Upload failed: {"detail":"Not valid tokenless upload"}

[ssbarnea]

As opposed to its older sibling https://github.com/codecov/codecov-action this action does not support use_oidc flag.

The issue here is that this happening on pull requests coming from external forks, triggered on pull_request, so they do not have access to the environment secrets.

Changing the workflow definition to trigger on pull_request_target would prevent us from testing genuine pull requests that are fixing GHA workflows themselves. A bit of a chicken and the egg kind of issue.

Should I maybe upload test results only for jobs triggered on pushes and avoid running them for pull-requests?

PS. In fact I am wondering why this action was developed separately instead of just extending codecov/codecov-action to also allow upload of test results. It would have being much easier from many points of view, including addressing the authentication challenges.

[dkmiller]

Is there any reason the PR with a fix was not merged? I agree that being able to use OIDC would be very useful.`

[benjamin-hodgson]

Any progress on this feature request? I saw #101 but seems to be a couple of months old

[Kobby-Bawuah]

Hey everyone,

Thanks for your patience on this! Here’s the latest update on tokenless uploads and OIDC support:

When it comes to OIDC Support, a new PR has been opened to improve the use_oidc functionality (PR #113). It is currently being finalized and is expected to be merged within the next week.

For tokenless Uploads for Test Analytics, recent changes in our system caused test analytics to fall out of sync with tokenless uploads. However, we’ve now merged fixes in Codecov API PR #1187 and an internal issue, which should have resolved this issue. Tokenless uploads should now be working as expected for test analytics.

If you’re still encountering issues, please let us know.

[shatakshiiii]

We are getting the below error while uploading test results to Codecov using codecov/test-results-action@v1. This error is coming up on PRs created from a forked repository -

Codecov: Failed to get OIDC token with url: https://codecov.io./ Error message: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable

Note that the coverage uploader (i.e.Upload coverage data) is not affected by this, only the junit uploader.

Upon googling this failure, the results tend to suggest changes in the permissions, but we already have all the permissions set as this:

    permissions:
      contents: read
      id-token: write
      checks: read

The related CI failures can be seen here: https://github.com/ansible/ansible-navigator/actions/runs/14512597492/job/40714524700?pr=1970

Please let me know if I need to provide any other information to debug this issue. Thanks!

[joseph-sentry]

@shatakshiiii it seems like OIDC doesn't work with forks because repos need to explicitly allow forks to have "write" permissions: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token#changing-the-permissions-in-a-forked-repository

as mentioned in this comment from another project that seemed to have the same issue there may be unintended side effects.

I think what we'll do is modify both codecov actions to skip trying to use OIDC if it's detected that the CI is running on a PR from a fork.