Question: OIDC auth and tokenless

[cidrblock]

We are getting the following errors:

error - 2024-05-29 17:06:07,758 -- Commit creating failed: {"detail":"Tokenless has reached GitHub rate limit. Please upload using a token: https://docs.codecov.com/docs/adding-the-codecov-token. Expected available in 1808 seconds."}

We have oidc auth configured and have confirmed that id-token: write is configured.

Example: https://github.com/ansible/ansible-dev-tools/blob/1905e099f98b3df29c51174c626383cbaaca0ea4/.github/workflows/tox.yml#L148

We were under the impression that OIDC would work fine with coverage from a fork, although it appears the coverage CLI is unaware that OIDC is configured and does not take that into account:

https://github.com/codecov/codecov-cli/blob/7432bad76c619e34d6617b578e039e7d733e3f00/codecov_cli/helpers/git.py#L100

Is this a bug or a misunderstanding?

Thanks- Brad

[ssbarnea]

I keep seeing the same more and more often. When OIDC was introduced we were not told that it does not work as real token replacement and that is affected by api limitations of the tokenless option.

https://github.com/ansible/vscode-ansible/actions/runs/9454363931/job/26041754863?pr=1348

@thomasrockhu-codecov If you can take a look, we will really appreciate.

[cidrblock]

Here's a more recent example of the same issue if needed:

https://github.com/ansible/molecule/actions/runs/9465727251/job/26076225688?pr=4222#step:9:48

[thomasrockhu-codecov]

@ssbarnea @cidrblock would you mind trying 4.5.0? I think this will fix the issue

[ssbarnea]

@thomasrockhu-codecov Based on results I seen on https://github.com/ansible/ansible-creator/actions/runs/9609497816/job/26504809239?pr=233#step:9:51 i believe that is does not fully work. Workflow uses v4 tag, which means it should taked latest v4.

The job is defined inside https://github.com/ansible/ansible-creator/blob/main/.github/workflows/tox.yml and reuses workflow from
https://github.com/ansible/team-devtools/blob/main/.github/workflows/tox.yml

I doubt this has anything to do with the use of reusable workflows because I use the same workflow on other projects and the codecov upload succeeded there, like https://github.com/ansible/vscode-ansible/actions/runs/9611712751/job/26510856390?pr=1318

One thing that worries me is that is see this while oidc is configured. Maybe the oidc does not work for forks?

==> Fork detected, tokenless uploading used

[cidrblock]

Yup, thank you for updating the repo so v4 points to 4.5.0, that'll save us some work.

That being saide, @ssbarnea is right, we're seeing different errors now:

https://github.com/ansible/ansible-creator/actions/runs/9615967343/job/26524494680?pr=235#step:9:46

[cidrblock]

I just noticed it appears to be running the same command twice, I'm not sure if that is intentional:

==> Running command '/home/runner/work/_actions/codecov/codecov-action/v4/dist/codecov create-commit'
/home/runner/work/_actions/codecov/codecov-action/v4/dist/codecov create-commit --git-service github -C 50401634ae07f13974b176395b9[43](https://github.com/ansible/ansible-creator/actions/runs/9615967343/job/26524494680?pr=235#step:9:44)4540b3ff370 -Z
info - 2024-06-21 15:24:36,697 -- ci service found: github-actions
info - 2024-06-21 15:24:36,707 -- The PR is happening in a forked repo. Using tokenless upload.
info - 2024-06-21 15:24:36,910 -- Process Commit creating complete
==> Running command '/home/runner/work/_actions/codecov/codecov-action/v4/dist/codecov create-report'
/home/runner/work/_actions/codecov/codecov-action/v4/dist/codecov create-report --git-service github -C 50401634ae07f13974b176395b943[45](https://github.com/ansible/ansible-creator/actions/runs/9615967343/job/26524494680?pr=235#step:9:46)40b3ff370 -Z
info - 2024-06-21 15:24:37,657 -- ci service found: github-actions
Error: Codecov token not found. Please provide Codecov token with -t flag.
Error: Codecov:
                        Failed to properly create report: The process '/home/runner/work/_actions/codecov/codecov-action/v4/dist/codecov' failed with exit code 1

[webknjaz]

FWIW GitHub only allows the id-token: write privilege to be set within upstream repositories, never from forks. Even if it's set in the GitHub Actions CI/CD workflow definition, it's reset to whatever GitHub deems to be safe enough: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token#changing-the-permissions-in-a-forked-repository / https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#controlling-changes-from-forks-to-workflows-in-public-repositories. It'd allow contributors to impersonate trusted envs, otherwise. It might work for pull_request_target (instead of pull_request), I suppose. But then, you're taking full responsibility for opening up a new attack surface.

[webknjaz]

The tokenless uploads you see in the logs don't use OIDC, they use the old-style mechanism as an exception. And then, the Codecov platform needs to verify the authenticity of such an upload because it's not coming from a trusted place (and isn't signed via OIDC).