fix: download CLI to temp dir and retry GPG key import

Fixes two regressions in the wrapper script:

1. Dirty git state (#1851, #1804): The binary, SHA256SUM, and
   SHA256SUM.sig files were downloaded into the working directory
   (repo root) and never cleaned up. Now downloads to a mktemp -d
   directory with an EXIT trap that removes it automatically.

2. GPG import failures (#1876): The key import used
   `echo "$(curl ...)" | gpg --import` which strips trailing newlines
   from the PGP key, had no retries, and no error checking. Now pipes
   curl directly to gpg with a 3-attempt retry loop and explicit
   failure reporting.

Made-with: Cursor

.github/workflows/codeql-analysis.yml

@@ -37,11 +37,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4.2.2
+      uses: actions/checkout@v5.0.0
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3.28.18
+      uses: github/codeql-action/init@v3.30.0
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -52,7 +52,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v3.28.18
+      uses: github/codeql-action/autobuild@v3.30.0
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -66,4 +66,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3.28.18
+      uses: github/codeql-action/analyze@v3.30.0

.github/workflows/main.yml

@@ -12,13 +12,13 @@ jobs:
         os: [macos-latest, windows-latest, ubuntu-latest]
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.2.2
+        uses: actions/checkout@v5.0.0
         with:
           submodules: "true"
       - name: Install dependencies
-        run: pip install -r src/scripts/app/requirements.txt
+        run: pip install -r app/requirements.txt
       - name: Run tests and collect coverage
-        run: pytest src/scripts/app/ --cov
+        run: pytest app/ --cov
 
       - name: Upload coverage to Codecov (script)
         uses: ./
@@ -50,17 +50,17 @@ jobs:
           token: ${{ secrets.CODECOV_TOKEN }}
 
   run-macos-latest-xlarge:
-    if: github.head.repo.full_name == 'codecov/codecov-action'
+    if: github.event.pull_request.head.repo.full_name == 'codecov/codecov-action'
     runs-on: macos-latest-xlarge
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.2.2
+        uses: actions/checkout@v5.0.0
         with:
           submodules: "true"
       - name: Install dependencies
-        run: pip install -r src/scripts/app/requirements.txt
+        run: pip install -r app/requirements.txt
       - name: Run tests and collect coverage
-        run: pytest src/scripts/app/ --cov
+        run: pytest app/ --cov
       - name: Upload coverage to Codecov (script)
         uses: ./
         with:
@@ -103,7 +103,7 @@ jobs:
     container: python:latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4.2.2
+        uses: actions/checkout@v5.0.0
         with:
           submodules: "true"
       - name: Install deps
@@ -144,7 +144,7 @@ jobs:
         run: |
           apk add git
       - name: Checkout
-        uses: actions/checkout@v4.2.2
+        uses: actions/checkout@v5.0.0
         with:
           submodules: "true"
       - name: Upload coverage to Codecov (should fail due to missing dependencies)
@@ -175,7 +175,7 @@ jobs:
         run: |
           apk add git curl gnupg bash
       - name: Checkout
-        uses: actions/checkout@v4.2.2
+        uses: actions/checkout@v5.0.0
         with:
           submodules: "true"
       - name: Upload coverage to Codecov (should succeed)
@@ -212,7 +212,7 @@ jobs:
         run: |
           apk add git curl
       - name: Checkout
-        uses: actions/checkout@v4.2.2
+        uses: actions/checkout@v5.0.0
         with:
           submodules: "true"
       - name: Upload coverage to Codecov (should fail due to missing gpg and bash)

.github/workflows/scorecards-analysis.yml

@@ -25,12 +25,12 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v4.2.2 # v3.0.0
+        uses: actions/checkout@v5.0.0 # v3.0.0
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
         with:
           results_file: results.sarif
           results_format: sarif
@@ -57,6 +57,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v3.28.18 # v1.0.26
+        uses: github/codeql-action/upload-sarif@v3.30.0 # v1.0.26
         with:
           sarif_file: results.sarif

