chore(release): 5.4.0 (#1781)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.0 to 4.6.1.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](65c4c4a1dd...4cec3d8aa0)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/workflows/codeql-analysis.yml

@@ -41,7 +41,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3.28.1
+      uses: github/codeql-action/init@v3.28.10
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -52,7 +52,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v3.28.1
+      uses: github/codeql-action/autobuild@v3.28.10
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -66,4 +66,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3.28.1
+      uses: github/codeql-action/analyze@v3.28.10

.github/workflows/scorecards-analysis.yml

@@ -30,7 +30,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
         with:
           results_file: results.sarif
           results_format: sarif
@@ -49,7 +49,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         with:
           name: SARIF file
           path: results.sarif
@@ -57,6 +57,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v3.28.1 # v1.0.26
+        uses: github/codeql-action/upload-sarif@v3.28.10 # v1.0.26
         with:
           sarif_file: results.sarif

CHANGELOG.md

@@ -1,3 +1,22 @@
+## v5.4.0
+
+### What's Changed
+* update wrapper submodule to 0.2.0, add recurse_submodules arg by @matt-codecov in https://github.com/codecov/codecov-action/pull/1780
+* build(deps): bump actions/upload-artifact from 4.6.0 to 4.6.1 by @app/dependabot in https://github.com/codecov/codecov-action/pull/1775
+* build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 by @app/dependabot in https://github.com/codecov/codecov-action/pull/1776
+* build(deps): bump github/codeql-action from 3.28.9 to 3.28.10 by @app/dependabot in https://github.com/codecov/codecov-action/pull/1777
+* Clarify in README that `use_pypi` bypasses integrity checks too by @webknjaz in https://github.com/codecov/codecov-action/pull/1773
+* Fix use of safe.directory inside containers by @Flamefire in https://github.com/codecov/codecov-action/pull/1768
+* Fix description for report_type input by @craigscott-crascit in https://github.com/codecov/codecov-action/pull/1770
+* build(deps): bump github/codeql-action from 3.28.8 to 3.28.9 by @app/dependabot in https://github.com/codecov/codecov-action/pull/1765
+*  Fix a typo in the example by @miranska in https://github.com/codecov/codecov-action/pull/1758
+* build(deps): bump github/codeql-action from 3.28.5 to 3.28.8 by @app/dependabot in https://github.com/codecov/codecov-action/pull/1757
+* build(deps): bump github/codeql-action from 3.28.1 to 3.28.5 by @app/dependabot in https://github.com/codecov/codecov-action/pull/1753
+
+
+**Full Changelog**: https://github.com/codecov/codecov-action/compare/v5.3.1..v5.4.0
+
+
 ## v5.3.1
 
 ### What's Changed

README.md

@@ -141,8 +141,9 @@ Codecov's Action supports inputs from the user. These inputs, along with their d
 | `override_commit` | Commit SHA (with 40 chars) | Optional
 | `override_pr` | Specify the pull request number manually. Used to override pre-existing CI environment variables. | Optional
 | `plugins` | Comma-separated list of plugins to run. Specify `noop` to turn off all plugins | Optional
+| `recurse_submodules` | Whether to enumerate files inside of submodules for path-fixing purposes. Off by default. | Optional
 | `report_code` | The code of the report if using local upload. If unsure, leave unset. Read more here https://docs.codecov.com/docs/the-codecov-cli#how-to-use-local-upload | Optional
-| `report_type` | The type of file to upload, coverage by default. Possible values are "testing", "coverage". | Optional
+| `report_type` | The type of file to upload, coverage by default. Possible values are "test_results", "coverage". | Optional
 | `root_dir` | Root folder from which to consider paths on the network section. Defaults to current working directory. | Optional
 | `run_command` | Choose which CLI command to run. Options are "upload-coverage", "empty-upload", "pr-base-picking", "send-notifications". "upload-coverage" is run by default.' | Optional
 | `skip_validation` | Skip integrity checking of the CLI. This is NOT recommended. | Optional
@@ -152,7 +153,7 @@ Codecov's Action supports inputs from the user. These inputs, along with their d
 | `url` | Set to the Codecov instance URl. Used by Dedicated Enterprise Cloud customers. | Optional
 | `use_legacy_upload_endpoint` | Use the legacy upload endpoint. | Optional
 | `use_oidc` | Use OIDC instead of token. This will ignore any token supplied | Optional
-| `use_pypi` | Use the pypi version of the CLI instead of from cli.codecov.io | Optional
+| `use_pypi` | Use the pypi version of the CLI instead of from cli.codecov.io. If specified, integrity checking will be bypassed. | Optional
 | `verbose` | Enable verbose logging | Optional
 | `version` | Which version of the Codecov CLI to use (defaults to 'latest') | Optional
 | `working-directory` | Directory in which to execute codecov.sh | Optional
@@ -176,7 +177,7 @@ jobs:
     - name: Setup Python
       uses: actions/setup-python@main
       with:
-        python-version: 3.10
+        python-version: '3.10'
     - name: Generate coverage report
       run: |
         pip install pytest

