[GH Request] need a codecov token for frontend-app-learner-record

[deborahgu]

Repository

frontend-app-learner-record

Urgency

Low (2 weeks)

Requested Change

It looks like the repository might be missing a codecov access token.

Reasoning

The PR to update codecov failed, even though the token is called for in the action.

https://github.com/openedx/frontend-app-learner-record/actions/runs/11883989894/job/33164769383?pr=443

gpg:                using RSA key 27034E7FDB850E0BBC2C62FF806BB28AED779869
gpg: Good signature from "Codecov Uploader (Codecov Uploader Verification Key) <security@codecov.io>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2703 4E7F DB85 0E0B BC2C  62FF 806B B28A ED77 9869
codecov: OK
==> CLI integrity verified

 -> Token of length 0 detected
==> Running create-commit
      ./codecov  create-commit --fail-on-error --git-service github
info - 2024-11-18 21:40:16,776 -- ci service found: github-actions
info - 2024-11-18 21:40:17,195 -- Process Commit creating complete
error - 2024-11-18 21:40:17,195 -- Commit creating failed: {"message":"Token required because branch is protected"}
==> Failed to create-commit
    Exiting...
Error: Process completed with exit code 1.

[github-actions]

Thank you for your report! @openedx/axim-oncall will triage within a business day. Simple requests usually take 2-3 business days to resolve; more complex requests could take longer.

[sarina]

@deborahgu I notice our reference codecov (https://openedx.atlassian.net/wiki/spaces/COMM/pages/3438280709/Adding+Codecov#1.-Code-Changes-(done-by-any-developer%2C-merged-by-someone-with-repo-write-access)) defines some stuff that's not defined in https://github.com/openedx/frontend-app-learner-record/blob/master/codecov.yml, like enabled or target above 0%. Perhaps it's never run before? I'll look into the token when I have free time tomorrow, but wanted to flag this as I don't really know if this makes a difference.

[sarina]

OK, as per https://openedx.atlassian.net/wiki/spaces/COMM/pages/3438280709/Adding+Codecov#4.-Add-a-CodeCov-repository-secret-(done-by-a-GitHub-org-admin%2C-at-Axim-for-openedx), we have codecov token globally so I shouldn't have to add something specific to your repo. Could you check that codecov has ever run? Do you know how codecov is working on other repos?

[deborahgu]

Thanks for looking into this. So here's what I can find debugging this:

• this PR with the failing action is the upgrade from the codecov-action to v5 from v4. I can verify that codecov runs fine on v4 for this repo, and has been doing so
• I wanted to see if the action v5 is running correctly on other repositories, and moreover, on other MFEs, so I looked at learner dashboard, and verified that it is

So I pulled the raw logs from the failing run (on learner record) and the successful run (on learner dashboard) and diffed them. The very first difference in the raw logs is that the run on learner dashboard which succeeds, says

 -> Token of length 36 detected

while the run on learner record, which fails, says

 -> Token of length 0 detected

And then later reports

error - 2024-11-25 21:19:21,059 -- Commit creating failed: {"message":"Token required because branch is protected"}

after which the logs obviously diverge.

Is there a chance there's a repo setting preventing the token from being read, here? Th actions on the two repos look identical for this part.

[sarina]

Huh, that's weird. I don't see anything in settings or branch protection rules that are different between the two repos. @feanil is on call today and may be more familiar with this than I am - Feanil, any ideas?

[feanil]

The only difference I could spot is that the learner record repo has a custom codecov config file which the other example does not. I confirmed that both should have access to the same token value and that the codecov app has the same level of access to both. The next thing to try is to probably make the PR yourself instead of via the github action bot and see if it's something to do with the dependabot related permissions which are different from standard users.

If that doesn't work, we can reach out to codecov support and see if they can shed some light on what's going on.

[deborahgu]

The next thing to try is to probably make the PR yourself instead of via the github action bot and see if it's something to do with the dependabot related permissions which are different from standard users.

that seems to have worked. Computers, amirite?

Thanks so much to both of you!

[deborahgu]

actually I suppose there is a follow-up question which is, now that codecov is about to be on version 5, will the rest of our dependbot fail for lack of permissions, or was this a one-time problem because of the version change? Should I leave this ticket open until we have verified or should I just reopen if it comes back for new dependabot PRs?