chore(release): bump to 4.0.2 (#1302)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.0 to 4.3.1.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](26f96dfa69...5d5d22a312)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/workflows/codeql-analysis.yml

@@ -37,11 +37,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4.0.0
+      uses: actions/checkout@v4.1.1
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2.21.5
+      uses: github/codeql-action/init@v3.24.3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -52,7 +52,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2.21.5
+      uses: github/codeql-action/autobuild@v3.24.3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -66,4 +66,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2.21.5
+      uses: github/codeql-action/analyze@v3.24.3

.github/workflows/enforce-license-compliance.yml

@@ -0,0 +1,14 @@
+name: Enforce License Compliance
+
+on:
+  pull_request:
+    branches: [main, master]
+
+jobs:
+  enforce-license-compliance:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Enforce License Compliance'
+        uses: getsentry/action-enforce-license-compliance@57ba820387a1a9315a46115ee276b2968da51f3d # main
+        with:
+          fossa_api_key: ${{ secrets.FOSSA_API_KEY }}

.github/workflows/main.yml

@@ -1,49 +1,14 @@
 name: Workflow for Codecov Action
 on: [push, pull_request]
 jobs:
-  no-deps:
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        os: [macos-latest, windows-latest, ubuntu-latest]
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4.0.0
-      - name: Upload coverage to Codecov (script)
-        uses: ./
-        with:
-          files: ./coverage/script/coverage-final.json
-          flags: script,${{ matrix.os }}
-          name: codecov-script
-          verbose: true
-          token: ${{ secrets.CODECOV_TOKEN }}
-      - name: Upload coverage to Codecov (demo)
-        uses: ./
-        with:
-          files: ./coverage/calculator/coverage-final.json,./coverage/coverage-test/coverage-final.json
-          file: ./coverage/coverage-final.json
-          flags: demo,${{ matrix.os }}
-          name: codecov-demo
-          verbose: true
-          token: ${{ secrets.CODECOV_TOKEN }}
-      - name: Upload coverage to Codecov (version)
-        uses: ./
-        with:
-          files: ./coverage/calculator/coverage-final.json,./coverage/coverage-test/coverage-final.json
-          file: ./coverage/coverage-final.json
-          flags: version,${{ matrix.os }}
-          name: codecov-version
-          version: v0.2.0
-          verbose: true
-          token: ${{ secrets.CODECOV_TOKEN }}
   run:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        os: [macos-latest, windows-latest, ubuntu-latest]
+        os: [macos-latest, windows-latest, ubuntu-latest, macos-latest-xlarge]
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.0.0
+        uses: actions/checkout@v4.1.1
       - name: Install dependencies
         run: npm install
       - name: Lint
@@ -76,4 +41,4 @@ jobs:
           name: codecov-version
           version: v0.2.0
           verbose: true
-          token: ${{ secrets.CODECOV_TOKEN }}
+          token: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/scorecards-analysis.yml

@@ -24,12 +24,12 @@ jobs:
     
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v4.0.0 # v3.0.0
+        uses: actions/checkout@v4.1.1 # v3.0.0
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
         with:
           results_file: results.sarif
           results_format: sarif
@@ -48,7 +48,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: SARIF file
           path: results.sarif
@@ -56,6 +56,6 @@ jobs:
       
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v2.21.5 # v1.0.26
+        uses: github/codeql-action/upload-sarif@v3.24.3 # v1.0.26
         with:
           sarif_file: results.sarif

Makefile

@@ -1,7 +1,7 @@
 deploy:
 	$(eval VERSION := $(shell cat package.json | grep '"version": ' | cut -d\" -f4))
-	git tag -d v3
+	git tag -d v4
-	git push origin :v3
+	git push origin :v4
-	git tag v3
+	git tag v4
 	git tag v$(VERSION) -s -m ""
 	git push origin --tags

README.md

@@ -1,96 +1,107 @@
 # Codecov GitHub Action
 
-[![GitHub Marketplace](https://img.shields.io/badge/Marketplace-v3-undefined.svg?logo=github&logoColor=white&style=flat)](https://github.com/marketplace/actions/codecov)
+[![GitHub Marketplace](https://img.shields.io/badge/Marketplace-v4-undefined.svg?logo=github&logoColor=white&style=flat)](https://github.com/marketplace/actions/codecov)
 [![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fcodecov%2Fcodecov-action.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fcodecov%2Fcodecov-action?ref=badge_shield)
 [![Workflow for Codecov Action](https://github.com/codecov/codecov-action/actions/workflows/main.yml/badge.svg)](https://github.com/codecov/codecov-action/actions/workflows/main.yml)
 ### Easily upload coverage reports to Codecov from GitHub Actions
 
-## v4 Beta Release
+## v4 Release
-`v4` of the Codecov GitHub Action will use the [Codecov CLI](https://github.com/codecov/codecov-cli) to upload coverage reports to Codecov. Currently, `v4` is in beta.
+`v4` of the Codecov GitHub Action will use the [Codecov CLI](https://github.com/codecov/codecov-cli) to upload coverage reports to Codecov.
 
