fix: update action.yml (#1240)

* fix: allow for other archs

* fix: platform tests

.github/workflows/codeql-analysis.yml

@@ -37,11 +37,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4.0.0
+      uses: actions/checkout@v4.1.1
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2.21.7
+      uses: github/codeql-action/init@v3.23.2
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -52,7 +52,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2.21.7
+      uses: github/codeql-action/autobuild@v3.23.2
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -66,4 +66,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2.21.7
+      uses: github/codeql-action/analyze@v3.23.2

.github/workflows/enforce-license-compliance.yml

@@ -0,0 +1,14 @@
+name: Enforce License Compliance
+
+on:
+  pull_request:
+    branches: [main, master]
+
+jobs:
+  enforce-license-compliance:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Enforce License Compliance'
+        uses: getsentry/action-enforce-license-compliance@57ba820387a1a9315a46115ee276b2968da51f3d # main
+        with:
+          fossa_api_key: ${{ secrets.FOSSA_API_KEY }}

.github/workflows/main.yml

@@ -8,7 +8,7 @@ jobs:
         os: [macos-latest, windows-latest, ubuntu-latest]
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.0.0
+        uses: actions/checkout@v4.1.1
       - name: Upload coverage to Codecov (script)
         uses: ./
         with:
@@ -40,10 +40,10 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        os: [macos-latest, windows-latest, ubuntu-latest]
+        os: [macos-latest, windows-latest, ubuntu-latest, macos-latest-xlarge]
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.0.0
+        uses: actions/checkout@v4.1.1
       - name: Install dependencies
         run: npm install
       - name: Lint

.github/workflows/scorecards-analysis.yml

@@ -24,12 +24,12 @@ jobs:
     
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v4.0.0 # v3.0.0
+        uses: actions/checkout@v4.1.1 # v3.0.0
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
         with:
           results_file: results.sarif
           results_format: sarif
@@ -48,7 +48,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
         with:
           name: SARIF file
           path: results.sarif
@@ -56,6 +56,6 @@ jobs:
       
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v2.21.7 # v1.0.26
+        uses: github/codeql-action/upload-sarif@v3.23.2 # v1.0.26
         with:
           sarif_file: results.sarif

Makefile

@@ -1,7 +1,7 @@
 deploy:
 	$(eval VERSION := $(shell cat package.json | grep '"version": ' | cut -d\" -f4))
-	git tag -d v3
+	git tag -d v4
-	git push origin :v3
+	git push origin :v4
-	git tag v3
+	git tag v4
 	git tag v$(VERSION) -s -m ""
 	git push origin --tags

README.md

@@ -5,44 +5,43 @@
 [![Workflow for Codecov Action](https://github.com/codecov/codecov-action/actions/workflows/main.yml/badge.svg)](https://github.com/codecov/codecov-action/actions/workflows/main.yml)
 ### Easily upload coverage reports to Codecov from GitHub Actions
 
-## v4 Beta Release
+## v4 Release
-`v4` of the Codecov GitHub Action will use the [Codecov CLI](https://github.com/codecov/codecov-cli) to upload coverage reports to Codecov. Currently, `v4` is in beta.
+`v4` of the Codecov GitHub Action will use the [Codecov CLI](https://github.com/codecov/codecov-cli) to upload coverage reports to Codecov.
 
 Breaking Changes
-- No current support for `aarch64` and `alpine` architectures.
+- Tokenless uploading is unsupported. However, PRs made from forks to the upstream public repos will support tokenless (e.g. contributors to OS projects do not need the upstream repo's Codecov token)
-- Tokenless uploading is unsupported
 - Various arguments to the Action have been removed
 
-`v3` versions and below will not have access to CLI features (e.g. global upload token).
+`v3` versions and below will not have access to CLI features (e.g. global upload token, ATS).
-
-## ⚠️  Deprecation of v1
-**As of February 1, 2022, v1 has been fully sunset and no longer functions**
-
-Due to the [deprecation](https://about.codecov.io/blog/introducing-codecovs-new-uploader/) of the underlying bash uploader,
-the Codecov GitHub Action has released `v2`/`v3` which will use the new [uploader](https://github.com/codecov/uploader). You can learn
-more about our deprecation plan and the new uploader on our [blog](https://about.codecov.io/blog/introducing-codecovs-new-uploader/).
-
-We will be restricting any updates to the `v1` Action to security updates and hotfixes.
 
