chore(release):4.6.0 (#1587)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.7 to 4.2.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4.1.7...v4.2.0)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/workflows/codeql-analysis.yml

@@ -12,10 +12,10 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [ master ]
+    branches: [ main ]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ master ]
+    branches: [ main ]
   schedule:
     - cron: '24 6 * * 5'
 
@@ -37,11 +37,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4.1.2
+      uses: actions/checkout@v4.2.0
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3.24.10
+      uses: github/codeql-action/init@v3.26.9
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -52,7 +52,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v3.24.10
+      uses: github/codeql-action/autobuild@v3.26.9
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -66,4 +66,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3.24.10
+      uses: github/codeql-action/analyze@v3.26.9

.github/workflows/enforce-license-compliance.yml

@@ -2,7 +2,7 @@ name: Enforce License Compliance
 
 on:
   pull_request:
-    branches: [main, master]
+    branches: [main]
 
 jobs:
   enforce-license-compliance:

.github/workflows/main.yml

@@ -5,10 +5,10 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        os: [macos-latest, windows-latest, ubuntu-latest, macos-latest-xlarge]
+        os: [macos-latest, windows-latest, ubuntu-latest]
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.1.2
+        uses: actions/checkout@v4.2.0
       - name: Install dependencies
         run: npm install
       - name: Lint
@@ -18,6 +18,7 @@ jobs:
       - name: Upload coverage to Codecov (script)
         uses: ./
         with:
+          fail_ci_if_error: true
           files: ./coverage/script/coverage-final.json
           flags: script,${{ matrix.os }}
           name: codecov-script
@@ -26,6 +27,7 @@ jobs:
       - name: Upload coverage to Codecov (demo)
         uses: ./
         with:
+          fail_ci_if_error: true
           files: ./coverage/calculator/coverage-final.json,./coverage/coverage-test/coverage-final.json
           file: ./coverage/coverage-final.json
           flags: demo,${{ matrix.os }}
@@ -35,11 +37,55 @@ jobs:
       - name: Upload coverage to Codecov (version)
         uses: ./
         with:
+          fail_ci_if_error: true
           files: ./coverage/calculator/coverage-final.json,./coverage/coverage-test/coverage-final.json
           file: ./coverage/coverage-final.json
           flags: version,${{ matrix.os }}
           name: codecov-version
-          version: v0.2.0
+          version: v0.7.3
+          verbose: true
+          token: ${{ secrets.CODECOV_TOKEN }}
+
+  run-macos-latest-xlarge:
+    if: github.head.repo.full_name == 'codecov/codecov-action'
+    runs-on: macos-latest-xlarge
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4.2.0
+      - name: Install dependencies
+        run: npm install
+      - name: Lint
+        run: npm run lint
+      - name: Run tests and collect coverage
+        run: npm run test
+      - name: Upload coverage to Codecov (script)
+        uses: ./
+        with:
+          fail_ci_if_error: true
+          files: ./coverage/script/coverage-final.json
+          flags: script,macos-latest-xlarge
+          name: codecov-script
+          verbose: true
+          token: ${{ secrets.CODECOV_TOKEN }}
+      - name: Upload coverage to Codecov (demo)
+        uses: ./
+        with:
+          fail_ci_if_error: true
+          files: ./coverage/calculator/coverage-final.json,./coverage/coverage-test/coverage-final.json
+          file: ./coverage/coverage-final.json
+          flags: demo,macos-latest-xlarge
+          name: codecov-demo
+          verbose: true
+          token: ${{ secrets.CODECOV_TOKEN }}
+      - name: Upload coverage to Codecov (version)
+        uses: ./
+        with:
+          fail_ci_if_error: true
+          files: ./coverage/calculator/coverage-final.json,./coverage/coverage-test/coverage-final.json
+          file: ./coverage/coverage-final.json
+          flags: version,maxos-latest-xlarge
+          name: codecov-version
+          version: v0.6.0
           verbose: true
           token: ${{ secrets.CODECOV_TOKEN }}
 
@@ -48,7 +94,7 @@ jobs:
     container: node:18
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.1.2
+        uses: actions/checkout@v4.2.0
       - name: Install dependencies
         run: npm install
       - name: Lint
@@ -79,6 +125,6 @@ jobs:
           file: ./coverage/coverage-final.json
           flags: version,${{ matrix.os }}
           name: codecov-version
-          version: v0.2.0
+          version: v0.6.0
           verbose: true
           token: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/scorecards-analysis.yml

@@ -5,13 +5,14 @@ on:
   schedule:
     - cron: '43 20 * * 1'
   push:
-    branches: [ master ]
+    branches: [ main ]
 
