codecov/codecov-action
Upload test coverage reports to Codecov from a workflow.
What it does
codecov/codecov-action finds your coverage report (or one you point it at) and uploads it to Codecov, which then posts coverage on the pull request.
Since v4 the uploader was rewritten and a token is required for uploads, including on public repos using tokenless upload limits.
Usage
workflow (.yml)
steps:
- uses: actions/checkout@v4
- run: npm test -- --coverage
- uses: codecov/codecov-action@v4
with:
token: ${{ secrets.CODECOV_TOKEN }}
fail_ci_if_error: trueInputs
| Input | Description | Default | Required |
|---|---|---|---|
token | Codecov upload token (from repo secret). | - | No |
files | Explicit coverage file(s) to upload. | auto-detect | No |
flags | Flags to group coverage (e.g. per package). | - | No |
fail_ci_if_error | Fail the job if the upload errors. | false | No |
Notes
Generate coverage in a step before this one (for example jest/pytest with a coverage flag).
Common errors
Token requiredor rate-limit errors on v4 mean notokenwas provided. AddCODECOV_TOKEN.- An empty upload usually means no coverage file was produced; run your tests with coverage enabled first.
Security and pinning
- Pin codecov-action to a commit SHA. Codecov had a supply-chain incident in the past, so a movable tag is a real risk here.
- Store the upload token as a secret, never inline.
Frequently asked questions
Do I need a token for public repos?
v4 generally requires a token for reliable uploads. Add CODECOV_TOKEN from your Codecov project settings.