 ## Usage
 
-To integrate Codecov with your Actions pipeline, specify the name of this repository with a tag number (`@v3` is recommended) as a `step` within your `workflow.yml` file.
+To integrate Codecov with your Actions pipeline, specify the name of this repository with a tag number (`@v4` is recommended) as a `step` within your `workflow.yml` file.
 
-If you have a *private repository*, this Action also requires you to [provide an upload token](https://docs.codecov.io/docs/frequently-asked-questions#section-where-is-the-repository-upload-token-found-) from [codecov.io](https://www.codecov.io) (tip: in order to avoid exposing your token, store it as a `secret`). Optionally, you can choose to include up to four additional inputs to customize the upload context. **For public repositories, no token is needed**
+This Action also requires you to [provide an upload token](https://docs.codecov.io/docs/frequently-asked-questions#section-where-is-the-repository-upload-token-found-) from [codecov.io](https://www.codecov.io) (tip: in order to avoid exposing your token, [store it](https://docs.codecov.com/docs/adding-the-codecov-token#github-actions) as a `secret`).
+
+Currently, the Action will identify linux, macos, and windows runners. However, the Action may misidentify other architectures. The OS can be specified as
+- alpine
+- alpine-arm64
+- linux
+- linux-arm64
+- macos
+- windows
 
 Inside your `.github/workflows/workflow.yml` file:
 
 ```yaml
 steps:
 - uses: actions/checkout@master
-- uses: codecov/codecov-action@v3
+- uses: codecov/codecov-action@v4
   with:
-    token: ${{ secrets.CODECOV_TOKEN }}
     files: ./coverage1.xml,./coverage2.xml # optional
     flags: unittests # optional
     name: codecov-umbrella # optional
     fail_ci_if_error: true # optional (default = false)
     verbose: true # optional (default = false)
+  env:
+    token: ${{ secrets.CODECOV_TOKEN }}
 ```
 >**Note**: This assumes that you've set your Codecov token inside *Settings > Secrets* as `CODECOV_TOKEN`. If not, you can [get an upload token](https://docs.codecov.io/docs/frequently-asked-questions#section-where-is-the-repository-upload-token-found-) for your specific repo on [codecov.io](https://www.codecov.io). Keep in mind that secrets are *not* available to forks of repositories.
 
