Is there really a need to protect the Codecov upload token?

Is there a reason to protect the Codecov upload token?

What I read on the site says it’s “required to identify which project the coverage belongs to”. The only worry I see is that someone could upload bogus results.

It’s a private source code repo, so if it gets out, I have much worse problems than someone being able to add bogus results to Codecov. Is there anything I’m missing?



You are correct that the only risk would be someone uploading incorrect coverage.

The warning is in place because it is needed in some cases for public repos, if I recall. For a private repo you have less need for concern.