Merged
4 changes: 4 additions & 0 deletions .github/workflows/test.yml
@@ -24,3 +24,7 @@ jobs:
- uses: codecov/codecov-action@v5
env:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
with:
use_oidc: true
permissions:
id-token: write
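Review bot: the added `permissions:` block lists only `id-token: write`, and as soon as any permissions block is declared every unlisted GITHUB_TOKEN scope becomes none, so the default `contents: read` is revoked and any step that checks out the repository (actions/checkout) will fail in this job. Either list `contents: read` next to `id-token: write`, or, better for least privilege, put the block under the job that runs the codecov step so only that job can request an OIDC token. Once `use_oidc: true` is in place the `CODECOV_TOKEN` env on this step no longer does the authentication, so consider removing it rather than exposing the secret to a step that does not need it.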
Comment on lines +29 to +30
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

cd .github/workflows && pwd && ls -la

Repository: deepmodeling/dargs

Length of output: 466


🏁 Script executed:

cat -n .github/workflows/test.yml

Repository: deepmodeling/dargs

Length of output: 920


🌐 Web query:

GitHub Actions permissions default none when workflow-level permissions set

💡 Result:

In GitHub Actions, if you set workflow-level permissions and specify any scope (e.g., contents: read), then all other GITHUB_TOKEN permission scopes that you do not explicitly list are automatically set to none. Those workflow-level permissions apply to all jobs, unless a job overrides them with jobs.<job_id>.permissions. [1]

If you want to set everything to none, use:

permissions: {}

which disables all available permissions for GITHUB_TOKEN. [1]

If you don’t set permissions at all (no workflow-level and no job-level permissions), then the token permissions come from the repository/org/enterprise default settings. [1][2]

Sources: [1] GitHub Docs – Workflow syntax (permissions) [2] CodeQL query help (“missing-workflow-permissions”)


🌐 Web query:

actions/checkout@v4 actions/checkout@v6 permissions contents read required

💡 Result:

actions/checkout (including @v4 and @v6) uses GITHUB_TOKEN to fetch your repository contents, so if your workflow/job sets explicit token permissions you should grant at least:

permissions:
  contents: read

This is the action’s documented recommended permission (unless you use alternate auth via token or ssh-key). [1]

Example:

name: CI
on: [push, pull_request]

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

If you need to git push from the workflow, you’ll need broader permissions (e.g., contents: write) instead of read. [1]

Sources:
[1] actions/checkout README – “Recommended permissions” section.


🌐 Web query:

codecov-action use_oidc true permissions id-token write

💡 Result:

To use codecov/codecov-action with OIDC (use_oidc: true), your workflow/job must grant GitHub Actions permission to mint an OIDC ID token:

permissions:
  id-token: write
  contents: read   # commonly needed for checkout; keep least-privilege for your workflow

Then call the action with OIDC enabled (any token: you provide will be ignored):

- uses: codecov/codecov-action@v5
  with:
    use_oidc: true

Sources: Codecov Action “Using OIDC” docs (requires permissions: id-token: write) [1]; GitHub docs on OIDC (the id-token: write permission allows requesting the OIDC token) [2].


Critical: workflow-level permissions with only id-token: write will break the checkout step.

When you set permissions at the workflow level, all unspecified permissions default to none. This means contents: read (required by actions/checkout@v6) is revoked, and the workflow will fail.

Either add contents: read, or scope the permissions to the job level:

Option 1: Add contents: read at workflow level
 permissions:
   id-token: write
+  contents: read
Option 2: Move permissions to job level (under build:)
 jobs:
   build:
     runs-on: ubuntu-22.04
+    permissions:
+      id-token: write
+      contents: read
     strategy:

And remove the workflow-level permissions block.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
-permissions:
-  id-token: write
+permissions:
+  id-token: write
+  contents: read
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test.yml around lines 29 - 30, the workflow-level permissions currently set only "id-token: write" will revoke all other permissions (including contents: read required by actions/checkout@v6); fix by either adding "contents: read" alongside "id-token: write" in the workflow-level permissions block or remove the workflow-level permissions block and instead add a job-level permissions block under the job (e.g., the build job) that includes both "id-token: write" and "contents: read" so actions/checkout can run successfully.
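To make the scope-resolution rule from the comment above checkable before a workflow is pushed, here is an added example (not the PR's code and not part of the dargs project): it resolves each job's effective GITHUB_TOKEN scopes from workflow-level and job-level `permissions` plus a repository default, and flags steps whose needs are unmet. The workflow dict mirroring the PR's test.yml, the small action-requirements table and the repository default are all constructed assumptions.

```python
"""Resolve effective GITHUB_TOKEN scopes per job and flag steps with unmet needs.
Rule implemented: once a `permissions` block is declared (workflow or job level),
every scope not listed in it is `none`; job-level overrides workflow-level; with
no block anywhere the repository default applies. Added example, not PR code."""

RANK = {"none": 0, "read": 1, "write": 2}   # "read" is satisfied by read or write

def effective_permissions(workflow_perms, job_perms, repo_default):
    """Scopes a job's token actually carries; `{}` means everything is none."""
    declared = job_perms if job_perms is not None else workflow_perms
    if declared is None:                  # nothing declared: repository default
        return dict(repo_default)
    return dict(declared)                 # unlisted scopes are implicitly "none"

def step_requirements(step):
    """Assumed minimal table of what two well-known actions need from the token."""
    uses = step.get("uses", "")
    inputs = step.get("with") or {}
    if uses.startswith("actions/checkout@"):
        return {"contents": "read"}
    if uses.startswith("codecov/codecov-action@") and inputs.get("use_oidc"):
        return {"id-token": "write"}
    return {}

def check_job(job, workflow_perms, repo_default):
    """Return (uses, scope, needed, granted) tuples for every unmet requirement."""
    granted = effective_permissions(workflow_perms, job.get("permissions"), repo_default)
    problems = []
    for step in job.get("steps", []):
        for scope, need in step_requirements(step).items():
            have = granted.get(scope, "none")
            if RANK[have] < RANK[need]:
                problems.append((step["uses"], scope, need, have))
    return problems

# Constructed workflow: the PR's state after the change, with a workflow-level
# permissions block that grants only id-token: write.
WORKFLOW = {
    "permissions": {"id-token": "write"},
    "jobs": {"build": {"runs-on": "ubuntu-22.04", "steps": [
        {"uses": "actions/checkout@v6"},
        {"uses": "codecov/codecov-action@v5", "with": {"use_oidc": True}},
    ]}},
}
REPO_DEFAULT = {"contents": "read", "metadata": "read"}   # assumed restricted default

def audit(workflow, repo_default=REPO_DEFAULT):
    """Map each job name to its list of unmet token requirements."""
    return {name: check_job(job, workflow.get("permissions"), repo_default)
            for name, job in workflow["jobs"].items()}
```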