Is the verbose mode (-v) supposed to let the clear-text token into the output of codecov -v create-commit?
#469
Assignees
Labels
bug
Something isn't working
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Here https://github.com/pytest-dev/pytest/actions/runs/9746387730/job/26896668869?pr=12553#step:9:66 I noticed that one debug log entry has it sanitized, and the other reveals the token value within an escaped JSON string. I haven't attempted debugging why this is happening, but it seems it might be related to said escaping.
It's not very problematic in this specific project, though.
P.S. Your own dogfooding step @ https://github.com/codecov/codecov-cli/actions/runs/9715039688/job/26815507245#step:6:2 does not manifest this problem since it only invokes
do-uploadand doesn't runcreate-commitas the action wrapper does.P.P.S. Many people use
${{ secrets.CODECOV_TOKEN }}in the GHA realm, so GHA masks the value for them, on a different level. But when the value is not coming from a secret, it's not hidden by the platform.The text was updated successfully, but these errors were encountered: