fix: hotfix oidc (#1813)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.28.12 to 3.28.13.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/v3.28.12...v3.28.13)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/workflows/codeql-analysis.yml

@@ -41,7 +41,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3.28.11
+      uses: github/codeql-action/init@v3.28.13
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -52,7 +52,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v3.28.11
+      uses: github/codeql-action/autobuild@v3.28.13
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -66,4 +66,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3.28.11
+      uses: github/codeql-action/analyze@v3.28.13

.github/workflows/scorecards-analysis.yml

@@ -49,7 +49,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: SARIF file
           path: results.sarif
@@ -57,6 +57,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v3.28.11 # v1.0.26
+        uses: github/codeql-action/upload-sarif@v3.28.13 # v1.0.26
         with:
           sarif_file: results.sarif

CHANGELOG.md

@@ -1,3 +1,25 @@
+## v5.4.2
+
+### What's Changed
+
+
+**Full Changelog**: https://github.com/codecov/codecov-action/compare/v5.4.1..v5.4.2
+
+
+## v5.4.1
+
+### What's Changed
+* fix: use the github core methods by @thomasrockhu-codecov in https://github.com/codecov/codecov-action/pull/1807
+* build(deps): bump github/codeql-action from 3.28.12 to 3.28.13 by @app/dependabot in https://github.com/codecov/codecov-action/pull/1803
+* build(deps): bump github/codeql-action from 3.28.11 to 3.28.12 by @app/dependabot in https://github.com/codecov/codecov-action/pull/1797
+* build(deps): bump actions/upload-artifact from 4.6.1 to 4.6.2 by @app/dependabot in https://github.com/codecov/codecov-action/pull/1798
+* chore(release): wrapper -0.2.1 by @app/codecov-releaser-app in https://github.com/codecov/codecov-action/pull/1788
+* build(deps): bump github/codeql-action from 3.28.10 to 3.28.11 by @app/dependabot in https://github.com/codecov/codecov-action/pull/1786
+
+
+**Full Changelog**: https://github.com/codecov/codecov-action/compare/v5.4.0..v5.4.1
+
+
 ## v5.4.0
 
 ### What's Changed

action.yml

@@ -202,16 +202,23 @@ runs:
         GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }}
         GITHUB_REPOSITORY: ${{ github.repository }}
 
+    - name: Get OIDC token
+      if: ${{ inputs.use_oidc == 'true' }}
+      uses: actions/github-script@v7
+      id: oidc
+      with:
+        script: |
+          const id_token = await core.getIDToken(process.env.CC_OIDC_AUDIENCE)
+          return id_token
+      env:
+        CC_OIDC_AUDIENCE: ${{ inputs.url || 'https://codecov.io' }}
 
     - name: Get and set token
       shell: bash
       run: |
         if [ "${{ inputs.use_oidc }}" == 'true' ] && [ "$CC_FORK" != 'true' ];
         then
-          # {"count":1984,"value":"***"}
-          echo -e "\033[0;32m==>\033[0m Requesting OIDC token from '$ACTIONS_ID_TOKEN_REQUEST_URL'"
-          CC_TOKEN=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=$CC_OIDC_AUDIENCE" | cut -d\" -f6)
-          echo "CC_TOKEN=$CC_TOKEN" >> "$GITHUB_ENV"
+          echo "CC_TOKEN=$CC_OIDC_TOKEN" >> "$GITHUB_ENV"
         elif [ -n "${{ env.CODECOV_TOKEN }}" ];
         then
           echo -e "\033[0;32m==>\033[0m Token set from env"
@@ -225,6 +232,7 @@ runs:
           fi
         fi
       env:
+        CC_OIDC_TOKEN: ${{ steps.oidc.outputs.result }}
         CC_OIDC_AUDIENCE: ${{ inputs.url || 'https://codecov.io' }}
 
     - name: Override branch for forks

dist/codecov.sh

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-CC_WRAPPER_VERSION="0.2.0"
+CC_WRAPPER_VERSION="0.2.1"
 set +u
 say() {
   echo -e "$1"
@@ -52,8 +52,8 @@ if [ -n "$CC_BINARY" ];
 then
   if [ -f "$CC_BINARY" ];
   then
-    cc_filename=$CC_BINARY
-    cc_command=$CC_BINARY
+    c_filename=$CC_BINARY
+    c_command=$CC_BINARY
   else
     exit_if_error "Could not find binary file $CC_BINARY"
   fi
@@ -63,7 +63,7 @@ then
     exit_if_error "Could not install via pypi."
     exit
   fi
-  cc_command="codecovcli"
+  c_command="codecovcli"
 else
   if [ -n "$CC_OS" ];
   then
@@ -79,17 +79,17 @@ else
     [[ $(arch) == "aarch64" && $family == "linux" ]] && CC_OS+="-arm64"
     say "$g==>$x Detected $b${CC_OS}$x"
   fi
-  cc_filename="codecov"
-  [[ $CC_OS == "windows" ]] && cc_filename+=".exe"
-  cc_command="./$cc_filename"
+  c_filename="codecov"
+  [[ $CC_OS == "windows" ]] && c_filename+=".exe"
+  c_command="./$c_filename"
   [[ $CC_OS == "macos" ]]  && \
     ! command -v gpg 2>&1 >/dev/null && \
     HOMEBREW_NO_AUTO_UPDATE=1 brew install gpg
-  cc_url="https://cli.codecov.io"
-  cc_url="$cc_url/${CC_VERSION}"
-  cc_url="$cc_url/${CC_OS}/${cc_filename}"
-  say "$g ->$x Downloading $b${cc_url}$x"
-  curl -O --retry 5 --retry-delay 2 "$cc_url"
+  c_url="https://cli.codecov.io"
+  c_url="$c_url/${CC_VERSION}"
+  c_url="$c_url/${CC_OS}/${c_filename}"
+  say "$g ->$x Downloading $b${c_url}$x"
+  curl -O --retry 5 --retry-delay 2 "$c_url"
   say "$g==>$x Finishing downloading $b${CC_OS}:${CC_VERSION}$x"
   version_url="https://cli.codecov.io/api/${CC_OS}/${CC_VERSION}"
   version=$(curl -s "$version_url" -H "Accept:application/json" | tr \{ '\n' | tr , '\n' | tr \} '\n' | grep "\"version\"" | awk  -F'"' '{print $4}' | tail -1)
@@ -107,44 +107,44 @@ CC_PUBLIC_PGP_KEY=$(curl -s https://keybase.io/codecovsecurity/pgp_keys.asc)
   say "$g==>$x Verifying GPG signature integrity"
   sha_url="https://cli.codecov.io"
   sha_url="${sha_url}/${CC_VERSION}/${CC_OS}"
-  sha_url="${sha_url}/${cc_filename}.SHA256SUM"
+  sha_url="${sha_url}/${c_filename}.SHA256SUM"
   say "$g ->$x Downloading $b${sha_url}$x"
   say "$g ->$x Downloading $b${sha_url}.sig$x"
   say " "
   curl -Os --retry 5 --retry-delay 2 --connect-timeout 2 "$sha_url"
   curl -Os --retry 5 --retry-delay 2 --connect-timeout 2 "${sha_url}.sig"
-  if ! gpg --verify "${cc_filename}.SHA256SUM.sig" "${cc_filename}.SHA256SUM";
+  if ! gpg --verify "${c_filename}.SHA256SUM.sig" "${c_filename}.SHA256SUM";
