{"id":5800668,"name":"codecov/codecov-action","ecosystem":"actions","description":"GitHub Action that uploads coverage reports for your repository to codecov.io","homepage":"https://www.codecov.io","licenses":"mit","normalized_licenses":["MIT"],"repository_url":"https://github.com/codecov/codecov-action","keywords_array":["actions","code-coverage","codecov","github"],"namespace":"codecov","versions_count":102,"first_release_published_at":"2019-08-07T02:52:50.000Z","latest_release_published_at":"2026-05-18T18:36:16.000Z","latest_release_number":"v6.0.1","last_synced_at":"2026-06-02T12:01:32.207Z","created_at":"2023-01-04T12:20:26.489Z","updated_at":"2026-06-02T12:01:32.207Z","registry_url":"https://github.com/codecov/codecov-action","install_command":null,"documentation_url":null,"metadata":{"name":"Codecov","description":"GitHub Action that uploads coverage reports for your repository to codecov.io","author":"Thomas Hu \u003c@thomasrockhu-codecov\u003e | Codecov","inputs":{"base_sha":{"description":"The base SHA to select. This is only used in the \"pr-base-picking\" run command","required":false},"binary":{"description":"The file location of a pre-downloaded version of the CLI. If specified, integrity checking will be bypassed.","required":false},"codecov_yml_path":{"description":"The location of the codecov.yml file. This is crrently ONLY used for automated test selection (https://docs.codecov.com/docs/getting-started-with-ats). Note that for all other cases, the Codecov yaml will need to be located as described here: https://docs.codecov.com/docs/codecov-yaml#can-i-name-the-file-codecovyml","required":false},"commit_parent":{"description":"SHA (with 40 chars) of what should be the parent of this commit.","required":false},"directory":{"description":"Folder to search for coverage files. Default to the current working directory","required":false},"disable_file_fixes":{"description":"Disable file fixes to ignore common lines from coverage (e.g. blank lines or empty brackets). Read more here https://docs.codecov.com/docs/fixing-reports","required":false,"default":"false"},"disable_search":{"description":"Disable search for coverage files. This is helpful when specifying what files you want to upload with the files option.","required":false,"default":"false"},"disable_safe_directory":{"description":"Disable setting safe directory. Set to true to disable.","required":false,"default":"false"},"disable_telem":{"description":"Disable sending telemetry data to Codecov. Set to true to disable.","required":false,"default":"false"},"dry_run":{"description":"Don't upload files to Codecov","required":false,"default":"false"},"env_vars":{"description":"Environment variables to tag the upload with (e.g. PYTHON | OS,PYTHON)","required":false},"exclude":{"description":"Comma-separated list of folders to exclude from search.","required":false},"fail_ci_if_error":{"description":"On error, exit with non-zero code","required":false,"default":"false"},"files":{"description":"Comma-separated list of explicit files to upload. These will be added to the coverage files found for upload. If you wish to only upload the specified files, please consider using disable_search to disable uploading other files.","required":false},"flags":{"description":"Comma-separated list of flags to upload to group coverage metrics.","required":false},"force":{"description":"Only used for empty-upload run command","required":false},"git_service":{"description":"Override the git_service (e.g. github_enterprise)","required":false,"default":"github"},"gcov_args":{"description":"Extra arguments to pass to gcov","required":false},"gcov_executable":{"description":"gcov executable to run. Defaults to 'gcov'","required":false,"default":"gcov"},"gcov_ignore":{"description":"Paths to ignore during gcov gathering","required":false},"gcov_include":{"description":"Paths to include during gcov gathering","required":false},"handle_no_reports_found":{"description":"If no coverage reports are found, do not raise an exception.","required":false,"default":"false"},"job_code":{"description":"","required":false},"name":{"description":"Custom