chore(deps): update codecov/codecov-action action to v7 #1705
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -18,7 +18,7 @@ jobs: | |
| - name: Run tests | ||
| run: make test | ||
| - name: Codecov | ||
| uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v6.0.2 | ||
| uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0 | ||

[high] logic-error
The commit hash fb8b3582c8e4def4969c97caa2f19720cb33a72f is identical before and after the change in both workflow files. Only the trailing version comment changed from # v6.0.2 to # v7.0.0. The workflow will continue executing the exact same action code — the action has NOT been updated to v7.0.0. The version comment is now misleading.
Suggested fix: Update the commit hash to the actual v7.0.0 release commit of codecov/codecov-action. The current hash does not correspond to v7.0.0.

[high] version-pinning-consistency
The version comment is updated from v6.0.2 to v7.0.0 but the pinned commit SHA (fb8b3582c8e4def4969c97caa2f19720cb33a72f) is unchanged. GitHub Actions resolves by SHA, so the workflow will still run v6.0.2. The upgrade has not taken effect.
Suggested fix: Update the SHA to the commit that the codecov/codecov-action v7.0.0 tag points to, or revert the comment to v6.0.2 if the old version is intended.

[high] version-comment-accuracy
The version comment was changed from # v6.0.2 to # v7.0.0 but the pinned commit SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f was not updated. The PR claims to be a dependency upgrade but no actual code change occurs -- the action continues running v6.0.2 code.
Suggested fix: Update the commit SHA to the actual v7.0.0 release SHA of codecov/codecov-action.

[high] scope-version-mismatch
The PR claims to update codecov/codecov-action from v6.0.2 to v7.0.0, but the commit SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f is identical in both the old and new versions. Only the trailing comment text changed. This means either: (a) the SHA does not actually correspond to v7.0.0 and the comment is now misleading, or (b) the SHA was already correct for v7.0.0 and the old v6.0.2 comment was wrong. The same issue applies to .github/workflows/pr.yml line 98.
Suggested fix: Verify the correct commit SHA for codecov/codecov-action v7.0.0 from https://github.com/codecov/codecov-action/releases/tag/v7.0.0. If the SHA differs, update both files to pin to the correct v7.0.0 SHA. If the SHA is already correct for v7.0.0, this PR is a legitimate comment-only fix and can proceed.

[high] version-comment-mismatch
The version comment is updated from v6.0.2 to v7.0.0, but the pinned SHA (fb8b3582c8e4def4969c97caa2f19720cb33a72f) is unchanged. GitHub Actions resolves by SHA, not comment, so no actual upgrade occurs. The comment is misleading and could mask the fact that the intended v7 upgrade never happened.
Suggested fix: Update the commit hash to the actual commit corresponding to codecov/codecov-action v7.0.0, or revert the comment back to v6.0.2 to match the pinned SHA.

[high] api-contract
The commit hash fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged while the version comment changes from v6.0.2 to v7.0.0. GitHub Actions resolves the action from the pinned SHA, not the comment. The workflow will continue running v6.0.2 code while the comment falsely claims v7.0.0.
Suggested fix: Update the SHA to the actual commit hash for codecov/codecov-action v7.0.0, or revert the comment to v6.0.2 if the upgrade is not intended.

[high] logic-error
The commit SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged while the version comment is updated from v6.0.2 to v7.0.0. GitHub Actions resolves the action by the pinned SHA, not the comment. Since a single SHA cannot point to two different release tags, the comment is now incorrect and no actual upgrade to v7.0.0 occurs. The same issue applies to .github/workflows/pr.yml line 98.
Suggested fix: Update the SHA to the commit corresponding to the codecov/codecov-action v7.0.0 release tag, or revert the comment to v6.0.2 if no upgrade is intended. Apply the fix in both codecov.yml and pr.yml.

[medium] version-comment-mismatch
The version comment is updated from v6.0.2 to v7.0.0, but the pinned commit hash fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged. GitHub Actions resolves the action by the SHA, not the comment, so this will still run v6.0.2. The misleading comment may cause maintainers to believe they are running v7.0.0 and skip a future real upgrade.
Suggested fix: Update the commit hash to the actual commit corresponding to codecov/codecov-action v7.0.0, or revert the comment to v6.0.2 if no upgrade is intended.

[high] version-hash-mismatch
The commit hash fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged between the old and new lines. Only the trailing comment was updated from v6.0.2 to v7.0.0. The action is not actually upgraded to v7 — the workflow will continue running the v6.0.2 version, while the comment will be misleading.
Suggested fix: Update the commit hash to the actual commit corresponding to codecov/codecov-action v7.0.0.

[high] logic-error
The commit hash fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged between the old and new versions while the version comment was updated from v6.0.2 to v7.0.0. GitHub Actions resolves the action by the pinned commit hash, not the comment. If this hash does not correspond to the v7.0.0 tag, the workflow will still execute the v6.0.2 code despite the comment claiming v7.0.0.
Suggested fix: Verify the commit SHA for the v7.0.0 tag of codecov/codecov-action. If it differs from fb8b3582c8e4def4969c97caa2f19720cb33a72f, update the uses: line to the correct hash.

[high] version-hash-mismatch
The PR changes only the version comment from v6.0.2 to v7.0.0 but leaves the pinned SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f unchanged. Since the SHA is authoritative, the action still runs v6.0.2 code. The comment is now misleading, and the intended upgrade did not actually occur.
Suggested fix: Update the SHA to the actual commit hash for the codecov/codecov-action v7.0.0 release tag, or revert the comment to v6.0.2.

[high] version-comment-mismatch
The version comment is updated from v6.0.2 to v7.0.0, but the commit SHA pin (fb8b3582c8e4def4969c97caa2f19720cb33a72f) is identical in both old and new lines. GitHub Actions resolves the pinned SHA, not the comment, so the runtime behavior is unchanged. The same issue applies to .github/workflows/pr.yml line 98.
Suggested fix: Verify which version SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f corresponds to in codecov/codecov-action. If it is v6.0.2, update the SHA to the correct v7.0.0 commit hash. If it is already v7.0.0, the change is a valid comment correction.

[high] version-pinning-consistency
The SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged while the trailing comment is updated from v6.0.2 to v7.0.0. GitHub Actions resolves the action by the SHA, not the comment, so the action will still run v6.0.2 code. The comment will be misleading, undermining the auditability of pinned dependencies.
Suggested fix: Update the SHA to the actual commit corresponding to the codecov/codecov-action v7.0.0 release tag. Obtain it with: git ls-remote https://github.com/codecov/codecov-action.git v7.0.0

[high] protected-path
Both modified files (.github/workflows/codecov.yml and .github/workflows/pr.yml) are under .github/, a protected path requiring human approval. This PR has no linked issue justifying changes to governance/infrastructure files. The change itself is safe — both v6.0.2 and v7.0.0 tags resolve to the same upstream commit SHA — but human review is always required for protected-path modifications.
Suggested fix: A human maintainer should review and approve this PR. No code changes are needed — the version comment update is accurate.

[high] dependency-pinning-consistency
Version comment updated from v6.0.2 to v7.0.0 but the pinned commit SHA (fb8b3582c8e4def4969c97caa2f19720cb33a72f) is unchanged. The workflow will still execute v6.0.2 code while the comment claims v7.0.0, breaking the SHA-to-version-comment correspondence that is the point of commit pinning.
Suggested fix: Update the SHA to the actual commit corresponding to the codecov/codecov-action v7.0.0 release tag.

[medium] logic-error
The PR changes only the version comment from # v6.0.2 to # v7.0.0 while the pinned SHA (fb8b3582c8e4def4969c97caa2f19720cb33a72f) remains unchanged. If this SHA does not correspond to the v7.0.0 tag of codecov/codecov-action, the comment will be misleading and the intended version upgrade will not take effect.
Suggested fix: Verify that the SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f corresponds to codecov/codecov-action v7.0.0. If it does not, update the SHA to the correct commit hash for v7.0.0.

||
| with: | ||
| token: ${{ secrets.CODECOV_TOKEN }} | ||
| flags: unit-tests | ||
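
Review bot: the `uses:` line of the Codecov step carries the same pin, fb8b3582c8e4def4969c97caa2f19720cb33a72f, on both the old and the new side, and only the trailing `# v6.0.2` becomes `# v7.0.0`, so the runner fetches the same commit before and after this hunk. Confirm which tag that commit belongs to in codecov/codecov-action, then either replace the SHA with the v7.0.0 commit or keep the comment at the version the SHA really is. When checking, compare against the commit the tag points to, not the id of an annotated tag object.
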
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -95,7 +95,7 @@ jobs: | |
| - name: Run Go Tests | ||
| run: make test | ||
| - name: Upload coverage to Codecov | ||
| uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v6.0.2 | ||
| uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0 | ||

[high] logic-error
Same SHA/comment mismatch: the pinned hash fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged while the comment changed from v6.0.2 to v7.0.0. No functional upgrade occurs.
Suggested fix: Update the commit hash to the actual commit SHA for codecov/codecov-action v7.0.0.

[high] version-pinning-consistency
The version comment is updated from v6.0.2 to v7.0.0 but the pinned commit SHA (fb8b3582c8e4def4969c97caa2f19720cb33a72f) is unchanged. GitHub Actions resolves by SHA, so the workflow will still run v6.0.2. The upgrade has not taken effect.
Suggested fix: Update the SHA to the commit that the codecov/codecov-action v7.0.0 tag points to, or revert the comment to v6.0.2 if the old version is intended.

[high] version-comment-accuracy
Same issue: the pinned commit SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f was not updated while the version comment changed from # v6.0.2 to # v7.0.0. No actual dependency update occurs.
Suggested fix: Update the commit SHA to the actual v7.0.0 release SHA of codecov/codecov-action.

[high] version-comment-mismatch
The version comment is updated from v6.0.2 to v7.0.0, but the pinned SHA (fb8b3582c8e4def4969c97caa2f19720cb33a72f) is unchanged. GitHub Actions resolves by SHA, not comment, so no actual upgrade occurs. The comment is misleading.
Suggested fix: Update the commit hash to the actual commit corresponding to codecov/codecov-action v7.0.0, or revert the comment back to v6.0.2 to match the pinned SHA.

[high] api-contract
Same issue: the commit hash fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged while the version comment changes from v6.0.2 to v7.0.0. The actual action executed will remain v6.0.2.
Suggested fix: Update the SHA to the actual commit hash for codecov/codecov-action v7.0.0, or revert the comment to v6.0.2.

[medium] version-comment-mismatch
The version comment is updated from v6.0.2 to v7.0.0, but the pinned commit hash fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged. GitHub Actions resolves the action by the SHA, not the comment, so this will still run v6.0.2. No actual upgrade occurs.
Suggested fix: Update the commit hash to the actual commit corresponding to codecov/codecov-action v7.0.0, or revert the comment to v6.0.2 if no upgrade is intended.

[high] version-hash-mismatch
Same issue: the commit hash fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged while the comment was updated from v6.0.2 to v7.0.0. The action is not actually being upgraded.
Suggested fix: Update the commit hash to the actual commit corresponding to codecov/codecov-action v7.0.0.

[high] logic-error
Same issue: the commit hash fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged while the version comment was updated from v6.0.2 to v7.0.0. The PR does not actually change which version of codecov-action is executed unless this SHA genuinely corresponds to the v7.0.0 tag.
Suggested fix: Verify the commit SHA for the v7.0.0 tag of codecov/codecov-action. If it differs, update the hash accordingly.

[high] version-hash-mismatch
The PR changes only the version comment from v6.0.2 to v7.0.0 but the pinned SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged. The action still runs v6.0.2 code.
Suggested fix: Update the SHA to the actual commit hash for the codecov/codecov-action v7.0.0 release tag, or revert the comment to v6.0.2.

[high] version-pinning-consistency
Same issue as codecov.yml: the SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged while the comment is updated from v6.0.2 to v7.0.0. The action will not actually be upgraded to v7.
Suggested fix: Update the SHA to the actual commit corresponding to the codecov/codecov-action v7.0.0 release tag.

[high] dependency-pinning-consistency
Same SHA/comment mismatch. Version comment updated to v7.0.0 but the pinned SHA (fb8b3582c8e4def4969c97caa2f19720cb33a72f) still points to v6.0.2 code.
Suggested fix: Update the SHA to the actual commit corresponding to the codecov/codecov-action v7.0.0 release tag.

[medium] logic-error
Same issue as codecov.yml: the PR changes only the version comment from # v6.0.2 to # v7.0.0 while the pinned SHA (fb8b3582c8e4def4969c97caa2f19720cb33a72f) remains unchanged. If this SHA does not correspond to the v7.0.0 tag, the comment is misleading and the upgrade has not actually occurred.
Suggested fix: Verify that the SHA fb8b3582c8e4def4969c97caa2f19720cb33a72f corresponds to codecov/codecov-action v7.0.0. If it does not, update the SHA to the correct commit hash for v7.0.0.

||
| with: | ||
| flags: unit-tests | ||
| token: ${{ secrets.CODECOV_TOKEN }} | ||
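
Review bot: the Upload coverage to Codecov step at -95/+95 keeps the pin fb8b3582c8e4def4969c97caa2f19720cb33a72f and only relabels the comment, so this job also keeps running whatever that SHA already was. The step hands `secrets.CODECOV_TOKEN` to the action, and the trailing comment is the audit record of what receives that secret, so change the SHA and the comment together, in the same commit as the other workflow file, to keep the two pins from drifting apart.
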
|
|
||
[high] logic-error
The commit hash fb8b3582c8e4def4969c97caa2f19720cb33a72f is unchanged between the old and new version. Only the trailing version comment is updated from v6.0.2 to v7.0.0. GitHub Actions resolves the action version from the pinned commit hash, not the comment, so the action will continue to run v6.0.2. The PR claims to update to v7 but performs no functional change.
Suggested fix: Update the commit hash to the actual commit SHA that corresponds to codecov/codecov-action v7.0.0. Verify the correct tag SHA from the codecov/codecov-action repository.
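
One way to automate the check these comments call for, as an added example that is not part of the PR or of either project: it compares each `uses: owner/repo@<sha> # vX.Y.Z` line against `git ls-remote --tags` output and reports whether the comment matches the pinned commit. The action name `example-org/example-action`, the SHAs and the ls-remote listing are constructed sample data, and the function names are hypothetical.

```python
import re

# The pinning form used in the diff: uses: owner/repo@<40-hex sha> # vX.Y.Z
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<sha>[0-9a-f]{40})"
    r"\s*#\s*(?P<tag>v[\w.-]+)\s*$"
)

def parse_ls_remote(output):
    """Map tag name -> commit SHA from `git ls-remote --tags` output.

    An annotated tag is listed twice: the tag object, then a peeled `^{}`
    line holding the commit. A `uses:` pin has to equal the peeled commit.
    """
    tags = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].startswith("refs/tags/"):
            continue
        sha, name = parts[0], parts[1][len("refs/tags/"):]
        if name.endswith("^{}"):
            tags[name[:-3]] = sha        # peeled commit always wins
        else:
            tags.setdefault(name, sha)   # lightweight tag
    return tags

def check_pins(workflow_text, tags):
    """Return (line_no, action, status) for each SHA-pinned uses: line."""
    by_sha = {}
    for name, sha in tags.items():
        by_sha.setdefault(sha, []).append(name)  # one commit may carry several tags
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        if tags.get(m["tag"]) == m["sha"]:
            status = "ok"
        elif m["sha"] in by_sha:
            status = "comment-mismatch: sha is " + ",".join(sorted(by_sha[m["sha"]]))
        else:
            status = "unknown-sha"
        findings.append((no, m["action"], status))
    return findings

# Constructed sample data: hypothetical action, made-up SHAs.
OLD, NEW, TAGOBJ = "a" * 40, "b" * 40, "c" * 40
LS_REMOTE = (
    f"{TAGOBJ}\trefs/tags/v6.0.2\n"       # annotated tag object
    f"{OLD}\trefs/tags/v6.0.2^{{}}\n"     # its peeled commit
    f"{NEW}\trefs/tags/v7.0.0\n"          # lightweight tag
)
WORKFLOW = (
    "steps:\n"
    f"  - uses: example-org/example-action@{OLD} # v6.0.2\n"
    f"  - uses: example-org/example-action@{OLD} # v7.0.0\n"
    f"  - uses: example-org/example-action@{TAGOBJ} # v6.0.2\n"
)

if __name__ == "__main__":
    for finding in check_pins(WORKFLOW, parse_ls_remote(LS_REMOTE)):
        print(finding)
```

The second sample line reproduces the pattern in this PR (same SHA, relabelled comment); the third shows a pin to an annotated tag object's id, which is reported as unknown because it is not a commit any tag resolves to.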