@@ -118,9 +117,8 @@ jobs:
         pip install pytest-cov
         pytest --cov=./ --cov-report=xml
     - name: Upload coverage to Codecov
-      uses: codecov/codecov-action@v3
+      uses: codecov/codecov-action@v4
       with:
-        token: ${{ secrets.CODECOV_TOKEN }}
         directory: ./coverage/reports/
         env_vars: OS,PYTHON
         fail_ci_if_error: true
@@ -128,6 +126,8 @@ jobs:
         flags: unittests
         name: codecov-umbrella
         verbose: true
+      env:
+        token: ${{ secrets.CODECOV_TOKEN }}
 ```
 ## Contributing
 

action.yml

@@ -11,23 +11,26 @@ inputs:
   files:
     description: 'Comma-separated list of files to upload'
     required: false
+  commit_parent:
+    description: 'Override to specify the parent commit SHA'
+    required: false
   directory:
     description: 'Directory to search for coverage reports.'
     required: false
-  flags:
-    description: 'Flag upload to group coverage metrics (e.g. unittests | integration | ui,chrome)'
-    required: false
   dry_run:
     description: "Don't upload files to Codecov"
     required: false
   env_vars:
     description: 'Environment variables to tag the upload with (e.g. PYTHON | OS,PYTHON)'
     required: false
+  exclude:
+    description: 'Folders to exclude from search'
+    required: false
   fail_ci_if_error:
     description: 'Specify whether or not CI build should fail if Codecov runs into an error during upload'
     required: false
-  gcov:
+  flags:
-    description: 'Run with gcov support'
+    description: 'Flag upload to group coverage metrics (e.g. unittests | integration | ui,chrome)'
     required: false
   name:
     description: 'User defined upload name. Visible in Codecov UI'
@@ -47,6 +50,9 @@ inputs:
   override_pr:
     description: 'Specify the pull request number'
     required: false
+  plugin:
+    description: 'plugins to run. Options: xcode, gcov, pycoverage. The default behavior runs them all.'
+    required: false
   plugins:
     description: 'Comma-separated list of plugins for use during upload.'
     required: false
@@ -56,6 +62,9 @@ inputs:
   slug:
     description: 'Specify the slug manually (Enterprise use)'
     required: false
+  url:
+    description: 'Specify the base url to upload (Enterprise use)'
+    required: false
   verbose:
     description: 'Specify whether the Codecov output should be verbose'
     required: false
@@ -69,5 +78,5 @@ branding:
   color: 'red'
   icon: 'umbrella'
 runs:
-  using: 'node16'
+  using: 'node20'
   main: 'dist/index.js'

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codecov-action",
-  "version": "4.0.0-beta.3",
+  "version": "4.0.0",
   "description": "Upload coverage reports to Codecov from GitHub Actions",
   "main": "index.js",
   "scripts": {
@@ -25,21 +25,20 @@
   "dependencies": {
     "@actions/core": "^1.10.1",
     "@actions/exec": "^1.1.1",
-    "@actions/github": "^5.1.1",
+    "@actions/github": "^6.0.0",
-    "node-fetch": "^3.3.2",
+    "gpg": "^0.6.0",
-    "openpgp": "5.10"
+    "undici": "5.28.2"
   },
   "devDependencies": {
-    "@types/jest": "^29.5.5",
+    "@types/jest": "^29.5.11",
-    "@types/node": "^20.6.3",
+    "@typescript-eslint/eslint-plugin": "^6.20.0",
-    "@typescript-eslint/eslint-plugin": "^6.7.2",
+    "@typescript-eslint/parser": "^6.20.0",
-    "@typescript-eslint/parser": "^6.7.2",
+    "@vercel/ncc": "^0.38.1",
-    "@vercel/ncc": "^0.38.0",
+    "eslint": "^8.56.0",
-    "eslint": "^8.49.0",
     "eslint-config-google": "^0.14.0",
     "jest": "^29.7.0",
     "jest-junit": "^16.0.0",
-    "ts-jest": "^29.1.1",
+    "ts-jest": "^29.1.2",
-    "typescript": "^5.2.0"
+    "typescript": "^5.3.3"
   }
 }

src/helpers.test.ts

@@ -43,6 +43,9 @@ test('getBaseUrl', () => {
     'https://cli.codecov.io/latest/linux/codecov',
     'https://cli.codecov.io/latest/macos/codecov',
     'https://cli.codecov.io/latest/windows/codecov.exe',
+    'https://cli.codecov.io/latest/alpine/codecov',
+    'https://cli.codecov.io/latest/linux-arm64/codecov',
+    'https://cli.codecov.io/latest/alpine-arm64/codecov',
   ]);
 
   expect(PLATFORMS.map((platform) => {
@@ -51,19 +54,22 @@ test('getBaseUrl', () => {
     'https://cli.codecov.io/v0.1.0_8880/linux/codecov',
     'https://cli.codecov.io/v0.1.0_8880/macos/codecov',
     'https://cli.codecov.io/v0.1.0_8880/windows/codecov.exe',
+    'https://cli.codecov.io/v0.1.0_8880/alpine/codecov',
+    'https://cli.codecov.io/v0.1.0_8880/linux-arm64/codecov',
+    'https://cli.codecov.io/v0.1.0_8880/alpine-arm64/codecov',
   ]);
 });
 
 test('isWindows', () => {
   expect(PLATFORMS.map((platform) => {
     return isWindows(platform);
-  })).toEqual([false, false, true]);
+  })).toEqual([false, false, true, false, false, false]);
 });
 
 test('isValidPlatform', () => {
   expect(PLATFORMS.map((platform) => {
