We have recently seen an influx of issues where uploads fail with the error message "Unable to locate build via Github Actions API". The uploads fail because Codecov is unable to check the validity of a coverage upload when tokenless uploads are used. The underlying issue is rate-limiting from GitHub.
Am I having this problem?
If you are not using GitHub Actions, this problem should not affect you. The best way to find out is to check whether any of your GitHub Actions checks have failed in the Codecov upload step with the following error message: "Unable to locate build via Github Actions API".
What should I do about it?
Although there is no way to guarantee success, we recommend two ways of dramatically increasing successful uploads:
- Add the Codecov upload token even if your project is public. We recommend adding it as an environment secret rather than hard-coding it.
- Retry the upload step in CI/CD.
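
The two recommendations above, sketched as a retry wrapper for the upload step (an added example, not Codecov's own code). It assumes the token reaches the job through an environment variable named `CODECOV_TOKEN`, populated from a CI secret; `retry_upload`, `upload_mode` and `UPLOAD_CMD` are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example: retry a coverage upload step with exponential backoff.
# Assumption: the token arrives via the CODECOV_TOKEN environment variable,
# populated from a CI secret and never written into the repository.

# upload_mode: print "token" if a token is present, otherwise "tokenless".
# On pull requests from forks the secret is not available to the job, so
# the upload falls back to the tokenless path described on this page.
upload_mode() {
    if [ -n "${CODECOV_TOKEN:-}" ]; then
        echo "token"
    else
        echo "tokenless"
    fi
}

# retry_upload MAX_ATTEMPTS BASE_DELAY_SECONDS CMD [ARGS...]
# Runs CMD until it succeeds or MAX_ATTEMPTS is reached, doubling the delay
# after each failure. Returns 0 on success and 1 when attempts are exhausted.
# The number of attempts made is left in RETRY_ATTEMPTS.
retry_upload() {
    max=$1
    delay=$2
    shift 2
    RETRY_ATTEMPTS=0
    while [ "$RETRY_ATTEMPTS" -lt "$max" ]; do
        RETRY_ATTEMPTS=$((RETRY_ATTEMPTS + 1))
        if "$@"; then
            return 0
        fi
        if [ "$RETRY_ATTEMPTS" -lt "$max" ]; then
            # Log the mode only, never the token value itself.
            echo "upload attempt $RETRY_ATTEMPTS/$max failed ($(upload_mode)); retrying in ${delay}s" >&2
            sleep "$delay"
            delay=$((delay * 2))
        fi
    done
    return 1
}

# Usage in a CI step, where UPLOAD_CMD stands for the uploader command
# your pipeline already runs:
#   retry_upload 4 5 $UPLOAD_CMD
```
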
What is Codecov doing about it?
Right now, we are exploring various options to decrease our use of GitHub’s API. We anticipate a longer-term solution in the next few weeks.
The issue is still ongoing, and we are taking steps to decrease our GitHub API use. At this point, we strongly recommend using the Codecov upload token to upload to Codecov.
Public repositories that rely on PRs via forks will find that they cannot effectively use Codecov if the token is stored as a GitHub secret. The scope of the Codecov token is only to confirm that the coverage uploaded comes from a specific repository, not to pull down source code or make any code changes.
For this reason, we recommend that teams with public repositories that rely on PRs via forks consider the security ramifications of making the Codecov token available rather than keeping it in a secret.
A malicious actor would be able to upload incorrect or misleading coverage reports to a specific repository if they have access to your upload token, but would not be able to pull down source code or make any code changes.