feat: GitHub actions upload via OIDC token

[scott-codecov]

Purpose/Motivation

GitHub actions workflows have an implicitly available OIDC token that can be used to identify the repository corresponding to an upload. This alleviates the need to explicitly use a Codecov upload token in GitHub actions.

Thanks to @juho9000 for doing all the hard work here - I just added some tests.

Links to relevant tickets

Closes #90

What does this PR do?

If an upload token is a UUID then the logic remains the same as it was previously. Otherwise if the service making the upload is github-actions then we assume the token is the OIDC JWT and decode it in order to get information about the repository.

[codecov]

Codecov Report

Merging #177 (cc4f90d) into main (c1cd5f9) will decrease coverage by 0.02%.
The diff coverage is 88.37%.

Changes have been made to critical files, which contain lines commonly executed in production. Learn more

@@           Coverage Diff           @@
##            main    #177     +/-   ##
=======================================
- Coverage   95.53   95.51   -0.02     
=======================================
  Files        714     714             
  Lines      15551   15584     +33     
=======================================
+ Hits       14856   14884     +28     
- Misses       695     700      +5     

Flag	Coverage Δ
unit	95.61% <88.37%> (-0.03%)	⬇️
unit-latest-uploader	95.61% <88.37%> (-0.03%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files	Coverage Δ
billing/helpers.py	100.00% <100.00%> (ø)
conftest.py	100.00% <100.00%> (ø)
utils/__init__.py	100.00% <100.00%> (ø)
upload/helpers.py Critical	93.39% <82.14%> (-1.71%)	⬇️

[codecov-staging]

Codecov Report

Attention: 5 lines in your changes are missing coverage. Please review.

Files	Patch %	Lines
upload/helpers.py	82.14%	5 Missing ⚠️

📢 Thoughts on this report? Let us know!.

[codecov-qa]

Codecov Report

Attention: 5 lines in your changes are missing coverage. Please review.

Comparison is base (c1cd5f9) 95.63% compared to head (cc4f90d) 95.61%.

Files	Patch %	Lines
upload/helpers.py	82.14%	5 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #177      +/-   ##
==========================================
- Coverage   95.63%   95.61%   -0.03%     
==========================================
  Files         599      600       +1     
  Lines       15150    15183      +33     
==========================================
+ Hits        14489    14517      +28     
- Misses        661      666       +5     

Flag	Coverage Δ
unit	95.61% <88.37%> (-0.03%)	⬇️
unit-latest-uploader	95.61% <88.37%> (-0.03%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[codecov-public-qa]

Codecov Report

Merging #177 (cc4f90d) into main (c1cd5f9) will decrease coverage by 0.03%.
The diff coverage is 88.37%.

@@            Coverage Diff             @@
##             main     #177      +/-   ##
==========================================
- Coverage   95.63%   95.61%   -0.03%     
==========================================
  Files         599      600       +1     
  Lines       15150    15183      +33     
==========================================
+ Hits        14489    14517      +28     
- Misses        661      666       +5     

Flag	Coverage Δ
unit	95.61% <88.37%> (-0.03%)	⬇️
unit-latest-uploader	95.61% <88.37%> (-0.03%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files	Coverage Δ
billing/helpers.py	100.00% <100.00%> (ø)
conftest.py	100.00% <100.00%> (ø)
utils/__init__.py	100.00% <100.00%> (ø)
upload/helpers.py	93.39% <82.14%> (-1.71%)	⬇️

[webknjaz]

Hi, I have some OIDC experience coming from the Python ecosystem / PyPI so I wanted to leave a comment regarding some misconceptions.

GitHub actions workflows have an implicitly available OIDC token

That's not exactly right. The end-users have to opt-in explicitly by tweaking their GHA job privileges. This is achieved by specifying the following:

permissions:
  id-token: write

Note that setting this globally is dangerous as it gives OIDC access to untrusted third party code. This might not be a big deal for Codecov itself but could be harmful in the context of other services that an end-user' project uses.

This is why, in the guides for PyPI we emphasize that the packages should be built in a separate low-privileges job, not in the upload job that has OIDC set:

• https://github.com/marketplace/actions/pypi-publish#trusted-publishing
• https://docs.pypi.org/trusted-publishers/using-a-publisher/#the-easy-way
• https://docs.pypi.org/trusted-publishers/security-model/

For Codecov, though, this would mean the need to discourage people from uploading coverage from the test jobs to prevent privilege escalation through the test deps. They'd need to store coverage as GHA artifacts in the test jobs and download+upload that from an isolated one.

[scott-codecov]

@webknjaz Thanks for the clarifications! Storing the coverage as a GHA artifact and then only giving our uploader access to the OIDC token makes a lot of sense. Your PyPI documentation around this looks really great and I may suggest we use some of it as inspiration for our own documentation of this feature.

[webknjaz]

You're welcome! There's also more concrete examples @
https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/ & https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-pypi#updating-your-github-actions-workflow in case that'd be useful to you.