Closed Bug 1784913 Opened 2 years ago Closed 2 years ago

Assess use of external addon codecov v3 in Mozilla's GitHub organization mozilla/sccache

Categories

(mozilla.org :: Github: Administration, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: Sylvestre, Assigned: cknowles)

+++ This bug was initially created as a clone of Bug #1743848 +++

+++ This bug was initially created as a clone of Bug #1684536 +++

codecov v3 isn't activated

codecov/codecov-action@v3 is not allowed to be used in mozilla/sccache. Actions in this workflow must be: within a repository that belongs to your Enterprise account, created by GitHub, or matching the following: !/mozilla/**, !mozilla/**, ./**, 10up/wpcs-action@*, aws-actions/*, codecov/codecov-action@v2, docker/*, pypa/gh-action-pypi-publish@v1.4.2, slackapi/slack-github-action@*, google-github-actions/*, erlef/setup-beam@v1, yesolutions/mirror-action@*.

https://github.com/mozilla/sccache/pull/1285

Correct, per the bug 1743848 secops only allowed @v2 to be enabled.

NI'd Secops - Can I remove the restriction to v2, or should I add another line explicitly allowing v3? (Or some other scheme?)

Flags: needinfo?(hwine)
Flags: needinfo?(asargent)

Go ahead and remove the version restriction -- codecov is a known commodity. When we did the first round of approval, I wasn't sure how actions were going to play out, so went with ultra conservatism.

Flags: needinfo?(hwine)
Flags: needinfo?(asargent)

codecov/codecov-action@v2, changed to codecov/codecov-action, in the allow actions list

You should be good to go. Let me know if there's problems.

Assignee: nobody → cknowles
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED

Are you sure? I still see:

codecov/codecov-action@v3 is not allowed to be used in mozilla/sccache. Actions in this workflow must be: within a repository that belongs to your Enterprise account, created by GitHub, or matching the following: !/mozilla/**, !mozilla/**, ./**, 10up/wpcs-action@*, aws-actions/*, docker/*, pypa/gh-action-pypi-publish@v1.4.2, slackapi/slack-github-action@*, google-github-actions/*, erlef/setup-beam@v1, yesolutions/mirror-action@*, codecov/codecov-action.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

While I'm certain that is what I changed, I assumed not mentioning the version would mean any is allowed - I have now modified it to explicitly allow any version.

codecov/codecov-action, -> codecov/codecov-action@*,

This does match some other action permit string styles I see - so I'm much more confident this will work.

Apologies for the runaround.

Let me know if that starts working, or if we need to adjust further.
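Added example (not part of the bug thread, and not Mozilla's or GitHub's code): a small audit that replays the three allow-list states from this bug against a workflow's `uses:` references and flags entries that carry neither a version nor a wildcard. The matching rule (whole-string match, `*` as the only wildcard), the skipping of `!` entries, and the sample `REFS` list are assumptions made for illustration.

```python
import re

# Entries copied from the error message in this thread, minus the codecov one.
BASE = ("!/mozilla/**, !mozilla/**, ./**, 10up/wpcs-action@*, aws-actions/*, "
        "docker/*, pypa/gh-action-pypi-publish@v1.4.2, "
        "slackapi/slack-github-action@*, google-github-actions/*, "
        "erlef/setup-beam@v1, yesolutions/mirror-action@*")
V2_ONLY = BASE + ", codecov/codecov-action@v2"      # original restriction
BARE = BASE + ", codecov/codecov-action"            # first attempted fix
ANY_VERSION = BASE + ", codecov/codecov-action@*"   # final fix

# Constructed sample of `uses:` references collected from workflow files.
REFS = ["codecov/codecov-action@v2", "codecov/codecov-action@v3",
        "docker/login-action@v2"]


def entries(allow_list):
    """Split the comma-separated list. Entries starting with `!` are skipped:
    the thread does not say how they are evaluated."""
    items = [e.strip() for e in allow_list.split(",")]
    return [e for e in items if e and not e.startswith("!")]


def matches(entry, uses):
    """Assumed semantics: whole-string match where only `*` is a wildcard."""
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in entry)
    return re.fullmatch(regex, uses) is not None


def audit(uses_refs, allow_list):
    """Return the references that no allow-list entry matches."""
    allowed = entries(allow_list)
    return [u for u in uses_refs if not any(matches(e, u) for e in allowed)]


def unversioned_entries(allow_list):
    """Flag entries with no `@...` part and no trailing wildcard; under the
    assumed semantics they cannot match any versioned reference."""
    return [e for e in entries(allow_list)
            if "@" not in e and not e.endswith("*")]


if __name__ == "__main__":
    for name, lst in [("v2 only", V2_ONLY), ("bare", BARE), ("@*", ANY_VERSION)]:
        print(name, "rejected:", audit(REFS, lst),
              "suspicious entries:", unversioned_entries(lst))
```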

yeah, fixed, thanks :)

Status: REOPENED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED

Just a quick follow-up. I have it integrated now but when Codecov posts a report on a PR it says:

📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more

Example PR here: https://github.com/mozmeao/basket/pull/1024

In that "Learn more" link, it says, "If you see this notification and you are not an administrator, we ask that you inform your organization administrator of the need to install the Codecov GitHub App Integration." and "Once we are confident that a switch would negatively impact less than 5% of our user base, we will announce a timeline for full deprecation of the GitHub Oauth App."

Thanks!

Sorry, the above comment was intended to be a comment on bug 1827707 for mozmeao/basket.

(Responded in the intended bug)
