codecov/codecov-action
1
0
Fork 0
mirror of https://github.com/codecov/codecov-action.git synced 2026-03-28 00:45:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: download CLI to temp dir and retry GPG key import

Browse Source 
Fixes two regressions in the wrapper script:

1. Dirty git state (#1851, #1804): The binary, SHA256SUM, and
   SHA256SUM.sig files were downloaded into the working directory
   (repo root) and never cleaned up. Now downloads to a mktemp -d
   directory with an EXIT trap that removes it automatically.

2. GPG import failures (#1876): The key import used
   `echo "$(curl ...)" | gpg --import` which strips trailing newlines
   from the PGP key, had no retries, and no error checking. Now pipes
   curl directly to gpg with a 3-attempt retry loop and explicit
   failure reporting.

Made-with: Cursor
This commit is contained in:
Tom Hu
2026-02-26 06:41:35 +09:00
parent 671740ac38
commit 9dee4adabc
1 changed files with 31 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
dist/codecov.sh vendored
View File

@@ -71,6 +71,11 @@ then
fi fi
CC_COMMAND="${CC_CLI_TYPE}" CC_COMMAND="${CC_CLI_TYPE}"
else else
CC_DOWNLOAD_DIR=$(mktemp -d)
cleanup_downloads() {
rm -rf "$CC_DOWNLOAD_DIR"
}
trap cleanup_downloads EXIT
if [ -n "$CC_OS" ]; if [ -n "$CC_OS" ];
then then
say "$g==>$x Overridden OS: $b${CC_OS}$x" say "$g==>$x Overridden OS: $b${CC_OS}$x"
@@ -87,7 +92,7 @@ else
fi fi
CC_FILENAME="${CC_CLI_TYPE%-cli}" CC_FILENAME="${CC_CLI_TYPE%-cli}"
[[ $CC_OS == "windows" ]] && CC_FILENAME+=".exe" [[ $CC_OS == "windows" ]] && CC_FILENAME+=".exe"
CC_COMMAND="./$CC_FILENAME" CC_COMMAND="$CC_DOWNLOAD_DIR/$CC_FILENAME"
[[ $CC_OS == "macos" ]] && \ [[ $CC_OS == "macos" ]] && \
! command -v gpg 2>&1 >/dev/null && \ ! command -v gpg 2>&1 >/dev/null && \
HOMEBREW_NO_AUTO_UPDATE=1 brew install gpg HOMEBREW_NO_AUTO_UPDATE=1 brew install gpg
@@ -95,7 +100,7 @@ else
CC_URL="$CC_URL/${CC_VERSION}" CC_URL="$CC_URL/${CC_VERSION}"
CC_URL="$CC_URL/${CC_OS}/${CC_FILENAME}" CC_URL="$CC_URL/${CC_OS}/${CC_FILENAME}"
say "$g ->$x Downloading $b${CC_URL}$x" say "$g ->$x Downloading $b${CC_URL}$x"
curl -O $retry "$CC_URL" curl -o "$CC_DOWNLOAD_DIR/$CC_FILENAME" $retry "$CC_URL"
say "$g==>$x Finishing downloading $b${CC_OS}:${CC_VERSION}$x" say "$g==>$x Finishing downloading $b${CC_OS}:${CC_VERSION}$x"
v_url="https://cli.codecov.io/api/${CC_OS}/${CC_VERSION}" v_url="https://cli.codecov.io/api/${CC_OS}/${CC_VERSION}"
v=$(curl $retry --retry-all-errors -s "$v_url" -H "Accept:application/json" | tr \{ '\n' | tr , '\n' | tr \} '\n' | grep "\"version\"" | awk -F'"' '{print $4}' | tail -1) v=$(curl $retry --retry-all-errors -s "$v_url" -H "Accept:application/json" | tr \{ '\n' | tr , '\n' | tr \} '\n' | grep "\"version\"" | awk -F'"' '{print $4}' | tail -1)
@@ -110,9 +115,19 @@ then
chmod +x "$CC_COMMAND" chmod +x "$CC_COMMAND"
fi fi
else else
