In this section, the Codecov documentation says:
The upload token is required for all uploads, except originating from public projects using Travis-CI, Circle CI, Azure, Github Actions.
What prevents "hackers" from uploading a fake codecov file and claiming the file was uploaded from a public repository with Codecov enabled?
What makes public projects special?
CodePudding user response:
Codecov uses the status of the CI, the progress of the current job, and knowledge from the public API of both the repo and CI providers to determine whether or not a tokenless upload on a public repository should be successful.
Source: I work at Codecov at the time of this answer.
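A sketch of the kind of server-side cross-check the answer describes, added here as an illustration; it is not Codecov's code and not part of the original answer. The provider labels, the `UploadClaim` fields, the in-memory `PUBLIC_REPOS` and `CI_JOBS` tables (constructed stand-ins for the repo host's and CI provider's public APIs) and the function name are all assumptions.

```python
from dataclasses import dataclass

# Hypothetical labels for the providers the quoted documentation lists.
TOKENLESS_PROVIDERS = {"travis", "circleci", "azure", "github-actions"}

@dataclass(frozen=True)
class UploadClaim:
    """What the uploader asserts about itself; none of it is trusted as-is."""
    provider: str
    repo: str
    commit: str
    job_id: str

# Constructed sample data standing in for responses from the repo host's and
# the CI provider's public APIs; a real service would fetch these itself.
PUBLIC_REPOS = {"octo/widgets": {"private": False}, "octo/secret": {"private": True}}
CI_JOBS = {
    ("travis", "1001"): {"repo": "octo/widgets", "commit": "a1b2c3", "state": "running"},
    ("travis", "1002"): {"repo": "octo/widgets", "commit": "d4e5f6", "state": "finished"},
    ("travis", "1003"): {"repo": "octo/secret", "commit": "0a0b0c", "state": "running"},
}

def check_tokenless_upload(claim, repos=PUBLIC_REPOS, jobs=CI_JOBS):
    """Return (accepted, reason) after checking the claim against third-party state."""
    if claim.provider not in TOKENLESS_PROVIDERS:
        return False, "provider not eligible for tokenless upload"
    repo = repos.get(claim.repo)
    if repo is None or repo["private"]:
        return False, "repository is not public"
    job = jobs.get((claim.provider, claim.job_id))
    if job is None:
        return False, "CI provider has no such job"
    if job["repo"] != claim.repo:
        return False, "job belongs to a different repository"
    if job["commit"] != claim.commit:
        return False, "job is building a different commit"
    if job["state"] != "running":  # "progress of the current job" in the answer
        return False, "job is not in progress"
    return True, "claim matches a live CI job"

if __name__ == "__main__":
    live = UploadClaim("travis", "octo/widgets", "a1b2c3", "1001")
    forged = UploadClaim("travis", "octo/widgets", "a1b2c3", "9999")
    for claim in (live, forged):
        print(claim.job_id, check_tokenless_upload(claim))
```

The point of the sketch is that the decision rests on records held by the repo host and CI provider, not on fields the uploader supplies, so a claim with no matching in-progress job for that repository and commit is rejected.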