Validating the Bash Script on CI

May 5, 2021 Tom Hu

In response to the bash security update, Codecov has added steps to make it easier to validate the bash uploader. As an additional layer of security, users may wish to check the script against the provided SHASUMs. This document shares current best practices to validate the script locally and on CI/CDs.

Adding a validation step

The snippet below downloads the bash script and validates it against the published checksums:

curl -fLso codecov https://codecov.io/bash;
VERSION=$(grep -o 'VERSION=\"[0-9\.]*\"' codecov | cut -d'"' -f2);
for i in 1 256 512
do
  shasum -a $i -c --ignore-missing <(curl -s "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA${i}SUM")
done

The above snippet does the following:

  • The first line downloads the script and stores it as codecov.
  • Since we are always pushing updates to the script, the second line greps the downloaded copy for its version and assigns it to the VERSION variable, so that the checksums fetched next correspond to exactly that release.
  • Codecov publishes SHA1SUM, SHA256SUM, and SHA512SUM checksum files for each release on GitHub. The for loop checks the downloaded codecov script against all three.


Handling older shasum versions

Older versions of shasum do not support the --ignore-missing option. All code snippets in this post assume that a recent version is available. Where that is not possible, the alternative to

shasum -a $i -c --ignore-missing <(curl -s "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA${i}SUM")

is

shasum -a $i -c <(curl -s "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA${i}SUM" | grep -w "codecov")

If you cannot determine the shasum version in advance, you can run both forms, falling back to the second only if the first fails:

shasum -a $i -c --ignore-missing <(curl -s "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA${i}SUM") ||
shasum -a $i -c <(curl -s "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA${i}SUM" | grep -w "codecov")


GitHub Actions

We recommend using the latest version of the Codecov Action, since it uses a local, validated copy of the bash script. For users that cannot use the Action, or that prefer the bash uploader, update your workflow from

  - name: Upload coverage reports to Codecov
    run: bash <(curl -s https://codecov.io/bash)

to

  - name: Download and validate Codecov script
    run: |
      curl -fLso codecov https://codecov.io/bash;
      VERSION=$(grep -o 'VERSION=\"[0-9\.]*\"' codecov | cut -d'"' -f2);
      for i in 1 256 512
      do
        shasum -a $i -c --ignore-missing <(curl -s "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA${i}SUM")
      done
  - name: Upload coverage reports to Codecov
    run: bash ./codecov


CircleCI

We recommend using the Codecov CircleCI Orb, since it includes the same validation of the bash script. For users that cannot use the Orb, or that prefer the bash uploader, update your workflow from

  - run:
      name: Upload coverage reports to Codecov
      command: |
        bash <(curl -s https://codecov.io/bash)

to

  - run:
      name: Download and validate Codecov script
      command: |
        curl -fLso codecov https://codecov.io/bash;
        VERSION=$(grep -o 'VERSION=\"[0-9\.]*\"' codecov | cut -d'"' -f2);
        for i in 1 256 512
        do
          shasum -a $i -c --ignore-missing <(curl -s "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA${i}SUM")
        done
  - run:
      name: Upload coverage reports to Codecov
      command: bash ./codecov