via the API. I’m not sure if this is possible with GitHub Actions, but I’ve passed the request along to our engineering team.

1 Like
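
As an added example (not Codecov's code and not part of the original thread), this shows one way a server could "fetch and confirm the build via the API" before accepting an upload that carries no repository token. The CI records, field names, `fetch_build` helper, and the running-state and age checks are assumptions constructed for the illustration.

```python
# Constructed stand-in for a CI provider's build API (job id -> build record).
CI_BUILDS = {
    "1001": {"slug": "octo/widgets", "commit": "a" * 40,
             "state": "started", "started_at": 1_700_000_000},
    "1002": {"slug": "octo/widgets", "commit": "b" * 40,
             "state": "passed", "started_at": 1_699_000_000},
}
MAX_BUILD_AGE = 4 * 3600  # assumption: only accept uploads from recent builds
NOW = 1_700_000_600       # constructed clock value for the demo


def fetch_build(job_id):
    """Hypothetical CI API lookup; None means the provider has no such build."""
    return CI_BUILDS.get(job_id)


def confirm_tokenless_upload(claim, now, fetch=fetch_build):
    """Return (accepted, reason) for an upload sent without a repository token.

    Nothing in `claim` is trusted: each field is compared with the record
    the CI provider itself returns for the claimed job id.
    """
    build = fetch(claim.get("job_id", ""))
    if build is None:
        return False, "build not found via CI API"
    if build["slug"] != claim.get("slug"):
        return False, "build belongs to a different repository"
    if build["commit"] != claim.get("commit"):
        return False, "commit does not match the build"
    if build["state"] != "started":
        return False, "build is not running"
    if now - build["started_at"] > MAX_BUILD_AGE:
        return False, "build is too old"
    return True, "confirmed"


if __name__ == "__main__":
    genuine = {"job_id": "1001", "slug": "octo/widgets", "commit": "a" * 40}
    spoofed = dict(genuine, slug="mallory/other")
    print(confirm_tokenless_upload(genuine, NOW))
    print(confirm_tokenless_upload(spoofed, NOW))
    # A provider with no build API leaves the server nothing to confirm against.
    print(confirm_tokenless_upload(genuine, NOW, fetch=lambda job_id: None))
```
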

This would be awesome…are there any updates to this?

Currently, GitHub Actions does not have an API, so this will not be possible until one is created.

Tokenless uploads work by fetching and confirming the build via the API.

Couldn’t this be achieved with the GITHUB_TOKEN?

EDIT:
Like for example Coveralls does here: https://github.com/coverallsapp/github-action

1 Like

This is also important for forks / pull requests.

Hi all,

Ib from Codecov here. The GitHub Actions API is set to be released on Nov 13 alongside the general public release of Actions for all GitHub users. We’ll be looking to support tokenless uploads promptly after the API comes out. Unfortunately, prior to the API being released we aren’t able to authenticate uploads without a token.

4 Likes

Any progress on this? I’m considering a switch from coveralls to codecov but I am not an owner in the organization so I’m unable to add secrets to the github repo. Being able to use the github token would make this transition possible.

1 Like

Hey @eyal0!

Thanks for your inquiry. We reached out to our GitHub contacts and it looks like the beta release of the Actions API is scheduled for early next year, around Jan/Feb. We previously anticipated that GitHub would release their API sooner, but unfortunately that’s not the case.

With regards to using the github token for authentication purposes, it doesn’t really make sense, since the repository token provided by Codecov is different from the github token. There’s really no way for us to validate a github token if the user provided it to us in place of the Codecov token, which is why we don’t use it in our action.

Ib

Yes, that makes sense. Thanks!

1 Like

I am also interested in a way of using GitHub Actions without a token.

I feel that my case might be a bit unique, which leads me to need this ability.

I am a part of an Open Source organization that has hundreds of projects which have separate communities of contributors. The organization administrators take security and repo management very strictly. I am only a member of the repos that can contribute directly to the repo. We do not have access to GH repo or org settings.

I feel that the organization admins are willing to get the upload token and add it to our repo settings as a “secret” for GH Actions. The downside is that when they attempt to log in to Codecov, it requires read and write access to repository webhooks and services.

Write access is something they cannot approve of for security purposes.

As of right now, we cannot use Codecov with GH Actions until you can find a solution that does not require tokens or remove write access so they can log in and get the token.

In the meantime, we can continue to use Codecov with Travis CI to use the service but we would like to move away from Travis CI. Their service resources are limited across the organization and as I said earlier there are hundreds of projects which consume so much of the resources.

I hope we find some solution!

1 Like

Hi @erisu. We’ll make sure to update our community as soon as tokenless uploads for GitHub Actions are available. For the time being, there is still no public API for Actions, which means the repository token remains the only method of authentication for those repositories. We’ve been in contact with people at GitHub and their Actions API is scoped to be released early next year, so we plan on delivering this feature as soon as it comes out.

I certainly empathize with your organization’s circumstances and understand that it can be hard to manage contributors who don’t have access to secrets. In the meantime, I’m glad you’re utilizing tokenless uploads via Travis 🙂

2 Likes