chore(release): 6.0.1 (#1949)

Replace direct ${{ inputs.skip_validation }}, ${{ inputs.use_oidc }},
${{ inputs.token }}, and ${{ env.CODECOV_TOKEN }} interpolation inside
run: shell scripts with env-var indirection. GitHub Actions resolves
template expressions before the shell sees the script, so any consumer
workflow that passes user-controlled data into these inputs could
achieve arbitrary command execution on the runner. Moving the values
into env: entries and referencing them as $INPUT_* shell variables
ensures the shell always treats them as data, not code.

Makefile

@@ -1,7 +1,7 @@
 deploy:
 	$(eval VERSION := $(shell cat src/version))
-	git tag -d v5
-	git push origin :v5
-	git tag v5
+	git tag -d v6
+	git push origin :v6
+	git tag v6
 	git tag v$(VERSION) -s -m ""
 	git push origin --tags

README.md

@@ -6,6 +6,10 @@
 
 ### Easily upload coverage reports to Codecov from GitHub Actions
 
+## v6 Release
+
+`v6` of the Codecov GitHub Action support node24
+
 ## v5 Release
 
 `v5` of the Codecov GitHub Action will use the [Codecov Wrapper](https://github.com/codecov/wrapper) to encapsulate the [CLI](https://github.com/codecov/codecov-cli). This will help ensure that the Action gets updates quicker.

action.yml

@@ -177,6 +177,8 @@ runs:
   steps:
     - name: Check system dependencies
       shell: sh
+      env:
+        INPUT_SKIP_VALIDATION: ${{ inputs.skip_validation }}
       run: |
         missing_deps=""
 
@@ -188,7 +190,7 @@ runs:
         done
 
         # Check for gpg only if validation is not being skipped
-        if [ "${{ inputs.skip_validation }}" != "true" ]; then
+        if [ "$INPUT_SKIP_VALIDATION" != "true" ]; then
           if ! command -v gpg >/dev/null 2>&1; then
             missing_deps="$missing_deps gpg"
           fi
@@ -230,7 +232,7 @@ runs:
         GITHUB_REPOSITORY: ${{ github.repository }}
 
     - name: Get OIDC token
-      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
       id: oidc
       with:
         script: |
@@ -245,24 +247,27 @@ runs:
     - name: Get and set token
       shell: bash
       run: |
-        if [ "${{ inputs.use_oidc }}" == 'true' ] && [ "$CC_FORK" != 'true' ];
+        if [ "$INPUT_USE_OIDC" == 'true' ] && [ "$CC_FORK" != 'true' ];
         then
           echo "CC_TOKEN=$CC_OIDC_TOKEN" >> "$GITHUB_ENV"
-        elif [ -n "${{ env.CODECOV_TOKEN }}" ];
+        elif [ -n "$INPUT_CODECOV_TOKEN" ];
         then
           echo -e "\033[0;32m==>\033[0m Token set from env"
-            echo "CC_TOKEN=${{ env.CODECOV_TOKEN }}" >> "$GITHUB_ENV"
+            echo "CC_TOKEN=$INPUT_CODECOV_TOKEN" >> "$GITHUB_ENV"
         else
-          if [ -n "${{ inputs.token }}" ];
+          if [ -n "$INPUT_TOKEN" ];
           then
             echo -e "\033[0;32m==>\033[0m Token set from input"
-            CC_TOKEN=$(echo "${{ inputs.token }}" | tr -d '\n')
+            CC_TOKEN=$(echo "$INPUT_TOKEN" | tr -d '\n')
             echo "CC_TOKEN=$CC_TOKEN" >> "$GITHUB_ENV"
           fi
         fi
       env:
         CC_OIDC_TOKEN: ${{ steps.oidc.outputs.result }}
         CC_OIDC_AUDIENCE: ${{ inputs.url || 'https://codecov.io' }}
+        INPUT_USE_OIDC: ${{ inputs.use_oidc }}
+        INPUT_TOKEN: ${{ inputs.token }}
+        INPUT_CODECOV_TOKEN: ${{ env.CODECOV_TOKEN }}
 