defined name of the upload. Visible in the Codecov UI","required":false},"network_filter":{"description":"Specify a filter on the files listed in the network section of the Codecov report. This will only add files whose path begin with the specified filter. Useful for upload-specific path fixing.","required":false},"network_prefix":{"description":"Specify a prefix on files listed in the network section of the Codecov report. Useful to help resolve path fixing.","required":false},"os":{"description":"Override the assumed OS. Options available at cli.codecov.io","required":false},"override_branch":{"description":"Specify the branch to be displayed with this commit on Codecov","required":false},"override_build":{"description":"Specify the build number manually","required":false},"override_build_url":{"description":"The URL of the build where this is running","required":false},"override_commit":{"description":"Commit SHA (with 40 chars)","required":false},"override_pr":{"description":"Specify the pull request number manually. Used to override pre-existing CI environment variables.","required":false},"plugins":{"description":"Comma-separated list of plugins to run. Specify `noop` to turn off all plugins","required":false},"recurse_submodules":{"description":"Whether to enumerate files inside of submodules for path-fixing purposes. Off by default.","default":"false"},"report_code":{"description":"The code of the report if using local upload. If unsure, leave default. Read more here https://docs.codecov.com/docs/the-codecov-cli#how-to-use-local-upload","required":false},"report_type":{"description":"The type of file to upload, coverage by default. Possible values are \"test_results\", \"coverage\".","required":false},"root_dir":{"description":"Root folder from which to consider paths on the network section. Defaults to current working directory.","required":false},"run_command":{"description":"Choose which CLI command to run. Options are \"upload-coverage\", \"empty-upload\", \"pr-base-picking\", \"send-notifications\". \"upload-coverage\" is run by default.","required":false,"default":"upload-coverage"},"skip_validation":{"description":"Skip integrity checking of the CLI. This is NOT recommended.","required":false,"default":"false"},"slug":{"description":"[Required when using the org token] Set to the owner/repo slug used instead of the private repo token. Only applicable to some Enterprise users.","required":false},"swift_project":{"description":"Specify the swift project name. Useful for optimization.","required":false},"token":{"description":"Repository Codecov token. Used to authorize report uploads","required":false},"url":{"description":"Set to the Codecov instance URl. Used by Dedicated Enterprise Cloud customers.","required":false},"use_legacy_upload_endpoint":{"description":"Use the legacy upload endpoint.","required":false,"default":"false"},"use_oidc":{"description":"Use OIDC instead of token. This will ignore any token supplied","required":false,"default":"false"},"use_pypi":{"description":"Use the pypi version of the CLI instead of from cli.codecov.io","required":false,"default":"false"},"verbose":{"description":"Enable verbose logging","required":false,"default":"false"},"version":{"description":"Which version of the Codecov CLI to use (defaults to 'latest')","required":false,"default":"latest"},"working-directory":{"description":"Directory in which to execute codecov.sh","required":false}},"branding":{"color":"red","icon":"umbrella"},"runs":{"using":"composite","steps":[{"name":"Check system dependencies","shell":"sh","env":{"INPUT_SKIP_VALIDATION":"${{ inputs.skip_validation }}"},"run":"missing_deps=\"\"\n\n# Check for always-required commands\nfor cmd in bash git curl; do\n  if ! command -v \"$cmd\" \u003e/dev/null 2\u003e\u00261; then\n    missing_deps=\"$missing_deps $cmd\"\n  fi\ndone\n\n# Check for gpg only if validation is not being skipped\nif [ \"$INPUT_SKIP_VALIDATION\" != \"true\" ]; then\n  if ! command -v gpg \u003e/dev/null 2\u003e\u00261; then\n    missing_deps=\"$missing_deps gpg\"\n  fi\nfi\n\n# Report missing required dependencies\nif [ -n \"$missing_deps\" ]; then\n  echo \"Error: The following required dependencies are missing:$missing_deps\"\n  echo \"Please install these dependencies before using this action.