.gitignore

@@ -93,3 +93,6 @@ public/
 
 # macOS Finder metadata
 .DS_Store
+
+# pycache dirs
+__pycache__/

CHANGELOG.md

@@ -1,3 +1,27 @@
+## v5.5.2
+
+### What's Changed
+
+
+**Full Changelog**: https://github.com/codecov/codecov-action/compare/v5.5.1..v5.5.2
+
+
+## v5.5.1
+
+### What's Changed
+* fix: overwrite pr number on fork by @thomasrockhu-codecov in https://github.com/codecov/codecov-action/pull/1871
+* build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @app/dependabot in https://github.com/codecov/codecov-action/pull/1868
+* build(deps): bump github/codeql-action from 3.29.9 to 3.29.11 by @app/dependabot in https://github.com/codecov/codecov-action/pull/1867
+* fix: update to use local app/ dir by @thomasrockhu-codecov in https://github.com/codecov/codecov-action/pull/1872
+* docs: fix typo in README by @datalater in https://github.com/codecov/codecov-action/pull/1866
+* Document a `codecov-cli` version reference example by @webknjaz in https://github.com/codecov/codecov-action/pull/1774
+* build(deps): bump github/codeql-action from 3.28.18 to 3.29.9 by @app/dependabot in https://github.com/codecov/codecov-action/pull/1861
+* build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @app/dependabot in https://github.com/codecov/codecov-action/pull/1833
+
+
+**Full Changelog**: https://github.com/codecov/codecov-action/compare/v5.5.0..v5.5.1
+
+
 ## v5.5.0
 
 ### What's Changed

README.md

@@ -14,8 +14,8 @@
 
 The `v5` release also coincides with the opt-out feature for tokens for public repositories. In the `Global Upload Token` section of the settings page of an organization in codecov.io, you can set the ability for Codecov to receive a coverage reports from any source. This will allow contributors or other members of a repository to upload without needing access to the Codecov token. For more details see [how to upload without a token](https://docs.codecov.com/docs/codecov-tokens#uploading-without-a-token).
 
-> [!WARNING] > **The following arguments have been changed**
+> [!WARNING]
->
+> **The following arguments have been changed**
 > - `file` (this has been deprecated in favor of `files`)
 > - `plugin` (this has been deprecated in favor of `plugins`)
 
@@ -140,7 +140,7 @@ Codecov's Action supports inputs from the user. These inputs, along with their d
 | `env_vars` | Environment variables to tag the upload with (e.g. PYTHON \| OS,PYTHON) | Optional
 | `exclude` | Comma-separated list of folders to exclude from search. | Optional
 | `fail_ci_if_error` | On error, exit with non-zero code | Optional
-| `files` | Comma-separated explicit list of files to upload. These will be added to the coverage files found for upload. If you wish to only upload the specified files, please consider using "disable-search" to disable uploading other files. | Optional
+| `files` | Comma-separated explicit list of files to upload. These will be added to the coverage files found for upload. If you wish to only upload the specified files, please consider using "disable_search" to disable uploading other files. | Optional
 | `flags` | Comma-separated list of flags to upload to group coverage metrics. | Optional
 | `force` | Only used for empty-upload run command | Optional
 | `git_service` | Override the git_service (e.g. github_enterprise) | Optional
@@ -174,7 +174,7 @@ Codecov's Action supports inputs from the user. These inputs, along with their d
 | `use_oidc` | Use OIDC instead of token. This will ignore any token supplied | Optional
 | `use_pypi` | Use the pypi version of the CLI instead of from cli.codecov.io. If specified, integrity checking will be bypassed. | Optional
 | `verbose` | Enable verbose logging | Optional
-| `version` | Which version of the Codecov CLI to use (defaults to 'latest') | Optional
+| `version` | Which version of the Codecov CLI to use (defaults to 'latest', must start with a leading 'v'; example: `v10.0.1`) | Optional
 | `working-directory` | Directory in which to execute codecov.sh | Optional
 
 ### Example `workflow.yml` with Codecov Action

action.yml

@@ -50,7 +50,7 @@ inputs:
     required: false
     default: 'false'
   files:
-    description: 'Comma-separated list of explicit files to upload. These will be added to the coverage files found for upload. If you wish to only upload the specified files, please consider using disable-search to disable uploading other files.'
+    description: 'Comma-separated list of explicit files to upload. These will be added to the coverage files found for upload. If you wish to only upload the specified files, please consider using disable_search to disable uploading other files.'
     required: false
   flags:
     description: 'Comma-separated list of flags to upload to group coverage metrics.'
@@ -180,13 +180,20 @@ runs:
       run: |
         missing_deps=""
 
-        # Check for required commands
+        # Check for always-required commands
-        for cmd in bash git curl gpg; do
+        for cmd in bash git curl; do
           if ! command -v "$cmd" >/dev/null 2>&1; then
             missing_deps="$missing_deps $cmd"
           fi
         done
 