 # Declare default permissions as read only.
 permissions: read-all
 
 jobs:
   analysis:
+    if: github.repository == 'codecov/codecov-action'
     name: Scorecards analysis
     runs-on: ubuntu-latest
     permissions:
@@ -21,15 +22,15 @@ jobs:
       id-token: write
       actions: read
       contents: read
-    
+
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v4.1.2 # v3.0.0
+        uses: actions/checkout@v4.2.0 # v3.0.0
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
         with:
           results_file: results.sarif
           results_format: sarif
@@ -40,22 +41,22 @@ jobs:
           # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
 
           # Publish the results for public repositories to enable scorecard badges. For more details, see
-          # https://github.com/ossf/scorecard-action#publishing-results. 
+          # https://github.com/ossf/scorecard-action#publishing-results.
-          # For private repositories, `publish_results` will automatically be set to `false`, regardless 
+          # For private repositories, `publish_results` will automatically be set to `false`, regardless
           # of the value entered here.
           publish_results: true
 
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
-      
+
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v3.24.10 # v1.0.26
+        uses: github/codeql-action/upload-sarif@v3.26.9 # v1.0.26
         with:
           sarif_file: results.sarif

README.md

@@ -9,7 +9,7 @@
 `v4` of the Codecov GitHub Action will use the [Codecov CLI](https://github.com/codecov/codecov-cli) to upload coverage reports to Codecov.
 
 ### Breaking Changes
-- Tokenless uploading is unsupported. However, PRs made from forks to the upstream public repos will support tokenless (e.g. contributors to OS projects do not need the upstream repo's Codecov token)
+- Tokenless uploading is unsupported. However, PRs made from forks to the upstream public repos will support tokenless (e.g. contributors to OSS projects do not need the upstream repo's Codecov token). For details, [see our docs](https://docs.codecov.com/docs/codecov-uploader#supporting-token-less-uploads-for-forks-of-open-source-repos-using-codecov)
 - Various arguments to the Action have been removed
 
 ### Dependabot
@@ -35,7 +35,7 @@ Inside your `.github/workflows/workflow.yml` file:
 
 ```yaml
 steps:
-- uses: actions/checkout@master
+- uses: actions/checkout@main
 - uses: codecov/codecov-action@v4
   with:
     fail_ci_if_error: true # optional (default = false)
@@ -50,7 +50,7 @@ The Codecov token can also be passed in via environment variables:
 
 ```yaml
 steps:
-- uses: actions/checkout@master
+- uses: actions/checkout@main
 - uses: codecov/codecov-action@v4
   with:
     fail_ci_if_error: true # optional (default = false)
@@ -130,9 +130,9 @@ jobs:
       OS: ${{ matrix.os }}
       PYTHON: '3.10'
     steps:
-    - uses: actions/checkout@master
+    - uses: actions/checkout@main
     - name: Setup Python
-      uses: actions/setup-python@master
+      uses: actions/setup-python@main
       with:
         python-version: 3.10
     - name: Generate coverage report

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codecov-action",
-  "version": "4.3.0",
+  "version": "4.6.0",
   "description": "Upload coverage reports to Codecov from GitHub Actions",
   "main": "index.js",
   "scripts": {
@@ -26,19 +26,19 @@
     "@actions/core": "^1.10.1",
     "@actions/exec": "^1.1.1",
     "@actions/github": "^6.0.0",
-    "gpg": "^0.6.0",
     "undici": "5.28.4"
   },
   "devDependencies": {
-    "@types/jest": "^29.5.12",
+    "@octokit/webhooks-types": "^7.5.1",
-    "@typescript-eslint/eslint-plugin": "^7.6.0",
+    "@types/jest": "^29.5.13",
-    "@typescript-eslint/parser": "^7.6.0",
+    "@typescript-eslint/eslint-plugin": "^8.8.0",
-    "@vercel/ncc": "^0.38.1",
+    "@typescript-eslint/parser": "^8.8.0",
-    "eslint": "^8.57.0",
+    "@vercel/ncc": "^0.38.2",
+    "eslint": "^8.57.1",
     "eslint-config-google": "^0.14.0",
     "jest": "^29.7.0",
     "jest-junit": "^16.0.0",
-    "ts-jest": "^29.1.2",
+    "ts-jest": "^29.2.5",
-    "typescript": "^5.4.4"
+    "typescript": "^5.6.2"
   }
 }

src/buildExec.test.ts

@@ -5,6 +5,7 @@ import {
   buildGeneralExec,
   buildReportExec,
   buildUploadExec,
+  getToken,
 } from './buildExec';
 
