Is there really a need to protect the Codecov upload token?

ggilley · January 10, 2020, 11:27pm

Is there a reason to protect the Codecov upload token?

What I read on the site says it’s “required to identify which project the coverage belongs to”. The only worry I see is that someone could upload bogus results.

It’s a private source code repo, so if it gets out, I have much worse problems that someone being able to add bogus results to codecov. Is there anything I’m missing?

Thanks,

   Greg

drazisil · January 13, 2020, 3:13pm

You are correct that the only risk would be someone uploading incorrect coverage.

The warning is in place because it is needed in some cases for public repos if I recall. For a private repo you have less need for concern.

Topic		Replies	Views
Security issues regarding upload token Support python , circleci	6	938	August 21, 2019
Patch for uploads via Travis CI Support	2	310	June 11, 2020
Upload Issues (`Unable to locate build via Github Actions API`) Support	22	6023	March 23, 2023
Codecov Upload Token Association	2	329	September 27, 2019
Failed to upload the report with CodecovFallbackUploader \| (400) Bad Request Support	8	471	December 1, 2021

Is there really a need to protect the Codecov upload token?

Related topics