Migrating from vx -> v5

[thomasrockhu-codecov]

v5 Release

v5 of the Codecov GitHub Action will use the Codecov Wrapper to encapsulate the CLI. This will help ensure that the Action gets updates quicker.

Migration Guide

The v5 release also coincides with the opt-out feature for tokens for public repositories. In the Global Upload Token section of the settings page of an organization in codecov.io, you can set the ability for Codecov to receive a coverage reports from any source. This will allow contributors or other members of a repository to upload without needing access to the Codecov token. For more details see how to upload without a token.

Warning

The following arguments have been changed

• file (this has been deprecated in favor of files)
• plugin (this has been deprecated in favor of plugins)

The following arguments have been added:

• binary
• gcov_args
• gcov_executable
• gcov_ignore
• gcov_include
• report_type
• skip_validation
• swift_project

You can see their usage in the action.yml file.

---

If you are having troubles with the migration, please open a new issue and tag @codecov/report-upload

[pellared]

In the repository settings page in codecov.io, you can set the ability for Codecov to receive a coverage report from ANY souce.

Where can I find it for a "single repository"? I can find only a global "Token authentication" option for the whole organization under /org-upload-token. What about organizations where some repositories are public and other are internal/private?

Related PR: signalfx/splunk-otel-go#3496

I also noticed that the v4 action seems still able to work tokenless on forks without enabling "Not required" token authentication. This does not apply to v5.

[pellared]

From https://docs.codecov.com/docs/codecov-tokens#uploading-without-a-token:

the upload is for a commit that is on an unprotected branch (like forkname:main)

I find this description not clear.

1. Does it mean that a codecov action on main branch will not work if the branch is protected?
2. Does it mean that a codecov action running in a fork on pull request will not work if it targets a protected branch (e.g. main) in upstream?

Besides, both of these scenarios are not well suited for public open-source repositories.

(2) does not seem to be true.

Reference PR: open-telemetry/opentelemetry-go#5979

I noticed that for forks it does not seem to be a problem for v4.

[thomasrockhu-codecov]

@pellared

Where can I find it for a "single repository"? I can find only a global "Token authentication" option for the whole organization under /org-upload-token. What about organizations where some repositories are public and other are internal/private?

This was my mistake. It is in fact for the whole organization. However, private repositories will always need a token to authenticate. I have updated this issue and the README. I apologize for the misinformation.

I also noticed that the v4 action seems still able to work tokenless on forks without enabling "Not required" token authentication. This does not apply to v5.

That is strange, can you link me to corresponding CI runs here? It shouldn't be different.

---

the upload is for a commit that is on an unprotected branch (like forkname:main)

To clear things up, we do not mean protected from a GitHub perspective.

For public repositories, a token is required to send uploads to commits on protected branches. A protected branch corresponds to an actual branch in your repository (like main or master). An unprotected branch is any branch with a colon-separated prefix on it (like forkname:main or pr300:master).

docs:where-do-i-need-a-token