chore(release):4.6.0 (#1587)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.7 to 4.2.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4.1.7...v4.2.0)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.eslintrc.json

@@ -17,6 +17,7 @@
         "@typescript-eslint"
     ],
     "rules": {
+        "max-len": ["error", { "code": 120 }],
         "linebreak-style": 0
     }
 }

.github/workflows/codeql-analysis.yml

@@ -12,10 +12,10 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [ master ]
+    branches: [ main ]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ master ]
+    branches: [ main ]
   schedule:
     - cron: '24 6 * * 5'
 
@@ -37,11 +37,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4.1.1
+      uses: actions/checkout@v4.2.0
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3.24.5
+      uses: github/codeql-action/init@v3.26.9
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -52,7 +52,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v3.24.5
+      uses: github/codeql-action/autobuild@v3.26.9
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -66,4 +66,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3.24.5
+      uses: github/codeql-action/analyze@v3.26.9

.github/workflows/enforce-license-compliance.yml

@@ -2,7 +2,7 @@ name: Enforce License Compliance
 
 on:
   pull_request:
-    branches: [main, master]
+    branches: [main]
 
 jobs:
   enforce-license-compliance:

.github/workflows/main.yml

@@ -5,10 +5,10 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        os: [macos-latest, windows-latest, ubuntu-latest, macos-latest-xlarge]
+        os: [macos-latest, windows-latest, ubuntu-latest]
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v4.2.0
       - name: Install dependencies
         run: npm install
       - name: Lint
@@ -18,6 +18,7 @@ jobs:
       - name: Upload coverage to Codecov (script)
         uses: ./
         with:
+          fail_ci_if_error: true
           files: ./coverage/script/coverage-final.json
           flags: script,${{ matrix.os }}
           name: codecov-script
@@ -26,6 +27,7 @@ jobs:
       - name: Upload coverage to Codecov (demo)
         uses: ./
         with:
+          fail_ci_if_error: true
           files: ./coverage/calculator/coverage-final.json,./coverage/coverage-test/coverage-final.json
           file: ./coverage/coverage-final.json
           flags: demo,${{ matrix.os }}
@@ -35,11 +37,55 @@ jobs:
       - name: Upload coverage to Codecov (version)
         uses: ./
         with:
+          fail_ci_if_error: true
           files: ./coverage/calculator/coverage-final.json,./coverage/coverage-test/coverage-final.json
           file: ./coverage/coverage-final.json
           flags: version,${{ matrix.os }}
           name: codecov-version
-          version: v0.2.0
+          version: v0.7.3
+          verbose: true
+          token: ${{ secrets.CODECOV_TOKEN }}
+
+  run-macos-latest-xlarge:
+    if: github.head.repo.full_name == 'codecov/codecov-action'
+    runs-on: macos-latest-xlarge
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4.2.0
+      - name: Install dependencies
+        run: npm install
+      - name: Lint
+        run: npm run lint
+      - name: Run tests and collect coverage
+        run: npm run test
+      - name: Upload coverage to Codecov (script)
+        uses: ./
+        with:
+          fail_ci_if_error: true
+          files: ./coverage/script/coverage-final.json
+          flags: script,macos-latest-xlarge
+          name: codecov-script
+          verbose: true
+          token: ${{ secrets.CODECOV_TOKEN }}
+      - name: Upload coverage to Codecov (demo)
+        uses: ./
+        with:
+          fail_ci_if_error: true
+          files: ./coverage/calculator/coverage-final.json,./coverage/coverage-test/coverage-final.json
+          file: ./coverage/coverage-final.json
+          flags: demo,macos-latest-xlarge
+          name: codecov-demo
+          verbose: true
+          token: ${{ secrets.CODECOV_TOKEN }}
+      - name: Upload coverage to Codecov (version)
+        uses: ./
+        with:
+          fail_ci_if_error: true
+          files: ./coverage/calculator/coverage-final.json,./coverage/coverage-test/coverage-final.json
+          file: ./coverage/coverage-final.json
+          flags: version,maxos-latest-xlarge
+          name: codecov-version
+          version: v0.6.0
           verbose: true
           token: ${{ secrets.CODECOV_TOKEN }}
 
@@ -48,7 +94,7 @@ jobs:
     container: node:18
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@v4.2.0
       - name: Install dependencies
         run: npm install
       - name: Lint
@@ -79,6 +125,6 @@ jobs:
           file: ./coverage/coverage-final.json
           flags: version,${{ matrix.os }}
           name: codecov-version
-          version: v0.2.0
+          version: v0.6.0
           verbose: true
           token: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/scorecards-analysis.yml

@@ -5,13 +5,14 @@ on:
   schedule:
     - cron: '43 20 * * 1'
   push:
-    branches: [ master ]
+    branches: [ main ]
 
 # Declare default permissions as read only.
 permissions: read-all
 
 jobs:
   analysis:
+    if: github.repository == 'codecov/codecov-action'
     name: Scorecards analysis
     runs-on: ubuntu-latest
     permissions:
@@ -21,15 +22,15 @@ jobs:
       id-token: write
       actions: read
       contents: read
-    
+
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v4.1.1 # v3.0.0
+        uses: actions/checkout@v4.2.0 # v3.0.0
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
         with:
           results_file: results.sarif
           results_format: sarif
@@ -40,22 +41,22 @@ jobs:
           # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
 
           # Publish the results for public repositories to enable scorecard badges. For more details, see
-          # https://github.com/ossf/scorecard-action#publishing-results. 
-          # For private repositories, `publish_results` will automatically be set to `false`, regardless 
+          # https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories, `publish_results` will automatically be set to `false`, regardless
           # of the value entered here.
           publish_results: true
 
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
-      
+
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v3.24.5 # v1.0.26
+        uses: github/codeql-action/upload-sarif@v3.26.9 # v1.0.26
         with:
           sarif_file: results.sarif

README.md

@@ -9,7 +9,7 @@
 `v4` of the Codecov GitHub Action will use the [Codecov CLI](https://github.com/codecov/codecov-cli) to upload coverage reports to Codecov.
 
