8 changes: 5 additions & 3 deletions .github/workflows/push.yml
@@ -1,9 +1,9 @@
on:
push:
branches:
- master
- master
tags:
- v*
- v*
Comment on lines 3 to +6
Contributor


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

GitHub Actions workflow YAML on.push branches tags list indentation syntax

💡 Result:

In a GitHub Actions workflow, branches and tags under on: push: are YAML sequences (lists), so each pattern is a - item indented under the key:

on:
  push:
    branches:
      - main
      - "releases/**"
    tags:
      - "v1.*"
      - "v2.*"

Key points:

  • on.push.branches / on.push.tags are nested mappings, so indentation must reflect that nesting. GitHub’s docs show branches: and tags: as lists under push:. [1]
  • You can use branches / branches-ignore and tags / tags-ignore (but not both of each pair for the same event). [2]
  • If you only define branches (and no tags), the workflow runs for branch pushes and not tag pushes; similarly, only defining tags makes it run only for tag pushes. [2]

Alternative inline-list form (same meaning, just different YAML style):

on:
  push:
    branches: [main, "releases/**"]
    tags: ["v1.*", "v2.*"]

Sources: GitHub Docs on push filters and examples. [1] [2]


🏁 Script executed:

cat -n .github/workflows/push.yml | head -40

Repository: deepmodeling/reacnetgenerator

Length of output: 884


Fix YAML list indentation for branches/tags.

List items must be indented under their parent key. GitHub Actions documentation shows the correct format with list items indented 2 spaces further than their parent keys.

🛠️ Suggested fix
 on:
   push:
     branches:
-    - master
+      - master
     tags:
-    - v*
+      - v*
🤖 Prompt for AI Agents
In @.github/workflows/push.yml around lines 3 - 6, The YAML lists for the
workflow are mis-indented; fix by placing the list items under their parent keys
with proper indentation so that the 'branches' key has its items (e.g.,
"master") indented beneath it and the 'tags' key has its items (e.g., "v*")
indented beneath it; update the entries related to the 'branches' and 'tags'
keys in the push workflow so each list item is nested correctly under its parent
key.

pull_request:
merge_group:
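Review bot: The only change in this hunk is the indentation of the `- master` and `- v*` items under `branches:` and `tags:`; a YAML block sequence is valid both at its parent key's column and indented beneath it, so the old and new forms parse to the same one-element `branches` and `tags` filters and the trigger set is unchanged. This is a style change, not the functional defect the "Major" label suggests; the rendered diff strips leading whitespace, so the actual column shift is only visible in the suggested fix quoted in the comment above.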

@@ -26,4 +26,6 @@ jobs:
- run: tox
- uses: codecov/codecov-action@v5
with:
token: ${{ secrets.CODECOV_TOKEN }}
use_oidc: true
permissions:
id-token: write
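Review bot: The `permissions:` block added in the last two lines lists only `id-token: write`, and a `permissions:` block is an allow-list: every scope it omits, including the `contents: read` that a checkout step in the same job relies on, drops to `none`. Add `contents: read` beside `id-token: write`. Two things to confirm while doing so: the block must sit at the job level (a sibling of `steps:`), not under the codecov step's `with:`, or it will not affect GITHUB_TOKEN at all, which the flattened rendering here cannot show; and replacing the long-lived `CODECOV_TOKEN` secret with `use_oidc: true` is the right direction, with the job-level `id-token: write` keeping the OIDC grant scoped to this job rather than the whole workflow.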
Comment on lines 27 to +31
Contributor


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/push.yml

Repository: deepmodeling/reacnetgenerator

Length of output: 884


🌐 Web query:

GitHub Actions permissions behavior when permissions is explicitly set defaults

💡 Result:

  • If you do not set permissions in the workflow/job, the GITHUB_TOKEN uses the repository default (which may be inherited from the org/enterprise). Repos in orgs inherit org defaults. (codeql.github.com)
  • If you set permissions (at workflow or job level), GitHub does not “merge” with the repo/org default. Instead, the token gets only what you specify, and any permission you don’t specify becomes none (so “explicitly setting defaults” is actually an explicit allow-list). (docs.github.com)
  • You can use the shorthand presets: permissions: read-all or permissions: write-all. (docs.github.com)
  • Precedence: enterprise/org/repo “Workflow permissions” default applies only when there’s no permissions: block; within a workflow, job-level permissions override workflow-level. (docs.github.com)
  • Defaults changed for new orgs/enterprises on Feb 2, 2023 (new ones default to read-only; older ones may still default to read/write unless changed in settings). (docs.github.com)
  • Fork PRs are a special case: PRs from public forks still receive a read token regardless of these settings. (github.blog)


🌐 Web query:

actions/checkout required permissions GITHUB_TOKEN

💡 Result:

actions/checkout only needs the GITHUB_TOKEN to read repository contents (unless you override auth with token or ssh-key). Configure:

permissions:
  contents: read

This is the action’s documented “recommended permissions.” [1][2]

Notes:

  • Your org/repo may already default GITHUB_TOKEN to read-only (common for orgs/repos created on or after Feb 2, 2023), but it’s still best practice to set permissions: explicitly in the workflow. [3][4]

Add contents: read to permissions.

When permissions is explicitly set, it replaces the default; actions/checkout requires contents: read to access the repository.

🛠️ Suggested fix
 permissions:
+  contents: read
   id-token: write
🤖 Prompt for AI Agents
In @.github/workflows/push.yml around lines 27 - 31, The workflow currently
overrides permissions with only "id-token: write", which breaks
actions/checkout; update the permissions block to include "contents: read"
alongside "id-token: write" so actions like actions/checkout can access the repo
(keep the existing codecov/codecov-action@v5 step and ensure the permissions
block includes both permissions).

6 changes: 4 additions & 2 deletions .github/workflows/testjs.yml
@@ -1,7 +1,7 @@
on:
push:
branches:
- master
- master
Comment on lines 3 to +4
Contributor


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

GitHub Actions workflow YAML indentation on.push.branches list syntax

💡 Result:

In GitHub Actions, on.push.branches is a YAML sequence (list), so each branch pattern is a - item indented under branches:

on:
  push:
    branches:
      - main
      - "releases/**"

You can also use the inline (flow) list form:

on:
  push:
    branches: [main, "releases/**"]

Common gotchas:

  • The - must be more indented than branches: (i.e., it’s a child list).
  • Quote patterns that include YAML-special characters (often safest for globs). GitHub’s docs show globs like "releases/**" under branches. [1]

Fix YAML list indentation for branches.

List items under branches must be indented more than the parent key. Move - master to the proper indentation level.

🛠️ Suggested fix
 on:
   push:
     branches:
-    - master
+      - master
🤖 Prompt for AI Agents
In @.github/workflows/testjs.yml around lines 3 - 4, The YAML has incorrect
indentation for the list under the branches key; fix the
.github/workflows/testjs.yml by indenting the list item so the "- master" entry
is nested under the "branches:" key (ensure the list item is indented one
additional level relative to "branches:"), preserving YAML spacing rules so the
workflow correctly recognizes the branch whitelist.

pull_request:
merge_group:
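Review bot: Same situation as in push.yml: re-indenting the single `- master` item under `branches:` is a pure style change. With the item at the key's column or two spaces deeper, YAML yields the same one-element sequence, so the branch filter this workflow runs on is unaffected and there is nothing to block on here.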

@@ -29,4 +29,6 @@ jobs:
- run: yarn coverage
- uses: codecov/codecov-action@v5
with:
token: ${{ secrets.CODECOV_TOKEN }}
use_oidc: true
permissions:
id-token: write
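Review bot: Same gap as in push.yml: with `permissions:` set to `id-token: write` alone, `contents` falls to `none`, so the `actions/checkout@master` step earlier in this job (line 21, per the review comment) loses its read access; add `contents: read` next to `id-token: write`. Separately, `actions/checkout@master` is a floating branch ref; pinning the action to a release tag or, better, a full commit SHA is the standard supply-chain hardening and would fit naturally in the same change that moves the codecov upload to OIDC.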
Comment on lines 30 to +34
Contributor


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

find . -name "testjs.yml" -type f

Repository: deepmodeling/reacnetgenerator

Length of output: 103


🌐 Web query:

GitHub Actions permissions override default contents read actions/checkout documentation

💡 Result:

actions/checkout needs permission to read repository contents, so its docs recommend granting the workflow/job GITHUB_TOKEN:

permissions:
  contents: read

[1]

Why you can “lose” that permission: as soon as you set a permissions: block in your workflow/job, any scopes you don’t specify are set to none (so you may accidentally remove contents access even if the repo/org default would have allowed it). [2][4]

Notes:

  • If you don’t set permissions: in the workflow/job, the token uses the repo/org default “Workflow permissions” setting (commonly the restricted default is contents: read + packages: read). [3]
  • If you provide alternative auth to checkout (e.g., with: token: ... or ssh-key: ...), the recommended contents: read for GITHUB_TOKEN may not be necessary. [1]

Common fix when you already have a permissions block:

permissions:
  contents: read
  # keep your other scopes here...

Or, if you lock down globally, re-enable only on the job that checks out:

permissions: {}

jobs:
  build:
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v6

Sources: actions/checkout README/Marketplace [1], GitHub “workflow syntax” permissions behavior [2], GitHub repo/org default workflow permissions setting [3], GitHub changelog on permissions defaults/unspecified=none [4].


🏁 Script executed:

cat -n .github/workflows/testjs.yml

Repository: deepmodeling/reacnetgenerator

Length of output: 1023


Add contents: read to permissions.

The workflow uses actions/checkout@master (line 21), which requires contents: read permission. When permissions is set, it overrides defaults and unspecified scopes become none. Without this permission, the checkout step will fail.

🛠️ Suggested fix
 permissions:
+  contents: read
   id-token: write
🤖 Prompt for AI Agents
In @.github/workflows/testjs.yml around lines 30 - 34, The workflow's explicit
permissions block currently only sets id-token: write which overrides defaults
and breaks actions/checkout@master; update the permissions block to include
contents: read alongside id-token: write so the checkout step can read the
repository (modify the permissions section to contain both "contents: read" and
"id-token: write").
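The permission rules quoted in the two checkout comments above (a `permissions:` block is an allow-list, a job-level block replaces the workflow-level one, no block at all means the repository default) turned into a small lint that flags jobs which check out code without `contents: read`. This is an added example, not code from the PR or the reacnetgenerator project; the workflows are plain dicts standing in for parsed YAML, and the job id `test` is an assumed name for the testjs.yml job.

```python
SCOPES = ("actions", "checks", "contents", "deployments", "id-token", "issues",
          "packages", "pages", "pull-requests", "security-events", "statuses")

# Repository "Workflow permissions" default used when no permissions: block is
# set anywhere (restricted variant: contents/packages read, never id-token).
RESTRICTED_DEFAULT = {"contents": "read", "packages": "read"}


def expand(block):
    """Expand one permissions: value into a full scope -> level map, or None
    when absent. Every scope the block does not name becomes none ({} = nothing)."""
    if block is None:
        return None
    if block == "read-all":
        return {s: "read" for s in SCOPES}
    if block == "write-all":
        return {s: "write" for s in SCOPES}
    return {s: block.get(s, "none") for s in SCOPES}


def effective_permissions(workflow, job, repo_default=RESTRICTED_DEFAULT):
    """Job-level block wins outright, then workflow-level, then the repo default."""
    for block in (job.get("permissions"), workflow.get("permissions")):
        scopes = expand(block)
        if scopes is not None:
            return scopes
    return {s: repo_default.get(s, "none") for s in SCOPES}


def lint_checkout(workflow, repo_default=RESTRICTED_DEFAULT):
    """Return ids of jobs that run actions/checkout without contents read."""
    bad = []
    for job_id, job in workflow["jobs"].items():
        checks_out = any(str(step.get("uses", "")).startswith("actions/checkout@")
                         for step in job.get("steps", []))
        perms = effective_permissions(workflow, job, repo_default)
        if checks_out and perms["contents"] == "none":
            bad.append(job_id)
    return bad


# Constructed stand-ins (job id "test" is assumed) for testjs.yml as changed in
# the PR and as the review suggests; the step list is the same in both.
STEPS = [{"uses": "actions/checkout@master"}, {"run": "yarn coverage"},
         {"uses": "codecov/codecov-action@v5", "with": {"use_oidc": True}}]
AS_PUSHED = {"jobs": {"test": {"steps": STEPS,
                               "permissions": {"id-token": "write"}}}}
AS_SUGGESTED = {"jobs": {"test": {"steps": STEPS,
                                  "permissions": {"contents": "read", "id-token": "write"}}}}
```

`lint_checkout(AS_PUSHED)` reports the `test` job while `lint_checkout(AS_SUGGESTED)` reports nothing; dropping the job's `permissions:` block entirely would also pass under the restricted repository default, but only by relying on a setting outside the workflow.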