+        # Check for gpg only if validation is not being skipped
+        if [ "${{ inputs.skip_validation }}" != "true" ]; then
+          if ! command -v gpg >/dev/null 2>&1; then
+            missing_deps="$missing_deps gpg"
+          fi
+        fi
+
         # Report missing required dependencies
         if [ -n "$missing_deps" ]; then
           echo "Error: The following required dependencies are missing:$missing_deps"
@@ -282,7 +289,7 @@ runs:
         then
           CC_SHA="$GITHUB_EVENT_PULL_REQUEST_HEAD_SHA"
         fi
-        if [ -z "$CC_PR" ] && [ "${GITHUB_EVENT_NAME}" == "pull_request_target" ];
+        if [ -z "$CC_PR" ] && [ "$CC_FORK" == 'true' ];
         then
           CC_PR="$GITHUB_EVENT_NUMBER"
         fi

app/calculator.py

@@ -0,0 +1,15 @@
+class Calculator:
+
+    def add(x, y):
+        return x + y
+
+    def subtract(x, y):
+        return x - y
+
+    def multiply(x, y):
+        return x * y
+
+    def divide(x, y):
+        if y == 0:
+            return 'Cannot divide by 0'
+        return x * 1.0 / y

app/requirements.txt

@@ -0,0 +1 @@
+pytest-cov

app/test_calculator.py

@@ -0,0 +1,31 @@
+from .calculator import Calculator
+
+
+def test_add():
+    assert Calculator.add(1, 2) == 3.0
+    assert Calculator.add(1.0, 2.0) == 3.0
+    assert Calculator.add(0, 2.0) == 2.0
+    assert Calculator.add(2.0, 0) == 2.0
+    assert Calculator.add(-4, 2.0) == -2.0
+
+def test_subtract():
+    assert Calculator.subtract(1, 2) == -1.0
+    assert Calculator.subtract(2, 1) == 1.0
+    assert Calculator.subtract(1.0, 2.0) == -1.0
+    assert Calculator.subtract(0, 2.0) == -2.0
+    assert Calculator.subtract(2.0, 0.0) == 2.0
+    assert Calculator.subtract(-4, 2.0) == -6.0
+
+def test_multiply():
+    assert Calculator.multiply(1, 2) == 2.0
+    assert Calculator.multiply(1.0, 2.0) == 2.0
+    assert Calculator.multiply(0, 2.0) == 0.0
+    assert Calculator.multiply(2.0, 0.0) == 0.0
+    assert Calculator.multiply(-4, 2.0) == -8.0
+
+def test_divide():
+    # assert Calculator.divide(1, 2) == 0.5
+    assert Calculator.divide(1.0, 2.0) == 0.5
+    assert Calculator.divide(0, 2.0) == 0
+    assert Calculator.divide(-4, 2.0) == -2.0
+    # assert Calculator.divide(2.0, 0.0) == 'Cannot divide by 0'