 ### Breaking Changes
-- Tokenless uploading is unsupported. However, PRs made from forks to the upstream public repos will support tokenless (e.g. contributors to OS projects do not need the upstream repo's Codecov token)
+- Tokenless uploading is unsupported. However, PRs made from forks to the upstream public repos will support tokenless (e.g. contributors to OSS projects do not need the upstream repo's Codecov token). For details, [see our docs](https://docs.codecov.com/docs/codecov-uploader#supporting-token-less-uploads-for-forks-of-open-source-repos-using-codecov)
 - Various arguments to the Action have been removed
 
 ### Dependabot
@@ -35,7 +35,7 @@ Inside your `.github/workflows/workflow.yml` file:
 
 ```yaml
 steps:
-- uses: actions/checkout@master
+- uses: actions/checkout@main
 - uses: codecov/codecov-action@v4
   with:
     fail_ci_if_error: true # optional (default = false)
@@ -50,7 +50,7 @@ The Codecov token can also be passed in via environment variables:
 
 ```yaml
 steps:
-- uses: actions/checkout@master
+- uses: actions/checkout@main
 - uses: codecov/codecov-action@v4
   with:
     fail_ci_if_error: true # optional (default = false)
@@ -64,44 +64,56 @@ steps:
 > [!NOTE]
 > This assumes that you've set your Codecov token inside *Settings > Secrets* as `CODECOV_TOKEN`. If not, you can [get an upload token](https://docs.codecov.io/docs/frequently-asked-questions#section-where-is-the-repository-upload-token-found-) for your specific repo on [codecov.io](https://www.codecov.io). Keep in mind that secrets are *not* available to forks of repositories.
 
+### Using OIDC
+For users with [OpenID Connect(OIDC) enabled](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect), the Codecov token is not necessary. You can use OIDC with the `use_oidc` argument as following.
+
+```yaml
+- uses: codecov/codecov-action@v4
+  with:
+    use_oidc: true
+```
+
+Any token supplied will be ignored, as Codecov will default to the OIDC token for verification.
+
 ## Arguments
 
 Codecov's Action supports inputs from the user. These inputs, along with their descriptions and usage contexts, are listed in the table below:
 
 | Input  | Description | Required |
 | :---       |     :---     |    :---:   |
-| `token` | Repository Codecov token. Used to authorize report uploads | *Required 
-| `codecov_yml_path` | Specify the path to the Codecov YML | Optional 
-| `commit_parent` | Override to specify the parent commit SHA | Optional 
-| `directory` | Directory to search for coverage reports. | Optional 
-| `disable_search` | Disable search for coverage files. This is helpful when specifying what files you want to upload with the --file option. | Optional 
-| `disable_file_fixes` | Disable file fixes to ignore common lines from coverage (e.g. blank lines or empty brackets) | Optional 
-| `dry_run` | Don't upload files to Codecov | Optional 
-| `env_vars` | Environment variables to tag the upload with (e.g. PYTHON \| OS,PYTHON) | Optional 
-| `exclude` | Folders to exclude from search | Optional 
-| `fail_ci_if_error` | Specify whether or not CI build should fail if Codecov runs into an error during upload | Optional 
-| `file` | Path to coverage file to upload | Optional 
-| `files` | Comma-separated list of files to upload | Optional 
-| `flags` | Flag upload to group coverage metrics (e.g. unittests \| integration \| ui,chrome) | Optional 
-| `handle_no_reports_found` | Raise no exceptions when no coverage reports found | Optional 
-| `job_code` | The job code | Optional 
-| `name` | User defined upload name. Visible in Codecov UI | Optional 
-| `os` | Override the assumed OS. Options are linux \| macos \| windows \| . | Optional 
-| `override_branch` | Specify the branch name | Optional 
-| `override_build` | Specify the build number | Optional 
-| `override_build_url` | The URL of the build where this is running | Optional 
-| `override_commit` | Specify the commit SHA | Optional 
-| `override_pr` | Specify the pull request number | Optional 
-| `plugin` | plugins to run. Options: xcode, gcov, pycoverage. The default behavior runs them all. | Optional 
-| `plugins` | Comma-separated list of plugins for use during upload. | Optional 
-| `report_code` | The code of the report. If unsure, do not include | Optional 
-| `root_dir` | Used when not in git/hg project to identify project root directory | Optional 
-| `slug` | Specify the slug manually (Enterprise use) | Optional 
-| `url` | Specify the base url to upload (Enterprise use) | Optional 
-| `use_legacy_upload_endpoint` | Use the legacy upload endpoint | Optional 
-| `verbose` | Specify whether the Codecov output should be verbose | Optional 
-| `version` | Specify which version of the Codecov CLI should be used. Defaults to `latest` | Optional 
-| `working-directory` | Directory in which to execute codecov.sh | Optional 
+| `token` | Repository Codecov token. Used to authorize report uploads | *Required
+| `codecov_yml_path` | Specify the path to the Codecov YML | Optional
+| `commit_parent` | Override to specify the parent commit SHA | Optional
+| `directory` | Directory to search for coverage reports. | Optional
+| `disable_search` | Disable search for coverage files. This is helpful when specifying what files you want to upload with the --file option. | Optional
+| `disable_file_fixes` | Disable file fixes to ignore common lines from coverage (e.g. blank lines or empty brackets) | Optional
+| `dry_run` | Don't upload files to Codecov | Optional
+| `env_vars` | Environment variables to tag the upload with (e.g. PYTHON \| OS,PYTHON) | Optional
+| `exclude` | Folders to exclude from search | Optional
+| `fail_ci_if_error` | Specify whether or not CI build should fail if Codecov runs into an error during upload | Optional
+| `file` | Path to coverage file to upload | Optional
+| `files` | Comma-separated list of files to upload | Optional
+| `flags` | Flag upload to group coverage metrics (e.g. unittests \| integration \| ui,chrome) | Optional
+| `handle_no_reports_found` | Raise no exceptions when no coverage reports found | Optional
+| `job_code` | The job code | Optional
+| `name` | User defined upload name. Visible in Codecov UI | Optional
+| `os` | Override the assumed OS. Options are linux \| macos \| windows \| . | Optional
+| `override_branch` | Specify the branch name | Optional
+| `override_build` | Specify the build number | Optional
+| `override_build_url` | The URL of the build where this is running | Optional
+| `override_commit` | Specify the commit SHA | Optional
+| `override_pr` | Specify the pull request number | Optional
+| `plugin` | plugins to run. Options: xcode, gcov, pycoverage. The default behavior runs them all. | Optional
+| `plugins` | Comma-separated list of plugins for use during upload. | Optional
+| `report_code` | The code of the report. If unsure, do not include | Optional
+| `root_dir` | Used to specify the location of your   .git   root to identify project root directory | Optional
+| `slug` | Specify the slug manually (Enterprise use) | Optional
+| `url` | Specify the base url to upload (Enterprise use) | Optional
+| `use_legacy_upload_endpoint` | Use the legacy upload endpoint | Optional
+| `use_oidc` | Use OpenID Connect for verification instead of token. This will ignore any token supplied. Please see [GitHub documentation](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect) for details.
+| `verbose` | Specify whether the Codecov output should be verbose | Optional
+| `version` | Specify which version of the Codecov CLI should be used. Defaults to `latest` | Optional
+| `working-directory` | Directory in which to execute codecov.sh | Optional
 