action.yml

@@ -112,11 +112,14 @@ inputs:
   plugins:
     description: 'Comma-separated list of plugins to run. Specify `noop` to turn off all plugins'
     required: false
+  recurse_submodules:
+    description: 'Whether to enumerate files inside of submodules for path-fixing purposes. Off by default.'
+    default: 'false'
   report_code:
     description: 'The code of the report if using local upload. If unsure, leave default. Read more here https://docs.codecov.com/docs/the-codecov-cli#how-to-use-local-upload'
     required: false
   report_type:
-    description: 'The type of file to upload, coverage by default. Possible values are "testing", "coverage".'
+    description: 'The type of file to upload, coverage by default. Possible values are "test_results", "coverage".'
     required: false
   root_dir:
     description: 'Root folder from which to consider paths on the network section. Defaults to current working directory.'
@@ -181,7 +184,8 @@ runs:
       if: ${{ inputs.disable_safe_directory != 'true' }}
       shell: bash
       run: |
-        git config --global --add safe.directory ${{ github.workspace }}
+        git config --global --add safe.directory "${{ github.workspace }}"
+        git config --global --add safe.directory "$GITHUB_WORKSPACE"
 
     - name: Set fork
       shell: bash
@@ -299,6 +303,7 @@ runs:
         CC_OS: ${{ inputs.os }}
         CC_PARENT_SHA: ${{ inputs.commit_parent }}
         CC_PLUGINS: ${{ inputs.plugins }}
+        CC_RECURSE_SUBMODULES: ${{ inputs.recurse_submodules }}
         CC_REPORT_TYPE: ${{ inputs.report_type }}
         CC_RUN_CMD: ${{ inputs.run_command }}
         CC_SERVICE: ${{ inputs.git_service }}