   then
     exit_if_error "Could not verify signature. Please contact Codecov if problem continues"
   fi
-  if ! (shasum -a 256 -c "${cc_filename}.SHA256SUM" 2>/dev/null || \
-    sha256sum -c "${cc_filename}.SHA256SUM");
+  if ! (shasum -a 256 -c "${c_filename}.SHA256SUM" 2>/dev/null || \
+    sha256sum -c "${c_filename}.SHA256SUM");
   then
     exit_if_error "Could not verify SHASUM. Please contact Codecov if problem continues"
   fi
   say "$g==>$x CLI integrity verified"
   say
-  chmod +x "$cc_command"
+  chmod +x "$c_command"
 fi
 if [ -n "$CC_BINARY_LOCATION" ];
 then
-  mkdir -p "$CC_BINARY_LOCATION" && mv "$cc_filename" $_
+  mkdir -p "$CC_BINARY_LOCATION" && mv "$c_filename" $_
   say "$g==>$x Codecov binary moved to ${CC_BINARY_LOCATION}"
 fi
 if [ "$CC_DOWNLOAD_ONLY" = "true" ];
 then
   say "$g==>$x Codecov download only called. Exiting..."
 fi
-cc_cli_args=()
-cc_cli_args+=( $(k_arg AUTO_LOAD_PARAMS_FROM) $(v_arg AUTO_LOAD_PARAMS_FROM))
-cc_cli_args+=( $(k_arg ENTERPRISE_URL) $(v_arg ENTERPRISE_URL))
+c_cli_args=()
+c_cli_args+=( $(k_arg AUTO_LOAD_PARAMS_FROM) $(v_arg AUTO_LOAD_PARAMS_FROM))
+c_cli_args+=( $(k_arg ENTERPRISE_URL) $(v_arg ENTERPRISE_URL))
 if [ -n "$CC_YML_PATH" ]
 then
-  cc_cli_args+=( "--codecov-yml-path" )
-  cc_cli_args+=( "$CC_YML_PATH" )
+  c_cli_args+=( "--codecov-yml-path" )
+  c_cli_args+=( "$CC_YML_PATH" )
 fi
-cc_cli_args+=( $(write_bool_args CC_DISABLE_TELEM) )
-cc_cli_args+=( $(write_bool_args CC_VERBOSE) )
+c_cli_args+=( $(write_bool_args CC_DISABLE_TELEM) )
+c_cli_args+=( $(write_bool_args CC_VERBOSE) )
 if [ -n "$CC_TOKEN_VAR" ];
 then
   token="$(eval echo \$$CC_TOKEN_VAR)"
@@ -159,101 +159,101 @@ then
   token_str+=" -t <redacted>"
   token_arg+=( " -t " "$token")
 fi
+c_args=()
 if [ "$CC_RUN_CMD" == "upload-coverage" ]; then
-cc_args=()
 # Args for create commit
-cc_args+=( $(write_bool_args CC_FAIL_ON_ERROR) )
-cc_args+=( $(k_arg GIT_SERVICE) $(v_arg GIT_SERVICE))
-cc_args+=( $(k_arg PARENT_SHA) $(v_arg PARENT_SHA))
-cc_args+=( $(k_arg PR) $(v_arg PR))
-cc_args+=( $(k_arg SHA) $(v_arg SHA))
-cc_args+=( $(k_arg SLUG) $(v_arg SLUG))
+c_args+=( $(write_bool_args CC_FAIL_ON_ERROR) )
+c_args+=( $(k_arg GIT_SERVICE) $(v_arg GIT_SERVICE))
+c_args+=( $(k_arg PARENT_SHA) $(v_arg PARENT_SHA))
+c_args+=( $(k_arg PR) $(v_arg PR))
+c_args+=( $(k_arg SHA) $(v_arg SHA))
+c_args+=( $(k_arg SLUG) $(v_arg SLUG))
 # Args for create report
-cc_args+=( $(k_arg CODE) $(v_arg CODE))
+c_args+=( $(k_arg CODE) $(v_arg CODE))
 # Args for do upload
-cc_args+=( $(k_arg ENV) $(v_arg ENV))
