Token-free upload for public repositories

[ark120202]

Are there plans to support commit-status-based uploads like on other CI providers?
Besides UX improvements, the recommended way of storing token as a secret doesn't seem to work on pull requests originating from forks, because secrets aren't available there.

[hugovk]

Yes please, it's especially important to get coverage for PRs from forks.

Azure Pipelines has a workaround to "Make secrets available to builds of forks", but GitHub Actions not:

• https://hynek.me/articles/simple-python-azure-pipelines/#coverage

I guess the workaround for GitHub Actions is to just put the token as plaintext. As that link says, "However, the token is worthless for anything except uploading coverage and it’s easy to see when someone does it."

[glmn]

Same problem with Github Actions.

[hootener]

We're currently actively working to support tokenless upload from azure pipelines. However, this feature in general is strongly driven by what's available in public rest apis from the CI providers we integrate with.

AFAIK there is no GitHub actions API we can leverage to support tokenless upload for GitHub actions. When that happens, we will work to get tokenless upload for GitHub actions supported.

Closing now since we cannot do anything about this issue until an api is available.

[hugovk]

I suggest posting a request in https://github.community/t5/GitHub-Actions/bd-p/actions detailing what sort of API is needed. Actions is in beta and they're taking a look at another request I posted.

Thanks!

[ark120202]

@hootener as a temporary solution could it use a standard GITHUB_TOKEN secret? Also, I think at least it makes sense to update docs to note that providing token as a secret wouldn't work for forks, and maybe consider recommending to provide it as plaintext assuming that note on token page is true:

The token below is used exclusively for uploading coverage reports.