fix: prevent oidc on tokenless due to permissioning (#1724)

Author: thomasrockhu-codecov

CHANGELOG.md

@@ -993,4 +993,4 @@ for the full list.
 ### Dependencies and Misc
 - #166 Bump requestretry from 4.1.1 to 4.1.2
 - #169 Bump typescript from 4.0.5 to 4.1.2
-- #178 Bump @types/jest from 26.0.15 to 26.0.19
+- #178 Bump @types/jest from 26.0.15 to 26.0.19

Makefile

@@ -1,5 +1,5 @@
 deploy:
-	$(eval VERSION := $(shell cat src/version | grep 'CODECOV_ACTION_VERSION=' | cut -d\" -f2))
+	$(eval VERSION := $(shell cat src/version))
 	git tag -d v5
 	git push origin :v5
 	git tag v5

action.yml

@@ -157,28 +157,46 @@ runs:
     - name: Action version
       shell: bash
       run: |
-        CC_ACTION_VERSION=$(cat ${GITHUB_ACTION_PATH}/src/version | grep 'CODECOV_ACTION_VERSION=' | cut -d\" -f2)
+        CC_ACTION_VERSION=$(cat ${GITHUB_ACTION_PATH}/src/version)
         echo -e "\033[0;32m==>\033[0m Running Action version $CC_ACTION_VERSION"
     - name: Set safe directory
       if: ${{ inputs.disable_safe_directory != 'true' }}
       shell: bash
       run: |
         git config --global --add safe.directory ${{ github.workspace }}
 
+    - name: Set fork
+      shell: bash
+      run: |
+        if [ -n "$GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME" ] && [ "${GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME}" != "$GITHUB_REPOSITORY" ];
+        then
+          echo -e "\033[0;32m==>\033[0m Fork detected"
+          CC_FORK="true"
+          echo "CC_FORK=$CC_FORK" >> "$GITHUB_ENV"
+        fi
+      env:
+        GITHUB_EVENT_PULL_REQUEST_HEAD_LABEL: ${{ github.event.pull_request.head.label }}
+        GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }}
+        GITHUB_REPOSITORY: ${{ github.repository }}
+
+
     - name: Get and set token
       shell: bash
       run: |
-        if [ "${{ inputs.use_oidc }}" == 'true' ];
+        if [ "${{ inputs.use_oidc }}" == 'true' && "$CC_FORK" != 'true'];
         then
           # {"count":1984,"value":"***"}
+          echo -e "\033[0;32m==>\033[0m Requesting OIDC token from ${ACTION_ID_TOKEN_REQUEST_URL}"
           CC_TOKEN=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=https://codecov.io" | cut -d\" -f6)
           echo "CC_TOKEN=$CC_TOKEN" >> "$GITHUB_ENV"
         elif [ -n "${{ env.CODECOV_TOKEN }}" ];
         then
+          echo -e "\033[0;32m==>\033[0m Token from from env"
             echo "CC_TOKEN=${{ env.CODECOV_TOKEN }}" >> "$GITHUB_ENV"
         else
           if [ -n "${{ inputs.token }}" ];
           then
+            echo -e "\033[0;32m==>\033[0m Token set from input"
             CC_TOKEN=$(echo "${{ inputs.token }}" | tr -d '\n')
             echo "CC_TOKEN=$CC_TOKEN" >> "$GITHUB_ENV"
           fi
@@ -187,7 +205,7 @@ runs:
     - name: Override branch for forks
       shell: bash
       run: |
-        if [ -z "$CC_BRANCH" ] && [ -z "$CC_TOKEN" ] && [ -n "$GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME" ] && [ "${GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME}" != "$GITHUB_REPOSITORY" ];
+        if [ -z "$CC_BRANCH" ] && [ -z "$CC_TOKEN" ] && [ "$CC_FORK" == 'true' ]
         then
           echo -e "\033[0;32m==>\033[0m Fork detected, tokenless uploading used"
           TOKENLESS="$GITHUB_EVENT_PULL_REQUEST_HEAD_LABEL"

changelog.py

@@ -4,8 +4,7 @@
 
 def update_changelog():
     with open('src/version', 'r') as f:
-        raw_version = f.read()
-    version = re.search('\"(.*)\"', raw_version).groups()[0]
+        version = f.read()
     changelog = [f"## v{version}"]
     changelog.append("### What\'s Changed")
 

src/version

@@ -1 +1 @@
-CODECOV_ACTION_VERSION="5.1.1"
+5.1.1