[BREAKING INCOMPATIBLE CHANGES] In the official Codecov GitHub Action — codecov/codecov-action@v4

[webknjaz]

GitHub Actions Advisory for @achimnol @bdraco @Dreamsorcerer @jettify @Nothing4You @mjpieters @aio-libs/admins and anybody setting up CI across the org

TL;DR Postpone upgrading / accepting Dependabot version bumps: here be dragons 🐲

There are a lot of bugs discovered following the yesterday's major version bump of $sbj. Some are related to the complete rewrite of the underlying CLI tool, others are related to bugs in the action itself.

One of the documented changes (additionally to the undocumented and sometimes accidental breaking behaviors!) is that the upload token becomes mandatory. It's also important to provision a secret for the Dependabot runs. When used with reusable workflows, this means implementing an explicit way of passing secrets from the calling workflows.

[webknjaz]

UPD: Sam added an org-global secret called CODECOV_TOKEN so anybody updating the action has to add token: ${{ secrets.CODECOV_TOKEN }} to the respective invocations.

The Codecov service is still flaky for PRs from forks that don't have access to secrets, though. I've seen recommendations to just hardcode the token so that those also use authenticated uploads which should make it more stable. I implemented this in pytest the other day (pytest-dev/pytest#12516).

[webknjaz]

UPD 2: Looks like v4 is still not in a good enough shape for us — aio-libs/yarl#1026 (comment).

[webknjaz]

aio-libs/yarl#1074 fixed that in yarl.

[webknjaz]

UPD 3: It seems fine to upgrade now.

Here are the working configs for coverage.py and Codecov you can copy-and-paste:

• https://github.com/aio-libs/yarl/blob/2ead948/.coveragerc
• https://github.com/aio-libs/yarl/blob/2ead948/.codecov.yml (the token is hard-coded to reduce GH API-related flakiness in PRs)