[google/syzkaller] 6281dd: .github/workflows: secure Codecov uploads for fork...


Taras Madan

Apr 21, 2026, 4:02:49 AM
to syzk...@googlegroups.com
Branch: refs/heads/gh-readonly-queue/master/pr-7084-3f2e655b2741ba770abc65f58ac94b7e897edae8
Home: https://github.com/google/syzkaller
Commit: 6281dda4d79b12b9a7a531e2e50c265f099785ec
https://github.com/google/syzkaller/commit/6281dda4d79b12b9a7a531e2e50c265f099785ec
Author: Taras Madan <taras...@google.com>
Date: 2026-04-21 (Tue, 21 Apr 2026)

Changed paths:
M .github/workflows/ci.yml
A .github/workflows/upload-coverage.yml

Log Message:
-----------
.github/workflows: secure Codecov uploads for forks via workflow_run

Implement the workflow_run pattern to securely support Codecov coverage
uploads for Pull Requests from forks. This separates untrusted test
execution from trusted coverage upload using repository secrets.

- Update codecov/codecov-action to v5.5.4 (pinned to hash 75cd1169) and
  use 'files' and 'slug' parameters
- Use actions/upload-artifact to capture hidden coverage files (with
  include-hidden-files: true)
- Pin upload-artifact, download-artifact, and checkout actions to full
  commit SHAs for supply chain security
- Split uploads in the new workflow to preserve 'after_n_builds: 2'
  behavior and report flags



To unsubscribe from these emails, change your notification settings at https://github.com/google/syzkaller/settings/notifications
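
The two-workflow split named in the commit message above, as an added illustration; it is not the contents of syzkaller's ci.yml or upload-coverage.yml. The coverage file name, the make target, the secret name CODECOV_TOKEN and the `<full-commit-sha>` placeholders are assumptions.

```yaml
# ci.yml (illustrative): runs untrusted PR code, so it is given no secrets
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<full-commit-sha>         # placeholder: pin to a 40-hex SHA
      - run: make test-coverage                          # hypothetical target; writes .coverage.txt
      - uses: actions/upload-artifact@<full-commit-sha>  # placeholder
        with:
          name: coverage
          path: .coverage.txt
          include-hidden-files: true                     # hidden files are excluded by default
---
# upload-coverage.yml (illustrative): trusted, defined on the default branch
name: upload-coverage
on:
  workflow_run:
    workflows: [ci]
    types: [completed]
permissions:
  contents: read
  actions: read                                          # read artifacts of the triggering run
jobs:
  upload:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      # No ref given: this checks out the default branch, never the PR head.
      - uses: actions/checkout@<full-commit-sha>         # placeholder
      - uses: actions/download-artifact@<full-commit-sha> # placeholder
        with:
          name: coverage
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ github.token }}
      - uses: codecov/codecov-action@<full-commit-sha>   # placeholder
        with:
          files: .coverage.txt
          slug: ${{ github.repository }}
          token: ${{ secrets.CODECOV_TOKEN }}            # assumed secret name
          override_commit: ${{ github.event.workflow_run.head_sha }}
```

The downloaded artifact is produced by the untrusted run, so the trusted job passes it to the uploader as a data file only and does not execute or source anything from it.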

Taras Madan

Apr 21, 2026, 4:15:14 AM
to syzk...@googlegroups.com
Branch: refs/heads/master