 ### Example `workflow.yml` with Codecov Action
 
@@ -118,9 +130,9 @@ jobs:
       OS: ${{ matrix.os }}
       PYTHON: '3.10'
     steps:
-    - uses: actions/checkout@master
+    - uses: actions/checkout@main
     - name: Setup Python
-      uses: actions/setup-python@master
+      uses: actions/setup-python@main
       with:
         python-version: 3.10
     - name: Generate coverage report

action.yml

@@ -56,6 +56,12 @@ inputs:
   name:
     description: 'User defined upload name. Visible in Codecov UI'
     required: false
+  network_filter:
+    description: 'Specify a filter on the files listed in the network section of the Codecov report. This will only add files whose path begin with the specified filter. Useful for upload-specific path fixing'
+    required: false
+  network_prefix:
+    description: 'Specify a prefix on files listed in the network section of the Codecov report. Useful to help resolve path fixing'
+    required: false
   os:
     description: 'Override the assumed OS. Options are linux | macos | windows.'
     required: false
@@ -95,6 +101,9 @@ inputs:
   use_legacy_upload_endpoint:
     description: 'Use the legacy upload endpoint'
     required: false
+  use_oidc:
+    description: 'Use OIDC instead of token. This will ignore any token supplied'
+    required: false
   verbose:
     description: 'Specify whether the Codecov output should be verbose'
     required: false

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codecov-action",
-  "version": "4.1.0",
+  "version": "4.6.0",
   "description": "Upload coverage reports to Codecov from GitHub Actions",
   "main": "index.js",
   "scripts": {
@@ -26,19 +26,19 @@
     "@actions/core": "^1.10.1",
     "@actions/exec": "^1.1.1",
     "@actions/github": "^6.0.0",
-    "gpg": "^0.6.0",
-    "undici": "5.28.2"
+    "undici": "5.28.4"
   },
   "devDependencies": {
-    "@types/jest": "^29.5.12",
-    "@typescript-eslint/eslint-plugin": "^7.0.0",
-    "@typescript-eslint/parser": "^6.21.0",
-    "@vercel/ncc": "^0.38.1",
-    "eslint": "^8.57.0",
+    "@octokit/webhooks-types": "^7.5.1",
+    "@types/jest": "^29.5.13",
+    "@typescript-eslint/eslint-plugin": "^8.8.0",
+    "@typescript-eslint/parser": "^8.8.0",
+    "@vercel/ncc": "^0.38.2",
+    "eslint": "^8.57.1",
     "eslint-config-google": "^0.14.0",
     "jest": "^29.7.0",
     "jest-junit": "^16.0.0",
-    "ts-jest": "^29.1.2",
-    "typescript": "^5.3.3"
+    "ts-jest": "^29.2.5",
+    "typescript": "^5.6.2"
   }
 }

src/buildExec.test.ts

@@ -5,12 +5,23 @@ import {
   buildGeneralExec,
   buildReportExec,
   buildUploadExec,
+  getToken,
 } from './buildExec';
 
-
 const context = github.context;
 
-test('general args', () => {
+let OLDOS = process.env.RUNNER_OS;
+
+beforeEach(() => {
+  jest.resetModules();
+  OLDOS = process.env.RUNNER_OS;
+});
+
+afterAll(() => {
+  process.env.RUNNER_OS = OLDOS;
+});
+
+test('general args', async () => {
   const envs = {
     codecov_yml_path: 'dev/codecov.yml',
     url: 'https://codecov.enterprise.com',
@@ -20,7 +31,7 @@ test('general args', () => {
     process.env['INPUT_' + env.toUpperCase()] = envs[env];
   }
 
-  const {args, verbose} = buildGeneralExec();
+  const {args, verbose} = await buildGeneralExec();
 
   expect(args).toEqual(
       expect.arrayContaining([
@@ -36,15 +47,14 @@ test('general args', () => {
   }
 });
 
-
-test('upload args using context', () => {
+test('upload args using context', async () => {
   const expectedArgs = [
     '--git-service',
     'github',
   ];
-  const {uploadExecArgs, uploadCommand} = buildUploadExec();
+  const {uploadExecArgs, uploadCommand} = await buildUploadExec();
   if (context.eventName == 'pull_request') {
-    expectedArgs.push('-C', `${context.payload.pull_request.head.sha}`);
+    expectedArgs.push('-C', `${context.payload.pull_request?.head.sha}`);
   }
   if (context.eventName == 'pull_request_target') {
     expectedArgs.push('-P', `${context.payload.number}`);
@@ -54,7 +64,7 @@ test('upload args using context', () => {
   expect(uploadCommand).toEqual('do-upload');
 });
 
-test('upload args', () => {
+test('upload args', async () => {
   const envs = {
     'codecov_yml_path': 'dev/codecov.yml',
     'commit_parent': 'fakeparentcommit',
@@ -66,7 +76,7 @@ test('upload args', () => {
     'exclude': 'node_modules/',
     'fail_ci_if_error': 'true',
     'file': 'coverage.xml',
-    'files': 'dir1/coverage.xml,dir2/coverage.xml',
+    'files': 'dir1/coverage.xml,dir2/coverage.xml,',
     'flags': 'test,test2',
     'git_service': 'github_enterprise',
     'handle_no_reports_found': 'true',
@@ -78,6 +88,8 @@ test('upload args', () => {
     'override_build_url': 'https://example.com/build/2',
     'override_commit': '9caabca5474b49de74ef5667deabaf74cdacc244',
     'override_pr': '2',
+    'network_filter': 'subA/',
+    'network_prefix': 'forA/',
     'plugin': 'xcode',
     'plugins': 'pycoverage,compress-pycoverage',
     'report_code': 'testCode',
@@ -94,7 +106,7 @@ test('upload args', () => {
     process.env['INPUT_' + env.toUpperCase()] = envs[env];
   }
 
-  const {uploadExecArgs, uploadCommand} = buildUploadExec();
+  const {uploadExecArgs, uploadCommand} = await buildUploadExec();
   const expectedArgs = [
     '--disable-file-fixes',
     '--disable-search',
@@ -121,6 +133,10 @@ test('upload args', () => {
     '32',
     '-n',
     'codecov',
+    '--network-filter',
+    'subA/',
+    '--network-prefix',
+    'forA/',
     '-B',
     'thomasrockhu/test',
     '-b',
@@ -156,7 +172,7 @@ test('upload args', () => {
 });
 
 
-test('report args', () => {
+test('report args', async () => {
   const envs = {
     git_service: 'github_enterprise',
     override_commit: '9caabca5474b49de74ef5667deabaf74cdacc244',
@@ -169,7 +185,7 @@ test('report args', () => {
     process.env['INPUT_' + env.toUpperCase()] = envs[env];
   }
 