 const context = github.context;
@@ -53,7 +54,7 @@ test('upload args using context', async () => {
   ];
   const {uploadExecArgs, uploadCommand} = await buildUploadExec();
   if (context.eventName == 'pull_request') {
-    expectedArgs.push('-C', `${context.payload.pull_request.head.sha}`);
+    expectedArgs.push('-C', `${context.payload.pull_request?.head.sha}`);
   }
   if (context.eventName == 'pull_request_target') {
     expectedArgs.push('-P', `${context.payload.number}`);
@@ -75,7 +76,7 @@ test('upload args', async () => {
     'exclude': 'node_modules/',
     'fail_ci_if_error': 'true',
     'file': 'coverage.xml',
-    'files': 'dir1/coverage.xml,dir2/coverage.xml',
+    'files': 'dir1/coverage.xml,dir2/coverage.xml,',
     'flags': 'test,test2',
     'git_service': 'github_enterprise',
     'handle_no_reports_found': 'true',
@@ -213,12 +214,12 @@ test('report args using context', async () => {
   for (const env of Object.keys(envs)) {
     process.env['INPUT_' + env.toUpperCase()] = envs[env];
   }
-  const expectedArgs : string[] = [
+  const expectedArgs: string[] = [
     '--git-service',
     'github',
   ];
   if (context.eventName == 'pull_request') {
-    expectedArgs.push('-C', `${context.payload.pull_request.head.sha}`);
+    expectedArgs.push('-C', `${context.payload.pull_request?.head.sha}`);
   }
 
   const {reportExecArgs, reportCommand} = await buildReportExec();
@@ -271,14 +272,20 @@ test('commit args', async () => {
 });
 
 test('commit args using context', async () => {
-  const expectedArgs :string[] = [
+  const expectedArgs: string[] = [
     '--git-service',
     'github',
   ];
 
   const {commitExecArgs, commitCommand} = await buildCommitExec();
+  if (
+    (context.eventName == 'pull_request' || context.eventName == 'pull_request_target') &&
+    context.payload.pull_request?.base.label.split(':')[0] != context.payload.pull_request?.head.label.split(':')[0]
+  ) {
+    expectedArgs.push('-B', `${context.payload.pull_request?.head.label}`);
+  }
   if (context.eventName == 'pull_request') {
-    expectedArgs.push('-C', `${context.payload.pull_request.head.sha}`);
+    expectedArgs.push('-C', `${context.payload.pull_request?.head.sha}`);
   }
   if (context.eventName == 'pull_request_target') {
     expectedArgs.push('-P', `${context.payload.number}`);
@@ -289,7 +296,7 @@ test('commit args using context', async () => {
 });
 
 test('commit args using github server url', async () => {
-  const expectedArgs :string[] = [
+  const expectedArgs: string[] = [
     '--git-service',
     'github_enterprise',
   ];
@@ -297,13 +304,65 @@ test('commit args using github server url', async () => {
   process.env.GITHUB_SERVER_URL = 'https://example.com';
 
   const {commitExecArgs, commitCommand} = await buildCommitExec();
+  if (
+    (context.eventName == 'pull_request' || context.eventName == 'pull_request_target') &&
+    context.payload.pull_request?.base.label.split(':')[0] != context.payload.pull_request?.head.label.split(':')[0]
+  ) {
+    expectedArgs.push('-B', `${context.payload.pull_request?.head.label}`);
+  }
   if (context.eventName == 'pull_request') {
-    expectedArgs.push('-C', `${context.payload.pull_request.head.sha}`);
+    expectedArgs.push('-C', `${context.payload.pull_request?.head.sha}`);
   }
   if (context.eventName == 'pull_request_target') {
     expectedArgs.push('-P', `${context.payload.number}`);
   }
+  expect(commitExecArgs).toEqual(expectedArgs);
+  expect(commitCommand).toEqual('create-commit');
+});
+
+test('build commit args when token arg is unset and from fork', async () => {
+  context.eventName = 'pull_request';
+  context.payload.pull_request = {
+    'number': 1,
+    'base': {
+      'label': 'hello:main',
+    },
+    'head': {
+      'label': 'world:feat',
+      'sha': 'aaaaaa',
+    },
+  };
+
+  const expectedArgs: string[] = [
+    '--git-service',
+    'github_enterprise',
+    '-B',
+    'world:feat',
+    '-C',
+    `${context.payload.pull_request?.head.sha}`,
+  ];
+
+  const {commitExecArgs, commitCommand} = await buildCommitExec();
 
