Whitelist GitHub Action Servers to upload without a token


Description of the issue

Travis CI e.g. are whitelisted and coverage results can be uploaded without providing a token. It would be awesome if the GitHub Action servers can also be whitelisted.

Needed documentation changes



Expected behavior: It can be uploaded without specifying a token

Actual behavior: A token is required

Flakiness? It does happen always


Thanks for the suggestion @mxschmitt!

Tokenless uploads works by fetching and confirming the build via the API. I’m not sure if this is possible with GitHub Actions, but I’ve passed the request along to our engineering team.


This would be awesome…are there any updates to this?

Currently, GitHub Actions does not have an API, so this will not be possible until one is created.

1 Like

Tokenless uploads works by fetching and confirming the build via the API.

Couldn’t this be archived with the GITHUB_TOKEN?

Like for example Coveralls does here: https://github.com/coverallsapp/github-action

1 Like

This is also important for forks / pull requests.

Hi all,

Ib from Codecov here. The GitHub Actions API is set to be released on Nov 13 alongside the general public release of Actions for all GitHub users. We’ll be looking to support tokenless uploads promptly after the API comes out. Unfortunately, prior to the API being released we aren’t able to authenticate uploads without a token.


Any progress on this? I’m considering a switch from coveralls to codecov but I am not an owner in the organization so I’m unable to add secrets to the github repo. Being able to use the github token would make this transition possible.

1 Like

Hey @eyal0!

Thanks for your inquiry. We reached out to our GitHub contacts and it looks like the beta release of the Actions API is scheduled for early next year, around Jan/Feb. We previously anticipated that GitHub would release their API sooner, but unfortunately that’s not the case.

With regards to using the github token for authentication purposes, it doesn’t really make since the repository token provided by Codecov is different from the github token. There’s really no way for us to validate a github token if the user provided it to us in place of the Codecov token which is why we don’t use it in our action.


1 Like

Yes, that makes sense. Thanks!

1 Like

I am also interested in a way of using GitHub Actions without a token.

I feel that my case might be a bit unique in which directs me in needing this ability.

I am apart of an Open Source organization that has hundreds of projects which have separate communities of contributors. The organization administrators take security and repo management very strictly. I am only a member of the repos that can contribute directly to the repo. We do not have access to GH repo or org settings.

I feel that the organization admins are willing to get the upload token and add it to our repo settings as a “secret” for GH Actions. The downside is when they attempt to login to Codecov, it requires read and write access to repository webhooks and services.

Write access is something they can not approve of for security purposes.

As of right now, we can not use Codecov with GH Actions until you can find a solution that does not require tokens or remove write access so they can log in and get the token.

In the meantime, we can continue to use Codecov with Travis CI to use the service but we would like to move away from Travis CI. Their service resources are limited across the organization and as I said earlier there are hundreds of projects which consume so much of the resources.

I hope we find some solution!

1 Like

Hi @erisu. We’ll make sure to update our community as soon as tokenless uploads for GitHub Actions are available. For the time being, there is still no public API for Actions, which means the repository token remains the only method of authentication for those repositories. We’ve been in contact with people at GitHub and their Actions API is scoped to be released early next year, so we plan on delivering this feature as soon as it comes out.

I certainly empathize with your organization’s circumstances and understand that it can be hard to manage contributors who don’t have access to secrets. In the meantime, I’m glad you’re utilizing tokenless uploads via Travis :slight_smile:


Hope you seen https://github.blog/changelog/2020-01-27-github-actions-api-beta/ :heart_eyes:


We have! Tokenless uploads for GitHub Actions is in the works :slight_smile:


That’s wonderful! Is there a specific tracking issue for that work that we can watch in the meantime?

1 Like

Hi all,

We’ve officially deployed tokenless for GitHub Actions as of today (2/4)! I’m sorry about the long wait time - there were lots of components on the backend that needed to be synchronized for this to come together.

Keep in mind however that tokenless uploads will only work for repositories that are public.

Happy (tokenless) uploading!



