[BUG] "Token required because branch is protected" since 4/8

[rix0rrr]

Describe the bug

Since April 8, we are seeing the following behavior:

 -> Token of length 0 detected
...
error - 2025-04-08 13:34:06,401 -- Upload failed: {"message":"Token required because branch is protected"}

The day before, we saw the following behavior:

 -> Token of length 1881 detected
...
info - 2025-04-07 14:30:42,158 -- Process Upload complete

• Successful run: https://github.com/aws/aws-cdk-cli/actions/runs/14311744680/job/40108208138
• Failed run: https://github.com/aws/aws-cdk-cli/actions/runs/14334759454/job/40178848048

We haven't changed our workflow file in between those runs. It was:

      # No environment variables configured anywhere
      - name: Upload results to Codecov
        uses: codecov/codecov-action@v5
        with:
          disable_search: true
          files: packages/aws-cdk/coverage/cobertura-coverage.xml
          fail_ci_if_error: true
          flags: suite.unit
          use_oidc: true

One change that I could observe was that during the successful run it used CLI 10.3.0 and in the failed run it used CLI 10.4.0.

We have since then downgraded to 10.3.0, but that didn't make a difference, we are still seeing the same error with this:

          version: v10.3.0

Both workflows are running on the main repo, neither was running on a fork. From these examples, one was running on push: main and one on pull_request, but subsequent pushes to main are equally failing so that's not the root cause.

The

CC_TOKEN=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=$CC_OIDC_AUDIENCE" | cut -d\" -f6)

Command is the same between the successful and failing run, but in the failing run it just doesn't seem to produce a value:

env:
  CC_FORK: false
  CC_TOKEN: 
  CC_BRANCH: 
  GITHUB_EVENT_PULL_REQUEST_HEAD_LABEL: aws:otaviom/refactor-dry-run-2
  GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME: aws/aws-cdk-cli

I am noticing that the URLs are different.

# Successful run
Requesting OIDC token from 'https://pipelinesghubeus11.actions.githubusercontent.com/6r4pB3oz06wurvpuMXICQv7JYqVnUznWGi08mnV1GH0cJu1Ggh/00000000-0000-0000-0000-000000000000/_apis/distributedtask/hubs/Actions/plans/0402ab11-b877-40f0-afbd-dad1cb027099/jobs/e1e0d67c-baad-5ced-d187-d69c8e34c3de/idtoken?api-version=2.0'

# Failing run
Requesting OIDC token from 'https://run-actions-1-azure-eastus.actions.githubusercontent.com/57//idtoken/ac8d1c3c-872f-437f-941e-220a69cfa0c5/190542f2-31ce-5c47-9e98-07da740aaa19?api-version=2.0'

[thomasrockhu-codecov]

@rix0rrr I pushed a fix for this in 5.4.1, can you see if that's working for you?

[HarelM]

I think this fix just broke my build:
https://github.com/maplibre/maplibre-gl-js/actions/runs/14453535108/job/40531520271?pr=5719

==> Fork detected
Run actions/github-script@v7
Error: Error message: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable

[thomasrockhu-codecov]

@HarelM sorry, 5.4.2 should be working now

[HarelM]

Thanks for the quick turnaround @thomasrockhu-codecov! This seems to have solved the build failure I was facing.