build(deps): bump github/codeql-action from 3.30.0 to 4.36.2

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.30.0 to 4.36.2.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/v3.30.0...v4.36.2)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.36.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/workflows/codeql-analysis.yml

@@ -41,7 +41,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3.30.0
+      uses: github/codeql-action/init@v4.36.2
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -52,7 +52,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v3.30.0
+      uses: github/codeql-action/autobuild@v4.36.2
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -66,4 +66,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3.30.0
+      uses: github/codeql-action/analyze@v4.36.2

.github/workflows/enforce-license-compliance.yml

@@ -1,14 +0,0 @@
-name: Enforce License Compliance
-
-on:
-  pull_request:
-    branches: [main]
-
-jobs:
-  enforce-license-compliance:
-    runs-on: ubuntu-latest
-    steps:
-      - name: 'Enforce License Compliance'
-        uses: getsentry/action-enforce-license-compliance@57ba820387a1a9315a46115ee276b2968da51f3d # main
-        with:
-          fossa_api_key: ${{ secrets.FOSSA_API_KEY }}

.github/workflows/scorecards-analysis.yml

@@ -57,6 +57,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v3.30.0 # v1.0.26
+        uses: github/codeql-action/upload-sarif@v4.36.2 # v1.0.26
         with:
           sarif_file: results.sarif

Makefile

@@ -1,7 +1,7 @@
 deploy:
 	$(eval VERSION := $(shell cat src/version))
-	git tag -d v6
+	git tag -d v7
-	git push origin :v6
+	git push origin :v7
-	git tag v6
+	git tag v7
 	git tag v$(VERSION) -s -m ""
 	git push origin --tags

README.md

@@ -6,6 +6,10 @@
 
 ### Easily upload coverage reports to Codecov from GitHub Actions
 
+## v7 Release
+
+`v7` of the Codecov GitHub Action bumps the [Codecov Wrapper](https://github.com/codecov/wrapper) submodule, which now fetches the Codecov Uploader PGP verification key from the `codecovsecops` Keybase account.
+
 ## v6 Release
 
 `v6` of the Codecov GitHub Action support node24

action.yml

@@ -177,6 +177,8 @@ runs:
   steps:
     - name: Check system dependencies
       shell: sh
+      env:
+        INPUT_SKIP_VALIDATION: ${{ inputs.skip_validation }}
       run: |
         missing_deps=""
 
@@ -188,7 +190,7 @@ runs:
         done
 
         # Check for gpg only if validation is not being skipped
-        if [ "${{ inputs.skip_validation }}" != "true" ]; then
+        if [ "$INPUT_SKIP_VALIDATION" != "true" ]; then
           if ! command -v gpg >/dev/null 2>&1; then
             missing_deps="$missing_deps gpg"
           fi
@@ -245,24 +247,27 @@ runs:
     - name: Get and set token
       shell: bash
       run: |
-        if [ "${{ inputs.use_oidc }}" == 'true' ] && [ "$CC_FORK" != 'true' ];
+        if [ "$INPUT_USE_OIDC" == 'true' ] && [ "$CC_FORK" != 'true' ];
         then
           echo "CC_TOKEN=$CC_OIDC_TOKEN" >> "$GITHUB_ENV"
-        elif [ -n "${{ env.CODECOV_TOKEN }}" ];
+        elif [ -n "$INPUT_CODECOV_TOKEN" ];
         then
           echo -e "\033[0;32m==>\033[0m Token set from env"
-            echo "CC_TOKEN=${{ env.CODECOV_TOKEN }}" >> "$GITHUB_ENV"
+            echo "CC_TOKEN=$INPUT_CODECOV_TOKEN" >> "$GITHUB_ENV"
         else
-          if [ -n "${{ inputs.token }}" ];
+          if [ -n "$INPUT_TOKEN" ];
           then
             echo -e "\033[0;32m==>\033[0m Token set from input"
-            CC_TOKEN=$(echo "${{ inputs.token }}" | tr -d '\n')
+            CC_TOKEN=$(echo "$INPUT_TOKEN" | tr -d '\n')
             echo "CC_TOKEN=$CC_TOKEN" >> "$GITHUB_ENV"
           fi
         fi
       env:
         CC_OIDC_TOKEN: ${{ steps.oidc.outputs.result }}
         CC_OIDC_AUDIENCE: ${{ inputs.url || 'https://codecov.io' }}
+        INPUT_USE_OIDC: ${{ inputs.use_oidc }}
+        INPUT_TOKEN: ${{ inputs.token }}
+        INPUT_CODECOV_TOKEN: ${{ env.CODECOV_TOKEN }}
 
     - name: Override branch for forks
       shell: bash

dist/codecov.sh

@@ -37,7 +37,7 @@ g="\033[0;32m"  # info/debug
 r="\033[0;31m"  # errors
 x="\033[0m"
 retry="--retry 5 --retry-delay 2"
-CC_WRAPPER_VERSION="0.2.7"
+CC_WRAPPER_VERSION="0.2.9"
 CC_VERSION="${CC_VERSION:-latest}"
 CC_FAIL_ON_ERROR="${CC_FAIL_ON_ERROR:-false}"
 CC_RUN_CMD="${CC_RUN_CMD:-upload-coverage}"
@@ -69,7 +69,13 @@ then
     exit_if_error "Could not install via pypi."
     exit
   fi
-  CC_COMMAND="${CC_CLI_TYPE}"
+  if [[ "$CC_CLI_TYPE" == "codecov-cli" ]]; then
+    CC_COMMAND="codecovcli"
+  elif [[ "$CC_CLI_TYPE" == "sentry-prevent-cli" ]]; then
+    CC_COMMAND="sentry-prevent-cli"
+  else
+    CC_COMMAND="${CC_CLI_TYPE}"
+  fi
 else
   if [ -n "$CC_OS" ];
   then
@@ -110,7 +116,7 @@ then
     chmod +x "$CC_COMMAND"
   fi
 else
-  echo "$(curl -s https://keybase.io/codecovsecurity/pgp_keys.asc)" | \
+  echo "$(curl -s https://keybase.io/codecovsecops/pgp_keys.asc)" | \
     gpg --no-default-keyring --import
   # One-time step
   say "$g==>$x Verifying GPG signature integrity"

src/version

@@ -1 +1 @@
-6.0.0
+7.0.0