-Breaking Changes
+### Breaking Changes
-- No current support for `aarch64` and `alpine` architectures.
+- Tokenless uploading is unsupported. However, PRs made from forks to the upstream public repos will support tokenless (e.g. contributors to OS projects do not need the upstream repo's Codecov token)
-- Tokenless uploading is unsupported
 - Various arguments to the Action have been removed
 
-`v3` versions and below will not have access to CLI features (e.g. global upload token).
+### Dependabot
+- For repositories using `Dependabot`, users will need to ensure that it has access to the Codecov token for PRs from Dependabot to upload coverage. To do this, please add your `CODECOV_TOKEN` as a Dependabot Secret. For more information, see ["Configuring access to private registries for Dependabot."](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#storing-credentials-for-dependabot-to-use)
 
-## ⚠️  Deprecation of v1
+`v3` versions and below will not have access to CLI features (e.g. global upload token, ATS).
-**As of February 1, 2022, v1 has been fully sunset and no longer functions**
-
-Due to the [deprecation](https://about.codecov.io/blog/introducing-codecovs-new-uploader/) of the underlying bash uploader,
-the Codecov GitHub Action has released `v2`/`v3` which will use the new [uploader](https://github.com/codecov/uploader). You can learn
-more about our deprecation plan and the new uploader on our [blog](https://about.codecov.io/blog/introducing-codecovs-new-uploader/).
-
-We will be restricting any updates to the `v1` Action to security updates and hotfixes.
 
 ## Usage
 
-To integrate Codecov with your Actions pipeline, specify the name of this repository with a tag number (`@v3` is recommended) as a `step` within your `workflow.yml` file.
+To integrate Codecov with your Actions pipeline, specify the name of this repository with a tag number (`@v4` is recommended) as a `step` within your `workflow.yml` file.
 
-If you have a *private repository*, this Action also requires you to [provide an upload token](https://docs.codecov.io/docs/frequently-asked-questions#section-where-is-the-repository-upload-token-found-) from [codecov.io](https://www.codecov.io) (tip: in order to avoid exposing your token, store it as a `secret`). Optionally, you can choose to include up to four additional inputs to customize the upload context. **For public repositories, no token is needed**
+This Action also requires you to [provide an upload token](https://docs.codecov.io/docs/frequently-asked-questions#section-where-is-the-repository-upload-token-found-) from [codecov.io](https://www.codecov.io) (tip: in order to avoid exposing your token, [store it](https://docs.codecov.com/docs/adding-the-codecov-token#github-actions) as a `secret`).
+
+Currently, the Action will identify linux, macos, and windows runners. However, the Action may misidentify other architectures. The OS can be specified as
+- alpine
+- alpine-arm64
+- linux
+- linux-arm64
+- macos
+- windows
 
 Inside your `.github/workflows/workflow.yml` file:
 
 ```yaml
 steps:
 - uses: actions/checkout@master
-- uses: codecov/codecov-action@v3
+- uses: codecov/codecov-action@v4
   with:
-    token: ${{ secrets.CODECOV_TOKEN }}
+    fail_ci_if_error: true # optional (default = false)
     files: ./coverage1.xml,./coverage2.xml # optional
     flags: unittests # optional
     name: codecov-umbrella # optional
-    fail_ci_if_error: true # optional (default = false)
+    token: ${{ secrets.CODECOV_TOKEN }} # required
     verbose: true # optional (default = false)
 ```
->**Note**: This assumes that you've set your Codecov token inside *Settings > Secrets* as `CODECOV_TOKEN`. If not, you can [get an upload token](https://docs.codecov.io/docs/frequently-asked-questions#section-where-is-the-repository-upload-token-found-) for your specific repo on [codecov.io](https://www.codecov.io). Keep in mind that secrets are *not* available to forks of repositories.
+
+The Codecov token can also be passed in via environment variables:
+
+```yaml
+steps:
+- uses: actions/checkout@master
+- uses: codecov/codecov-action@v4
+  with:
+    fail_ci_if_error: true # optional (default = false)
+    files: ./coverage1.xml,./coverage2.xml # optional
+    flags: unittests # optional
+    name: codecov-umbrella # optional
+    verbose: true # optional (default = false)
+  env:
+    CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+```
+> [!NOTE]
+> This assumes that you've set your Codecov token inside *Settings > Secrets* as `CODECOV_TOKEN`. If not, you can [get an upload token](https://docs.codecov.io/docs/frequently-asked-questions#section-where-is-the-repository-upload-token-found-) for your specific repo on [codecov.io](https://www.codecov.io). Keep in mind that secrets are *not* available to forks of repositories.
 
 ## Arguments
 
 Codecov's Action supports inputs from the user. These inputs, along with their descriptions and usage contexts, are listed in the table below:
 