\"\n  exit 1\nfi\n\necho \"All required system dependencies are available.\"\n"},{"name":"Action version","shell":"bash","run":"CC_ACTION_VERSION=$(cat ${GITHUB_ACTION_PATH}/src/version)\necho -e \"\\033[0;32m==\u003e\\033[0m Running Action version $CC_ACTION_VERSION\"\n"},{"name":"Set safe directory","if":"${{ inputs.disable_safe_directory != 'true' }}","shell":"bash","run":"git config --global --add safe.directory \"${{ github.workspace }}\"\ngit config --global --add safe.directory \"$GITHUB_WORKSPACE\"\n"},{"name":"Set fork","shell":"bash","run":"CC_FORK=\"false\"\nif [ -n \"$GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME\" ] \u0026\u0026 [ \"$GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME\" != \"$GITHUB_REPOSITORY\" ];\nthen\n  echo -e \"\\033[0;32m==\u003e\\033[0m Fork detected\"\n  CC_FORK=\"true\"\nfi\necho \"CC_FORK=$CC_FORK\" \u003e\u003e \"$GITHUB_ENV\"\n","env":{"GITHUB_EVENT_PULL_REQUEST_HEAD_LABEL":"${{ github.event.pull_request.head.label }}","GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME":"${{ github.event.pull_request.head.repo.full_name }}","GITHUB_REPOSITORY":"${{ github.repository }}"}},{"name":"Get OIDC token","uses":"actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd","id":"oidc","with":{"script":"if (process.env.CC_USE_OIDC === 'true' \u0026\u0026 process.env.CC_FORK != 'true') {\n  const id_token = await core.getIDToken(process.env.CC_OIDC_AUDIENCE)\n  return id_token\n}\n"},"env":{"CC_OIDC_AUDIENCE":"${{ inputs.url || 'https://codecov.io' }}","CC_USE_OIDC":"${{ inputs.use_oidc }}"}},{"name":"Get and set token","shell":"bash","run":"if [ \"$INPUT_USE_OIDC\" == 'true' ] \u0026\u0026 [ \"$CC_FORK\" != 'true' ];\nthen\n  echo \"CC_TOKEN=$CC_OIDC_TOKEN\" \u003e\u003e \"$GITHUB_ENV\"\nelif [ -n \"$INPUT_CODECOV_TOKEN\" ];\nthen\n  echo -e \"\\033[0;32m==\u003e\\033[0m Token set from env\"\n    echo \"CC_TOKEN=$INPUT_CODECOV_TOKEN\" \u003e\u003e \"$GITHUB_ENV\"\nelse\n  if [ -n \"$INPUT_TOKEN\" ];\n  then\n    echo -e \"\\033[0;32m==\u003e\\033[0m Token set from input\"\n    CC_TOKEN=$(echo \"$INPUT_TOKEN\" | tr -d '\\n')\n    echo \"CC_TOKEN=$CC_TOKEN\" \u003e\u003e \"$GITHUB_ENV\"\n  fi\nfi\n","env":{"CC_OIDC_TOKEN":"${{ steps.oidc.outputs.result }}","CC_OIDC_AUDIENCE":"${{ inputs.url || 'https://codecov.io' }}","INPUT_USE_OIDC":"${{ inputs.use_oidc }}","INPUT_TOKEN":"${{ inputs.token }}","INPUT_CODECOV_TOKEN":"${{ env.CODECOV_TOKEN }}"}},{"name":"Override branch for forks","shell":"bash","run":"if [ -z \"$CC_BRANCH\" ] \u0026\u0026 [ -z \"$CC_TOKEN\" ] \u0026\u0026 [ \"$CC_FORK\" == 'true' ]\nthen\n  echo -e \"\\033[0;32m==\u003e\\033[0m Fork detected, setting branch to $GITHUB_EVENT_PULL_REQUEST_HEAD_LABEL\"\n  TOKENLESS=\"$GITHUB_EVENT_PULL_REQUEST_HEAD_LABEL\"\n  CC_BRANCH=\"$GITHUB_EVENT_PULL_REQUEST_HEAD_LABEL\"\n  echo \"TOKENLESS=$TOKENLESS\" \u003e\u003e \"$GITHUB_ENV\"\nfi\n\necho \"CC_BRANCH=$CC_BRANCH\" \u003e\u003e \"$GITHUB_ENV\"\n","env":{"CC_BRANCH":"${{ inputs.override_branch }}","GITHUB_EVENT_PULL_REQUEST_HEAD_LABEL":"${{ github.event.pull_request.head.label }}","GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME":"${{ github.event.pull_request.head.repo.full_name }}","GITHUB_REPOSITORY":"${{ github.repository }}"}},{"name":"Override commits and pr for pull requests","shell":"bash","run":"if [ -z \"$CC_SHA\" ];\nthen\n  CC_SHA=\"$GITHUB_EVENT_PULL_REQUEST_HEAD_SHA\"\nfi\nif [ -z \"$CC_PR\" ] \u0026\u0026 [ \"$CC_FORK\" == 'true' ];\nthen\n  CC_PR=\"$GITHUB_EVENT_NUMBER\"\nfi\n\necho \"CC_SHA=$CC_SHA\" \u003e\u003e \"$GITHUB_ENV\"\necho \"CC_PR=$CC_PR\" \u003e\u003e \"$GITHUB_ENV\"\n","env":{"CC_PR":"${{ inputs.override_pr }}","CC_SHA":"${{ inputs.override_commit }}","GITHUB_EVENT_NAME":"${{ github.event_name }}","GITHUB_EVENT_NUMBER":"${{ github.event.number }}","GITHUB_EVENT_PULL_REQUEST_HEAD_SHA":"${{ github.event.pull_request.head.sha }}"}},{"name":"Upload coverage to Codecov","run":"${GITHUB_ACTION_PATH}/dist/codecov.sh","shell":"bash","working-directory":"${{ inputs.working-directory }}","env":{"CC_BASE_SHA":"${{ inputs.base_sha }}","CC_BINARY":"${{ inputs.binary }}","CC_BUILD":"${{ inputs.override_build }}","CC_BUILD_URL":"${{ inputs.override_build_url }}","CC_CODE":"${{ inputs.report_code }}","CC_DIR":"${{ inputs.directory }}","CC_DISABLE_FILE_FIXES":"${{ inputs.disable_file_fixes }}","CC_DISABLE_SEARCH":"${{ inputs.disable_search }}","CC_DISABLE_TELEM":"${{ inputs.disable_telem }}","CC_DRY_RUN":"${{ inputs.dry_run }}","CC_ENTERPRISE_URL":"${{ inputs.url }}","CC_ENV":"${{ inputs.env_vars }}","CC_EXCLUDES":"${{ inputs.exclude }}","CC_FAIL_ON_ERROR":"${{ inputs.fail_ci_if_error }}","CC_FILES":"${{ inputs.files }}","CC_FLAGS":"${{ inputs.flags }}","CC_FORCE":"${{ inputs.force }}","CC_GCOV_ARGS":"${{ inputs.gcov_args }}","CC_GCOV_EXECUTABLE":"${{ inputs.gcov_executable }}","CC_GCOV_IGNORE":"${{ inputs.gcov_ignore }}","CC_GCOV_INCLUDE":"${{ inputs.gcov_include }}","CC_GIT_SERVICE":"${{ inputs.git_service }}","CC_HANDLE_NO_REPORTS_FOUND":"${{ inputs.handle_no_reports_found }}","CC_JOB_CODE":"${{ inputs.job_code }}","CC_LEGACY":"${{ inputs.use_legacy_upload_endpoint }}","CC_NAME":"${{ inputs.name }}","CC_NETWORK_FILTER":"${{ inputs.network_filter }}","CC_NETWORK_PREFIX":"${{ inputs.network_prefix }}","CC_NETWORK_ROOT_FOLDER":"${{ inputs.root_dir }}","CC_OS":"${{ inputs.os }}","CC_PARENT_SHA":"${{ inputs.commit_parent }}","CC_PLUGINS":"${{ inputs.plugins }}","CC_RECURSE_SUBMODULES":"${{ inputs.recurse_submodules }}","CC_REPORT_TYPE":"${{ inputs.report_type }}","CC_RUN_CMD":"${{ inputs.run_command }}","CC_SERVICE":"${{ inputs.git_service }}","CC_SKIP_VALIDATION":"${{ inputs.skip_validation }}","CC_SLUG":"${{ inputs.slug }}","CC_SWIFT_PROJECT":"${{ inputs.swift_project }}","CC_USE_PYPI":"${{ inputs.use_pypi }}","CC_VERBOSE":"${{ inputs.verbose }}","CC_VERSION":"${{ inputs.version }}","CC_YML_PATH":"${{ inputs.codecov_yml_path }}"}}]},"default_branch":"main","path":null},"repo_metadata":{"id":38123758,"uuid":"200299178","full_name":"codecov/codecov-action","owner":"codecov","description":"GitHub Action that uploads coverage to Codecov :open_umbrella: ","archived":false,"fork":false,"pushed_at":"2026-05-25T05:56:44.000Z","size":16381,"stargazers_count":1678,"open_issues_count":65,"forks_count":250,"subscribers_count":15,"default_branch":"main","last_synced_at":"2026-05-28T23:26:25.523Z","etag":null,"topics":["actions","code-coverage","codecov","github"],"latest_commit_sha":null,"homepage":"https://www.codecov.io","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/codecov.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2019-08-02T21:20:56.000Z","updated_at":"2026-05-26T15:53:17.000Z","dependencies_parsed_at":"2023-12-11T18:30:21.054Z","dependency_job_id":"cf7cbe26-f2fc-4551-866c-5628927332ce","html_url":"https://github.com/codecov/codecov-action","commit_stats":{"total_commits":947,"total_committers":59,"mean_commits":"16.050847457627118","dds":0.5923970432946146,"last_synced_commit":"015f24e6818733317a2da2edd6290ab26238649a"},"previous_names":[],"tags_count":103,"template":false,"template_full_name":null,"purl":"pkg:github/codecov/codecov-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codecov%2Fcodecov-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codecov%2Fcodecov-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codecov%2Fcodecov-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codecov%2Fcodecov-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/codecov","download_url":"https://codeload.github.com/codecov/codecov-action/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/codecov%2Fcodecov-action/sbom","scorecard":{"id":296126,"data":{"date":"2025-06-25T15:59:21Z","repo":{"name":"github.com/codecov/codecov-action","commit":"2db07e317924c76f654a414629d71c65876882e2"},"scorecard":{"version":"v5.1.1","commit":"cd152cb6742c5b8f2f3d2b5193b41d9c50905198"},"score":7.5,"checks":[{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#dependency-update-tool"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#dangerous-workflow"}},{"name":"Pinned-Dependencies","score":2,"reason":"dependency