   expect(commitExecArgs).toEqual(expectedArgs);
   expect(commitCommand).toEqual('create-commit');
 });
+
+test('get token when token arg is unset and from fork', async () => {
+  context.eventName = 'pull_request';
+  context.payload.pull_request = {
+    'number': 1,
+    'base': {
+      'label': 'hello:main',
+    },
+    'head': {
+      'label': 'world:feat',
+      'sha': 'aaaaaa',
+    },
+  };
+
+
+  const token = await getToken();
+
+  expect(token).toEqual('');
+});

src/buildExec.ts

@@ -2,12 +2,13 @@
 
 import * as core from '@actions/core';
 import * as github from '@actions/github';
+import {type PullRequestEvent} from '@octokit/webhooks-types';
 
 import {setFailure} from './helpers';
 
 const context = github.context;
 
-const isTrue = (variable) => {
+const isTrue = (variable: string): boolean => {
   const lowercase = variable.toLowerCase();
   return (
     lowercase === '1' ||
@@ -18,7 +19,7 @@ const isTrue = (variable) => {
   );
 };
 
-const getGitService = () => {
+const getGitService = (): string => {
   const overrideGitService = core.getInput('git_service');
   const serverUrl = process.env.GITHUB_SERVER_URL;
   if (overrideGitService) {
@@ -29,18 +30,30 @@ const getGitService = () => {
   return 'github';
 };
 
-const getToken = async () => {
+const isPullRequestFromFork = (): boolean => {
+  core.info(`eventName: ${context.eventName}`);
+  if (!['pull_request', 'pull_request_target'].includes(context.eventName)) {
+    return false;
+  }
+
+  const baseLabel = context.payload.pull_request.base.label;
+  const headLabel = context.payload.pull_request.head.label;
+
+  core.info(`baseRef: ${baseLabel} | headRef: ${headLabel}`);
+  return baseLabel.split(':')[0] !== headLabel.split(':')[0];
+};
+
+const getToken = async (): Promise<string> => {
   let token = core.getInput('token');
   let url = core.getInput('url');
   const useOIDC = isTrue(core.getInput('use_oidc'));
-
   if (useOIDC) {
     if (!url) {
       url = 'https://codecov.io';
     }
     try {
       token = await core.getIDToken(url);
-      return token;
+      return Promise.resolve(token);
     } catch (err) {
       setFailure(
           `Codecov: Failed to get OIDC token with url: ${url}. ${err.message}`,
@@ -51,21 +64,36 @@ const getToken = async () => {
   return token;
 };
 
-const buildCommitExec = async () => {
+const getOverrideBranch = (token: string): string => {
+  let overrideBranch = core.getInput('override_branch');
+  if (!overrideBranch && !token && isPullRequestFromFork()) {
+    core.info('==> Fork detected, tokenless uploading used');
+    // backwards compatibility with certain versions of the CLI that expect this
+    process.env['TOKENLESS'] = context.payload.pull_request.head.label;
+    overrideBranch =context.payload.pull_request.head.label;
+  }
+  return overrideBranch;
+};
+
+const buildCommitExec = async (): Promise<{
+  commitExecArgs: any[];
+  commitOptions: any;
+  commitCommand: string;
+}> => {
   const commitParent = core.getInput('commit_parent');
   const gitService = getGitService();
-  const overrideBranch = core.getInput('override_branch');
   const overrideCommit = core.getInput('override_commit');
   const overridePr = core.getInput('override_pr');
   const slug = core.getInput('slug');
   const token = await getToken();
+  const overrideBranch = getOverrideBranch(token);
   const failCi = isTrue(core.getInput('fail_ci_if_error'));
   const workingDir = core.getInput('working-directory');
 
   const commitCommand = 'create-commit';
-  const commitExecArgs = [];
+  const commitExecArgs: string[] = [];
 
-  const commitOptions:any = {};
+  const commitOptions: any = {};
   commitOptions.env = Object.assign(process.env, {
     GITHUB_ACTION: process.env.GITHUB_ACTION,
     GITHUB_RUN_ID: process.env.GITHUB_RUN_ID,
@@ -75,35 +103,33 @@ const buildCommitExec = async () => {
     GITHUB_HEAD_REF: process.env.GITHUB_HEAD_REF || '',
   });
 