-| Input  | Description | Usage |
+| Input  | Description | Required |
-| :---:     |     :---:   |    :---:   |
+| :---       |     :---     |    :---:   |
-| `token`  | Used to authorize coverage report uploads  | *Required |
+| `token` | Repository Codecov token. Used to authorize report uploads | *Required 
-| `move_coverage_to_trash` | Move discovered coverage reports to the trash | Optional
+| `codecov_yml_path` | Specify the path to the Codecov YML | Optional 
-| `commit_parent` | The commit SHA of the parent for which you are uploading coverage. If not present, the parent will be determined using the API of your repository provider.  When using the repository provider's API, the parent is determined via finding the closest ancestor to the commit. | Optional
+| `commit_parent` | Override to specify the parent commit SHA | Optional 
-| `dry_run` | Don't upload files to Codecov | Optional
+| `directory` | Directory to search for coverage reports. | Optional 
-| `env_vars`  | Environment variables to tag the upload with. Multiple env variables can be separated with commas (e.g. `OS,PYTHON`) | Optional
+| `disable_search` | Disable search for coverage files. This is helpful when specifying what files you want to upload with the --file option. | Optional 
-| `fail_ci_if_error`  | Specify if CI pipeline should fail when Codecov runs into errors during upload. *Defaults to **false*** | Optional
+| `disable_file_fixes` | Disable file fixes to ignore common lines from coverage (e.g. blank lines or empty brackets) | Optional 
-| `files`  | Comma-separated paths to the coverage report(s). Negated paths are supported by starting with `!` | Optional
+| `dry_run` | Don't upload files to Codecov | Optional 
-| `flags`  | Flag the upload to group coverage metrics (unittests, uitests, etc.). Multiple flags are separated by a comma (ui,chrome) | Optional
+| `env_vars` | Environment variables to tag the upload with (e.g. PYTHON \| OS,PYTHON) | Optional 
-| `full_report` | Specify the path of a full Codecov report to re-upload | Optional
+| `exclude` | Folders to exclude from search | Optional 
-| `functionalities` | Toggle functionalities | Optional
+| `fail_ci_if_error` | Specify whether or not CI build should fail if Codecov runs into an error during upload | Optional 
-| -- `network` | Disable uploading the file network | Optional
+| `file` | Path to coverage file to upload | Optional 
-| -- `fixes` | Enable file fixes to ignore common lines from coverage | Optional
+| `files` | Comma-separated list of files to upload | Optional 
-| -- `search` | Disable searching for coverage files | Optional
+| `flags` | Flag upload to group coverage metrics (e.g. unittests \| integration \| ui,chrome) | Optional 
-| `gcov` | Run with gcov support | Optional
+| `handle_no_reports_found` | Raise no exceptions when no coverage reports found | Optional 
-| `gcov_args` | Extra arguments to pass to gcov | Optional
+| `job_code` | The job code | Optional 
-| `gcov_ignore` | Paths to ignore during gcov gathering | Optional
+| `name` | User defined upload name. Visible in Codecov UI | Optional 
-| `gcov_include` | Paths to include during gcov gathering | Optional
+| `os` | Override the assumed OS. Options are linux \| macos \| windows \| . | Optional 
-| `gcov_executable` | gcov executable to run. Defaults to gcov. | Optional
+| `override_branch` | Specify the branch name | Optional 
-| `name`  | Custom defined name for the upload | Optional
+| `override_build` | Specify the build number | Optional 
-| `network_filter` | Specify a filter on the files listed in the network section of the Codecov report. Useful for upload-specific path fixing | Optional
+| `override_build_url` | The URL of the build where this is running | Optional 
-| `network_prefix` | Specify a prefix on files listed in the network section of the Codecov report. Useful to help resolve path fixing | Optional
+| `override_commit` | Specify the commit SHA | Optional 
-| `os` | Specify the OS (linux, macos, windows, alpine) | Optional
+| `override_pr` | Specify the pull request number | Optional 
-| `override_branch` | Specify the branch name | Optional
+| `plugin` | plugins to run. Options: xcode, gcov, pycoverage. The default behavior runs them all. | Optional 
-| `override_build` | Specify the build number | Optional
+| `plugins` | Comma-separated list of plugins for use during upload. | Optional 
-| `override_commit` | Specify the commit SHA | Optional
+| `report_code` | The code of the report. If unsure, do not include | Optional 
-| `override_pr` | Specify the pull request number | Optional
+| `root_dir` | Used when not in git/hg project to identify project root directory | Optional 
-| `override_tag` | Specify the git tag | Optional
+| `slug` | Specify the slug manually (Enterprise use) | Optional 
-| `root_dir` | Used when not in git/hg project to identify project root directory | Optional
+| `url` | Specify the base url to upload (Enterprise use) | Optional 
-| `directory` | Directory to search for coverage reports. | Optional
+| `use_legacy_upload_endpoint` | Use the legacy upload endpoint | Optional 
-| `slug` | Specify the slug manually (Enterprise use) | Optional
+| `verbose` | Specify whether the Codecov output should be verbose | Optional 
-| `swift` | Run with swift coverage support | Optional
+| `version` | Specify which version of the Codecov CLI should be used. Defaults to `latest` | Optional 
-| -- `swift_project` | Specify the swift project to speed up coverage conversion | Optional
+| `working-directory` | Directory in which to execute codecov.sh | Optional 
-| `upstream_proxy` | The upstream http proxy server to connect through | Optional
-| `url` | Change the upload host (Enterprise use) | Optional
-| `verbose` | Specify whether the Codecov output should be verbose | Optional
-| `version` | Specify which version of the Codecov Uploader should be used. Defaults to `latest` | Optional
-| `working-directory` | Directory in which to execute `codecov.sh` | Optional
-| `xtra_args` | Add additional uploader args that may be missing in the Action | Optional
-
 