-  const {reportExecArgs, reportCommand} = buildReportExec();
+  const {reportExecArgs, reportCommand} = await buildReportExec();
 
   const expectedArgs = [
     '--git-service',
@@ -191,22 +207,22 @@ test('report args', () => {
 });
 
 
-test('report args using context', () => {
+test('report args using context', async () => {
   const envs = {
     token: 'd3859757-ab80-4664-924d-aef22fa7557b',
   };
   for (const env of Object.keys(envs)) {
     process.env['INPUT_' + env.toUpperCase()] = envs[env];
   }
-  const expectedArgs : string[] = [
+  const expectedArgs: string[] = [
     '--git-service',
     'github',
   ];
   if (context.eventName == 'pull_request') {
-    expectedArgs.push('-C', `${context.payload.pull_request.head.sha}`);
+    expectedArgs.push('-C', `${context.payload.pull_request?.head.sha}`);
   }
 
-  const {reportExecArgs, reportCommand} = buildReportExec();
+  const {reportExecArgs, reportCommand} = await buildReportExec();
 
   expect(reportExecArgs).toEqual(expectedArgs);
   expect(reportCommand).toEqual('create-report');
@@ -216,7 +232,7 @@ test('report args using context', () => {
 });
 
 
-test('commit args', () => {
+test('commit args', async () => {
   const envs = {
     git_service: 'github_enterprise',
     commit_parent: '83231650328f11695dfb754ca0f540516f188d27',
@@ -231,7 +247,7 @@ test('commit args', () => {
     process.env['INPUT_' + env.toUpperCase()] = envs[env];
   }
 
-  const {commitExecArgs, commitCommand} = buildCommitExec();
+  const {commitExecArgs, commitCommand} = await buildCommitExec();
   const expectedArgs = [
     '--parent-sha',
     '83231650328f11695dfb754ca0f540516f188d27',
@@ -255,15 +271,21 @@ test('commit args', () => {
   }
 });
 
-test('commit args using context', () => {
-  const expectedArgs :string[] = [
+test('commit args using context', async () => {
+  const expectedArgs: string[] = [
     '--git-service',
     'github',
   ];
 
-  const {commitExecArgs, commitCommand} = buildCommitExec();
+  const {commitExecArgs, commitCommand} = await buildCommitExec();
+  if (
+    (context.eventName == 'pull_request' || context.eventName == 'pull_request_target') &&
+    context.payload.pull_request?.base.label.split(':')[0] != context.payload.pull_request?.head.label.split(':')[0]
+  ) {
+    expectedArgs.push('-B', `${context.payload.pull_request?.head.label}`);
+  }
   if (context.eventName == 'pull_request') {
-    expectedArgs.push('-C', `${context.payload.pull_request.head.sha}`);
+    expectedArgs.push('-C', `${context.payload.pull_request?.head.sha}`);
   }
   if (context.eventName == 'pull_request_target') {
     expectedArgs.push('-P', `${context.payload.number}`);
@@ -272,3 +294,75 @@ test('commit args using context', () => {
   expect(commitExecArgs).toEqual(expectedArgs);
   expect(commitCommand).toEqual('create-commit');
 });
+
+test('commit args using github server url', async () => {
+  const expectedArgs: string[] = [
+    '--git-service',
+    'github_enterprise',
+  ];
+
+  process.env.GITHUB_SERVER_URL = 'https://example.com';
+
+  const {commitExecArgs, commitCommand} = await buildCommitExec();
+  if (
+    (context.eventName == 'pull_request' || context.eventName == 'pull_request_target') &&
+    context.payload.pull_request?.base.label.split(':')[0] != context.payload.pull_request?.head.label.split(':')[0]
+  ) {
+    expectedArgs.push('-B', `${context.payload.pull_request?.head.label}`);
+  }
+  if (context.eventName == 'pull_request') {
+    expectedArgs.push('-C', `${context.payload.pull_request?.head.sha}`);
+  }
+  if (context.eventName == 'pull_request_target') {
+    expectedArgs.push('-P', `${context.payload.number}`);
+  }
+  expect(commitExecArgs).toEqual(expectedArgs);
+  expect(commitCommand).toEqual('create-commit');
+});
+
+test('build commit args when token arg is unset and from fork', async () => {
+  context.eventName = 'pull_request';
+  context.payload.pull_request = {
+    'number': 1,
+    'base': {
+      'label': 'hello:main',
+    },
+    'head': {
+      'label': 'world:feat',
+      'sha': 'aaaaaa',
+    },
+  };
+
+  const expectedArgs: string[] = [
+    '--git-service',
+    'github_enterprise',
+    '-B',
+    'world:feat',
+    '-C',
+    `${context.payload.pull_request?.head.sha}`,
+  ];
+
+  const {commitExecArgs, commitCommand} = await buildCommitExec();
+
+  expect(commitExecArgs).toEqual(expectedArgs);
+  expect(commitCommand).toEqual('create-commit');
+});
+
+test('get token when token arg is unset and from fork', async () => {
+  context.eventName = 'pull_request';
+  context.payload.pull_request = {
+    'number': 1,
+    'base': {
+      'label': 'hello:main',
+    },
+    'head': {
+      'label': 'world:feat',
+      'sha': 'aaaaaa',
+    },
+  };
+
+
+  const token = await getToken();
+
+  expect(token).toEqual('');
+});

src/buildExec.ts

@@ -2,11 +2,13 @@
 
 import * as core from '@actions/core';
 import * as github from '@actions/github';
+import {type PullRequestEvent} from '@octokit/webhooks-types';
 
+import {setFailure} from './helpers';
 
 const context = github.context;
 
-const isTrue = (variable) => {
+const isTrue = (variable: string): boolean => {
   const lowercase = variable.toLowerCase();
   return (
     lowercase === '1' ||
@@ -17,22 +19,81 @@ const isTrue = (variable) => {
   );
 };
 
+const getGitService = (): string => {
+  const overrideGitService = core.getInput('git_service');
+  const serverUrl = process.env.GITHUB_SERVER_URL;
+  if (overrideGitService) {
+    return overrideGitService;
+  } else if (serverUrl !== undefined && serverUrl !== 'https://github.com') {
+    return 'github_enterprise';
+  }
+  return 'github';
+};
 
