Merge pull request #8681 from bluetech/ci-permissions

ci: few security/permissions improvements (cherry picked from commit ff6d29717c) Conflicts: .github/workflows/main.yml .github/workflows/prepare-release-pr.yml .github/workflows/update-plugin-list.yml scripts/prepare-release-pr.py scripts/report-coverage.sh
2021-05-18 22:21:25 +03:00
parent 8317542c9e
commit 733f8027d2
4 changed files with 55 additions and 8 deletions
--- a/scripts/report-coverage.sh
+++ b/scripts/report-coverage.sh
@@ -1,18 +1,30 @@
 #!/usr/bin/env bash

-set -e
+set -euo pipefail
 set -x

-if [ -z "$TOXENV" ]; then
+# Install coverage.
+if [[ -z ${TOXENV+x} || -z $TOXENV ]]; then
  python -m pip install coverage
 else
  # Add last TOXENV to $PATH.
  PATH="$PWD/.tox/${TOXENV##*,}/bin:$PATH"
 fi

+# Run coverage.
 python -m coverage combine
 python -m coverage xml
 python -m coverage report -m
+
+# Download and verify latest Codecov bash uploader.
 # Set --connect-timeout to work around https://github.com/curl/curl/issues/4461
-curl -S -L --connect-timeout 5 --retry 6 -s https://codecov.io/bash -o codecov-upload.sh
-bash codecov-upload.sh -Z -X fix -f coverage.xml "$@"
+curl --silent --show-error --location --connect-timeout 5 --retry 6 -o codecov https://codecov.io/bash
+VERSION=$(grep --only-matching 'VERSION=\"[0-9\.]*\"' codecov | cut -d'"' -f2)
+if command -v sha256sum; then
+    sha256sum --check --strict --ignore-missing --quiet <(curl --silent "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA256SUM")
+else
+    shasum --algorithm 256 --check --strict --ignore-missing --quiet <(curl --silent "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA256SUM")
+fi
+
+# Upload coverage.
+bash codecov -Z -X fix -f coverage.xml "$@"