
v4 requirement for token breaks coverage reporting for Dependabot pull requests #264

Open
martincostello opened this issue Feb 5, 2024 · 6 comments

Comments

@martincostello

martincostello commented Feb 5, 2024

The changes in the v4 action to require an upload token break the ability for code coverage metrics to be uploaded for pull requests created by dependabot.

Dependabot PRs have not had access to secrets since March 2021 as otherwise a potentially malicious package update could execute arbitrary code with access to such secrets.

While the codecov token could be configured per repository as a duplicate Dependabot-scoped secret in addition to a normal repository secret, this is an additional burden on the maintainer to configure, as well as exposing their secret to potentially untrusted code.

Pull requests from Dependabot should be treated the same as pull requests from forks, and be permitted to upload to codecov without access to an upload token.
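As an added example (not the issue author's configuration and not code from the codecov project), one way to avoid the duplicate Dependabot-scoped secret described above is to pass the token only when the run was not triggered by Dependabot, so the secret is never exposed to a package-update PR; the secret name CODECOV_TOKEN and the test script path are assumptions.

```yaml
# Added example, not from the issue or from codecov-action: upload coverage with a
# token only when the workflow was not triggered by Dependabot. Dependabot-triggered
# runs have no access to repository secrets, so the token would be empty there anyway,
# and skipping the step avoids creating a duplicate Dependabot-scoped secret.
name: ci
on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read   # least privilege for the workflow's GITHUB_TOKEN

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run tests with coverage
        run: ./scripts/test-with-coverage.sh   # assumed project script producing coverage.xml

      - name: Upload coverage to Codecov (only when the token is available)
        # github.actor is the account that triggered the run. For Dependabot's own
        # pushes it is 'dependabot[bot]' and secrets are not available; a maintainer
        # pushing to the same PR runs with their own permissions, as the thread notes.
        if: github.actor != 'dependabot[bot]'
        uses: codecov/codecov-action@v4
        with:
          token: ${{ secrets.CODECOV_TOKEN }}   # assumed secret name
          files: coverage.xml
          fail_ci_if_error: true
```

The trade-off is that Dependabot-authored PRs get no coverage report at all, which is the gap the issue asks the action to close.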

@marekdedic

Hi,
I also got bit by this, but I thought this should work - the readme says "... However, PRs made from forks to the upstream public repos will support tokenless (e.g. contributors to OS projects do not need the upstream repo's Codecov token)" - I interpret this to mean that the dependabot PR shouldn't need a token... which it apparently does.

@martincostello
Author

Yeah, despite dependabot not using forks, it's considered a special case by GitHub due to the potential for a malicious package update that could then steal secrets.

@HarelM

HarelM commented Feb 5, 2024

Do I need to downgrade to v3 in order to continue using tokenless usage of codecov?
I think it was great that it just worked out of the box without the need for an extra secret, even for regular PRs...

@ssbarnea

ssbarnea commented Feb 5, 2024

Interestingly, when I pushed an extra change to a dependabot PR, it did get access to the secrets: https://github.com/ansible/tox-ansible/actions/runs/7785362141/job/21227778925?pr=265

@martincostello
Author

martincostello commented Feb 5, 2024

When you are the instigator of the action, it acts with the permissions you have, not dependabot's.

[image] vs. [image]

@thomasrockhu-codecov
Contributor

@rohan-at-sentry fyi
