Update/Add bwwl approved actions for actions/upload-code-coverage#241
Conversation
bw-ghapp
Bot
commented
May 26, 2026
Dependency Review:
| Check | Result |
|---|---|
| Owner | actions (official GitHub org, id=44036562) ✅ |
| Action exists on Marketplace | Yes (actions/upload-code-coverage) ✅ |
| Repo created | 2026-04-24 — ~1 month old |
| Repo size / activity | 38 KB, 38 stars, 4 forks, 29 commits, 3 watchers |
| Tag SHA matches PR | v1.2.0 → b51da2c… ✅ |
| Tag SHA matches v1 | Yes — currently moves with v1.2.0, but v1 is a moving tag (don't consume it; we are pinning the immutable SHA, so this is fine for us) ✅ |
| Releases page | Empty — tags only, no GitHub Releases / release notes |
| License | None declared |
| Code-signing on tagged commit | Verified PGP signature on the merge commit, author joshhale@github.com (verified GitHub employee email) ✅ |
| Commit-author chain | Joshua Hale, Jakob Schmid, Taj Singh — earlier commits originated from code-quality-org before being moved to actions/ (commit ca786bc notes the temporary location) ✅ |
| Recent unsigned commits | ~14 of 29 commits unverified (no GPG); typical for solo developer flow, but worth noting |
What The Action Does
Composite action (not a JS/container action — runs as inline bash + python3 on the runner):
- Validates event context (skips fork PRs, skips merge queue runs)
- Resolves `commit_oid`/`ref`/`pr_number` from event
- Reads the Cobertura XML file passed in `inputs.file`, gzip + base64 encodes it
- PUTs JSON to `${GITHUB_API_URL}/repos/${repo}/code-coverage/report` using the workflow's `GITHUB_TOKEN` (requires the new `code-quality: write` permission)
No third-party endpoints. Traffic goes only to the configured GITHUB_API_URL.
Supply-Chain Surface
| Check | Result |
|---|---|
| Runtime dependencies | None. Pure Python stdlib (urllib.request, json, gzip, base64, pathlib, os, sys) ✅ |
| Bundled binaries / vendored deps | None ✅ |
| Node/JS runtime | N/A (composite, not a JS action) ✅ |
| Docker base image | N/A ✅ |
| Network calls outside GITHUB_API_URL | None ✅ |
| Auditable codebase size | upload_coverage.py (~6.5 KB) + action.yml (~2.7 KB) — fully reviewable ✅ |
Code-Quality / Minor Findings
- Script injection (low): `action.yml` interpolates a few `${{ github.* }}` expressions directly into bash — including `${{ github.ref_name }}` passed to `gh pr list --head "${{ github.ref_name }}"`. Branch names can contain shell metacharacters; a pathological branch name on a repo using this action could in principle break quoting. Severity is low because (a) the resulting `gh pr list` runs in a fresh runner context with `GITHUB_TOKEN`, (b) the other interpolated values (`pull_request.head.repo.full_name`, `pull_request.head.sha`, `pull_request.number`) are GitHub-validated, and (c) the action exits before doing anything sensitive if the lookup fails. Not a blocker for approval; worth flagging upstream.
- Pre-GA acknowledgement in source: `upload_coverage.py` contains `TODO(GA): Once docs are live, consider including documentation_url in output.` — confirms the action is shipped against a preview API surface. Behavior could change before GA.
- `v1` is mutable: Common GitHub convention but worth restating — `bwwl` policy of pinning to immutable SHA is exactly the mitigation here.
Bitwarden Context
- Originating use case: bitwarden/server#7720 (draft, by @withinfocus) — additive coverage upload alongside the existing `codecov/codecov-action`. Existing codecov path is preserved unchanged.
- Required new permission scope: `code-quality: write` — must be granted per-job in consuming workflows. This is a brand-new permission tied to the preview feature and not previously seen in our workflows.
Recommendation
✅ Approve `actions/upload-code-coverage@b51da2c3c1b23e04d2d6477cfc34350b1f5cd3e9 # v1.2.0` for inclusion in `default_actions.json`, on the basis that:
- It is a first-party `actions/*` action by verified GitHub employees.
- The implementation is small, dependency-free, SHA-pinned, and reviewable end-to-end.
- The only external endpoint is the GitHub API.
Caveats to track:
- Re-review after GA. Add a follow-up to revisit this entry once GitHub promotes the feature out of public preview — confirm the API contract, expect a new tag (likely `v2` or `v1.x+`), and update the pin.
- Watch for a declared LICENSE. Re-evaluate compliance posture once the repo adds one (most `actions/*` repos are MIT).
- Consider opening an upstream issue about the `github.ref_name` shell interpolation in `action.yml`.
- Document the new `code-quality: write` permission in our internal workflow-permissions guidance so teams adopting this action grant it correctly (and only on the upload job).
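The review's "script injection (low)" finding rests on one mechanism: GitHub substitutes the raw text of `${{ github.ref_name }}` into a `run:` script before the shell parses it. The block below is an added example, not code from `actions/upload-code-coverage` or from the review bot. It reproduces that substitution in POSIX shell and contrasts it with the environment-variable form. `fake_gh` is a hypothetical stand-in for `gh pr list --head`, `DEMO_BRANCH` is a constructed branch name, and `BRANCH_NAME` is an assumed variable name; none of them come from the action.

```shell
#!/usr/bin/env sh
# Added example, not code from actions/upload-code-coverage or from the review bot.
# It models the "script injection (low)" finding: GitHub substitutes the raw text of
# ${{ github.ref_name }} into a `run:` script BEFORE the shell parses it, so a branch
# name containing shell metacharacters changes the script's structure. Passing the
# same value through an environment variable keeps it a single, inert argument.

# Stand-in for `gh pr list --head "<branch>"` (hypothetical; the real gh CLI is not
# called). It reports the third argument it received, i.e. the value after --head.
FAKE_GH_DEF='fake_gh() { printf "gh saw head=<%s>\n" "$3"; }'

# Constructed branch name for the demo: closes the double quote, runs a command, and
# reopens a quote so the rest of the line stays syntactically valid.
DEMO_BRANCH='feature"; echo INJECTED; echo "tail'

# Vulnerable pattern, the equivalent of
#   run: gh pr list --head "${{ github.ref_name }}"
# The branch name is spliced into the script text, then the whole string is parsed,
# so the quotes and semicolons inside the value become shell syntax.
run_interpolated() {
  script="$FAKE_GH_DEF; fake_gh pr --head \"$1\""
  sh -c "$script"
}

# Hardened pattern, the equivalent of
#   env:
#     BRANCH_NAME: ${{ github.ref_name }}
#   run: gh pr list --head "$BRANCH_NAME"
# (BRANCH_NAME is an assumed name.) The shell parses a fixed script and only then
# expands the variable, so metacharacters in the value are never re-parsed.
run_via_env() {
  BRANCH_NAME="$1" sh -c "$FAKE_GH_DEF; "'fake_gh pr --head "$BRANCH_NAME"'
}

echo "--- interpolated (vulnerable): extra commands run ---"
run_interpolated "$DEMO_BRANCH"
echo "--- via env var (hardened): one argument, passed verbatim ---"
run_via_env "$DEMO_BRANCH"
```

The demo branch name is a legal Git ref: Git's ref-name rules forbid space, `~`, `^`, `:`, `?`, `*`, `[`, `\` and control characters, but not `"`, `;`, `$`, `|` or backticks, which is why the finding is about quoting rather than about Git rejecting the name first. In the action itself the fix is the same shape as `run_via_env`: move each `${{ github.* }}` expression into the step's `env:` map and reference it as `"$VAR"` inside `run:`.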