-const buildCommitExec = () => {
+const isPullRequestFromFork = (): boolean => {
+  core.info(`eventName: ${context.eventName}`);
+  if (!['pull_request', 'pull_request_target'].includes(context.eventName)) {
+    return false;
+  }
+
+  const baseLabel = context.payload.pull_request.base.label;
+  const headLabel = context.payload.pull_request.head.label;
+
+  core.info(`baseRef: ${baseLabel} | headRef: ${headLabel}`);
+  return baseLabel.split(':')[0] !== headLabel.split(':')[0];
+};
+
+const getToken = async (): Promise<string> => {
+  let token = core.getInput('token');
+  let url = core.getInput('url');
+  const useOIDC = isTrue(core.getInput('use_oidc'));
+  if (useOIDC) {
+    if (!url) {
+      url = 'https://codecov.io';
+    }
+    try {
+      token = await core.getIDToken(url);
+      return Promise.resolve(token);
+    } catch (err) {
+      setFailure(
+          `Codecov: Failed to get OIDC token with url: ${url}. ${err.message}`,
+          true,
+      );
+    }
+  }
+  return token;
+};
+
+const getOverrideBranch = (token: string): string => {
+  let overrideBranch = core.getInput('override_branch');
+  if (!overrideBranch && !token && isPullRequestFromFork()) {
+    core.info('==> Fork detected, tokenless uploading used');
+    // backwards compatibility with certain versions of the CLI that expect this
+    process.env['TOKENLESS'] = context.payload.pull_request.head.label;
+    overrideBranch =context.payload.pull_request.head.label;
+  }
+  return overrideBranch;
+};
+
+const buildCommitExec = async (): Promise<{
+  commitExecArgs: any[];
+  commitOptions: any;
+  commitCommand: string;
+}> => {
   const commitParent = core.getInput('commit_parent');
-  const gitService = core.getInput('git_service');
-  const overrideBranch = core.getInput('override_branch');
+  const gitService = getGitService();
   const overrideCommit = core.getInput('override_commit');
   const overridePr = core.getInput('override_pr');
   const slug = core.getInput('slug');
-  const token = core.getInput('token');
+  const token = await getToken();
+  const overrideBranch = getOverrideBranch(token);
   const failCi = isTrue(core.getInput('fail_ci_if_error'));
   const workingDir = core.getInput('working-directory');
 
   const commitCommand = 'create-commit';
-  const commitExecArgs = [];
+  const commitExecArgs: string[] = [];
 
-  const commitOptions:any = {};
+  const commitOptions: any = {};
   commitOptions.env = Object.assign(process.env, {
     GITHUB_ACTION: process.env.GITHUB_ACTION,
     GITHUB_RUN_ID: process.env.GITHUB_RUN_ID,
@@ -42,35 +103,33 @@ const buildCommitExec = () => {
     GITHUB_HEAD_REF: process.env.GITHUB_HEAD_REF || '',
   });
 
-
   if (token) {
     commitOptions.env.CODECOV_TOKEN = token;
   }
   if (commitParent) {
-    commitExecArgs.push('--parent-sha', `${commitParent}`);
+    commitExecArgs.push('--parent-sha', commitParent);
   }
-  commitExecArgs.push('--git-service', `${gitService ? gitService : 'github'}`);
+  commitExecArgs.push('--git-service', gitService);
 
   if (overrideBranch) {
-    commitExecArgs.push('-B', `${overrideBranch}`);
+    commitExecArgs.push('-B', overrideBranch);
   }
   if (overrideCommit) {
-    commitExecArgs.push('-C', `${overrideCommit}`);
+    commitExecArgs.push('-C', overrideCommit);
   } else if (
-    `${context.eventName}` == 'pull_request' ||
-    `${context.eventName}` == 'pull_request_target'
+    ['pull_request', 'pull_request_target'].includes(context.eventName)
   ) {
-    commitExecArgs.push('-C', `${context.payload.pull_request.head.sha}`);
+    const payload = context.payload as PullRequestEvent;
+    commitExecArgs.push('-C', payload.pull_request.head.sha);
   }
   if (overridePr) {
-    commitExecArgs.push('--pr', `${overridePr}`);
-  } else if (
-    `${context.eventName}` == 'pull_request_target'
-  ) {
-    commitExecArgs.push('--pr', `${context.payload.number}`);
+    commitExecArgs.push('--pr', overridePr);
+  } else if (context.eventName === 'pull_request_target') {
+    const payload = context.payload as PullRequestEvent;
+    commitExecArgs.push('--pr', payload.number.toString());
   }
   if (slug) {
-    commitExecArgs.push('--slug', `${slug}`);
+    commitExecArgs.push('--slug', slug);
   }
   if (failCi) {
     commitExecArgs.push('-Z');
@@ -79,21 +138,23 @@ const buildCommitExec = () => {
     commitOptions.cwd = workingDir;
   }
 
-
   return {commitExecArgs, commitOptions, commitCommand};
 };
 
-const buildGeneralExec = () => {
+const buildGeneralExec = (): {
+  args: any[];
+  verbose: boolean;
+} => {
   const codecovYmlPath = core.getInput('codecov_yml_path');
   const url = core.getInput('url');
   const verbose = isTrue(core.getInput('verbose'));
   const args = [];
 
   if (codecovYmlPath) {
-    args.push('--codecov-yml-path', `${codecovYmlPath}`);
+    args.push('--codecov-yml-path', codecovYmlPath);
   }
   if (url) {
-    args.push('--enterprise-url', `${url}`);
+    args.push('--enterprise-url', url);
   }
   if (verbose) {
     args.push('-v');
@@ -101,20 +162,23 @@ const buildGeneralExec = () => {
   return {args, verbose};
 };
 
-const buildReportExec = () => {
-  const gitService = core.getInput('git_service');
+const buildReportExec = async (): Promise<{
+  reportExecArgs: any[];
+  reportOptions: any;
+  reportCommand: string;
+}> => {
+  const gitService = getGitService();
   const overrideCommit = core.getInput('override_commit');
   const overridePr = core.getInput('override_pr');
   const slug = core.getInput('slug');
-  const token = core.getInput('token');
+  const token = await getToken();
   const failCi = isTrue(core.getInput('fail_ci_if_error'));
   const workingDir = core.getInput('working-directory');
 
-
   const reportCommand = 'create-report';
-  const reportExecArgs = [];
+  const reportExecArgs: string[] = [];
 
-  const reportOptions:any = {};
+  const reportOptions: any = {};
   reportOptions.env = Object.assign(process.env, {
     GITHUB_ACTION: process.env.GITHUB_ACTION,
     GITHUB_RUN_ID: process.env.GITHUB_RUN_ID,
@@ -124,29 +188,27 @@ const buildReportExec = () => {
     GITHUB_HEAD_REF: process.env.GITHUB_HEAD_REF || '',
   });
 