 ### Example `workflow.yml` with Codecov Action
 
@@ -118,15 +129,15 @@ jobs:
         pip install pytest-cov
         pytest --cov=./ --cov-report=xml
     - name: Upload coverage to Codecov
-      uses: codecov/codecov-action@v3
+      uses: codecov/codecov-action@v4
       with:
-        token: ${{ secrets.CODECOV_TOKEN }}
         directory: ./coverage/reports/
         env_vars: OS,PYTHON
         fail_ci_if_error: true
         files: ./coverage1.xml,./coverage2.xml,!./cache
         flags: unittests
         name: codecov-umbrella
+        token: ${{ secrets.CODECOV_TOKEN }}
         verbose: true
 ```
 ## Contributing

action.yml

@@ -3,19 +3,22 @@ description: 'GitHub Action that uploads coverage reports for your repository to
 author: 'Ibrahim Ali <@ibrahim0814> & Thomas Hu <@thomasrockhu> | Codecov'
 inputs:
   token:
-    description: 'Repository upload token - get it from codecov.io. Required only for private repositories'
+    description: 'Repository Codecov token. Used to authorize report uploads'
     required: false
-  file:
+  codecov_yml_path:
-    description: 'Path to coverage file to upload'
+    description: 'Specify the path to the Codecov YML'
     required: false
-  files:
+  commit_parent:
-    description: 'Comma-separated list of files to upload'
+    description: 'Override to specify the parent commit SHA'
     required: false
   directory:
     description: 'Directory to search for coverage reports.'
     required: false
-  flags:
+  disable_search:
-    description: 'Flag upload to group coverage metrics (e.g. unittests | integration | ui,chrome)'
+    description: 'Disable search for coverage files. This is helpful when specifying what files you want to upload with the --file option.'
+    required: false
+  disable_file_fixes:
+    description: 'Disable file fixes to ignore common lines from coverage (e.g. blank lines or empty brackets)'
     required: false
   dry_run:
     description: "Don't upload files to Codecov"
@@ -23,11 +26,26 @@ inputs:
   env_vars:
     description: 'Environment variables to tag the upload with (e.g. PYTHON | OS,PYTHON)'
     required: false
+  exclude:
+    description: 'Folders to exclude from search'
+    required: false
   fail_ci_if_error:
     description: 'Specify whether or not CI build should fail if Codecov runs into an error during upload'
     required: false
-  gcov:
+  file:
-    description: 'Run with gcov support'
+    description: 'Path to coverage file to upload'
+    required: false
+  files:
+    description: 'Comma-separated list of files to upload'
+    required: false
+  flags:
+    description: 'Flag upload to group coverage metrics (e.g. unittests | integration | ui,chrome)'
+    required: false
+  handle_no_reports_found:
+    description: 'Raise no exceptions when no coverage reports found'
+    required: false
+  job_code:
+    description: 'The job code'
     required: false
   name:
     description: 'User defined upload name. Visible in Codecov UI'
@@ -41,18 +59,36 @@ inputs:
   override_build:
     description: 'Specify the build number'
     required: false
+  override_build_url:
+    description: 'The URL of the build where this is running'
+    required: false
   override_commit:
     description: 'Specify the commit SHA'
     required: false
   override_pr:
     description: 'Specify the pull request number'
     required: false
+  plugin:
+    description: 'plugins to run. Options: xcode, gcov, pycoverage. The default behavior runs them all.'
+    required: false
+  plugins:
+    description: 'Comma-separated list of plugins for use during upload.'
+    required: false
+  report_code:
+    description: 'The code of the report. If unsure, do not include'
+    required: false
   root_dir:
     description: 'Used when not in git/hg project to identify project root directory'
     required: false
   slug:
     description: 'Specify the slug manually (Enterprise use)'
     required: false
+  url:
+    description: 'Specify the base url to upload (Enterprise use)'
+    required: false
+  use_legacy_upload_endpoint:
+    description: 'Use the legacy upload endpoint'
+    required: false
   verbose:
     description: 'Specify whether the Codecov output should be verbose'
     required: false
@@ -66,5 +102,5 @@ branding:
   color: 'red'
   icon: 'umbrella'
 runs:
-  using: 'node16'
+  using: 'node20'
   main: 'dist/index.js'

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codecov-action",
-  "version": "4.0.0-beta.2",
+  "version": "4.0.2",
   "description": "Upload coverage reports to Codecov from GitHub Actions",
   "main": "index.js",
   "scripts": {
@@ -25,21 +25,20 @@
   "dependencies": {
     "@actions/core": "^1.10.1",
     "@actions/exec": "^1.1.1",
-    "@actions/github": "^5.1.1",
+    "@actions/github": "^6.0.0",
-    "node-fetch": "^3.3.2",
+    "gpg": "^0.6.0",
-    "openpgp": "5.10"