-
   if (token) {
     commitOptions.env.CODECOV_TOKEN = token;
   }
   if (commitParent) {
-    commitExecArgs.push('--parent-sha', `${commitParent}`);
+    commitExecArgs.push('--parent-sha', commitParent);
   }
-  commitExecArgs.push('--git-service', `${gitService}`);
+  commitExecArgs.push('--git-service', gitService);
 
   if (overrideBranch) {
-    commitExecArgs.push('-B', `${overrideBranch}`);
+    commitExecArgs.push('-B', overrideBranch);
   }
   if (overrideCommit) {
-    commitExecArgs.push('-C', `${overrideCommit}`);
+    commitExecArgs.push('-C', overrideCommit);
   } else if (
-    `${context.eventName}` == 'pull_request' ||
+    ['pull_request', 'pull_request_target'].includes(context.eventName)
-    `${context.eventName}` == 'pull_request_target'
   ) {
-    commitExecArgs.push('-C', `${context.payload.pull_request.head.sha}`);
+    const payload = context.payload as PullRequestEvent;
+    commitExecArgs.push('-C', payload.pull_request.head.sha);
   }
   if (overridePr) {
-    commitExecArgs.push('--pr', `${overridePr}`);
+    commitExecArgs.push('--pr', overridePr);
-  } else if (
+  } else if (context.eventName === 'pull_request_target') {
-    `${context.eventName}` == 'pull_request_target'
+    const payload = context.payload as PullRequestEvent;
-  ) {
+    commitExecArgs.push('--pr', payload.number.toString());
-    commitExecArgs.push('--pr', `${context.payload.number}`);
   }
   if (slug) {
-    commitExecArgs.push('--slug', `${slug}`);
+    commitExecArgs.push('--slug', slug);
   }
   if (failCi) {
     commitExecArgs.push('-Z');
@@ -112,21 +138,23 @@ const buildCommitExec = async () => {
     commitOptions.cwd = workingDir;
   }
 
-
   return {commitExecArgs, commitOptions, commitCommand};
 };
 
-const buildGeneralExec = () => {
+const buildGeneralExec = (): {
+  args: any[];
+  verbose: boolean;
+} => {
   const codecovYmlPath = core.getInput('codecov_yml_path');
   const url = core.getInput('url');
   const verbose = isTrue(core.getInput('verbose'));
   const args = [];
 
   if (codecovYmlPath) {
-    args.push('--codecov-yml-path', `${codecovYmlPath}`);
+    args.push('--codecov-yml-path', codecovYmlPath);
   }
   if (url) {
-    args.push('--enterprise-url', `${url}`);
+    args.push('--enterprise-url', url);
   }
   if (verbose) {
     args.push('-v');
@@ -134,7 +162,11 @@ const buildGeneralExec = () => {
   return {args, verbose};
 };
 
-const buildReportExec = async () => {
+const buildReportExec = async (): Promise<{
+  reportExecArgs: any[];
+  reportOptions: any;
+  reportCommand: string;
+}> => {
   const gitService = getGitService();
   const overrideCommit = core.getInput('override_commit');
   const overridePr = core.getInput('override_pr');
@@ -143,11 +175,10 @@ const buildReportExec = async () => {
   const failCi = isTrue(core.getInput('fail_ci_if_error'));
   const workingDir = core.getInput('working-directory');
 
-
   const reportCommand = 'create-report';
-  const reportExecArgs = [];
+  const reportExecArgs: string[] = [];
 
-  const reportOptions:any = {};
+  const reportOptions: any = {};
   reportOptions.env = Object.assign(process.env, {
     GITHUB_ACTION: process.env.GITHUB_ACTION,
     GITHUB_RUN_ID: process.env.GITHUB_RUN_ID,
@@ -157,29 +188,27 @@ const buildReportExec = async () => {
     GITHUB_HEAD_REF: process.env.GITHUB_HEAD_REF || '',
   });
 
-
   if (token) {
     reportOptions.env.CODECOV_TOKEN = token;
   }
-  reportExecArgs.push('--git-service', `${gitService}`);
+  reportExecArgs.push('--git-service', gitService);
 
   if (overrideCommit) {
-    reportExecArgs.push('-C', `${overrideCommit}`);
+    reportExecArgs.push('-C', overrideCommit);
   } else if (
-    `${context.eventName}` == 'pull_request' ||
+    ['pull_request', 'pull_request_target'].includes(context.eventName)
-    `${context.eventName}` == 'pull_request_target'
   ) {
-    reportExecArgs.push('-C', `${context.payload.pull_request.head.sha}`);
+    const payload = context.payload as PullRequestEvent;
+    reportExecArgs.push('-C', payload.pull_request.head.sha);
   }
   if (overridePr) {
-    reportExecArgs.push('-P', `${overridePr}`);
+    reportExecArgs.push('-P', overridePr);
-  } else if (
+  } else if (context.eventName == 'pull_request_target') {
-    `${context.eventName}` == 'pull_request_target'
+    const payload = context.payload as PullRequestEvent;
-  ) {
+    reportExecArgs.push('-P', payload.number.toString());
-    reportExecArgs.push('-P', `${context.payload.number}`);
   }
   if (slug) {
-    reportExecArgs.push('--slug', `${slug}`);
+    reportExecArgs.push('--slug', slug);
   }
   if (failCi) {
     reportExecArgs.push('-Z');
@@ -191,7 +220,15 @@ const buildReportExec = async () => {
   return {reportExecArgs, reportOptions, reportCommand};
 };
 
