Commit ff1ad36
Publish token for arduino-cli main repo.
PRs from forks do not have access to repository secrets. The same intermittent spurious
workflow run failures will continue to occur for PRs from forks.
https://community.codecov.com/t/upload-issues-unable-to-locate-build-via-github-actions-api/3954
> Public repositories that rely on PRs via forks will find that they cannot effectively
> use Codecov if the token is stored as a GitHub secret. The scope of the Codecov token
> is only to confirm that the coverage uploaded comes from a specific repository, not to
> pull down source code or make any code changes.
>
> For this reason, we recommend that teams with public repositories that rely on PRs via
> forks consider the security ramifications of making the Codecov token available as
> opposed to being in a secret.
>
> A malicious actor would be able to upload incorrect or misleading coverage reports to
> a specific repository if they have access to your upload token, but would not be able
> to pull down source code or make any code changes.

1 parent 4372221 commit ff1ad36
1 file changed, +1 -1 lines changed

Original file line number | Diff line number | Diff line change | |
---|---|---|---|
| |||
197 | 197 |
| |
198 | 198 |
| |
199 | 199 |
| |
200 | - | ||
200 | + | ||
201 | 201 |
| |
202 | 202 |
| |
203 | 203 |
|
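
Review bot: the change at line 200 is a one-line replacement (+1 -1), so no explanatory comment line is added alongside it, and the reason the token is deliberately public exists only in the commit message. Suggest adding a comment directly above line 200 stating that the plain-text token is intentional (fork PRs cannot read repository secrets) and linking the Codecov thread, so that a later secret-scanning alert or cleanup does not move it back into a secret and reintroduce the fork-PR failures. It is also worth noting there that, per the quoted Codecov guidance, the token only authorizes coverage uploads for this repository, which tells a future reader what exposure was accepted.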