Codecov token not found multiple tries

[Kohulan]

Hi All,

We have set CODECOV_TOKEN under repository secret. and for some reason whatever we are trying the upload is not working.
yml file: https://github.com/Steinbeck-Lab/cheminformatics-microservice/blob/main/.github/workflows/test.yml
PR: Steinbeck-Lab/cheminformatics-microservice#499
workflow run: https://github.com/Steinbeck-Lab/cheminformatics-microservice/actions/runs/9303645699/job/25608525393
Is it a problem from outside or some bug from codecov?

I also tested this #1425 but not working

Kind regards,
Kohulan

[slayoo]

Same issue here (nothing changed in the repo or settings, failures started yesterday): https://github.com/open-atmos/PySDM/actions/runs/9304455645/job/25625735958?pr=1335
log:

==> Running version latest
gpg: directory '/home/runner/.gnupg' created
gpg: keybox '/home/runner/.gnupg/pubring.kbx' created
gpg: /home/runner/.gnupg/trustdb.gpg: trustdb created
gpg: key 806BB28AED779869: public key "Codecov Uploader (Codecov Uploader Verification Key) <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1

gpg: Signature made Wed May  8 17:49:27 2024 UTC
gpg:                using RSA key 27034E7FDB850E0BBC2C62FF806BB28AED779869
gpg: Good signature from "Codecov Uploader (Codecov Uploader Verification Key) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2703 4E7F DB85 0E0B BC2C  62FF 806B B28A ED77 9869

==> Running version v0.6.0
==> Running git config --global --add safe.directory /home/runner/work/PySDM/PySDM
/usr/bin/git config --global --add safe.directory /home/runner/work/PySDM/PySDM
==> Running command '/home/runner/work/_actions/codecov/codecov-action/v4.1.0/dist/codecov -v create-commit'
/home/runner/work/_actions/codecov/codecov-action/v4.1.0/dist/codecov -v create-commit --git-service github -C cc1e4d4cdda4dd45d16d5a4c2b2e02252a578fd4 -Z
==> Uploader SHASUM verified (209d13481be406d6a2aa9519fa61c84883e3213308b5628c43a5e94cae75b8e6  codecov)
info - 2024-05-30 22:03:17,699 -- ci service found: github-actions
debug - 2024-05-30 22:03:17,702 -- versioning system found: <class 'codecov_cli.helpers.versioning_systems.GitVersioningSystem'>
debug - 2024-05-30 22:03:17,705 -- versioning system found: <class 'codecov_cli.helpers.versioning_systems.GitVersioningSystem'>
debug - 2024-05-30 22:03:17,708 -- Loading config from /home/runner/work/PySDM/PySDM/.codecov.yml
debug - 2024-05-30 22:03:17,710 -- Starting create commit process --- {"commit_sha": "cc1e4d4cdda4dd45d16d5a4c2b2e02252a578fd4", "parent_sha": null, "pr": "1335", "branch": "dependabot/pip/pypartmc-1.3.1", "slug": "open-atmos/PySDM", "token": null, "service": "github", "enterprise_url": null}
Error: Codecov token not found. Please provide Codecov token with -t flag.
Error: Codecov: Failed to properly create commit: The process '/home/runner/work/_actions/codecov/codecov-action/v4.1.0/dist/codecov' failed with exit code 1

[pllim]

I think I have the same problem. Repo secret is set. We use reusable workflow from https://github.com/OpenAstronomy/github-actions-workflows/blob/7d299a4ef6a655f79dabe1c147c3b095ef69cacd/.github/workflows/tox.yml#L253-L260

[slayoo]

In our case, the problem was that the Dependabot secret was not set (https://github.com/codecov/codecov-action/?tab=readme-ov-file#dependabot)

[Kohulan]

@slayoo We did set everything nothing was working. I am not sure what went wrong here

[nbari]

Same here, I added token to Dependabot tried with token: ${{ secrets.CODECOV_TOKEN }} and env but still get same error:

Error: Codecov token not found. Please provide Codecov token with -t flag.

[Kohulan]

Hi @thomasrockhu-codecov ,

I thought of asking you directly since this is an issue seen predominantly on most of our repositories. Could you kindly let us know what could be the problem?

[skaengus2012]

PR created by dependabot is failing for the same reason. 🥲
#1463 (comment)

[drazisil-codecov]

@Kohulan and @skaengus2012

Have you added the secret in the Dependabot secrets section? That is different from a normal report secret, Dependabot does not have access to regular secrets.

[Kohulan]

@drazisil-codecov

Yes, It is already in place.

[skaengus2012]

@drazisil-codecov

I've �checked that my repo only exists in Actions.

But v3, and v4 until recently, it worked well.
What changes have been made recently?

[marcosschroh]

Same problem!

[gsilvapt]

@drazisil-codecov

I've �checked that my repo only exists in Actions.

But v3, and v4 until recently, it worked well. What changes have been made recently?

It's likely related to 4.4.1, as it was released 3 weeks ago and this issue was created 2 weeks ago. Furthermore, there's #1447 which is this issue specifically for said version.
Going to try pinning 4.4.0 and will edit the response afterwards to let you know whether it worked or not.

---

Edit: Downgrade didn't work. Will try suggestion in the linked issue. Would recommend moderators/maintainers to close this issue so discussions about this issue are kept in a single place though.

[KomachiSion]

Same problem, But same yml can run when code push, and I ask for github, get the answer like:

Thank you for reaching out to GitHub Support!
 
The security feature mentioned in the Copilot response applies only to pull requests opened by forks. For these PRs, secrets are not accessible and GITHUB_TOKEN is limited to read-only for workflows triggered by the pull_request event.
 
https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#accessing-secrets
Workflows triggered from a forked repository using the pull_request event have read-only permissions and have no access to secrets.

 
The [working example](https://github.com/codecov/codecov-action/actions/runs/10242748255) you shared was triggered from a non-fork PR - so the secret was accessible, unlike in this [example](https://github.com/alibaba/nacos/actions/runs/10243765296) where the PR was opened by a fork.
 
There isn't any way to disable this security measure for public repositories. Shifting to the [pull_request_target](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) triggering event as mentioned would be a way to have secrets be accessible - but as you've noted, this event executes from the base of the PR, and also comes with possible risks of the added access to fork PRs.
 
Please let me know if you have any additional questions or concerns!
Best,

Arthur
GitHub Support

I think some changes in github action workflow during these weeks so that pull request from others might can't get secret.
How to solve it?

[skaengus2012]

I added tokens to dependabot, and from then on my repo works fine.
#1463 (comment)