-const buildUploadExec = async () => {
+const buildUploadExec = async (): Promise<{
+  uploadExecArgs: any[];
+  uploadOptions: any;
+  disableSafeDirectory: boolean;
+  failCi: boolean;
+  os: string;
+  uploaderVersion: string;
+  uploadCommand: string;
+}> => {
   const disableFileFixes = isTrue(core.getInput('disable_file_fixes'));
   const disableSafeDirectory = isTrue(core.getInput('disable_safe_directory'));
   const disableSearch = isTrue(core.getInput('disable_search'));
@@ -227,9 +264,9 @@ const buildUploadExec = async () => {
   );
   const workingDir = core.getInput('working-directory');
 
-  const uploadExecArgs = [];
+  const uploadExecArgs: string[] = [];
   const uploadCommand = 'do-upload';
-  const uploadOptions:any = {};
+  const uploadOptions: any = {};
   uploadOptions.env = Object.assign(process.env, {
     GITHUB_ACTION: process.env.GITHUB_ACTION,
     GITHUB_RUN_ID: process.env.GITHUB_RUN_ID,
@@ -263,83 +300,94 @@ const buildUploadExec = async () => {
     uploadExecArgs.push('-e', envVarsArg.join(','));
   }
   if (exclude) {
-    uploadExecArgs.push('--exclude', `${exclude}`);
+    uploadExecArgs.push('--exclude', exclude);
   }
   if (failCi) {
     uploadExecArgs.push('-Z');
   }
   if (file) {
-    uploadExecArgs.push('-f', `${file}`);
+    uploadExecArgs.push('-f', file);
   }
   if (files) {
-    files.split(',').map((f) => f.trim()).forEach((f) => {
+    files
-      uploadExecArgs.push('-f', `${f}`);
+        .split(',')
-    });
+        .map((f) => f.trim())
+        .forEach((f) => {
+          if (f.length > 0) {
+          // this handles trailing commas
+            uploadExecArgs.push('-f', f);
+          }
+        });
   }
   if (flags) {
-    flags.split(',').map((f) => f.trim()).forEach((f) => {
+    flags
-      uploadExecArgs.push('-F', `${f}`);
+        .split(',')
-    });
+        .map((f) => f.trim())
+        .forEach((f) => {
+          uploadExecArgs.push('-F', f);
+        });
   }
-  uploadExecArgs.push('--git-service', `${gitService}`);
+  uploadExecArgs.push('--git-service', gitService);
   if (handleNoReportsFound) {
     uploadExecArgs.push('--handle-no-reports-found');
   }
   if (jobCode) {
-    uploadExecArgs.push('--job-code', `${jobCode}`);
+    uploadExecArgs.push('--job-code', jobCode);
   }
   if (name) {
-    uploadExecArgs.push('-n', `${name}`);
+    uploadExecArgs.push('-n', name);
   }
   if (networkFilter) {
-    uploadExecArgs.push('--network-filter', `${networkFilter}`);
+    uploadExecArgs.push('--network-filter', networkFilter);
   }
   if (networkPrefix) {
-    uploadExecArgs.push('--network-prefix', `${networkPrefix}`);
+    uploadExecArgs.push('--network-prefix', networkPrefix);
   }
   if (overrideBranch) {
-    uploadExecArgs.push('-B', `${overrideBranch}`);
+    uploadExecArgs.push('-B', overrideBranch);
   }
   if (overrideBuild) {
-    uploadExecArgs.push('-b', `${overrideBuild}`);
+    uploadExecArgs.push('-b', overrideBuild);
   }
   if (overrideBuildUrl) {
-    uploadExecArgs.push('--build-url', `${overrideBuildUrl}`);
+    uploadExecArgs.push('--build-url', overrideBuildUrl);
   }
   if (overrideCommit) {
-    uploadExecArgs.push('-C', `${overrideCommit}`);
+    uploadExecArgs.push('-C', overrideCommit);
   } else if (
-    `${context.eventName}` == 'pull_request' ||
+    ['pull_request', 'pull_request_target'].includes(context.eventName)
-    `${context.eventName}` == 'pull_request_target'
   ) {
-    uploadExecArgs.push('-C', `${context.payload.pull_request.head.sha}`);
+    const payload = context.payload as PullRequestEvent;
+    uploadExecArgs.push('-C', payload.pull_request.head.sha);
   }
   if (overridePr) {
-    uploadExecArgs.push('-P', `${overridePr}`);
+    uploadExecArgs.push('-P', overridePr);
-  } else if (
+  } else if (context.eventName == 'pull_request_target') {
-    `${context.eventName}` == 'pull_request_target'
+    const payload = context.payload as PullRequestEvent;
-  ) {
+    uploadExecArgs.push('-P', payload.number.toString());
-    uploadExecArgs.push('-P', `${context.payload.number}`);
   }
   if (plugin) {
-    uploadExecArgs.push('--plugin', `${plugin}`);
+    uploadExecArgs.push('--plugin', plugin);
   }
   if (plugins) {
-    plugins.split(',').map((p) => p.trim()).forEach((p) => {
+    plugins
-      uploadExecArgs.push('--plugin', `${p}`);
+        .split(',')
-    });
+        .map((p) => p.trim())
+        .forEach((p) => {
+          uploadExecArgs.push('--plugin', p);
+        });
   }
   if (reportCode) {
-    uploadExecArgs.push('--report-code', `${reportCode}`);
+    uploadExecArgs.push('--report-code', reportCode);
   }
   if (rootDir) {
-    uploadExecArgs.push('--network-root-folder', `${rootDir}`);
+    uploadExecArgs.push('--network-root-folder', rootDir);
   }
   if (searchDir) {
-    uploadExecArgs.push('-s', `${searchDir}`);
+    uploadExecArgs.push('-s', searchDir);
   }
   if (slug) {
-    uploadExecArgs.push('-r', `${slug}`);
+    uploadExecArgs.push('-r', slug);
   }
   if (workingDir) {
     uploadOptions.cwd = workingDir;
@@ -368,4 +416,5 @@ export {
   buildGeneralExec,
   buildReportExec,
   buildUploadExec,
+  getToken,
 };

