fix: bypass token checks for forks and OIDC

[thomasrockhu-codecov]

For users running forks to upstream and OIDC, tokenless may be broken. This ensures that if it is a fork, to pass in an empty string as the token.

[codecov]

Codecov Report

Attention: Patch coverage is 50.00000% with 6 lines in your changes are missing coverage. Please review.

Project coverage is 92.58%. Comparing base (dad251d) to head (2189dc5).

Files	Patch %	Lines
src/buildExec.ts	50.00%	6 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1404      +/-   ##
==========================================
- Coverage   93.28%   92.58%   -0.71%     
==========================================
  Files           4        4              
  Lines         298      310      +12     
  Branches       81       84       +3     
==========================================
+ Hits          278      287       +9     
- Misses         18       21       +3     
  Partials        2        2              

Flag	Coverage Δ
demo	92.58% <50.00%> (-0.71%)	⬇️
macos-latest	92.58% <50.00%> (-0.71%)	⬇️
macos-latest-xlarge	92.58% <50.00%> (-0.71%)	⬇️
script	92.58% <50.00%> (-0.71%)	⬇️
ubuntu-latest	92.58% <50.00%> (-0.71%)	⬇️
version	92.58% <50.00%> (-0.71%)	⬇️
windows-latest	92.58% <50.00%> (-0.71%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[matt-codecov]

is this actually using your new functions? it appears to still he calling core.getIDToken() which will fail

also is empty string the right behavior? shouldn't we just not include a token header on the request to codecov?

[nora-codecov]

we need it to be evaluated as True when it hits if is_fork_pr(pull_dict): here
if it's True there it does the header replacement to route it to Tokenless. With these changes, can it get to that point in cli?

[thomasrockhu-codecov]

Perhaps this needs to be explained better. The Action is just a wrapper over the CLI and this PR is just passing in a token value to the CLI. The check it's doing at the Action level is to determine whether or not we are on a fork. If we are, then override any token passed to the CLI with an empty string. It's on the CLI to figure out what to do with the token.

@matt-codecov not sure what you mean. It should still call core.getIDToken() when not on fork and if useOIDC is true.

@nora-codecov the CLI runs that code separately from the Action already. You can see that it's making it's own GitHub api call here. Since we are passing in an empty token, it will pull the pull request data and determine whether or not it's a fork

[matt-codecov]

oh i read it wrong when i was looking on my phone this morning, sorry! i thought you added a two new functions that never got called, but some of those green lines were inside the existing getToken

to address my point about whether returning an empty string is right, it looks like the CLI uses the CODECOV_TOKEN env var as the default value for -t which will be an empty string if it's not set. and code like this in the action will pass the token via env var. i think it will behave the same whether '' is treated as falsey or not

tl;dr i think this change will fix the bug then