From 8e270c9fbecf706895775e78c4862e362cad0e72 Mon Sep 17 00:00:00 2001
From: Frederic BIDON
Date: Mon, 4 Mar 2024 18:32:40 +0100
Subject: [PATCH] ci: reenacted codecov secret token
With codecov action v3 or v4, even with _official_ tokenless support for open source repos, our CI sometimes fails because codecov hits a rate limit on github API. See issues with codecov action:
* https://github.com/codecov/codecov-action/issues/1292
* https://github.com/codecov/codecov-action/issues/1274
The safest way to securely send our test coverage without failures is to configure the token as a github action secret and use that token to connect to codecov. More explanations can be found:
* [here](https://about.codecov.io/blog/january-product-update-updating-the-codecov-ci-uploaders-to-the-codecov-cli/)
Signed-off-by: Frederic BIDON
---
 .github/workflows/test.yaml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 3926b2133..d2120fb19 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -10,7 +10,7 @@ on:
 branches:
 - master
- pull_request:
+ pull_request_target:
 permissions:
 contents: write
@@ -107,13 +107,17 @@ jobs:
 ./...
 - name: Publish To Codecov
- uses: codecov/codecov-action@v3
+ uses: codecov/codecov-action@v4
 with:
 files: 'coverage-${{ matrix.os }}-${{ matrix.go }}.txt'
 flags: 'unit-${{ matrix.go }}'
 os: '${{ matrix.os }}'
 fail_ci_if_error: true
 verbose: true
+ # This secret is not passed on when triggered by PR from a fork: in this case,
+ # tokenless upload is used by the codecov CLI.
+ # It is used when running the workflow from pushed commits or tags on master.
+ token: ${{ secrets.CODECOV_TOKEN }}
 codegen_test:
 # description: |
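Review bot: Changing the trigger from `pull_request:` to `pull_request_target:` makes runs for pull requests from forks execute in the base repository's context, so `secrets.CODECOV_TOKEN` and the token granted by the workflow-level `permissions: contents: write` become available to them. The comments added beside `token:` in the two Codecov steps say the secret is not passed for fork PRs, which holds for `pull_request` but not for the new trigger. The checkout steps and the rest of the `on:` block are outside this hunk: if the jobs check out the PR head, untrusted code is built and tested with those credentials in reach, and if they do not, the PR's own changes are no longer what the tests and coverage measure. I would keep `pull_request:` so that fork PRs fall back to tokenless upload as the commit message intends, and let only pushes to master use the token.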
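Review bot: The upgraded `uses: codecov/codecov-action@v4` line still references a mutable tag, and with this change the step also receives `secrets.CODECOV_TOKEN`, so whatever the tag points to at run time is handed the secret. Pinning to a full commit SHA with the version as a trailing comment, e.g. `uses: codecov/codecov-action@<full-commit-sha> # v4` (placeholder; take the SHA from the release you reviewed), keeps the executed code fixed. The same applies to the identical `uses:` line in the later codegen_test hunk. The `token:` value is also the only unquoted expression in this `with:` block; `token: '${{ secrets.CODECOV_TOKEN }}'` would match the neighbouring lines.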
@@ -167,13 +171,14 @@ jobs:
 -o "codegen-coverage-${{ matrix.os }}-${{ matrix.go }}-${{ matrix.fixture }}.txt"
 - name: Publish To Codecov
- uses: codecov/codecov-action@v3
+ uses: codecov/codecov-action@v4
 with:
 files: 'codegen-coverage-${{ matrix.os }}-${{ matrix.go }}-${{ matrix.fixture }}.txt'
 flags: 'codegen-${{ matrix.go }}-${{ matrix.fixture }}'
 os: '${{ matrix.os }}'
 fail_ci_if_error: true
 verbose: true
+ token: ${{ secrets.CODECOV_TOKEN }} # <- this secret is not passed on when triggered by PR from a fork
 docker_dev:
 needs: [lint, build, test, codegen_test]