src/helpers.ts

@@ -8,13 +8,19 @@ const PLATFORMS = [
   'alpine',
   'linux-arm64',
   'alpine-arm64',
-];
+] as const;
+type Platform = typeof PLATFORMS[number];
 
 const setFailure = (message: string, failCi: boolean): void => {
-    failCi ? core.setFailed(message) : core.warning(message);
+  if (failCi) {
-    if (failCi) {
+    core.setFailed(message);
-      process.exit();
+  } else {
-    }
+    core.warning(message);
+  }
+
+  if (failCi) {
+    process.exit();
+  }
 };
 
 const getUploaderName = (platform: string): string => {
@@ -25,8 +31,8 @@ const getUploaderName = (platform: string): string => {
   }
 };
 
-const isValidPlatform = (platform: string): boolean => {
+const isValidPlatform = (platform: string): platform is Platform => {
-  return PLATFORMS.includes(platform);
+  return PLATFORMS.includes(platform as Platform);
 };
 
 const isWindows = (platform: string): boolean => {

src/index.ts

@@ -1,6 +1,6 @@
-import * as fs from 'fs';
+import * as fs from 'node:fs';
-import * as https from 'https';
+import * as https from 'node:https';
-import * as path from 'path';
+import * as path from 'node:path';
 
 import * as exec from '@actions/exec';
 
@@ -24,7 +24,7 @@ import versionInfo from './version';
 
 let failCi;
 
-const run = async () => {
+const run = async (): Promise<void> => {
   try {
     const {commitExecArgs, commitOptions, commitCommand} = await buildCommitExec();
     const {reportExecArgs, reportOptions, reportCommand} = await buildReportExec();
@@ -62,7 +62,7 @@ const run = async () => {
               await setSafeDirectory();
             }
 