+c_args+=( $(k_arg ENV) $(v_arg ENV))
 OLDIFS=$IFS;IFS=,
-cc_args+=( $(k_arg BRANCH) $(v_arg BRANCH))
-cc_args+=( $(k_arg BUILD) $(v_arg BUILD))
-cc_args+=( $(k_arg BUILD_URL) $(v_arg BUILD_URL))
-cc_args+=( $(k_arg DIR) $(v_arg DIR))
-cc_args+=( $(write_bool_args CC_DISABLE_FILE_FIXES) )
-cc_args+=( $(write_bool_args CC_DISABLE_SEARCH) )
-cc_args+=( $(write_bool_args CC_DRY_RUN) )
+c_args+=( $(k_arg BRANCH) $(v_arg BRANCH))
+c_args+=( $(k_arg BUILD) $(v_arg BUILD))
+c_args+=( $(k_arg BUILD_URL) $(v_arg BUILD_URL))
+c_args+=( $(k_arg DIR) $(v_arg DIR))
+c_args+=( $(write_bool_args CC_DISABLE_FILE_FIXES) )
+c_args+=( $(write_bool_args CC_DISABLE_SEARCH) )
+c_args+=( $(write_bool_args CC_DRY_RUN) )
 if [ -n "$CC_EXCLUDES" ];
 then
   for directory in $CC_EXCLUDES; do
-    cc_args+=( "--exclude" "$directory" )
+    c_args+=( "--exclude" "$directory" )
   done
 fi
 if [ -n "$CC_FILES" ];
 then
   for file in $CC_FILES; do
-    cc_args+=( "--file" "$file" )
+    c_args+=( "--file" "$file" )
   done
 fi
 if [ -n "$CC_FLAGS" ];
 then
   for flag in $CC_FLAGS; do
-    cc_args+=( "--flag" "$flag" )
+    c_args+=( "--flag" "$flag" )
   done
 fi
-cc_args+=( $(k_arg GCOV_ARGS) $(v_arg GCOV_ARGS))
-cc_args+=( $(k_arg GCOV_EXECUTABLE) $(v_arg GCOV_EXECUTABLE))
-cc_args+=( $(k_arg GCOV_IGNORE) $(v_arg GCOV_IGNORE))
-cc_args+=( $(k_arg GCOV_INCLUDE) $(v_arg GCOV_INCLUDE))
-cc_args+=( $(write_bool_args CC_HANDLE_NO_REPORTS_FOUND) )
-cc_args+=( $(write_bool_args CC_RECURSE_SUBMODULES) )
-cc_args+=( $(k_arg JOB_CODE) $(v_arg JOB_CODE))
-cc_args+=( $(write_bool_args CC_LEGACY) )
+c_args+=( $(k_arg GCOV_ARGS) $(v_arg GCOV_ARGS))
+c_args+=( $(k_arg GCOV_EXECUTABLE) $(v_arg GCOV_EXECUTABLE))
+c_args+=( $(k_arg GCOV_IGNORE) $(v_arg GCOV_IGNORE))
+c_args+=( $(k_arg GCOV_INCLUDE) $(v_arg GCOV_INCLUDE))
+c_args+=( $(write_bool_args CC_HANDLE_NO_REPORTS_FOUND) )
+c_args+=( $(write_bool_args CC_RECURSE_SUBMODULES) )
+c_args+=( $(k_arg JOB_CODE) $(v_arg JOB_CODE))
+c_args+=( $(write_bool_args CC_LEGACY) )
 if [ -n "$CC_NAME" ];
 then
-  cc_args+=( "--name" "$CC_NAME" )
+  c_args+=( "--name" "$CC_NAME" )
 fi
-cc_args+=( $(k_arg NETWORK_FILTER) $(v_arg NETWORK_FILTER))
-cc_args+=( $(k_arg NETWORK_PREFIX) $(v_arg NETWORK_PREFIX))
-cc_args+=( $(k_arg NETWORK_ROOT_FOLDER) $(v_arg NETWORK_ROOT_FOLDER))
+c_args+=( $(k_arg NETWORK_FILTER) $(v_arg NETWORK_FILTER))
+c_args+=( $(k_arg NETWORK_PREFIX) $(v_arg NETWORK_PREFIX))
+c_args+=( $(k_arg NETWORK_ROOT_FOLDER) $(v_arg NETWORK_ROOT_FOLDER))
 if [ -n "$CC_PLUGINS" ];
