
Update/Add bwwl approved actions for actions/upload-code-coverage#241

Merged: withinfocus merged 1 commit into main from add-action-actions-upload-code-coverage- on May 26, 2026
Conversation

@bw-ghapp bw-ghapp Bot commented May 26, 2026

## Type of change
- [ ] Bug fix
- [ ] New feature development
- [X] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [ ] Build/deploy pipeline (DevOps)
- [ ] Other

## Initiated by
withinfocus

## Artifact Reference
https://github.com/bitwarden/server/pull/7720

## Description
- This PR updates the approved actions for the Bitwarden Workflow Linter.

@bw-ghapp bw-ghapp Bot requested a review from a team as a code owner May 26, 2026 17:32
@withinfocus

Dependency Review: actions/upload-code-coverage@v1.2.0

Reviewed SHA: b51da2c3c1b23e04d2d6477cfc34350b1f5cd3e9 (tag v1.2.0, also currently pointed to by moving v1 tag)

TL;DR

Recommend approval, with caveats. This is an official actions/* composite action backing GitHub's new code-coverage-in-PRs public preview feature (announced 2026-05-26 — same day as this review). Source is small, has no third-party runtime dependencies, and is SHA-pinned per bwwl policy. However, the repo is brand-new, pre-GA, and unlicensed, so the usual maturity signals we lean on for actions/* are absent. Re-evaluate after GA.

Provenance & Identity

| Check | Result |
|---|---|
| Owner | actions (official GitHub org, id=44036562) ✅ |
| Action exists on Marketplace | Yes (actions/upload-code-coverage) ✅ |
| Repo created | 2026-04-24 — ~1 month old ⚠️ |
| Repo size / activity | 38 KB, 38 stars, 4 forks, 29 commits, 3 watchers ⚠️ |
| Tag SHA matches PR | v1.2.0 (b51da2c…) |
| Tag SHA matches v1 | Yes — currently moves with v1.2.0, but v1 is a moving tag (don't consume it; we are pinning the immutable SHA, so this is fine for us) ✅ |
| Releases page | Empty — tags only, no GitHub Releases / release notes ⚠️ |
| License | None declared ⚠️ |
| Code-signing on tagged commit | Verified PGP signature on the merge commit, author joshhale@github.com (verified GitHub employee email) ✅ |
| Commit-author chain | Joshua Hale, Jakob Schmid, Taj Singh — earlier commits originated from code-quality-org before being moved to actions/ (commit ca786bc notes the temporary location) ✅ |
| Recent unsigned commits | ~14 of 29 commits unverified (no GPG); typical for solo developer flow, but worth noting ⚠️ |

What The Action Does

Composite action (not a JS/container action — runs as inline bash + python3 on the runner):

  1. Validates event context (skips fork PRs, skips merge queue runs)
  2. Resolves commit_oid / ref / pr_number from event
  3. Reads the Cobertura XML file passed in inputs.file, gzip + base64 encodes it
  4. PUTs JSON to ${GITHUB_API_URL}/repos/${repo}/code-coverage/report using the workflow's GITHUB_TOKEN (requires the new code-quality: write permission)

No third-party endpoints. Traffic goes only to the configured GITHUB_API_URL.

Supply-Chain Surface

| Check | Result |
|---|---|
| Runtime dependencies | None. Pure Python stdlib (urllib.request, json, gzip, base64, pathlib, os, sys) ✅ |
| Bundled binaries / vendored deps | None ✅ |
| Node/JS runtime | N/A (composite, not a JS action) ✅ |
| Docker base image | N/A ✅ |
| Network calls outside GITHUB_API_URL | None ✅ |
| Auditable codebase size | upload_coverage.py (~6.5 KB) + action.yml (~2.7 KB) — fully reviewable ✅ |

Code-Quality / Minor Findings

  • Script injection (low): action.yml interpolates a few ${{ github.* }} expressions directly into bash — including ${{ github.ref_name }} passed to gh pr list --head "${{ github.ref_name }}". Branch names can contain shell metacharacters; a pathological branch name on a repo using this action could in principle break quoting. Severity is low because (a) the resulting gh pr list runs in a fresh runner context with GITHUB_TOKEN, (b) the other interpolated values (pull_request.head.repo.full_name, pull_request.head.sha, pull_request.number) are GitHub-validated, and (c) the action exits before doing anything sensitive if the lookup fails. Not a blocker for approval; worth flagging upstream.
  • Pre-GA acknowledgement in source: upload_coverage.py contains TODO(GA): Once docs are live, consider including documentation_url in output. — confirms the action is shipped against a preview API surface. Behavior could change before GA.
  • v1 is mutable: Common GitHub convention but worth restating — bwwl policy of pinning to immutable SHA is exactly the mitigation here.

Bitwarden Context

  • Originating use case: bitwarden/server#7720 (draft, by @withinfocus) — additive coverage upload alongside the existing codecov/codecov-action. Existing codecov path is preserved unchanged.
  • Required new permission scope: code-quality: write — must be granted per-job in consuming workflows. This is a brand-new permission tied to the preview feature and not previously seen in our workflows.

Recommendation

Approve actions/upload-code-coverage@b51da2c3c1b23e04d2d6477cfc34350b1f5cd3e9 # v1.2.0 for inclusion in default_actions.json, on the basis that:

  • It is a first-party actions/* action by verified GitHub employees.
  • The implementation is small, dependency-free, SHA-pinned, and reviewable end-to-end.
  • The only external endpoint is the GitHub API.

Caveats to track:

  1. Re-review after GA. Add a follow-up to revisit this entry once GitHub promotes the feature out of public preview — confirm the API contract, expect a new tag (likely v2 or v1.x+), and update the pin.
  2. Watch for a declared LICENSE. Re-evaluate compliance posture once the repo adds one (most actions/* repos are MIT).
  3. Consider opening an upstream issue about the github.ref_name shell interpolation in action.yml.
  4. Document the new code-quality: write permission in our internal workflow-permissions guidance so teams adopting this action grant it correctly (and only on the upload job).
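The review above leans on two mechanical checks: every `uses:` must be pinned to an immutable commit SHA, and GitHub expressions such as `${{ github.ref_name }}` should not be interpolated straight into a `run:` script. The following is an added, self-contained example of those two checks over a constructed workflow (it is not the Bitwarden Workflow Linter's code or the action's own action.yml); `actions/checkout@v4` is a made-up unpinned entry, and the safe variant passes the branch name through an environment variable instead.

```python
import re

# Constructed sample (not the action's own action.yml): one SHA-pinned step,
# one tag-pinned step, one unsafe run: step and its env-var hardened form.
SAMPLE_WORKFLOW = """\
jobs:
  coverage:
    permissions:
      code-quality: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/upload-code-coverage@b51da2c3c1b23e04d2d6477cfc34350b1f5cd3e9 # v1.2.0
      - name: find pr (expression interpolated straight into bash)
        run: |
          gh pr list --head "${{ github.ref_name }}"
      - name: find pr safely (same value passed through an env var)
        env:
          REF_NAME: ${{ github.ref_name }}
        run: gh pr list --head "$REF_NAME"
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
RUN_RE = re.compile(r"^\s*-?\s*run:\s*(.*)$")
SHA_PIN_RE = re.compile(r"^[^@]+@[0-9a-f]{40}$")
EXPR_RE = re.compile(r"\$\{\{\s*(github\.[\w.]+|inputs\.[\w.]+)")

def indent(line):
    return len(line) - len(line.lstrip())

def lint_workflow(text):
    """Return (rule, line_no, detail) tuples: 'unpinned-action' for a uses: not
    pinned to a 40-hex SHA, 'expression-in-run' for an expression inside run:."""
    findings, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        line, start = lines[i], i + 1
        m = USES_RE.match(line)
        if m and not SHA_PIN_RE.match(m.group(1)):
            findings.append(("unpinned-action", start, m.group(1)))
        m = RUN_RE.match(line)
        if m:
            body = [m.group(1)]
            if m.group(1).strip() in ("|", "|-", ">", ">-"):
                # Block scalar: the script continues on more-indented lines.
                while i + 1 < len(lines) and indent(lines[i + 1]) > indent(line):
                    i += 1
                    body.append(lines[i])
            for expr in EXPR_RE.findall("\n".join(body)):
                findings.append(("expression-in-run", start, expr))
        i += 1
    return findings
```

Run against the sample it reports the tag-pinned checkout step and the `run: |` block that interpolates `github.ref_name`, while the SHA-pinned upload step and the env-var variant pass.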

@withinfocus withinfocus merged commit b4cf901 into main May 26, 2026
23 checks passed
@withinfocus withinfocus deleted the add-action-actions-upload-code-coverage- branch May 26, 2026 17:44