dist/codecov.sh

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-CC_WRAPPER_VERSION="0.1.0"
+CC_WRAPPER_VERSION="0.2.0"
 set +u
 say() {
   echo -e "$1"
@@ -27,7 +27,7 @@ v_arg() {
     echo "$(eval echo \$"CC_$1")"
   fi
 }
-write_truthy_args() {
+write_bool_args() {
   if [ "$(eval echo \$$1)" = "true" ] || [ "$(eval echo \$$1)" = "1" ];
   then
     echo "-$(lower $1)"
@@ -143,8 +143,8 @@ then
   cc_cli_args+=( "--codecov-yml-path" )
   cc_cli_args+=( "$CC_YML_PATH" )
 fi
-cc_cli_args+=( $(write_truthy_args CC_DISABLE_TELEM) )
-cc_cli_args+=( $(write_truthy_args CC_VERBOSE) )
+cc_cli_args+=( $(write_bool_args CC_DISABLE_TELEM) )
+cc_cli_args+=( $(write_bool_args CC_VERBOSE) )
 if [ -n "$CC_TOKEN_VAR" ];
 then
   token="$(eval echo \$$CC_TOKEN_VAR)"
@@ -162,7 +162,7 @@ fi
 if [ "$CC_RUN_CMD" == "upload-coverage" ]; then
 cc_args=()
 # Args for create commit
-cc_args+=( $(write_truthy_args CC_FAIL_ON_ERROR) )
+cc_args+=( $(write_bool_args CC_FAIL_ON_ERROR) )
 cc_args+=( $(k_arg GIT_SERVICE) $(v_arg GIT_SERVICE))
 cc_args+=( $(k_arg PARENT_SHA) $(v_arg PARENT_SHA))
 cc_args+=( $(k_arg PR) $(v_arg PR))
@@ -177,9 +177,9 @@ cc_args+=( $(k_arg BRANCH) $(v_arg BRANCH))
 cc_args+=( $(k_arg BUILD) $(v_arg BUILD))
 cc_args+=( $(k_arg BUILD_URL) $(v_arg BUILD_URL))
 cc_args+=( $(k_arg DIR) $(v_arg DIR))
-cc_args+=( $(write_truthy_args CC_DISABLE_FILE_FIXES) )
-cc_args+=( $(write_truthy_args CC_DISABLE_SEARCH) )
-cc_args+=( $(write_truthy_args CC_DRY_RUN) )
+cc_args+=( $(write_bool_args CC_DISABLE_FILE_FIXES) )
+cc_args+=( $(write_bool_args CC_DISABLE_SEARCH) )
+cc_args+=( $(write_bool_args CC_DRY_RUN) )
 if [ -n "$CC_EXCLUDES" ];
 then
   for directory in $CC_EXCLUDES; do
@@ -202,9 +202,10 @@ cc_args+=( $(k_arg GCOV_ARGS) $(v_arg GCOV_ARGS))
 cc_args+=( $(k_arg GCOV_EXECUTABLE) $(v_arg GCOV_EXECUTABLE))
 cc_args+=( $(k_arg GCOV_IGNORE) $(v_arg GCOV_IGNORE))
 cc_args+=( $(k_arg GCOV_INCLUDE) $(v_arg GCOV_INCLUDE))
-cc_args+=( $(write_truthy_args CC_HANDLE_NO_REPORTS_FOUND) )
+cc_args+=( $(write_bool_args CC_HANDLE_NO_REPORTS_FOUND) )
+cc_args+=( $(write_bool_args CC_RECURSE_SUBMODULES) )
 cc_args+=( $(k_arg JOB_CODE) $(v_arg JOB_CODE))
-cc_args+=( $(write_truthy_args CC_LEGACY) )
+cc_args+=( $(write_bool_args CC_LEGACY) )
 if [ -n "$CC_NAME" ];
 then
   cc_args+=( "--name" "$CC_NAME" )
@@ -223,8 +224,8 @@ cc_args+=( $(k_arg SWIFT_PROJECT) $(v_arg SWIFT_PROJECT))
 IFS=$OLDIFS
 elif [ "$CC_RUN_CMD" == "empty-upload" ]; then
 cc_args=()
-cc_args+=( $(write_truthy_args CC_FAIL_ON_ERROR) )
-cc_args+=( $(write_truthy_args CC_FORCE) )
+cc_args+=( $(write_bool_args CC_FAIL_ON_ERROR) )
+cc_args+=( $(write_bool_args CC_FORCE) )
 cc_args+=( $(k_arg GIT_SERVICE) $(v_arg GIT_SERVICE))
 cc_args+=( $(k_arg SHA) $(v_arg SHA))
 cc_args+=( $(k_arg SLUG) $(v_arg SLUG))
@@ -237,7 +238,7 @@ cc_args+=( $(k_arg SERVICE) $(v_arg SERVICE))
 elif [ "$CC_RUN_CMD" == "send-notifications" ]; then
 cc_args=()
 cc_args+=( $(k_arg SHA) $(v_arg SHA))
-cc_args+=( $(write_truthy_args CC_FAIL_ON_ERROR) )
+cc_args+=( $(write_bool_args CC_FAIL_ON_ERROR) )
 cc_args+=( $(k_arg GIT_SERVICE) $(v_arg GIT_SERVICE))
 cc_args+=( $(k_arg SLUG) $(v_arg SLUG))
 else
@@ -245,9 +246,9 @@ else
   exit
 fi
 unset NODE_OPTIONS
-# See https://github.com/codecov/uploader/issues/475
+# https://github.com/codecov/uploader/issues/475
 say "$g==>$x Running $CC_RUN_CMD"
-say "      $b$cc_command $(echo "${cc_cli_args[@]}")$CC_RUN_CMD$token_str $(echo "${cc_args[@]}")$x"
+say "      $b$cc_command $(echo "${cc_cli_args[@]}") $CC_RUN_CMD$token_str $(echo "${cc_args[@]}")$x"
 if ! $cc_command \
   ${cc_cli_args[*]} \
   ${CC_RUN_CMD} \

src/version

@@ -1 +1 @@
-5.3.1
+5.4.0