not pinned by hash detected -- score normalized to 2","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/codecov/codecov-action/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/codecov/codecov-action/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/codecov/codecov-action/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:69: update your workflow using https://app.stepsecurity.io/secureworkflow/codecov/codecov-action/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/codecov/codecov-action/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/codecov/codecov-action/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:106: update your workflow using https://app.stepsecurity.io/secureworkflow/codecov/codecov-action/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:147: update your workflow using https://app.stepsecurity.io/secureworkflow/codecov/codecov-action/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:178: update your workflow using https://app.stepsecurity.io/secureworkflow/codecov/codecov-action/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:215: update your workflow using https://app.stepsecurity.io/secureworkflow/codecov/codecov-action/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecards-analysis.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/codecov/codecov-action/scorecards-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecards-analysis.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/codecov/codecov-action/scorecards-analysis.yml/main?enable=pin","Warn: pipCommand not pinned by hash: dist/codecov.sh:62","Warn: pipCommand not pinned by hash: .github/workflows/main.yml:20","Warn: pipCommand not pinned by hash: .github/workflows/main.yml:62","Info:   1 out of  13 GitHub-owned GitHubAction dependencies pinned","Info:   2 out of   2 third-party GitHubAction dependencies pinned","Info:   0 out of   3 pipCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#pinned-dependencies"}},{"name":"Maintained","score":9,"reason":"11 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 9","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#maintained"}},{"name":"Code-Review","score":8,"reason":"Found 15/17 approved changesets -- score normalized to 8","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#code-review"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#binary-artifacts"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:27","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:28","Info: jobLevel 'actions' permission set to 'read': .github/workflows/scorecards-analysis.yml:23","Info: jobLevel 'contents' permission set to 'read': .github/workflows/scorecards-analysis.yml:24","Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1","Warn: no topLevel permission defined: .github/workflows/enforce-license-compliance.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/main.yml:6","Info: topLevel permissions set to 'read-all': .github/workflows/scorecards-analysis.yml:11","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#token-permissions"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#vulnerabilities"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#cii-best-practices"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#signed-releases"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#fuzzing"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/codecov/.github/SECURITY.md:1","Info: Found linked content: github.com/codecov/.github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/codecov/.github/SECURITY.md:1","Info: Found text in security policy: github.com/codecov/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#security-policy"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#license"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#branch-protection"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: SAST configuration detected: CodeQL","Info: all commits (28) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#sast"}},{"name":"CI-Tests","score":10,"reason":"28 out of 28 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#ci-tests"}},{"name":"Contributors","score":10,"reason":"project has 13 contributing companies or organizations","details":["Info: found contributions from: aio-libs, annotated-types, codecov, conda-forge, logfire, microsoft, modelcontextprotocol, pydantic, pytest-dev, python-arq, rq, sdjamaat, tutorcruncher"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#contributors"}}]},"last_synced_at":"2025-08-17T19:33:10.781Z","repository_id":38123758,"created_at":"2025-08-17T19:33:10.781Z","updated_at":"2025-08-17T19:33:10.781Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33692997,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-30T02:00:06.278Z","response_time":92,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"},"tags":[]},"repo_metadata_updated_at":"2026-05-30T13:26:18.554Z","dependent_packages_count":0,"downloads":null,"downloads_period":null,"dependent_repos_count":74347,"rankings":{"downloads":null,"dependent_repos_count":0.0316906987799081,"dependent_packages_count":0.0,"stargazers_count":0.15211535414355887,"forks_count":0.2218348914593567,"docker_downloads_count":0.041197908413880525,"average":0.08936777055934084},"purl":"pkg:githubactions/codecov/codecov-action","advisories":[],"docker_usage_url":"https://docker.ecosyste.ms/usage/actions/codecov/codecov-action","docker_dependents_count":25,"docker_downloads_count":1575237592,"usage_url":"https://repos.ecosyste.ms/usage/actions/codecov/codecov-action","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/actions/codecov/codecov-action/dependencies","status":null,"funding_links":[],"critical":true,"issue_metadata":{"last_synced_at":"2026-03-30T07:00:35.868Z","issues_count":357,"pull_requests_count":780,"avg_time_to_close_issue":11580291.655462185,"avg_time_to_close_pull_request":551794.2759124087,"issues_closed_count":238,"pull_requests_closed_count":685,"pull_request_authors_count":59,"issue_authors_count":290,"avg_comments_per_issue":3.787114845938375,"avg_comments_per_pull_request":0.9871794871794872,"merged_pull_requests_count":466,"bot_issues_count":1,"bot_pull_requests_count":484,"past_year_issues_count":45,"past_year_pull_requests_count":63,"past_year_avg_time_to_close_issue":1278271.0,"past_year_avg_time_to_close_pull_request":919617.6136363636,"past_year_issues_closed_count":19,"past_year_pull_requests_closed_count":44,"past_year_pull_request_authors_count":10,"past_year_issue_authors_count":42,"past_year_avg_comments_per_issue":2.533333333333333,"past_year_avg_comments_per_pull_request":0.7777777777777778,"past_year_bot_issues_count":0,"past_year_bot_pull_requests_count":33,"past_year_merged_pull_requests_count":27,"issues_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories/codecov%2Fcodecov-action/issues","maintainers":[{"login":"dana-yaish","count":6,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/dana-yaish"},{"login":"whdgur5717","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/whdgur5717"},{"login":"tnagatomi","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/tnagatomi"}],"active_maintainers":[{"login":"whdgur5717","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/whdgur5717"}]},"versions_url":"https://packages.ecosyste.ms/api/v1/registries/github%20actions/packages/codecov%2Fcodecov-action/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/github%20actions/packages/codecov%2Fcodecov-action/version_numbers","latest_version_url":"https://packages.ecosyste.ms/api/v1/registries/github%20actions/packages/codecov%2Fcodecov-action/latest_version","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/github%20actions/packages/codecov%2Fcodecov-action/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/github%20actions/packages/codecov%2Fcodecov-action/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/github%20actions/packages/codecov%2Fcodecov-action/codemeta","maintainers":[]}