-
   if (token) {
     reportOptions.env.CODECOV_TOKEN = token;
   }
-  reportExecArgs.push('--git-service', `${gitService ? gitService : 'github'}`);
+  reportExecArgs.push('--git-service', gitService);
 
   if (overrideCommit) {
-    reportExecArgs.push('-C', `${overrideCommit}`);
+    reportExecArgs.push('-C', overrideCommit);
   } else if (
-    `${context.eventName}` == 'pull_request' ||
-    `${context.eventName}` == 'pull_request_target'
+    ['pull_request', 'pull_request_target'].includes(context.eventName)
   ) {
-    reportExecArgs.push('-C', `${context.payload.pull_request.head.sha}`);
+    const payload = context.payload as PullRequestEvent;
+    reportExecArgs.push('-C', payload.pull_request.head.sha);
   }
   if (overridePr) {
-    reportExecArgs.push('-P', `${overridePr}`);
-  } else if (
-    `${context.eventName}` == 'pull_request_target'
-  ) {
-    reportExecArgs.push('-P', `${context.payload.number}`);
+    reportExecArgs.push('-P', overridePr);
+  } else if (context.eventName == 'pull_request_target') {
+    const payload = context.payload as PullRequestEvent;
+    reportExecArgs.push('-P', payload.number.toString());
   }
   if (slug) {
-    reportExecArgs.push('--slug', `${slug}`);
+    reportExecArgs.push('--slug', slug);
   }
   if (failCi) {
     reportExecArgs.push('-Z');
@@ -158,9 +220,17 @@ const buildReportExec = () => {
   return {reportExecArgs, reportOptions, reportCommand};
 };
 
-const buildUploadExec = () => {
+const buildUploadExec = async (): Promise<{
+  uploadExecArgs: any[];
+  uploadOptions: any;
+  disableSafeDirectory: boolean;
+  failCi: boolean;
+  os: string;
+  uploaderVersion: string;
+  uploadCommand: string;
+}> => {
   const disableFileFixes = isTrue(core.getInput('disable_file_fixes'));
-  const disableSafeDirectory = isTrue(core.getInput('diable_safe_directory'));
+  const disableSafeDirectory = isTrue(core.getInput('disable_safe_directory'));
   const disableSearch = isTrue(core.getInput('disable_search'));
   const dryRun = isTrue(core.getInput('dry_run'));
   const envVars = core.getInput('env_vars');
@@ -169,10 +239,12 @@ const buildUploadExec = () => {
   const file = core.getInput('file');
   const files = core.getInput('files');
   const flags = core.getInput('flags');
-  const gitService = core.getInput('git_service');
+  const gitService = getGitService();
   const handleNoReportsFound = isTrue(core.getInput('handle_no_reports_found'));
   const jobCode = core.getInput('job_code');
   const name = core.getInput('name');
+  const networkFilter = core.getInput('network_filter');
+  const networkPrefix = core.getInput('network_prefix');
   const os = core.getInput('os');
   const overrideBranch = core.getInput('override_branch');
   const overrideBuild = core.getInput('override_build');
@@ -185,16 +257,16 @@ const buildUploadExec = () => {
   const rootDir = core.getInput('root_dir');
   const searchDir = core.getInput('directory');
   const slug = core.getInput('slug');
-  const token = core.getInput('token');
+  const token = await getToken();
   let uploaderVersion = core.getInput('version');
   const useLegacyUploadEndpoint = isTrue(
       core.getInput('use_legacy_upload_endpoint'),
   );
   const workingDir = core.getInput('working-directory');
 
-  const uploadExecArgs = [];
+  const uploadExecArgs: string[] = [];
   const uploadCommand = 'do-upload';
-  const uploadOptions:any = {};
+  const uploadOptions: any = {};
   uploadOptions.env = Object.assign(process.env, {
     GITHUB_ACTION: process.env.GITHUB_ACTION,
     GITHUB_RUN_ID: process.env.GITHUB_RUN_ID,
@@ -228,77 +300,94 @@ const buildUploadExec = () => {
     uploadExecArgs.push('-e', envVarsArg.join(','));
   }
   if (exclude) {
-    uploadExecArgs.push('--exclude', `${exclude}`);
+    uploadExecArgs.push('--exclude', exclude);
   }
   if (failCi) {
     uploadExecArgs.push('-Z');
   }
   if (file) {
-    uploadExecArgs.push('-f', `${file}`);
+    uploadExecArgs.push('-f', file);
   }
   if (files) {
-    files.split(',').map((f) => f.trim()).forEach((f) => {
-      uploadExecArgs.push('-f', `${f}`);
-    });
+    files
+        .split(',')
+        .map((f) => f.trim())
+        .forEach((f) => {
+          if (f.length > 0) {
+          // this handles trailing commas
+            uploadExecArgs.push('-f', f);
+          }
+        });
   }
   if (flags) {
-    flags.split(',').map((f) => f.trim()).forEach((f) => {
-      uploadExecArgs.push('-F', `${f}`);
-    });
+    flags
+        .split(',')
+        .map((f) => f.trim())
+        .forEach((f) => {
+          uploadExecArgs.push('-F', f);
+        });
   }
-  uploadExecArgs.push('--git-service', `${gitService ? gitService : 'github'}`);
+  uploadExecArgs.push('--git-service', gitService);
   if (handleNoReportsFound) {
     uploadExecArgs.push('--handle-no-reports-found');
   }
   if (jobCode) {
-    uploadExecArgs.push('--job-code', `${jobCode}`);
+    uploadExecArgs.push('--job-code', jobCode);
   }
   if (name) {
-    uploadExecArgs.push('-n', `${name}`);
+    uploadExecArgs.push('-n', name);
+  }
+  if (networkFilter) {
+    uploadExecArgs.push('--network-filter', networkFilter);
+  }
+  if (networkPrefix) {
+    uploadExecArgs.push('--network-prefix', networkPrefix);
   }
   if (overrideBranch) {
-    uploadExecArgs.push('-B', `${overrideBranch}`);
+    uploadExecArgs.push('-B', overrideBranch);
   }
   if (overrideBuild) {
-    uploadExecArgs.push('-b', `${overrideBuild}`);
+    uploadExecArgs.push('-b', overrideBuild);
   }
   if (overrideBuildUrl) {
-    uploadExecArgs.push('--build-url', `${overrideBuildUrl}`);
+    uploadExecArgs.push('--build-url', overrideBuildUrl);
   }
   if (overrideCommit) {
-    uploadExecArgs.push('-C', `${overrideCommit}`);
+    uploadExecArgs.push('-C', overrideCommit);
   } else if (
-    `${context.eventName}` == 'pull_request' ||
-    `${context.eventName}` == 'pull_request_target'
+    ['pull_request', 'pull_request_target'].includes(context.eventName)
   ) {
-    uploadExecArgs.push('-C', `${context.payload.pull_request.head.sha}`);
+    const payload = context.payload as PullRequestEvent;
+    uploadExecArgs.push('-C', payload.pull_request.head.sha);
   }
   if (overridePr) {
-    uploadExecArgs.push('-P', `${overridePr}`);
-  } else if (
-    `${context.eventName}` == 'pull_request_target'
-  ) {
-    uploadExecArgs.push('-P', `${context.payload.number}`);
+    uploadExecArgs.push('-P', overridePr);
+  } else if (context.eventName == 'pull_request_target') {
+    const payload = context.payload as PullRequestEvent;
+    uploadExecArgs.push('-P', payload.number.toString());
   }
   if (plugin) {
-    uploadExecArgs.push('--plugin', `${plugin}`);
+    uploadExecArgs.push('--plugin', plugin);
   }
   if (plugins) {
-    plugins.split(',').map((p) => p.trim()).forEach((p) => {
-      uploadExecArgs.push('--plugin', `${p}`);
-    });
+    plugins
+        .split(',')
+        .map((p) => p.trim())
+        .forEach((p) => {
+          uploadExecArgs.push('--plugin', p);
+        });
   }
   if (reportCode) {
-    uploadExecArgs.push('--report-code', `${reportCode}`);
+    uploadExecArgs.push('--report-code', reportCode);
   }
   if (rootDir) {
-    uploadExecArgs.push('--network-root-folder', `${rootDir}`);
+    uploadExecArgs.push('--network-root-folder', rootDir);
   }
   if (searchDir) {
-    uploadExecArgs.push('-s', `${searchDir}`);
+    uploadExecArgs.push('-s', searchDir);
   }
   if (slug) {
-    uploadExecArgs.push('-r', `${slug}`);
+    uploadExecArgs.push('-r', slug);
   }
   if (workingDir) {
     uploadOptions.cwd = workingDir;
@@ -327,4 +416,5 @@ export {
   buildGeneralExec,
   buildReportExec,
   buildUploadExec,
+  getToken,
 };

