Private repos shown for set up

If you are using GitHub, have you tried adding the Codecov GitHub app? No
All fields below are required.

Description

After authorizing Codecov, and sync, the landing page shows private repos ready for set up. The default is public only, why are private repos shown?

Also, why is this option not presented to me when asking for GitHub authorization? I should be able to grant access to public repos only. There’s a support article to enable access to private repos, but it doesn’t state the obvious, how not to provide access to private repos.

CI/CD URL

N/A

Codecov Output

N/A

Expected Results

Private repos shouldn’t be shown by default.

Actual Results

Private repos shown by default.

Is this bug report pending triage?

@bruce-wayne private repos do not show up unless they have been specifically granted during a GitHub oauth flow.

If you want to revert this, you will need to revoke oauth access for Codecov in your GitHub settings and log back into Codecov again. If you see the request for both public and private in the GitHub oauth flow, you may need to remove private=true or something similar from the URL.

I didn’t grant private repo access specifically, simply clicked on login. I have also revoked permission and logged in again, to no avail.

@bruce-wayne can you confirm that you revoked permissions from here?

AFAIK, that’s the only way to revoke permissions.

@bruce-wayne can you show me a screenshot of the GitHub oauth flow when you sign in to Codecov after revoking permissions? It should look like

There is no option to opt out private repos, which is why this ticket exists. I also tried by manipulating the URL (instead of clicking on the login button), to no avail.

https://codecov.io/login/github?private=false&redirect=github/<username>

This is a security issue.

@bruce-wayne, we are working on a UI update that will more explicitly show private scope as a selection.

To opt out of private scope, you can update the login URL of the OAuth screen from

https://github.com/login/oauth/authorize?response_type=code&scope=user%3Aemail%2Cread%3Aorg%2Crepo%3Astatus%2Cwrite%3Arepo_hook%2Crepo&client_id=...

to

https://github.com/login/oauth/authorize?response_type=code&scope=user%3Aemail%2Cread%3Aorg%2Crepo%3Astatus%2Cwrite%3Arepo_hook&client_id=...

Note the removal of %2Crepo near the end of the URL. You should see a screen that looks like
[image]
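The URL edit above is a manual least-privilege step: GitHub's `repo` scope grants read and write access to private repositories, while `repo:status`, `write:repo_hook`, `read:org` and `user:email` do not. The following script is an added example for this thread, not Codecov's code; it lists the scopes an authorize URL requests, flags whether `repo` is among them, and rebuilds the URL without it while leaving every other parameter untouched. It assumes only GitHub's documented scope model and that GitHub accepts comma- or space-separated scope lists; the client_id value is the elided `...` from the post.

```python
"""Inspect and narrow the scopes in a GitHub OAuth authorize URL.

Added example for this thread; it is not Codecov's code. Assumes GitHub's
scope model: `repo` grants full access to private repositories, while
`repo:status`, `write:repo_hook`, `read:org` and `user:email` are narrower.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Scopes that grant access to private repository contents (per GitHub's
# scope documentation). Everything else in the thread's URL is narrower.
PRIVATE_REPO_SCOPES = {"repo"}


def split_scopes(scope_value: str) -> list[str]:
    """GitHub accepts comma- or space-separated scope lists; handle both."""
    return [s for s in re.split(r"[,\s]+", scope_value.strip()) if s]


def requested_scopes(url: str) -> list[str]:
    """Return the scopes an authorize URL asks for, in the order given."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    scopes: list[str] = []
    for key, value in params:
        if key == "scope":
            scopes.extend(split_scopes(value))
    return scopes


def requests_private_repo_access(url: str) -> bool:
    """True if approving this URL would grant private repository access."""
    return any(s in PRIVATE_REPO_SCOPES for s in requested_scopes(url))


def drop_private_repo_scope(url: str) -> str:
    """Rebuild the URL without `repo`, keeping all other parameters intact."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    rebuilt = []
    for key, value in params:
        if key == "scope":
            kept = [s for s in split_scopes(value) if s not in PRIVATE_REPO_SCOPES]
            value = ",".join(kept)
        rebuilt.append((key, value))
    # urlencode percent-encodes ':' as %3A and ',' as %2C, matching the
    # form GitHub's login page produces.
    return urlunsplit(parts._replace(query=urlencode(rebuilt)))


if __name__ == "__main__":
    # The URL quoted in the thread (client_id elided there as "...").
    url = ("https://github.com/login/oauth/authorize?response_type=code"
           "&scope=user%3Aemail%2Cread%3Aorg%2Crepo%3Astatus%2Cwrite%3Arepo_hook%2Crepo"
           "&client_id=...")
    print("requested:", requested_scopes(url))
    print("private repo access:", requests_private_repo_access(url))
    print("narrowed:", drop_private_repo_scope(url))
```

Run it against the authorize URL shown in the browser before clicking "Authorize"; if `requests_private_repo_access` returns True, the narrowed URL is the one to open instead. Note, as the thread goes on to show, that removing the scope only limits what the OAuth token can read; whether an integration displays or retains private repositories it previously saw is a separate question for the integration itself.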

That doesn’t help. It removes the repository access request, but after logging in, private repos are still shown. What’s even more ridiculous is that the screen claims to show public repos only.
I’ve revoked Codecov access from GitHub, because I can’t allow an app that’s sneaky.

@bruce-wayne my fault, this definitely shouldn’t be happening for you.

Can you send me a DM with proof of ownership to the GitHub username asakar and we will delete your private repos.

On sign-in after that, please remove all Codecov cookies and be sure to set public only in this dropdown
[image]

Also, from our security FAQ

Does Codecov store source code?

We do not store source code. Some archived raw uploads may contain source code, which you can elect to disable.

There is only one opportunity for source code to be stored: while uploading reports. Coverage reporting tools for some languages, gcov for C++ for example, produce reports that include source code in the report data in order to apply report fixes. Codecov scrubs some source code out (and we plan to support this effort more) but may not find it all. These uploads, by default, are archived for 1 month. You may elect to prevent all uploads from archiving by disabling this feature.

Isn’t a screenshot of having set up GH integration sufficient proof of ownership? How’d a random user without admin access allow or revoke the app permission?

@bruce-wayne I cannot confirm that the app permissions for the above org or user were revoked or not given the screenshots above.

These should help.