Private repos shown for set up

bruce-wayne · April 22, 2022, 6:57am

If you are using GitHub, have you tried adding the Codecov GitHub app? No
All fields below are required.

Description

After authorizing Codecov, and sync, the landing page shows private repos ready for set up. The default is public only, why are private repos shown?

Also, why is this option not presented to me when asking for GitHub authorization? I should be able to grant access to public repos only. There’s a support article to enable access to private repos, but it doesn’t state the obvious, how not to provide access to private repos.

CI/CD URL

N/A

Codecov Output

N/A

Expected Results

Private repos shouldn’t be shown by default.

Actual Results

Private repos shown by default.

bruce-wayne · April 26, 2022, 7:03pm

Is this bug report pending triage?

tom · May 2, 2022, 11:55pm

@bruce-wayne private repos do not show up unless they have been specifically granted during a GitHub oauth flow.

If you want to revert this, you will need to revoke oauth access for Codecov in your GitHub settings and log back into Codecov again. If you see the request for both public and private in the GitHub oauth flow, you may need to remove private=true or something similar from the URL.

bruce-wayne · May 4, 2022, 3:31am

I didn’t grant private repo access specifically, simply clicked on login. I have also revoked permission and logged in again, to no avail.

tom · May 4, 2022, 9:08pm

@bruce-wayne can you confirm that you revoked permissions from here?

bruce-wayne · May 5, 2022, 3:10am

AFAIK, that’s the only way to revoke permissions.

tom · May 5, 2022, 3:23am

@bruce-wayne can you show me a screenshot of the GitHub oauth flow when you sign in to Codecov after revoking permissions? it should look like

bruce-wayne · May 6, 2022, 3:38am

There is no option to opt out private repos, which is why this ticket exists. I also tried by manipulating the URL (instead of clicking on the login button), to no avail.

https://codecov.io/login/github?private=false&redirect=github/<username>

This is a security issue.

tom · May 17, 2022, 4:24am

@bruce-wayne, we are working on a UI update that will more explicitly show private scope as a selection.

To opt out of private scope, you can update the login URL of the oath screen from

https://github.com/login/oauth/authorize?response_type=code&scope=user%3Aemail%2Cread%3Aorg%2Crepo%3Astatus%2Cwrite%3Arepo_hook%2Crepo&client_id=...

to

https://github.com/login/oauth/authorize?response_type=code&scope=user%3Aemail%2Cread%3Aorg%2Crepo%3Astatus%2Cwrite%3Arepo_hook&client_id=...

Note the removal of %2Crepo near the end of the URL. You should see a screen that looks like

bruce-wayne · May 18, 2022, 6:53am

That doesn’t help. It removes the repository access request, but after logging in, private repos are still shown. What’s even more ridiculous is that the screen claims to show public repos only.
I’ve revoked Codecov access from GitHub, because I can’t allow an app that’s sneaky.

tom · May 24, 2022, 6:04pm

@bruce-wayne my fault, this definitely shouldn’t be happening for you.

Can you send me send me a DM with proof of ownership to the GitHub username asakar and we will delete your private repos.

On sign-in after that, please remove all Codecov cookies and be sure to set public only in this dropdown

tom · May 24, 2022, 6:07pm

Also, from our security FAQ

Does Codecov store source code?

We do not store source code. Some archived raw uploads may contain source code, which you can elect to disable.

There is only one opportunity for source code to be stored: while uploading reports. Coverage reporting tools for some languages, gcov for C++ for example, produce reports that include source code in the report data in order to apply report fixes. Codecov scrubs some source code out (and we plan to support this effort more) but may not find it all. These uploads, by default, are archived for 1 month. You may elect to prevent all uploads from archiving by disabling this feature.

bruce-wayne · May 24, 2022, 6:58pm

Isn’t a screenshot of having set up GH integration sufficient proof of ownership? How’d a random user without admin access allow or revoke the app permission?

tom · May 24, 2022, 8:10pm

@bruce-wayne I cannot confirm that the app permissions for the above org or user were revoked or not given the screenshots above.

bruce-wayne · May 24, 2022, 8:57pm

These should help.

tom · August 23, 2023, 2:53am

@bruce-wayne I never got a chance to get back to this post. We switched to a GitHub app over an Oauth app which should help have more granular permissions.

I don’t know if this was still an issue for you, but if so, let me know if I can help.

Topic		Replies	Views
Unable to see Org private repos - Issue with github app vs oAuth app Support github	1	178	June 15, 2023
How to revoke private repo access Support	2	356	October 21, 2021
Access granted but repo does not appear Support	3	280	August 16, 2022
No repos detected Support	2	282	August 18, 2021
Can't see organization private repos Support	2	314	July 7, 2021