src/helpers.ts

@@ -8,13 +8,19 @@ const PLATFORMS = [
   'alpine',
   'linux-arm64',
   'alpine-arm64',
-];
+] as const;
+type Platform = typeof PLATFORMS[number];
 
 const setFailure = (message: string, failCi: boolean): void => {
-    failCi ? core.setFailed(message) : core.warning(message);
-    if (failCi) {
-      process.exit();
-    }
+  if (failCi) {
+    core.setFailed(message);
+  } else {
+    core.warning(message);
+  }
+
+  if (failCi) {
+    process.exit();
+  }
 };
 
 const getUploaderName = (platform: string): string => {
@@ -25,8 +31,8 @@ const getUploaderName = (platform: string): string => {
   }
 };
 
-const isValidPlatform = (platform: string): boolean => {
-  return PLATFORMS.includes(platform);
+const isValidPlatform = (platform: string): platform is Platform => {
+  return PLATFORMS.includes(platform as Platform);
 };
 
 const isWindows = (platform: string): boolean => {

src/index.ts

@@ -1,6 +1,6 @@
-import * as fs from 'fs';
-import * as https from 'https';
-import * as path from 'path';
+import * as fs from 'node:fs';
+import * as https from 'node:https';
+import * as path from 'node:path';
 
 import * as exec from '@actions/exec';
 
@@ -24,102 +24,106 @@ import versionInfo from './version';
 
 let failCi;
 
-try {
-  const {commitExecArgs, commitOptions, commitCommand} = buildCommitExec();
-  const {reportExecArgs, reportOptions, reportCommand} = buildReportExec();
-  const {
-    uploadExecArgs,
-    uploadOptions,
-    disableSafeDirectory,
-    failCi,
-    os,
-    uploaderVersion,
-    uploadCommand,
-  } = buildUploadExec();
-  const {args, verbose} = buildGeneralExec();
+const run = async (): Promise<void> => {
+  try {
+    const {commitExecArgs, commitOptions, commitCommand} = await buildCommitExec();
+    const {reportExecArgs, reportOptions, reportCommand} = await buildReportExec();
+    const {
+      uploadExecArgs,
+      uploadOptions,
+      disableSafeDirectory,
+      failCi,
+      os,
+      uploaderVersion,
+      uploadCommand,
+    } = await buildUploadExec();
+    const {args, verbose} = buildGeneralExec();
 
-  const platform = getPlatform(os);
+    const platform = getPlatform(os);
 
-  const filename = path.join( __dirname, getUploaderName(platform));
-  https.get(getBaseUrl(platform, uploaderVersion), (res) => {
-    // Image will be stored at this path
-    const filePath = fs.createWriteStream(filename);
-    res.pipe(filePath);
-    filePath
-        .on('error', (err) => {
-          setFailure(
-              `Codecov: Failed to write uploader binary: ${err.message}`,
-              true,
-          );
-        }).on('finish', async () => {
-          filePath.close();
+    const filename = path.join( __dirname, getUploaderName(platform));
+    https.get(getBaseUrl(platform, uploaderVersion), (res) => {
+      // Image will be stored at this path
+      const filePath = fs.createWriteStream(filename);
+      res.pipe(filePath);
+      filePath
+          .on('error', (err) => {
+            setFailure(
+                `Codecov: Failed to write uploader binary: ${err.message}`,
+                true,
+            );
+          }).on('finish', async () => {
+            filePath.close();
 
-          await verify(filename, platform, uploaderVersion, verbose, failCi);
-          await versionInfo(platform, uploaderVersion);
-          await fs.chmodSync(filename, '777');
-          if (!disableSafeDirectory) {
-            await setSafeDirectory();
-          }
+            await verify(filename, platform, uploaderVersion, verbose, failCi);
+            await versionInfo(platform, uploaderVersion);
+            await fs.chmodSync(filename, '777');
+            if (!disableSafeDirectory) {
+              await setSafeDirectory();
+            }
 