+    "undici": "5.28.2"
   },
   "devDependencies": {
-    "@types/jest": "^29.5.4",
+    "@types/jest": "^29.5.12",
-    "@types/node": "^20.6.0",
+    "@typescript-eslint/eslint-plugin": "^7.0.0",
-    "@typescript-eslint/eslint-plugin": "^6.7.0",
+    "@typescript-eslint/parser": "^6.21.0",
-    "@typescript-eslint/parser": "^6.7.0",
+    "@vercel/ncc": "^0.38.1",
-    "@vercel/ncc": "^0.38.0",
+    "eslint": "^8.56.0",
-    "eslint": "^8.49.0",
     "eslint-config-google": "^0.14.0",
-    "jest": "^29.6.4",
+    "jest": "^29.7.0",
     "jest-junit": "^16.0.0",
-    "ts-jest": "^29.1.1",
+    "ts-jest": "^29.1.2",
-    "typescript": "^5.2.0"
+    "typescript": "^5.3.3"
   }
 }

src/buildExec.test.ts

@@ -12,6 +12,7 @@ const context = github.context;
 
 test('general args', () => {
   const envs = {
+    codecov_yml_path: 'dev/codecov.yml',
     url: 'https://codecov.enterprise.com',
     verbose: 't',
   };
@@ -23,6 +24,8 @@ test('general args', () => {
 
   expect(args).toEqual(
       expect.arrayContaining([
+        '--codecov-yml-path',
+        'dev/codecov.yml',
         '--enterprise-url',
         'https://codecov.enterprise.com',
         '-v',
@@ -50,24 +53,38 @@ test('upload args using context', () => {
 
 test('upload args', () => {
   const envs = {
+    'codecov_yml_path': 'dev/codecov.yml',
+    'commit_parent': 'fakeparentcommit',
     'directory': 'coverage/',
+    'disable_file_fixes': 'true',
+    'disable_search': 'true',
     'dry_run': 'true',
     'env_vars': 'OS,PYTHON',
+    'exclude': 'node_modules/',
     'fail_ci_if_error': 'true',
     'file': 'coverage.xml',
     'files': 'dir1/coverage.xml,dir2/coverage.xml',
     'flags': 'test,test2',
+    'handle_no_reports_found': 'true',
+    'job_code': '32',
     'name': 'codecov',
+    'os': 'macos',
     'override_branch': 'thomasrockhu/test',
     'override_build': '1',
+    'override_build_url': 'https://example.com/build/2',
     'override_commit': '9caabca5474b49de74ef5667deabaf74cdacc244',
     'override_pr': '2',
+    'plugin': 'xcode',
+    'plugins': 'pycoverage,compress-pycoverage',
+    'report_code': 'testCode',
     'root_dir': 'root/',
     'slug': 'fakeOwner/fakeRepo',
     'token': 'd3859757-ab80-4664-924d-aef22fa7557b',
+    'url': 'https://enterprise.example.com',
+    'use_legacy_upload_endpoint': 'true',
+    'verbose': 'true',
+    'version': '0.1.2',
     'working-directory': 'src',
-    'plugin': 'xcode',
-    'exclude': 'src',
   };
   for (const env of Object.keys(envs)) {
     process.env['INPUT_' + env.toUpperCase()] = envs[env];
@@ -75,11 +92,13 @@ test('upload args', () => {
 
   const {uploadExecArgs, uploadCommand} = buildUploadExec();
   const expectedArgs = [
-    '-n',
+    '--disable-file-fixes',
-    'codecov',
+    '--disable-search',
     '-d',
     '-e',
     'OS,PYTHON',
+    '--exclude',
+    'node_modules/',
     '-Z',
     '-f',
     'coverage.xml',
@@ -91,24 +110,36 @@ test('upload args', () => {
     'test',
     '-F',
     'test2',
+    '--handle-no-reports-found',
+    '--job-code',
+    '32',
+    '-n',
+    'codecov',
     '-B',
     'thomasrockhu/test',
     '-b',
     '1',
+    '--build-url',
+    'https://example.com/build/2',
     '-C',
     '9caabca5474b49de74ef5667deabaf74cdacc244',
     '-P',
     '2',
+    '--plugin',
+    'xcode',
+    '--plugin',
+    'pycoverage',
+    '--plugin',
+    'compress-pycoverage',
+    '--report-code',
+    'testCode',
     '--network-root-folder',
     'root/',
     '-s',
     'coverage/',
     '-r',
     'fakeOwner/fakeRepo',
-    '--plugin',
+    '--legacy',
-    'xcode',
-    '--exclude',
-    'src',
   ];
 
   expect(uploadExecArgs).toEqual(expectedArgs);
@@ -122,8 +153,10 @@ test('upload args', () => {
 test('report args', () => {
   const envs = {
     override_commit: '9caabca5474b49de74ef5667deabaf74cdacc244',
+    override_pr: 'fakePR',
     slug: 'fakeOwner/fakeRepo',
     token: 'd3859757-ab80-4664-924d-aef22fa7557b',
+    fail_ci_if_error: 'true',
   };
   for (const env of Object.keys(envs)) {
     process.env['INPUT_' + env.toUpperCase()] = envs[env];
@@ -131,13 +164,17 @@ test('report args', () => {
 
   const {reportExecArgs, reportCommand} = buildReportExec();
 
-  expect(reportExecArgs).toEqual(
+  const expectedArgs = [
-      expect.arrayContaining([
+    '-C',
-        '-C',
+    '9caabca5474b49de74ef5667deabaf74cdacc244',
-        '9caabca5474b49de74ef5667deabaf74cdacc244',
+    '-P',
-        '--slug',
+    'fakePR',
-        'fakeOwner/fakeRepo',
+    '--slug',
-      ]));
+    'fakeOwner/fakeRepo',
+    '-Z',
+  ];
+
+  expect(reportExecArgs).toEqual(expectedArgs);
   expect(reportCommand).toEqual('create-report');
   for (const env of Object.keys(envs)) {
     delete process.env['INPUT_' + env.toUpperCase()];
@@ -169,32 +206,34 @@ test('report args using context', () => {
 
 test('commit args', () => {