echo "$(curl -s https://keybase.io/codecovsecurity/pgp_keys.asc)" | \ gpg_key_url="https://keybase.io/codecovsecurity/pgp_keys.asc"
gpg --no-default-keyring --import gpg_import_ok=false
# One-time step for gpg_attempt in 1 2 3; do
if curl -sf $retry "$gpg_key_url" | gpg --no-default-keyring --import 2>/dev/null; then
gpg_import_ok=true
break
fi
say "$r ->$x GPG key import attempt $gpg_attempt failed, retrying..."
sleep 2
done
if [ "$gpg_import_ok" != "true" ]; then
exit_if_error "Could not import GPG verification key after 3 attempts. Please contact Codecov if problem continues"
fi
say "$g==>$x Verifying GPG signature integrity" say "$g==>$x Verifying GPG signature integrity"
sha_url="https://cli.codecov.io" sha_url="https://cli.codecov.io"
sha_url="${sha_url}/${CC_VERSION}/${CC_OS}" sha_url="${sha_url}/${CC_VERSION}/${CC_OS}"
@@ -120,14 +135,14 @@ else
say "$g ->$x Downloading $b${sha_url}$x" say "$g ->$x Downloading $b${sha_url}$x"
say "$g ->$x Downloading $b${sha_url}.sig$x" say "$g ->$x Downloading $b${sha_url}.sig$x"
say " " say " "
curl -Os $retry --connect-timeout 2 "$sha_url" curl -o "$CC_DOWNLOAD_DIR/${CC_FILENAME}.SHA256SUM" -s $retry --connect-timeout 2 "$sha_url"
curl -Os $retry --connect-timeout 2 "${sha_url}.sig" curl -o "$CC_DOWNLOAD_DIR/${CC_FILENAME}.SHA256SUM.sig" -s $retry --connect-timeout 2 "${sha_url}.sig"
if ! gpg --verify "${CC_FILENAME}.SHA256SUM.sig" "${CC_FILENAME}.SHA256SUM"; if ! gpg --verify "$CC_DOWNLOAD_DIR/${CC_FILENAME}.SHA256SUM.sig" "$CC_DOWNLOAD_DIR/${CC_FILENAME}.SHA256SUM";
then then
exit_if_error "Could not verify signature. Please contact Codecov if problem continues" exit_if_error "Could not verify signature. Please contact Codecov if problem continues"
fi fi
if ! (shasum -a 256 -c "${CC_FILENAME}.SHA256SUM" 2>/dev/null || \ if ! (cd "$CC_DOWNLOAD_DIR" && (shasum -a 256 -c "${CC_FILENAME}.SHA256SUM" 2>/dev/null || \
sha256sum -c "${CC_FILENAME}.SHA256SUM"); sha256sum -c "${CC_FILENAME}.SHA256SUM"));
then then
exit_if_error "Could not verify SHASUM. Please contact Codecov if problem continues" exit_if_error "Could not verify SHASUM. Please contact Codecov if problem continues"
fi fi
@@ -137,11 +152,16 @@ else
fi fi
if [ -n "$CC_BINARY_LOCATION" ]; if [ -n "$CC_BINARY_LOCATION" ];
then then
mkdir -p "$CC_BINARY_LOCATION" && mv "$CC_FILENAME" $_ mkdir -p "$CC_BINARY_LOCATION" && mv "$CC_COMMAND" "$CC_BINARY_LOCATION/$CC_FILENAME"
CC_COMMAND="$CC_BINARY_LOCATION/$CC_FILENAME"
say "$g==>$x ${CC_CLI_TYPE} binary moved to ${CC_BINARY_LOCATION}" say "$g==>$x ${CC_CLI_TYPE} binary moved to ${CC_BINARY_LOCATION}"
fi fi
if [ "$CC_DOWNLOAD_ONLY" = "true" ]; if [ "$CC_DOWNLOAD_ONLY" = "true" ];
then then
if [ -n "$CC_DOWNLOAD_DIR" ] && [ -z "$CC_BINARY_LOCATION" ]; then
cp "$CC_COMMAND" "./$CC_FILENAME"
CC_COMMAND="./$CC_FILENAME"
fi
say "$g==>$x ${CC_CLI_TYPE} download only called. Exiting..." say "$g==>$x ${CC_CLI_TYPE} download only called. Exiting..."
exit exit
fi fi