OIDC doesn't work #1378

nfx opened this issue Apr 19, 2024 · 8 comments

nfx commented Apr 19, 2024

This commit added OIDC - d820d60 but it doesn't work:

error - 2024-04-19 15:53:12,230 -- Upload failed: {"detail":"Github OIDC Token Auth: Invalid token."}

and config:

permissions:
  id-token: write

jobs:
  ci:
    # ...
      - name: Publish test coverage
        uses: codecov/codecov-action@v4
        with:
          use_oidc: true

nfx added a commit to databrickslabs/ucx that referenced this issue Apr 19, 2024

v4 of codecov-action no longer supports tokenless upload. ~Let's try
avoiding tokens altogether by using OIDC.~ OIDC doesn't seem to work:
codecov/codecov-action#1378, using managed
`CODECOV_TOKEN` secrets.

thomasrockhu-codecov (Contributor) commented

@nfx can you provide some more details? Specifically the rest of the logs?

thomasrockhu-codecov added the bug (Something isn't working) label Apr 23, 2024

G-Rath commented Apr 25, 2024

@thomasrockhu-codecov we're getting that over at eslint-plugin-jest - I've been trying a few things to see if I can get it unblocked and/or more information out of it so the latest failings might not be the ones you want (though they are at time of post), but here's a few runs that have the failing:

Note the last couple are using v4.1.1 specifically which is before OIDC support was landed - technically I can't verify this isn't user error as I don't have permissions to set secrets on the repository, but even if it is it seems like a very confusing error message to get if the problem is the codecov token is plain wrong.

(I have tried giving a known bad token and gotten the same error - would be good to get confirmed if that is because the token is bad or that something related to OIDC is done before the token is validated)

jsoref (Contributor) commented May 3, 2024


G-Rath commented May 3, 2024

@jsoref we're not trying to use OIDC though so the permission should not be needed

thomasrockhu-codecov (Contributor) commented

@G-Rath ok, we made a change here, would you be able to see if you run into that log again?

jsoref (Contributor) commented May 6, 2024

@thomasrockhu-codecov, so, I'm forcing OIDC (https://github.com/check-spelling-sandbox/eslint-plugin-jest/blob/0e44095625c00fc931da2120f756788342f4b4f6/.github/workflows/nodejs.yml#L64, https://github.com/check-spelling-sandbox/eslint-plugin-jest/blob/0e44095625c00fc931da2120f756788342f4b4f6/.github/workflows/nodejs.yml#L113) and I've added enough logging (d09da3a) to show that OIDC is being used, but it still fails: https://github.com/check-spelling-sandbox/eslint-plugin-jest/actions/runs/8986717338/job/24683540548

==> Got an OIDC token
==> Got an OIDC token
==> Got an OIDC token
...
==> Uploader SHASUM verified (e70beb7c9e3d894678e7d4d0fcb94e59133212dbda5ca7406b625a0167ce4ca8  codecov)
info - 2024-05-07 14:00:41,045 -- ci service found: github-actions
debug - 2024-05-07 14:00:41,048 -- versioning system found: <class 'codecov_cli.helpers.versioning_systems.GitVersioningSystem'>
debug - 2024-05-07 14:00:41,051 -- versioning system found: <class 'codecov_cli.helpers.versioning_systems.GitVersioningSystem'>
debug - 2024-05-07 14:00:41,054 -- Loading config from /home/runner/work/eslint-plugin-jest/eslint-plugin-jest/.codecov.yml
debug - 2024-05-07 14:00:41,055 -- Starting create commit process --- {"commit_sha": "a07975eaa2b0aeb8af59538d8f62e91c35d72739", "parent_sha": null, "pr": null, "branch": "my-repo-is-not-a-fork", "slug": "check-spelling-sandbox/eslint-plugin-jest", "token": "e******************", "service": "github", "enterprise_url": null}
info - 2024-05-07 14:00:41,270 -- Process Commit creating complete
debug - 2024-05-07 14:00:41,271 -- Commit creating result --- {"result": "RequestResult(error=RequestError(code='HTTP Error 400', params={}, description='[\"Repository not found\"]'), warnings=[], status_code=400, text='[\"Repository not found\"]')"}
error - 2024-05-07 14:00:41,271 -- Commit creating failed: ["Repository not found"]
Error: Codecov: Failed to properly create commit: The process '/home/runner/work/_actions/check-spelling-sandbox/codecov-action/my-repo-is-not-a-fork/dist/codecov' failed with exit code 1
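
When a run logs "Got an OIDC token" but the server still answers "Invalid token" or "Repository not found", it helps to read what the token actually asserts. The following is an added example, not code from codecov-action or from any commenter: it decodes a GitHub Actions OIDC token's claims without verifying the signature and compares them with the upload slug. The claim names (`iss`, `aud`, `repository`, `exp`) are GitHub's OIDC claims; `EXPECTED_AUDIENCE`, the sample token and the repository names are constructed placeholders.

```python
import base64
import json
import time

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
EXPECTED_AUDIENCE = "https://codecov.example"  # assumption: placeholder audience

def _b64url(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token):
    """Return the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url(parts[1]))

def diagnose(claims, slug, audience=EXPECTED_AUDIENCE, now=None):
    """List the reasons a verifier could reject these claims for an upload to `slug`."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != GITHUB_ISSUER:
        problems.append(f"iss is {claims.get('iss')!r}")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud is {aud!r}, expected {audience!r}")
    repo = str(claims.get("repository", ""))
    if repo.lower() != slug.lower():
        problems.append(f"repository is {repo!r}, upload slug is {slug!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems

def make_sample_token(claims):
    # Constructed, unsigned sample so the example runs offline.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "RS256", "typ": "JWT"})
    return ".".join([header, enc(claims), "c2ln"])

if __name__ == "__main__":
    sample = {"iss": GITHUB_ISSUER, "aud": EXPECTED_AUDIENCE,
              "repository": "example-org/fork-of-repo", "exp": time.time() + 300}
    token = make_sample_token(sample)
    for line in diagnose(decode_claims(token), "example-org/example-repo"):
        print(line)
```

Unverified decoding is only for reading claims in your own workflow logs; the receiving service still has to verify the signature against the issuer's published keys.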

thomasrockhu-codecov (Contributor) commented

@jsoref will take it with you on this issue

thomasrockhu-codecov (Contributor) commented

@nfx just wanted to circle back and see if a fix we made is working for you now