Hello @ibrahim0814,

Thanks for great work! Could you check this out? Can’t make it work, see logs:

2020-03-05T00:39:32.6719483Z ==> Uploading reports
2020-03-05T00:39:32.6720264Z     url: https://codecov.io
2020-03-05T00:39:32.6721158Z     query: branch=refs%2Fpull%2F1012%2Fmerge&commit=e18e2477631ebc1671c7b922b9c9c810c180c32d&build=&build_url=http%3A%2F%2Fgithub.com%2Fjazzband%2Fpip-tools%2Factions%2Fruns%2F&name=py3.8-piplatest-coverage-ubuntu-latest&tag=&slug=jazzband%2Fpip-tools&service=github-actions&flags=&pr=&job=
2020-03-05T00:39:32.6752802Z     -> Pinging Codecov
2020-03-05T00:39:32.6754859Z https://codecov.io/upload/v4?package=bash-20200303-bc4d7e6&token=secret&branch=refs%2Fpull%2F1012%2Fmerge&commit=e18e2477631ebc1671c7b922b9c9c810c180c32d&build=&build_url=http%3A%2F%2Fgithub.com%2Fjazzband%2Fpip-tools%2Factions%2Fruns%2F&name=py3.8-piplatest-coverage-ubuntu-latest&tag=&slug=jazzband%2Fpip-tools&service=github-actions&flags=&pr=&job=
2020-03-05T00:39:32.7627225Z     -> Sleeping for 30s and trying again...
2020-03-05T00:40:02.7643836Z     -> Pinging Codecov
2020-03-05T00:40:02.7645132Z https://codecov.io/upload/v4?package=bash-20200303-bc4d7e6&token=secret&branch=refs%2Fpull%2F1012%2Fmerge&commit=e18e2477631ebc1671c7b922b9c9c810c180c32d&build=&build_url=http%3A%2F%2Fgithub.com%2Fjazzband%2Fpip-tools%2Factions%2Fruns%2F&name=py3.8-piplatest-coverage-ubuntu-latest&tag=&slug=jazzband%2Fpip-tools&service=github-actions&flags=&pr=&job=
2020-03-05T00:40:02.8475796Z     -> Sleeping for 30s and trying again...
2020-03-05T00:40:32.8487595Z     -> Pinging Codecov
2020-03-05T00:40:32.8489200Z https://codecov.io/upload/v4?package=bash-20200303-bc4d7e6&token=secret&branch=refs%2Fpull%2F1012%2Fmerge&commit=e18e2477631ebc1671c7b922b9c9c810c180c32d&build=&build_url=http%3A%2F%2Fgithub.com%2Fjazzband%2Fpip-tools%2Factions%2Fruns%2F&name=py3.8-piplatest-coverage-ubuntu-latest&tag=&slug=jazzband%2Fpip-tools&service=github-actions&flags=&pr=&job=
2020-03-05T00:40:32.9530438Z     -> Sleeping for 30s and trying again...
2020-03-05T00:41:02.9545893Z     -> Pinging Codecov
2020-03-05T00:41:02.9546971Z https://codecov.io/upload/v4?package=bash-20200303-bc4d7e6&token=secret&branch=refs%2Fpull%2F1012%2Fmerge&commit=e18e2477631ebc1671c7b922b9c9c810c180c32d&build=&build_url=http%3A%2F%2Fgithub.com%2Fjazzband%2Fpip-tools%2Factions%2Fruns%2F&name=py3.8-piplatest-coverage-ubuntu-latest&tag=&slug=jazzband%2Fpip-tools&service=github-actions&flags=&pr=&job=
2020-03-05T00:41:03.0286967Z     -> Sleeping for 30s and trying again...
2020-03-05T00:41:33.0298074Z     -> Uploading to Codecov
2020-03-05T00:41:33.1516954Z     -> Sleeping for 30s and trying again...
2020-03-05T00:42:03.2385328Z     -> Sleeping for 30s and trying again...
2020-03-05T00:42:33.3304531Z     -> Sleeping for 30s and trying again...
2020-03-05T00:43:03.4040178Z     -> Sleeping for 30s and trying again...
2020-03-05T00:43:33.4090726Z     X> Failed to upload coverage reports

Hi @atugushev, I just released a new version of our Codecov Action which addresses some bugs with tokenless. My hunch is that it should fix your issue here.

I encountered the same problem while I was testing on a sample repository - the problem turned out to be that we weren’t passing the correct environment variables in our Action to make tokenless work. Should be okay now with the new version of the Action


1 Like

Does this mean that token-less upload only works with the GitHub Action and does not work with the Bash uploader?

No, it should work on both! Have you encountered issues with tokenless uploads on the bash uploader?

1 Like