This repository contains automation and helper scripts for Codecov coverage inspection and setup.
Security-sensitive areas include:
- credential/token handling
- fallback API calls that can use non-GET methods
- workflow automation that can post comments or update repository state
If you discover a vulnerability, please avoid opening a public issue with exploit details.
Instead, contact the maintainer privately (for example via GitHub security reporting or direct private channel) and include:
- affected file(s) / workflow(s)
- reproducible steps
- impact assessment
- any suggested mitigation
- Never hardcode Codecov tokens.
- Never include tokens in command arguments.
- Use environment variables (e.g.
CODECOV_TOKEN). - Prefer secret manager retrieval into environment variables.
PowerShell example:
$env:CODECOV_TOKEN = Get-Secret CODECOV_TOKEN_TYPEFEST -AsPlainText- Use
--dry-runfor non-GET fallback API calls before applying changes. - Verify target service, owner, repository, and base URL before running fallback calls.
- Re-check state after changes with
summary,repo,commits,flags, or the relevant detail command.