   const envs = {
+    commit_parent: '83231650328f11695dfb754ca0f540516f188d27',
+    override_branch: 'thomasrockhu/test',
     override_commit: '9caabca5474b49de74ef5667deabaf74cdacc244',
+    override_pr: '2',
     slug: 'fakeOwner/fakeRepo',
     token: 'd3859757-ab80-4664-924d-aef22fa7557b',
-    override_branch: 'thomasrockhu/test',
+    fail_ci_if_error: 'true',
-    override_pr: '2',
-    commit_parent: '83231650328f11695dfb754ca0f540516f188d27',
   };
   for (const env of Object.keys(envs)) {
     process.env['INPUT_' + env.toUpperCase()] = envs[env];
   }
 
   const {commitExecArgs, commitCommand} = buildCommitExec();
+  const expectedArgs = [
+    '--parent-sha',
+    '83231650328f11695dfb754ca0f540516f188d27',
+    '-B',
+    'thomasrockhu/test',
+    '-C',
+    '9caabca5474b49de74ef5667deabaf74cdacc244',
+    '--pr',
+    '2',
+    '--slug',
+    'fakeOwner/fakeRepo',
+    '-Z',
+  ];
 
-  expect(commitExecArgs).toEqual(
+  expect(commitExecArgs).toEqual(expectedArgs);
-      expect.arrayContaining([
-        '-C',
-        '9caabca5474b49de74ef5667deabaf74cdacc244',
-        '--slug',
-        'fakeOwner/fakeRepo',
-        '-B',
-        'thomasrockhu/test',
-        '--pr',
-        '2',
-        '--parent-sha',
-        '83231650328f11695dfb754ca0f540516f188d27',
-      ]));
   expect(commitCommand).toEqual('create-commit');
   for (const env of Object.keys(envs)) {
     delete process.env['INPUT_' + env.toUpperCase()];

src/buildExec.ts

@@ -25,7 +25,8 @@ const buildCommitExec = () => {
   const overridePr = core.getInput('override_pr');
   const slug = core.getInput('slug');
   const token = core.getInput('token');
-
+  const failCi = isTrue(core.getInput('fail_ci_if_error'));
+  const workingDir = core.getInput('working-directory');
 
   const commitCommand = 'create-commit';
   const commitExecArgs = [];
@@ -69,16 +70,26 @@ const buildCommitExec = () => {
   if (slug) {
     commitExecArgs.push('--slug', `${slug}`);
   }
+  if (failCi) {
+    commitExecArgs.push('-Z');
+  }
+  if (workingDir) {
+    commitOptions.cwd = workingDir;
+  }
 
 
   return {commitExecArgs, commitOptions, commitCommand};
 };
 
 const buildGeneralExec = () => {
+  const codecovYmlPath = core.getInput('codecov_yml_path');
   const url = core.getInput('url');
   const verbose = isTrue(core.getInput('verbose'));
   const args = [];
 
+  if (codecovYmlPath) {
+    args.push('--codecov-yml-path', `${codecovYmlPath}`);
+  }
   if (url) {
     args.push('--enterprise-url', `${url}`);
   }
@@ -90,8 +101,11 @@ const buildGeneralExec = () => {
 
 const buildReportExec = () => {
   const overrideCommit = core.getInput('override_commit');
+  const overridePr = core.getInput('override_pr');
   const slug = core.getInput('slug');
   const token = core.getInput('token');
+  const failCi = isTrue(core.getInput('fail_ci_if_error'));
+  const workingDir = core.getInput('working-directory');
 
 
   const reportCommand = 'create-report';
@@ -119,34 +133,57 @@ const buildReportExec = () => {
   ) {
     reportExecArgs.push('-C', `${context.payload.pull_request.head.sha}`);
   }
+  if (overridePr) {
+    reportExecArgs.push('-P', `${overridePr}`);
+  } else if (
+    `${context.eventName}` == 'pull_request_target'
+  ) {
+    reportExecArgs.push('-P', `${context.payload.number}`);
+  }
   if (slug) {
     reportExecArgs.push('--slug', `${slug}`);
   }
+  if (failCi) {
+    reportExecArgs.push('-Z');
+  }
+  if (workingDir) {
+    reportOptions.cwd = workingDir;
+  }
 
   return {reportExecArgs, reportOptions, reportCommand};
 };
 
 const buildUploadExec = () => {
-  const envVars = core.getInput('env_vars');
+  const disableFileFixes = isTrue(core.getInput('disable_file_fixes'));
+  const disableSearch = isTrue(core.getInput('disable_search'));
   const dryRun = isTrue(core.getInput('dry_run'));
+  const envVars = core.getInput('env_vars');
+  const exclude = core.getInput('exclude');
   const failCi = isTrue(core.getInput('fail_ci_if_error'));
   const file = core.getInput('file');
   const files = core.getInput('files');
   const flags = core.getInput('flags');
+  const handleNoReportsFound = isTrue(core.getInput('handle_no_reports_found'));
+  const jobCode = core.getInput('job_code');
   const name = core.getInput('name');
   const os = core.getInput('os');
   const overrideBranch = core.getInput('override_branch');
   const overrideBuild = core.getInput('override_build');
+  const overrideBuildUrl = core.getInput('override_build_url');
   const overrideCommit = core.getInput('override_commit');
   const overridePr = core.getInput('override_pr');
+  const plugin = core.getInput('plugin');
+  const plugins = core.getInput('plugins');
+  const reportCode = core.getInput('report_code');
   const rootDir = core.getInput('root_dir');
   const searchDir = core.getInput('directory');
   const slug = core.getInput('slug');