dist/codecov.sh

@@ -71,6 +71,11 @@ then
   fi
   CC_COMMAND="${CC_CLI_TYPE}"
 else
+  CC_DOWNLOAD_DIR=$(mktemp -d)
+  cleanup_downloads() {
+    rm -rf "$CC_DOWNLOAD_DIR"
+  }
+  trap cleanup_downloads EXIT
   if [ -n "$CC_OS" ];
   then
     say "$g==>$x Overridden OS: $b${CC_OS}$x"
@@ -87,7 +92,7 @@ else
   fi
   CC_FILENAME="${CC_CLI_TYPE%-cli}"
   [[ $CC_OS == "windows" ]] && CC_FILENAME+=".exe"
-  CC_COMMAND="./$CC_FILENAME"
+  CC_COMMAND="$CC_DOWNLOAD_DIR/$CC_FILENAME"
   [[ $CC_OS == "macos" ]]  && \
     ! command -v gpg 2>&1 >/dev/null && \
     HOMEBREW_NO_AUTO_UPDATE=1 brew install gpg
@@ -95,7 +100,7 @@ else
   CC_URL="$CC_URL/${CC_VERSION}"
   CC_URL="$CC_URL/${CC_OS}/${CC_FILENAME}"
   say "$g ->$x Downloading $b${CC_URL}$x"
-  curl -O $retry "$CC_URL"
+  curl -o "$CC_DOWNLOAD_DIR/$CC_FILENAME" $retry "$CC_URL"
   say "$g==>$x Finishing downloading $b${CC_OS}:${CC_VERSION}$x"
   v_url="https://cli.codecov.io/api/${CC_OS}/${CC_VERSION}"
   v=$(curl $retry --retry-all-errors -s "$v_url" -H "Accept:application/json" | tr \{ '\n' | tr , '\n' | tr \} '\n' | grep "\"version\"" | awk  -F'"' '{print $4}' | tail -1)
@@ -110,9 +115,19 @@ then
     chmod +x "$CC_COMMAND"
   fi
 else
-  echo "$(curl -s https://keybase.io/codecovsecurity/pgp_keys.asc)" | \
+  gpg_key_url="https://keybase.io/codecovsecurity/pgp_keys.asc"
-    gpg --no-default-keyring --import
+  gpg_import_ok=false
-  # One-time step
+  for gpg_attempt in 1 2 3; do
+    if curl -sf $retry "$gpg_key_url" | gpg --no-default-keyring --import 2>/dev/null; then
+      gpg_import_ok=true
+      break
+    fi
+    say "$r ->$x GPG key import attempt $gpg_attempt failed, retrying..."
+    sleep 2
+  done
+  if [ "$gpg_import_ok" != "true" ]; then
+    exit_if_error "Could not import GPG verification key after 3 attempts. Please contact Codecov if problem continues"
+  fi
   say "$g==>$x Verifying GPG signature integrity"
   sha_url="https://cli.codecov.io"
   sha_url="${sha_url}/${CC_VERSION}/${CC_OS}"
@@ -120,14 +135,14 @@ else
   say "$g ->$x Downloading $b${sha_url}$x"
   say "$g ->$x Downloading $b${sha_url}.sig$x"
   say " "
-  curl -Os $retry --connect-timeout 2 "$sha_url"
+  curl -o "$CC_DOWNLOAD_DIR/${CC_FILENAME}.SHA256SUM" -s $retry --connect-timeout 2 "$sha_url"
-  curl -Os $retry --connect-timeout 2 "${sha_url}.sig"
+  curl -o "$CC_DOWNLOAD_DIR/${CC_FILENAME}.SHA256SUM.sig" -s $retry --connect-timeout 2 "${sha_url}.sig"
-  if ! gpg --verify "${CC_FILENAME}.SHA256SUM.sig" "${CC_FILENAME}.SHA256SUM";
+  if ! gpg --verify "$CC_DOWNLOAD_DIR/${CC_FILENAME}.SHA256SUM.sig" "$CC_DOWNLOAD_DIR/${CC_FILENAME}.SHA256SUM";
   then
     exit_if_error "Could not verify signature. Please contact Codecov if problem continues"
   fi
-  if ! (shasum -a 256 -c "${CC_FILENAME}.SHA256SUM" 2>/dev/null || \
+  if ! (cd "$CC_DOWNLOAD_DIR" && (shasum -a 256 -c "${CC_FILENAME}.SHA256SUM" 2>/dev/null || \
-    sha256sum -c "${CC_FILENAME}.SHA256SUM");
+    sha256sum -c "${CC_FILENAME}.SHA256SUM"));
   then
     exit_if_error "Could not verify SHASUM. Please contact Codecov if problem continues"
   fi
@@ -137,11 +152,16 @@ else
 fi
 if [ -n "$CC_BINARY_LOCATION" ];
 then
-  mkdir -p "$CC_BINARY_LOCATION" && mv "$CC_FILENAME" $_
+  mkdir -p "$CC_BINARY_LOCATION" && mv "$CC_COMMAND" "$CC_BINARY_LOCATION/$CC_FILENAME"
+  CC_COMMAND="$CC_BINARY_LOCATION/$CC_FILENAME"
   say "$g==>$x ${CC_CLI_TYPE} binary moved to ${CC_BINARY_LOCATION}"
 fi
 if [ "$CC_DOWNLOAD_ONLY" = "true" ];
 then
+  if [ -n "$CC_DOWNLOAD_DIR" ] && [ -z "$CC_BINARY_LOCATION" ]; then
+    cp "$CC_COMMAND" "./$CC_FILENAME"
+    CC_COMMAND="./$CC_FILENAME"
+  fi
   say "$g==>$x ${CC_CLI_TYPE} download only called. Exiting..."
   exit
 fi

src/version

@@ -1 +1 @@
-5.5.0
+5.5.2