feat: allow for authentication via OIDC token (#1330)

* fix: allow for oidc token

* chore(docs): update docs with use_oidc argument

* Update action.yml

Co-authored-by: Cristian Le <[email protected]>

* chore(release): 4.2.0

---------

Co-authored-by: Cristian Le <[email protected]>

Author: thomasrockhu-codecov

.eslintrc.json

@@ -17,6 +17,7 @@
         "@typescript-eslint"
     ],
     "rules": {
+        "max-len": ["error", { "code": 120 }],
         "linebreak-style": 0
     }
 }

README.md

@@ -64,44 +64,56 @@ steps:
 > [!NOTE]
 > This assumes that you've set your Codecov token inside *Settings > Secrets* as `CODECOV_TOKEN`. If not, you can [get an upload token](https://docs.codecov.io/docs/frequently-asked-questions#section-where-is-the-repository-upload-token-found-) for your specific repo on [codecov.io](https://www.codecov.io). Keep in mind that secrets are *not* available to forks of repositories.
 
+### Using OIDC
+For users with [OpenID Connect(OIDC) enabled](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect), the Codecov token is not necessary. You can use OIDC with the `use_oidc` argument as following.
+
+```yaml
+- uses: codecov/codecov-action@v4
+  with:
+    use_oidc: true
+```
+
+Any token supplied will be ignored, as Codecov will default to the OIDC token for verification.
+
 ## Arguments
 
 Codecov's Action supports inputs from the user. These inputs, along with their descriptions and usage contexts, are listed in the table below:
 
 | Input  | Description | Required |
 | :---       |     :---     |    :---:   |
-| `token` | Repository Codecov token. Used to authorize report uploads | *Required 
-| `codecov_yml_path` | Specify the path to the Codecov YML | Optional 
-| `commit_parent` | Override to specify the parent commit SHA | Optional 
-| `directory` | Directory to search for coverage reports. | Optional 
-| `disable_search` | Disable search for coverage files. This is helpful when specifying what files you want to upload with the --file option. | Optional 
-| `disable_file_fixes` | Disable file fixes to ignore common lines from coverage (e.g. blank lines or empty brackets) | Optional 
-| `dry_run` | Don't upload files to Codecov | Optional 
-| `env_vars` | Environment variables to tag the upload with (e.g. PYTHON \| OS,PYTHON) | Optional 
-| `exclude` | Folders to exclude from search | Optional 
-| `fail_ci_if_error` | Specify whether or not CI build should fail if Codecov runs into an error during upload | Optional 
-| `file` | Path to coverage file to upload | Optional 
-| `files` | Comma-separated list of files to upload | Optional 
-| `flags` | Flag upload to group coverage metrics (e.g. unittests \| integration \| ui,chrome) | Optional 
-| `handle_no_reports_found` | Raise no exceptions when no coverage reports found | Optional 
-| `job_code` | The job code | Optional 
-| `name` | User defined upload name. Visible in Codecov UI | Optional 
-| `os` | Override the assumed OS. Options are linux \| macos \| windows \| . | Optional 
-| `override_branch` | Specify the branch name | Optional 
-| `override_build` | Specify the build number | Optional 
-| `override_build_url` | The URL of the build where this is running | Optional 
-| `override_commit` | Specify the commit SHA | Optional 
-| `override_pr` | Specify the pull request number | Optional 
-| `plugin` | plugins to run. Options: xcode, gcov, pycoverage. The default behavior runs them all. | Optional 
-| `plugins` | Comma-separated list of plugins for use during upload. | Optional 
-| `report_code` | The code of the report. If unsure, do not include | Optional 
-| `root_dir` | Used to specify the location of your   .git   root to identify project root directory | Optional 
-| `slug` | Specify the slug manually (Enterprise use) | Optional 
-| `url` | Specify the base url to upload (Enterprise use) | Optional 
-| `use_legacy_upload_endpoint` | Use the legacy upload endpoint | Optional 
-| `verbose` | Specify whether the Codecov output should be verbose | Optional 
-| `version` | Specify which version of the Codecov CLI should be used. Defaults to `latest` | Optional 
-| `working-directory` | Directory in which to execute codecov.sh | Optional 
+| `token` | Repository Codecov token. Used to authorize report uploads | *Required
+| `codecov_yml_path` | Specify the path to the Codecov YML | Optional
+| `commit_parent` | Override to specify the parent commit SHA | Optional
+| `directory` | Directory to search for coverage reports. | Optional
+| `disable_search` | Disable search for coverage files. This is helpful when specifying what files you want to upload with the --file option. | Optional
+| `disable_file_fixes` | Disable file fixes to ignore common lines from coverage (e.g. blank lines or empty brackets) | Optional
+| `dry_run` | Don't upload files to Codecov | Optional
+| `env_vars` | Environment variables to tag the upload with (e.g. PYTHON \| OS,PYTHON) | Optional
+| `exclude` | Folders to exclude from search | Optional
+| `fail_ci_if_error` | Specify whether or not CI build should fail if Codecov runs into an error during upload | Optional
+| `file` | Path to coverage file to upload | Optional
+| `files` | Comma-separated list of files to upload | Optional
+| `flags` | Flag upload to group coverage metrics (e.g. unittests \| integration \| ui,chrome) | Optional
+| `handle_no_reports_found` | Raise no exceptions when no coverage reports found | Optional
+| `job_code` | The job code | Optional
+| `name` | User defined upload name. Visible in Codecov UI | Optional
+| `os` | Override the assumed OS. Options are linux \| macos \| windows \| . | Optional
+| `override_branch` | Specify the branch name | Optional
+| `override_build` | Specify the build number | Optional
+| `override_build_url` | The URL of the build where this is running | Optional
+| `override_commit` | Specify the commit SHA | Optional
+| `override_pr` | Specify the pull request number | Optional
+| `plugin` | plugins to run. Options: xcode, gcov, pycoverage. The default behavior runs them all. | Optional
+| `plugins` | Comma-separated list of plugins for use during upload. | Optional
+| `report_code` | The code of the report. If unsure, do not include | Optional
+| `root_dir` | Used to specify the location of your   .git   root to identify project root directory | Optional
+| `slug` | Specify the slug manually (Enterprise use) | Optional
+| `url` | Specify the base url to upload (Enterprise use) | Optional
+| `use_legacy_upload_endpoint` | Use the legacy upload endpoint | Optional
+| `use_oidc` | Use OpenID Connect for verification instead of token. This will ignore any token supplied. Please see [GitHub documentation](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect) for details.
+| `verbose` | Specify whether the Codecov output should be verbose | Optional
+| `version` | Specify which version of the Codecov CLI should be used. Defaults to `latest` | Optional
+| `working-directory` | Directory in which to execute codecov.sh | Optional
 
 ### Example `workflow.yml` with Codecov Action
 

action.yml

@@ -95,6 +95,9 @@ inputs:
   use_legacy_upload_endpoint:
     description: 'Use the legacy upload endpoint'
     required: false
+  use_oidc:
+    description: 'Use OIDC instead of token. This will ignore any token supplied'
+    default: false
   verbose:
     description: 'Specify whether the Codecov output should be verbose'
     required: false