   const token = core.getInput('token');
   let uploaderVersion = core.getInput('version');
+  const useLegacyUploadEndpoint = isTrue(
+      core.getInput('use_legacy_upload_endpoint'),
+  );
   const workingDir = core.getInput('working-directory');
-  const plugin = core.getInput('plugin');
-  const exclude = core.getInput('exclude');
 
   const uploadExecArgs = [];
   const uploadCommand = 'do-upload';
@@ -168,21 +205,24 @@ const buildUploadExec = () => {
       envVarsArg.push(envVarClean);
     }
   }
-  if (name) {
-    uploadExecArgs.push(
-        '-n',
-        `${name}`,
-    );
-  }
   if (token) {
     uploadOptions.env.CODECOV_TOKEN = token;
   }
+  if (disableFileFixes) {
+    uploadExecArgs.push('--disable-file-fixes');
+  }
+  if (disableSearch) {
+    uploadExecArgs.push('--disable-search');
+  }
   if (dryRun) {
     uploadExecArgs.push('-d');
   }
   if (envVarsArg.length) {
     uploadExecArgs.push('-e', envVarsArg.join(','));
   }
+  if (exclude) {
+    uploadExecArgs.push('--exclude', `${exclude}`);
+  }
   if (failCi) {
     uploadExecArgs.push('-Z');
   }
@@ -199,12 +239,24 @@ const buildUploadExec = () => {
       uploadExecArgs.push('-F', `${f}`);
     });
   }
+  if (handleNoReportsFound) {
+    uploadExecArgs.push('--handle-no-reports-found');
+  }
+  if (jobCode) {
+    uploadExecArgs.push('--job-code', `${jobCode}`);
+  }
+  if (name) {
+    uploadExecArgs.push('-n', `${name}`);
+  }
   if (overrideBranch) {
     uploadExecArgs.push('-B', `${overrideBranch}`);
   }
   if (overrideBuild) {
     uploadExecArgs.push('-b', `${overrideBuild}`);
   }
+  if (overrideBuildUrl) {
+    uploadExecArgs.push('--build-url', `${overrideBuildUrl}`);
+  }
   if (overrideCommit) {
     uploadExecArgs.push('-C', `${overrideCommit}`);
   } else if (
@@ -220,6 +272,17 @@ const buildUploadExec = () => {
   ) {
     uploadExecArgs.push('-P', `${context.payload.number}`);
   }
+  if (plugin) {
+    uploadExecArgs.push('--plugin', `${plugin}`);
+  }
+  if (plugins) {
+    plugins.split(',').map((p) => p.trim()).forEach((p) => {
+      uploadExecArgs.push('--plugin', `${p}`);
+    });
+  }
+  if (reportCode) {
+    uploadExecArgs.push('--report-code', `${reportCode}`);
+  }
   if (rootDir) {
     uploadExecArgs.push('--network-root-folder', `${rootDir}`);
   }
@@ -232,16 +295,12 @@ const buildUploadExec = () => {
   if (workingDir) {
     uploadOptions.cwd = workingDir;
   }
-  if (plugin) {
-    uploadExecArgs.push('--plugin', `${plugin}`);
-  }
-  if (exclude) {
-    uploadExecArgs.push('--exclude', `${exclude}`);
-  }
-
   if (uploaderVersion == '') {
     uploaderVersion = 'latest';
   }
+  if (useLegacyUploadEndpoint) {
+    uploadExecArgs.push('--legacy');
+  }
 
   return {
     uploadExecArgs,

src/helpers.test.ts

@@ -43,6 +43,9 @@ test('getBaseUrl', () => {
     'https://cli.codecov.io/latest/linux/codecov',
     'https://cli.codecov.io/latest/macos/codecov',
     'https://cli.codecov.io/latest/windows/codecov.exe',
+    'https://cli.codecov.io/latest/alpine/codecov',
+    'https://cli.codecov.io/latest/linux-arm64/codecov',
+    'https://cli.codecov.io/latest/alpine-arm64/codecov',
   ]);
 
   expect(PLATFORMS.map((platform) => {
@@ -51,19 +54,22 @@ test('getBaseUrl', () => {
     'https://cli.codecov.io/v0.1.0_8880/linux/codecov',
     'https://cli.codecov.io/v0.1.0_8880/macos/codecov',
     'https://cli.codecov.io/v0.1.0_8880/windows/codecov.exe',
+    'https://cli.codecov.io/v0.1.0_8880/alpine/codecov',
+    'https://cli.codecov.io/v0.1.0_8880/linux-arm64/codecov',
+    'https://cli.codecov.io/v0.1.0_8880/alpine-arm64/codecov',
   ]);
 });
 
 test('isWindows', () => {
   expect(PLATFORMS.map((platform) => {
     return isWindows(platform);
-  })).toEqual([false, false, true]);
+  })).toEqual([false, false, true, false, false, false]);
 });
 
 test('isValidPlatform', () => {
   expect(PLATFORMS.map((platform) => {
     return isValidPlatform(platform);
-  })).toEqual([true, true, true]);
+  })).toEqual([true, true, true, true, true, true]);
 
   expect(isValidPlatform('fakeos')).toBeFalsy();
 });

src/helpers.ts

@@ -4,6 +4,9 @@ const PLATFORMS = [
   'linux',
   'macos',
   'windows',
+  'alpine',
+  'linux-arm64',
+  'alpine-arm64',
 ];
 
 const setFailure = (message: string, failCi: boolean): void => {

src/validate.ts

@@ -1,10 +1,10 @@
 import * as crypto from 'crypto';
 import * as fs from 'fs';
+import * as gpg from 'gpg';
 import * as path from 'path';
 
 import * as core from '@actions/core';
-import * as openpgp from 'openpgp';
+import {request} from 'undici';
-import * as fetch from 'node-fetch';
 
 import {
   getBaseUrl,
@@ -22,68 +22,90 @@ const verify = async (
   try {
     const uploaderName = getUploaderName(platform);
 
-    // Read in public key
-    const publicKeyArmored = await fs.readFileSync(
-        path.join(__dirname, 'pgp_keys.asc'),
-        'utf-8',
-    );