-            const unlink = () => {
+            const unlink = (): void => {
               fs.unlink(filename, (err) => {
                 if (err) {
                   setFailure(
@@ -72,7 +72,7 @@ const run = async () => {
                 }
               });
             };
-            const doUpload = async () => {
+            const doUpload = async (): Promise<void> => {
               await exec.exec(getCommand(filename, args, uploadCommand).join(' '),
                   uploadExecArgs,
                   uploadOptions)
@@ -84,7 +84,7 @@ const run = async () => {
                     );
                   });
             };
-            const createReport = async () => {
+            const createReport = async (): Promise<void> => {
               await exec.exec(
                   getCommand(filename, args, reportCommand).join(' '),
                   reportExecArgs,

src/validate.ts

@@ -1,7 +1,7 @@
-import * as crypto from 'crypto';
+import {execSync} from 'node:child_process';
-import * as fs from 'fs';
+import * as crypto from 'node:crypto';
-import * as gpg from 'gpg';
+import * as fs from 'node:fs';
-import * as path from 'path';
+import * as path from 'node:path';
 
 import * as core from '@actions/core';
 import {request} from 'undici';
@@ -76,36 +76,43 @@ const verify = async (
       }
     };
 
-    const verifySignature = () => {
+    const verifySignature = async () => {
-      gpg.call('', [
+      const command = [
+        'gpg',
         '--logger-fd',
         '1',
         '--verify',
         path.join(__dirname, `${uploaderName}.SHA256SUM.sig`),
         path.join(__dirname, `${uploaderName}.SHA256SUM`),
-      ], async (err, verifyResult) => {
+      ].join(' ');
-        if (err) {
+
-          setFailure('Codecov: Error importing pgp key', failCi);
+      try {
-        }
+        await execSync(command, {stdio: 'inherit'});
-        core.info(verifyResult);
+      } catch (err) {
-        await validateSha();
+        setFailure(`Codecov: Error verifying gpg signature: ${err.message}`, failCi);
-      });
+      }
     };
 
-    // Import gpg key
+    const importKey = async () => {
-    gpg.call('', [
+      const command = [
-      '--logger-fd',
+        'gpg',
-      '1',
+        '--logger-fd',
-      '--no-default-keyring',
+        '1',
-      '--import',
+        '--no-default-keyring',
-      path.join(__dirname, 'pgp_keys.asc'),
+        '--import',
-    ], async (err, importResult) => {
+        path.join(__dirname, 'pgp_keys.asc'),
-      if (err) {
+      ].join(' ');
-        setFailure('Codecov: Error importing pgp key', failCi);
+
+      try {
+        await execSync(command, {stdio: 'inherit'});
+      } catch (err) {
+        setFailure(`Codecov: Error importing gpg key: ${err.message}`, failCi);
       }
-      core.info(importResult);
+    };
-      verifySignature();
+
-    });
+    await importKey();
+    await verifySignature();
+    await validateSha();
   } catch (err) {
     setFailure(`Codecov: Error validating uploader: ${err.message}`, failCi);
   }

src/version.test.ts

@@ -0,0 +1,62 @@
+import * as core from '@actions/core';
+import {Agent, MockAgent, setGlobalDispatcher} from 'undici';
+
+import versionInfo from './version';
+
+const mockAgent = new MockAgent();
+
+beforeAll(() => {
+  setGlobalDispatcher(mockAgent);
+  mockAgent.disableNetConnect();
+});
+
+afterEach(() => {
+  jest.clearAllMocks();
+});
+
+afterAll(async () => {
+  await mockAgent.close();
+  setGlobalDispatcher(new Agent());
+});
+
+describe('versionInfo', () => {
+  const platform = 'linux';
+
+  test('should resolve requested version info', async () => {
+    const version = 'latest';
+    const coreInfoSpy = jest.spyOn(core, 'info');
+
+    mockAgent
+        .get('https://cli.codecov.io')
+        .intercept({
+          path: `/${platform}/${version}`,
+        })
+        .reply(200, {
+          version: 'v0.5.2',
+        });
+
+    await versionInfo(platform, version);
+
+    expect(coreInfoSpy).toHaveBeenCalledTimes(2);
+    expect(coreInfoSpy).toHaveBeenCalledWith('==> Running version latest');
+    expect(coreInfoSpy).toHaveBeenCalledWith('==> Running version v0.5.2');
+  });
+
+  test('should handle unsupported version', async () => {
+    const version = 'unsupported';
+    const coreInfoSpy = jest.spyOn(core, 'info');
+
+    mockAgent
+        .get('https://cli.codecov.io')
+        .intercept({
+          path: `/${platform}/${version}`,
+        })
+        .reply(404, 'MESSAGE');
+
+    await versionInfo(platform, version);
+
+    expect(coreInfoSpy).toHaveBeenCalledTimes(2);
+    expect(coreInfoSpy).toHaveBeenCalledWith('==> Running version unsupported');
+    expect(coreInfoSpy).toHaveBeenCalledWith(expect.stringContaining('Could not pull latest version information'));
+  });
+});