I just noticed that the action always switches to tokenless upload when the PR is in a forked repo.
The PR is happening in a forked repo. Using tokenless upload.
But the token is available in the forked repo, too, so the uploader could use it. It just does not seem to check this.
|
if (isPullRequestFromFork()) { |
|
core.info('==> Fork detected, tokenless uploading used'); |
|
return Promise.resolve(''); |
|
} |
|
let token = core.getInput('token'); |
Can you adjust this so that isPullRequestFromFork() is only called if there is no token?
I just noticed that the action always switches to tokenless upload when the PR is in a forked repo.
But the token is available in the forked repo, too, so the uploader could use it. It just does not seem to check this.
codecov-action/src/buildExec.ts
Lines 49 to 53 in a1504ae
Can you adjust this so that
isPullRequestFromFork()is only called if there is no token?