     - name: Override branch for forks
       shell: bash

dist/codecov.sh

@@ -71,11 +71,6 @@ then
   fi
   CC_COMMAND="${CC_CLI_TYPE}"
 else
-  CC_DOWNLOAD_DIR=$(mktemp -d)
-  cleanup_downloads() {
-    rm -rf "$CC_DOWNLOAD_DIR"
-  }
-  trap cleanup_downloads EXIT
   if [ -n "$CC_OS" ];
   then
     say "$g==>$x Overridden OS: $b${CC_OS}$x"
@@ -92,7 +87,7 @@ else
   fi
   CC_FILENAME="${CC_CLI_TYPE%-cli}"
   [[ $CC_OS == "windows" ]] && CC_FILENAME+=".exe"
-  CC_COMMAND="$CC_DOWNLOAD_DIR/$CC_FILENAME"
+  CC_COMMAND="./$CC_FILENAME"
   [[ $CC_OS == "macos" ]]  && \
     ! command -v gpg 2>&1 >/dev/null && \
     HOMEBREW_NO_AUTO_UPDATE=1 brew install gpg
@@ -100,7 +95,7 @@ else
   CC_URL="$CC_URL/${CC_VERSION}"
   CC_URL="$CC_URL/${CC_OS}/${CC_FILENAME}"
   say "$g ->$x Downloading $b${CC_URL}$x"
-  curl -o "$CC_DOWNLOAD_DIR/$CC_FILENAME" $retry "$CC_URL"
+  curl -O $retry "$CC_URL"
   say "$g==>$x Finishing downloading $b${CC_OS}:${CC_VERSION}$x"
   v_url="https://cli.codecov.io/api/${CC_OS}/${CC_VERSION}"
   v=$(curl $retry --retry-all-errors -s "$v_url" -H "Accept:application/json" | tr \{ '\n' | tr , '\n' | tr \} '\n' | grep "\"version\"" | awk  -F'"' '{print $4}' | tail -1)
@@ -115,19 +110,9 @@ then
     chmod +x "$CC_COMMAND"
   fi
 else
-  gpg_key_url="https://keybase.io/codecovsecurity/pgp_keys.asc"
-  gpg_import_ok=false
-  for gpg_attempt in 1 2 3; do
-    if curl -sf $retry "$gpg_key_url" | gpg --no-default-keyring --import 2>/dev/null; then
-      gpg_import_ok=true
-      break
-    fi
-    say "$r ->$x GPG key import attempt $gpg_attempt failed, retrying..."
-    sleep 2
-  done
-  if [ "$gpg_import_ok" != "true" ]; then
-    exit_if_error "Could not import GPG verification key after 3 attempts. Please contact Codecov if problem continues"
-  fi
+  echo "$(curl -s https://keybase.io/codecovsecurity/pgp_keys.asc)" | \
+    gpg --no-default-keyring --import
+  # One-time step
   say "$g==>$x Verifying GPG signature integrity"
   sha_url="https://cli.codecov.io"
   sha_url="${sha_url}/${CC_VERSION}/${CC_OS}"
@@ -135,14 +120,14 @@ else
   say "$g ->$x Downloading $b${sha_url}$x"
   say "$g ->$x Downloading $b${sha_url}.sig$x"
   say " "
-  curl -o "$CC_DOWNLOAD_DIR/${CC_FILENAME}.SHA256SUM" -s $retry --connect-timeout 2 "$sha_url"
-  curl -o "$CC_DOWNLOAD_DIR/${CC_FILENAME}.SHA256SUM.sig" -s $retry --connect-timeout 2 "${sha_url}.sig"
-  if ! gpg --verify "$CC_DOWNLOAD_DIR/${CC_FILENAME}.SHA256SUM.sig" "$CC_DOWNLOAD_DIR/${CC_FILENAME}.SHA256SUM";
+  curl -Os $retry --connect-timeout 2 "$sha_url"
+  curl -Os $retry --connect-timeout 2 "${sha_url}.sig"
+  if ! gpg --verify "${CC_FILENAME}.SHA256SUM.sig" "${CC_FILENAME}.SHA256SUM";
   then
     exit_if_error "Could not verify signature. Please contact Codecov if problem continues"
   fi
-  if ! (cd "$CC_DOWNLOAD_DIR" && (shasum -a 256 -c "${CC_FILENAME}.SHA256SUM" 2>/dev/null || \
-    sha256sum -c "${CC_FILENAME}.SHA256SUM"));
+  if ! (shasum -a 256 -c "${CC_FILENAME}.SHA256SUM" 2>/dev/null || \
+    sha256sum -c "${CC_FILENAME}.SHA256SUM");
   then
     exit_if_error "Could not verify SHASUM. Please contact Codecov if problem continues"
   fi
@@ -152,16 +137,11 @@ else
 fi
 if [ -n "$CC_BINARY_LOCATION" ];
 then
-  mkdir -p "$CC_BINARY_LOCATION" && mv "$CC_COMMAND" "$CC_BINARY_LOCATION/$CC_FILENAME"
-  CC_COMMAND="$CC_BINARY_LOCATION/$CC_FILENAME"
+  mkdir -p "$CC_BINARY_LOCATION" && mv "$CC_FILENAME" $_
   say "$g==>$x ${CC_CLI_TYPE} binary moved to ${CC_BINARY_LOCATION}"
 fi
 if [ "$CC_DOWNLOAD_ONLY" = "true" ];
 then
-  if [ -n "$CC_DOWNLOAD_DIR" ] && [ -z "$CC_BINARY_LOCATION" ]; then
-    cp "$CC_COMMAND" "./$CC_FILENAME"
-    CC_COMMAND="./$CC_FILENAME"
-  fi
   say "$g==>$x ${CC_CLI_TYPE} download only called. Exiting..."
   exit
 fi

src/version

@@ -1 +1 @@
-5.5.2
+6.0.1