From e847d68c2665d471912d66250990937b73787dc6 Mon Sep 17 00:00:00 2001
From: shahar-h <shahar.harari@sap.com>
Date: Mon, 20 May 2024 05:49:19 +0300
Subject: [PATCH] ci: fix codecov upload issue (#3421)

* ci: fix codecov upload issue

Signed-off-by: Shahar Harari <shahar.harari@sap.com>

* remove trailing space

Signed-off-by: Shahar Harari <shahar.harari@sap.com>

* simplify condition

Signed-off-by: Shahar Harari <shahar.harari@sap.com>

---------

Signed-off-by: Shahar Harari <shahar.harari@sap.com>
---
 .github/dependabot.yml                |  2 --
 .github/workflows/build_and_test.yaml | 11 +++++++++--
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 2f37284cf4a..c7a5bee84ff 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -20,8 +20,6 @@ updates:
     ignore:
       # skip to update retest, because it won't work with the latest version
       - dependency-name: "envoyproxy/toolshed/gh-actions/retest"
-      # skip until https://github.com/codecov/feedback/issues/112 is resolved
-      - dependency-name: "codecov/codecov-action"
   - package-ecosystem: github-actions
     directory: /tools/github-actions/setup-deps
     schedule:
diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml
index e812062f329..4f53f7f30a8 100644
--- a/.github/workflows/build_and_test.yaml
+++ b/.github/workflows/build_and_test.yaml
@@ -44,6 +44,9 @@ jobs:
 
   coverage-test:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read   #  for actions/checkout
+      id-token: write  #  for fetching OIDC token
     steps:
     - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b  # v4.1.5
     - uses: ./tools/github-actions/setup-deps
@@ -52,12 +55,16 @@ jobs:
     - name: Run Coverage Tests
       run: make go.test.coverage
     - name: Upload coverage to Codecov
-      uses: codecov/codecov-action@4fe8c5f003fae66aa5ebb77cfd3e7bfbbda0b6b0  # v3.1.5
+      uses: codecov/codecov-action@6d798873df2b1b8e5846dba6fb86631229fbcb17  # v4.4.0
       with:
-        fail_ci_if_error: false
+        fail_ci_if_error: true
         files: ./coverage.xml
         name: codecov-envoy-gateway
         verbose: true
+        # only use oidc for push events or PRs from the same repo, since PRs from forks cannot fetch an OIDC token
+        # Codecov supports Token-less Uploads for PRs from forks:
+        # https://docs.codecov.com/docs/codecov-uploader#supporting-token-less-uploads-for-forks-of-open-source-repos-using-codecov
+        use_oidc: ${{ github.event_name == 'push' }}
 
   build:
     runs-on: ubuntu-latest