 then
   for plugin in $CC_PLUGINS; do
-    cc_args+=( "--plugin" "$plugin" )
+    c_args+=( "--plugin" "$plugin" )
   done
 fi
-cc_args+=( $(k_arg REPORT_TYPE) $(v_arg REPORT_TYPE))
-cc_args+=( $(k_arg SWIFT_PROJECT) $(v_arg SWIFT_PROJECT))
+c_args+=( $(k_arg REPORT_TYPE) $(v_arg REPORT_TYPE))
+c_args+=( $(k_arg SWIFT_PROJECT) $(v_arg SWIFT_PROJECT))
 IFS=$OLDIFS
 elif [ "$CC_RUN_CMD" == "empty-upload" ]; then
-cc_args=()
-cc_args+=( $(write_bool_args CC_FAIL_ON_ERROR) )
-cc_args+=( $(write_bool_args CC_FORCE) )
-cc_args+=( $(k_arg GIT_SERVICE) $(v_arg GIT_SERVICE))
-cc_args+=( $(k_arg SHA) $(v_arg SHA))
-cc_args+=( $(k_arg SLUG) $(v_arg SLUG))
+c_args+=( $(k_arg BRANCH) $(v_arg BRANCH))
+c_args+=( $(write_bool_args CC_FAIL_ON_ERROR) )
+c_args+=( $(write_bool_args CC_FORCE) )
+c_args+=( $(k_arg GIT_SERVICE) $(v_arg GIT_SERVICE))
+c_args+=( $(k_arg PARENT_SHA) $(v_arg PARENT_SHA))
+c_args+=( $(k_arg PR) $(v_arg PR))
+c_args+=( $(k_arg SHA) $(v_arg SHA))
+c_args+=( $(k_arg SLUG) $(v_arg SLUG))
 elif [ "$CC_RUN_CMD" == "pr-base-picking" ]; then
-cc_args=()
-cc_args+=( $(k_arg BASE_SHA) $(v_arg BASE_SHA))
-cc_args+=( $(k_arg PR) $(v_arg PR))
-cc_args+=( $(k_arg SLUG) $(v_arg SLUG))
-cc_args+=( $(k_arg SERVICE) $(v_arg SERVICE))
+c_args+=( $(k_arg BASE_SHA) $(v_arg BASE_SHA))
+c_args+=( $(k_arg PR) $(v_arg PR))
+c_args+=( $(k_arg SLUG) $(v_arg SLUG))
+c_args+=( $(k_arg SERVICE) $(v_arg SERVICE))
 elif [ "$CC_RUN_CMD" == "send-notifications" ]; then
-cc_args=()
-cc_args+=( $(k_arg SHA) $(v_arg SHA))
-cc_args+=( $(write_bool_args CC_FAIL_ON_ERROR) )
-cc_args+=( $(k_arg GIT_SERVICE) $(v_arg GIT_SERVICE))
-cc_args+=( $(k_arg SLUG) $(v_arg SLUG))
+c_args+=( $(k_arg SHA) $(v_arg SHA))
+c_args+=( $(write_bool_args CC_FAIL_ON_ERROR) )
+c_args+=( $(k_arg GIT_SERVICE) $(v_arg GIT_SERVICE))
+c_args+=( $(k_arg SLUG) $(v_arg SLUG))
 else
   exit_if_error "Invalid run command specified: $CC_RUN_CMD"
   exit
 fi
 unset NODE_OPTIONS
-# https://github.com/codecov/uploader/issues/475
+# github.com/codecov/uploader/issues/475
 say "$g==>$x Running $CC_RUN_CMD"
-say "      $b$cc_command $(echo "${cc_cli_args[@]}") $CC_RUN_CMD$token_str $(echo "${cc_args[@]}")$x"
-if ! $cc_command \
-  ${cc_cli_args[*]} \
+say "      $b$c_command $(echo "${c_cli_args[@]}") $CC_RUN_CMD$token_str $(echo "${c_args[@]}")$x"
+if ! $c_command \
+  ${c_cli_args[*]} \
   ${CC_RUN_CMD} \
   ${token_arg[*]} \
-  "${cc_args[@]}";
+  "${c_args[@]}";
 then
   exit_if_error "Failed to run $CC_RUN_CMD"
 fi

src/version

@@ -1 +1 @@
-5.4.0
+5.4.2