build(deps): bump codecov/codecov-action from 5 to 6 #740
Hi @dependabot[bot]. Thanks for your PR. I'm waiting for a codeready-toolchain member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
No actionable comments were generated in the recent review. 🎉
ℹ️ Recent review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID:
📒 Files selected for processing (1)
✅ Files skipped from review due to trivial changes (1)
Walkthrough
Updated the Codecov GitHub Actions workflow step from
Changes
Estimated code review effort
🎯 1 (Trivial) | ⏱️ ~2 minutes
🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/workflows/upload-coverage.yml (1)
22-22: Pin the action to a commit SHA instead of a mutable tag.
Using @v6 is mutable and weaker for supply-chain integrity. Prefer pinning to the exact release commit SHA.
🔒 Proposed hardening change
- uses: codecov/codecov-action@v6 + uses: codecov/codecov-action@<full-length-v6-release-commit-sha>
You can fetch the correct SHA from the v6 release page/compare link before applying.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/upload-coverage.yml at line 22, Replace the mutable tag usage in the workflow step that currently reads "uses: codecov/codecov-action@v6" with the repository@<commit-sha> form pinned to the exact commit SHA from the v6 release; locate the "uses: codecov/codecov-action@v6" line in the upload-coverage.yml step, fetch the corresponding commit SHA from the v6 release/compare page on GitHub, and update the value to "uses: codecov/codecov-action@<SHA>" to ensure the action is pinned to an immutable commit.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 5c279472-e299-44c0-a913-a9967f1169c2
📒 Files selected for processing (1)
.github/workflows/upload-coverage.yml
| - name: Upload to Codecov | ||
| uses: codecov/codecov-action@v5 | ||
| uses: codecov/codecov-action@v6 |
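Review bot: the new `uses: codecov/codecov-action@v6` line references a floating major-version tag, so the code this step runs can change whenever the tag is moved, with no diff in this repository. Pin the step to the full-length commit SHA of the release and keep the version in a trailing comment, e.g. `uses: codecov/codecov-action@<full-length-commit-sha> # v6`, taking the SHA from the action's release page. Because the change is a major-version bump (v5 to v6), also confirm that any inputs this step passes, which are not shown in the hunk, are still accepted.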
🧩 Analysis chain
🌐 Web query:
What are the official runtime/platform requirements for codecov/codecov-action v6 (Node.js runtime, minimum GitHub Actions runner version, and GitHub Enterprise Server compatibility), and what breaking changes from v5 to v6 affect existing inputs like token, files, flags, or fail_ci_if_error?
💡 Result:
No official v6 release of codecov/codecov-action exists as of 2026-03-26. The latest version is v5.5.3 (released March 2026). All references are to v5 as the current major version.
Node.js runtime: Node.js 20 (updated via PR #1228 merged Jan 2024; v3 used Node 16 before, transitioned to 20 to address deprecation). Note: Node 20 actions deprecated; dependency actions/github-script uses Node 20 (Issue #1919, Mar 2026), but GitHub will force Node 24 by June 2026.
Minimum GitHub Actions runner version: No specific minimum stated beyond standard GitHub-hosted runners (ubuntu-latest, etc.). Requires bash, curl, git, gpg (pre-installed on GitHub runners). Self-hosted runners must be v2.329.0+ by Mar 16, 2026 (GitHub changelog).
GitHub Enterprise Server compatibility: Yes, auto-detects GHES usage (PR #1356, Apr 2024); supports github_enterprise git_service; works with self-hosted Codecov Enterprise (use_legacy_upload_endpoint: true may be needed).
Breaking changes v5 to v6: No v6 exists, so none. v4 to v5 changes (for context): file -> files, plugin -> plugins; removed gcov_* args, skip_validation, etc.; added binary, gcov_args, etc.; uses Codecov Wrapper. Inputs like token, files, flags, fail_ci_if_error unchanged/supported in v5. Use @v5 (points to latest v5.x).
Citations:
- 1: https://github.com/codecov/codecov-action
- 2: action.yml: Update to Node.js 20 codecov/codecov-action#1228
- 3: Node.js 20 deprecation warning caused by actions/github-script dependency codecov/codecov-action#1919
- 4: Use Node.js 20 for v3 codecov/codecov-action#1289
- 5: https://github.com/codecov/codecov-action/blob/master/CHANGELOG.md
- 6: https://github.com/marketplace/actions/codecov
- 7: https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md
- 8: https://github.com/codecov/codecov-action/releases
- 9: fix: automatically detect if using GitHub enterprise codecov/codecov-action#1356
- 10: [BUG] latest codecov-action is broken codecov/codecov-action#1766
Change @v6 to @v5 — v6 does not exist.
codecov/codecov-action@v6 does not have an official release as of March 2026. The latest version is v5.5.3. Update the action reference to @v5 to use the latest v5.x release, or pin to a specific release like @v5.5.3. Inputs like token, files, flags, and fail_ci_if_error are fully supported in v5 with no compatibility issues on ubuntu-24.04.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/upload-coverage.yml at line 22, Update the GitHub Action
reference string used in the workflow: replace the non-existent
"codecov/codecov-action@v6" with a valid v5 release (e.g.,
"codecov/codecov-action@v5" or pin to "codecov/[email protected]") so the
workflow uses the supported Codecov action version; ensure the rest of the step
(inputs like token, files, flags, fail_ci_if_error) remains unchanged.
Incorrect. It's there.
@alexeykazakov, you are correct, and I apologize for the incorrect review comment. v6.0.0 does exist, with a full changelog at https://github.com/codecov/codecov-action/compare/v5.5.4...v6.0.0. v6 requires node24. The upgrade from v5 to v6 in this PR is valid. I was wrong to flag it.
(╯°□°)╯
/ok-to-test
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: alexeykazakov, dependabot[bot], MatousJobanek
The full list of commands accepted by this bot can be found here.
The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 5 to 6.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@v5...v6)
---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <[email protected]>
2a7a50e to b3ecc3a
/lgtm



Bumps codecov/codecov-action from 5 to 6.
Release notes
Sourced from codecov/codecov-action's releases.
... (truncated)
Changelog
Sourced from codecov/codecov-action's changelog.
... (truncated)
Commits
- 57e3a13 Th/6.0.0 (#1928)
- f67d33d Revert "Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0""...
Summary by CodeRabbit