-          const unlink = () => {
-            fs.unlink(filename, (err) => {
-              if (err) {
-                setFailure(
-                    `Codecov: Could not unlink uploader: ${err.message}`,
-                    failCi,
-                );
-              }
-            });
-          };
-          const doUpload = async () => {
-            await exec.exec(getCommand(filename, args, uploadCommand).join(' '),
-                uploadExecArgs,
-                uploadOptions)
-                .catch((err) => {
+            const unlink = (): void => {
+              fs.unlink(filename, (err) => {
+                if (err) {
                   setFailure(
-                      `Codecov:
-                      Failed to properly upload report: ${err.message}`,
+                      `Codecov: Could not unlink uploader: ${err.message}`,
                       failCi,
                   );
-                });
-          };
-          const createReport = async () => {
+                }
+              });
+            };
+            const doUpload = async (): Promise<void> => {
+              await exec.exec(getCommand(filename, args, uploadCommand).join(' '),
+                  uploadExecArgs,
+                  uploadOptions)
+                  .catch((err) => {
+                    setFailure(
+                        `Codecov:
+                        Failed to properly upload report: ${err.message}`,
+                        failCi,
+                    );
+                  });
+            };
+            const createReport = async (): Promise<void> => {
+              await exec.exec(
+                  getCommand(filename, args, reportCommand).join(' '),
+                  reportExecArgs,
+                  reportOptions)
+                  .then(async (exitCode) => {
+                    if (exitCode == 0) {
+                      await doUpload();
+                    }
+                  }).catch((err) => {
+                    setFailure(
+                        `Codecov:
+                        Failed to properly create report: ${err.message}`,
+                        failCi,
+                    );
+                  });
+            };
             await exec.exec(
-                getCommand(filename, args, reportCommand).join(' '),
-                reportExecArgs,
-                reportOptions)
+                getCommand(
+                    filename,
+                    args,
+                    commitCommand,
+                ).join(' '),
+                commitExecArgs, commitOptions)
                 .then(async (exitCode) => {
                   if (exitCode == 0) {
-                    await doUpload();
+                    await createReport();
                   }
+                  unlink();
                 }).catch((err) => {
                   setFailure(
-                      `Codecov:
-                      Failed to properly create report: ${err.message}`,
+                      `Codecov: Failed to properly create commit: ${err.message}`,
                       failCi,
                   );
                 });
-          };
-          await exec.exec(
-              getCommand(
-                  filename,
-                  args,
-                  commitCommand,
-              ).join(' '),
-              commitExecArgs, commitOptions)
-              .then(async (exitCode) => {
-                if (exitCode == 0) {
-                  await createReport();
-                }
-                unlink();
-              }).catch((err) => {
-                setFailure(
-                    `Codecov: Failed to properly create commit: ${err.message}`,
-                    failCi,
-                );
-              });
-        });
-  });
-} catch (err) {
-  setFailure(`Codecov: Encountered an unexpected error ${err.message}`, failCi);
-}
+          });
+    });
+  } catch (err) {
+    setFailure(`Codecov: Encountered an unexpected error ${err.message}`, failCi);
+  }
+};
+
+run();

src/validate.ts

@@ -1,7 +1,7 @@
-import * as crypto from 'crypto';
-import * as fs from 'fs';
-import * as gpg from 'gpg';
-import * as path from 'path';
+import {execSync} from 'node:child_process';
+import * as crypto from 'node:crypto';
+import * as fs from 'node:fs';
+import * as path from 'node:path';
 
 import * as core from '@actions/core';
 import {request} from 'undici';
@@ -76,36 +76,43 @@ const verify = async (
       }
     };
 
-    const verifySignature = () => {
-      gpg.call('', [
+    const verifySignature = async () => {
+      const command = [
+        'gpg',
         '--logger-fd',
         '1',
         '--verify',
         path.join(__dirname, `${uploaderName}.SHA256SUM.sig`),
         path.join(__dirname, `${uploaderName}.SHA256SUM`),
-      ], async (err, verifyResult) => {
-        if (err) {
-          setFailure('Codecov: Error importing pgp key', failCi);
-        }
-        core.info(verifyResult);
-        await validateSha();
-      });
+      ].join(' ');
+
+      try {
+        await execSync(command, {stdio: 'inherit'});
+      } catch (err) {
+        setFailure(`Codecov: Error verifying gpg signature: ${err.message}`, failCi);
+      }
     };
 
-    // Import gpg key
-    gpg.call('', [
-      '--logger-fd',
-      '1',
-      '--no-default-keyring',
-      '--import',
-      path.join(__dirname, 'pgp_keys.asc'),
-    ], async (err, importResult) => {
-      if (err) {
-        setFailure('Codecov: Error importing pgp key', failCi);
+    const importKey = async () => {
+      const command = [
+        'gpg',
+        '--logger-fd',
+        '1',
+        '--no-default-keyring',
+        '--import',
+        path.join(__dirname, 'pgp_keys.asc'),
+      ].join(' ');
+
+      try {
+        await execSync(command, {stdio: 'inherit'});
+      } catch (err) {
+        setFailure(`Codecov: Error importing gpg key: ${err.message}`, failCi);
       }
-      core.info(importResult);
-      verifySignature();
-    });
+    };
+
+    await importKey();
+    await verifySignature();
+    await validateSha();
   } catch (err) {
     setFailure(`Codecov: Error validating uploader: ${err.message}`, failCi);
   }

src/version.test.ts

@@ -0,0 +1,62 @@
+import * as core from '@actions/core';
+import {Agent, MockAgent, setGlobalDispatcher} from 'undici';
+
+import versionInfo from './version';
+
+const mockAgent = new MockAgent();
+
+beforeAll(() => {
+  setGlobalDispatcher(mockAgent);
+  mockAgent.disableNetConnect();
+});
+
+afterEach(() => {
+  jest.clearAllMocks();
+});
+
+afterAll(async () => {
+  await mockAgent.close();
+  setGlobalDispatcher(new Agent());
+});
+
+describe('versionInfo', () => {
+  const platform = 'linux';
+
+  test('should resolve requested version info', async () => {
+    const version = 'latest';
+    const coreInfoSpy = jest.spyOn(core, 'info');
+
+    mockAgent
+        .get('https://cli.codecov.io')
+        .intercept({
+          path: `/${platform}/${version}`,
+        })
+        .reply(200, {
+          version: 'v0.5.2',
+        });
+
+    await versionInfo(platform, version);
+
+    expect(coreInfoSpy).toHaveBeenCalledTimes(2);
+    expect(coreInfoSpy).toHaveBeenCalledWith('==> Running version latest');
+    expect(coreInfoSpy).toHaveBeenCalledWith('==> Running version v0.5.2');
+  });
+
+  test('should handle unsupported version', async () => {
+    const version = 'unsupported';
+    const coreInfoSpy = jest.spyOn(core, 'info');
+
+    mockAgent
+        .get('https://cli.codecov.io')
+        .intercept({
+          path: `/${platform}/${version}`,
+        })
+        .reply(404, 'MESSAGE');
+
+    await versionInfo(platform, version);
+
+    expect(coreInfoSpy).toHaveBeenCalledTimes(2);
+    expect(coreInfoSpy).toHaveBeenCalledWith('==> Running version unsupported');
+    expect(coreInfoSpy).toHaveBeenCalledWith(expect.stringContaining('Could not pull latest version information'));
+  });
+});

src/version.ts

@@ -3,14 +3,12 @@ import {request} from 'undici';
 
 const versionInfo = async (
     platform: string,
-    version?: string,
+    version: string,
 ): Promise<void> => {
-  if (version) {
-    core.info(`==> Running version ${version}`);
-  }
+  core.info(`==> Running version ${version}`);
 
   try {
-    const metadataRes = await request(`https://cli.codecov.io/${platform}/latest`, {
+    const metadataRes = await request(`https://cli.codecov.io/${platform}/${version}`, {
       headers: {'Accept': 'application/json'},
     });
     const metadata = await metadataRes.body.json();