-
     // Get SHASUM and SHASUM signature files
     console.log(`${getBaseUrl(platform, version)}.SHA256SUM`);
-    const shasumRes = await fetch.default(
+    const shasumRes = await request(
         `${getBaseUrl(platform, version)}.SHA256SUM`,
     );
-    const shasum = await shasumRes.text();
+    const shasum = await shasumRes.body.text();
     if (verbose) {
       console.log(`Received SHA256SUM ${shasum}`);
     }
+    await fs.writeFileSync(
+        path.join(__dirname, `${uploaderName}.SHA256SUM`),
+        shasum,
+    );
 
-    const shaSigRes = await fetch.default(
+    const shaSigRes = await request(
         `${getBaseUrl(platform, version)}.SHA256SUM.sig`,
     );
-    const shaSig = await shaSigRes.text();
+    const shaSig = await shaSigRes.body.text();
     if (verbose) {
       console.log(`Received SHA256SUM signature ${shaSig}`);
     }
+    await fs.writeFileSync(
+        path.join(__dirname, `${uploaderName}.SHA256SUM.sig`),
+        shaSig,
+    );
 
-    // Verify shasum
+    const validateSha = async () => {
-    const verified = await openpgp.verify({
+      const calculateHash = async (filename: string) => {
-      message: await openpgp.createMessage({text: shasum}),
+        const stream = fs.createReadStream(filename);
-      signature: await openpgp.readSignature({armoredSignature: shaSig}),
+        const uploaderSha = crypto.createHash(`sha256`);
-      verificationKeys: await openpgp.readKeys({armoredKeys: publicKeyArmored}),
+        stream.pipe(uploaderSha);
-    });
+
-    const valid = await verified.signatures[0].verified;
+        return new Promise((resolve, reject) => {
-    if (valid) {
+          stream.on('end', () => resolve(
-      core.info('==> SHASUM file signed by key id ' +
+              `${uploaderSha.digest('hex')}  ${uploaderName}`,
-          verified.signatures[0].keyID.toHex(),
+          ));
+          stream.on('error', reject);
+        });
+      };
+
+      const hash = await calculateHash(
+          path.join(__dirname, `${uploaderName}`),
       );
-    } else {
+      if (hash === shasum) {
-      setFailure('Codecov: Error validating SHASUM signature', failCi);
+        core.info(`==> Uploader SHASUM verified (${hash})`);
-    }
+      } else {
+        setFailure(
+            'Codecov: Uploader shasum does not match -- ' +
+              `uploader hash: ${hash}, public hash: ${shasum}`,
+            failCi,
+        );
+      }
+    };
 
-    const calculateHash = async (filename: string) => {
+    const verifySignature = () => {
-      const stream = fs.createReadStream(filename);
+      gpg.call('', [
-      const uploaderSha = crypto.createHash(`sha256`);
+        '--logger-fd',
-      stream.pipe(uploaderSha);
+        '1',
-
+        '--verify',
-      return new Promise((resolve, reject) => {
+        path.join(__dirname, `${uploaderName}.SHA256SUM.sig`),
-        stream.on('end', () => resolve(
+        path.join(__dirname, `${uploaderName}.SHA256SUM`),
-            `${uploaderSha.digest('hex')}  ${uploaderName}`,
+      ], async (err, verifyResult) => {
-        ));
+        if (err) {
-        stream.on('error', reject);
+          setFailure('Codecov: Error importing pgp key', failCi);
+        }
+        core.info(verifyResult);
+        await validateSha();
       });
     };
 
-    const hash = await calculateHash(filename);
+    // Import gpg key
-    if (hash === shasum) {
+    gpg.call('', [
-      core.info(`==> Uploader SHASUM verified (${hash})`);
+      '--logger-fd',
-    } else {
+      '1',
-      setFailure(
+      '--no-default-keyring',
-          'Codecov: Uploader shasum does not match -- ' +
+      '--import',
-            `uploader hash: ${hash}, public hash: ${shasum}`,
+      path.join(__dirname, 'pgp_keys.asc'),
-          failCi,
+    ], async (err, importResult) => {
-      );
+      if (err) {
-    }
+        setFailure('Codecov: Error importing pgp key', failCi);
+      }
+      core.info(importResult);
+      verifySignature();
+    });
   } catch (err) {
     setFailure(`Codecov: Error validating uploader: ${err.message}`, failCi);
   }

src/version.ts

@@ -1,5 +1,5 @@
 import * as core from '@actions/core';
-import * as fetch from 'node-fetch';
+import {request} from 'undici';
 
 const versionInfo = async (
     platform: string,
@@ -10,10 +10,10 @@ const versionInfo = async (
   }
 
   try {
-    const metadataRes = await fetch.default( `https://uploader.codecov.io/${platform}/latest`, {
+    const metadataRes = await request(`https://cli.codecov.io/${platform}/latest`, {
       headers: {'Accept': 'application/json'},
     });
-    const metadata = await metadataRes.json();
+    const metadata = await metadataRes.body.json();
     core.info(`==> Running version ${metadata['version']}`);
   } catch (err) {
     core.info(`Could not pull latest version information: ${err}`);