     return isValidPlatform(platform);
-  })).toEqual([true, true, true]);
+  })).toEqual([true, true, true, true, true, true]);
 
   expect(isValidPlatform('fakeos')).toBeFalsy();
 });

src/helpers.ts

@@ -4,6 +4,9 @@ const PLATFORMS = [
   'linux',
   'macos',
   'windows',
+  'alpine',
+  'linux-arm64',
+  'alpine-arm64',
 ];
 
 const setFailure = (message: string, failCi: boolean): void => {

src/validate.ts

@@ -1,10 +1,10 @@
 import * as crypto from 'crypto';
 import * as fs from 'fs';
+import * as gpg from 'gpg';
 import * as path from 'path';
 
 import * as core from '@actions/core';
-import * as openpgp from 'openpgp';
+import {request} from 'undici';
-import * as fetch from 'node-fetch';
 
 import {
   getBaseUrl,
@@ -22,45 +22,33 @@ const verify = async (
   try {
     const uploaderName = getUploaderName(platform);
 
-    // Read in public key
-    const publicKeyArmored = await fs.readFileSync(
-        path.join(__dirname, 'pgp_keys.asc'),
-        'utf-8',
-    );
-
     // Get SHASUM and SHASUM signature files
     console.log(`${getBaseUrl(platform, version)}.SHA256SUM`);
-    const shasumRes = await fetch.default(
+    const shasumRes = await request(
         `${getBaseUrl(platform, version)}.SHA256SUM`,
     );
-    const shasum = await shasumRes.text();
+    const shasum = await shasumRes.body.text();
     if (verbose) {
       console.log(`Received SHA256SUM ${shasum}`);
     }
+    await fs.writeFileSync(
+        path.join(__dirname, `${uploaderName}.SHA256SUM`),
+        shasum,
+    );
 
-    const shaSigRes = await fetch.default(
+    const shaSigRes = await request(
         `${getBaseUrl(platform, version)}.SHA256SUM.sig`,
     );
-    const shaSig = await shaSigRes.text();
+    const shaSig = await shaSigRes.body.text();
     if (verbose) {
       console.log(`Received SHA256SUM signature ${shaSig}`);
     }
-
+    await fs.writeFileSync(
-    // Verify shasum
+        path.join(__dirname, `${uploaderName}.SHA256SUM.sig`),
-    const verified = await openpgp.verify({
+        shaSig,
-      message: await openpgp.createMessage({text: shasum}),
-      signature: await openpgp.readSignature({armoredSignature: shaSig}),
-      verificationKeys: await openpgp.readKeys({armoredKeys: publicKeyArmored}),
-    });
-    const valid = await verified.signatures[0].verified;
-    if (valid) {
-      core.info('==> SHASUM file signed by key id ' +
-          verified.signatures[0].keyID.toHex(),
     );
-    } else {
-      setFailure('Codecov: Error validating SHASUM signature', failCi);
-    }
 
+    const validateSha = async () => {
       const calculateHash = async (filename: string) => {
         const stream = fs.createReadStream(filename);
         const uploaderSha = crypto.createHash(`sha256`);
@@ -74,7 +62,9 @@ const verify = async (
         });
       };
 
-    const hash = await calculateHash(filename);
+      const hash = await calculateHash(
+          path.join(__dirname, `${uploaderName}`),
+      );
       if (hash === shasum) {
         core.info(`==> Uploader SHASUM verified (${hash})`);
       } else {
@@ -84,6 +74,38 @@ const verify = async (
             failCi,
         );
       }
+    };
+
+    const verifySignature = () => {
+      gpg.call('', [
+        '--logger-fd',
+        '1',
+        '--verify',
+        path.join(__dirname, `${uploaderName}.SHA256SUM.sig`),
+        path.join(__dirname, `${uploaderName}.SHA256SUM`),
+      ], async (err, verifyResult) => {
+        if (err) {
+          setFailure('Codecov: Error importing pgp key', failCi);
+        }
+        core.info(verifyResult);
+        await validateSha();
+      });
+    };
+
+    // Import gpg key
+    gpg.call('', [
+      '--logger-fd',
+      '1',
+      '--no-default-keyring',
+      '--import',
+      path.join(__dirname, 'pgp_keys.asc'),
+    ], async (err, importResult) => {
+      if (err) {
+        setFailure('Codecov: Error importing pgp key', failCi);
+      }
+      core.info(importResult);
+      verifySignature();
+    });
   } catch (err) {
     setFailure(`Codecov: Error validating uploader: ${err.message}`, failCi);
   }

src/version.ts

@@ -1,5 +1,5 @@
 import * as core from '@actions/core';
-import * as fetch from 'node-fetch';
+import {request} from 'undici';
 
 const versionInfo = async (
     platform: string,
@@ -10,10 +10,10 @@ const versionInfo = async (
   }
 
   try {
-    const metadataRes = await fetch.default( `https://uploader.codecov.io/${platform}/latest`, {
+    const metadataRes = await request(`https://cli.codecov.io/${platform}/latest`, {
       headers: {'Accept': 'application/json'},
     });
-    const metadata = await metadataRes.json();
+    const metadata = await metadataRes.body.json();
     core.info(`==> Running version ${metadata['version']}`);
   } catch (err) {
     core.info(`Could not pull latest version information: ${err}`);