In response to the bash security update, Codecov has added steps to make it easier to validate the bash uploader. As an additional layer of security, users may wish to check the script against the provided SHASUMs. This document shares current best practices to validate the script locally and on CI/CDs.
Adding a validation step
The code snippet below can be used to validate the downloaded bash script:
curl -fLso codecov https://codecov.io/bash;
VERSION=$(grep -o 'VERSION=\"[0-9\.]*\"' codecov | cut -d'"' -f2);
for i in 1 256 512
do
shasum -a $i -c --ignore-missing <(curl -s "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA${i}SUM")
done
The above snippet does the following:
- The first line downloads the script and stores it as codecov.
- Since we are always pushing updates to the script, the second line greps for the version and assigns it to the VERSION variable.
- Codecov provides SHA1SUM, SHA256SUM, and SHA512SUM checksum files on GitHub. The remaining lines check all 3 of these checksums against the codecov script.
Handling older shasum versions
Older versions of shasum do not support the --ignore-missing option. For all code snippets provided below, we assume that the latest version is available. For users where this is not possible, the alternative to
shasum -a $i -c --ignore-missing <(curl -s "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA${i}SUM")
is
shasum -a $i -c <(curl -s "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA${i}SUM" | grep -w "codecov")
If you are unable to test the shasum version, you can run
shasum -a $i -c --ignore-missing <(curl -s "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA${i}SUM") ||
shasum -a $i -c <(curl -s "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA${i}SUM" | grep -w "codecov")
GitHub Actions
We recommend using the latest versions of Codecov Action since it uses a local, validated copy of the bash script. For users who cannot use the Action, or who prefer to keep using the bash uploader directly, you can update your workflows from
- name: Upload coverage reports to Codecov
  run: bash <(curl -s https://codecov.io/bash)
to
- name: Download and validate Codecov script
  run: |
    curl -fLso codecov https://codecov.io/bash;
    VERSION=$(grep -o 'VERSION=\"[0-9\.]*\"' codecov | cut -d'"' -f2);
    for i in 1 256 512
    do
      shasum -a $i -c --ignore-missing <(curl -s "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA${i}SUM")
    done
- name: Upload coverage reports to Codecov
  run: bash ./codecov
CircleCI
We recommend using the Codecov CircleCI Orb as it already includes the validation of the bash script shown above. For users who cannot use the Orb, or who prefer to keep using the bash uploader directly, you can update your workflows from
- run:
    name: Upload coverage reports to Codecov
    command: |
      bash <(curl -s https://codecov.io/bash)
to
- run:
    name: Download and validate Codecov script
    command: |
      curl -fLso codecov https://codecov.io/bash;
      VERSION=$(grep -o 'VERSION=\"[0-9\.]*\"' codecov | cut -d'"' -f2);
      for i in 1 256 512
      do
        shasum -a $i -c --ignore-missing <(curl -s "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA${i}SUM")
      done
- run:
    name: Upload coverage reports to Codecov
    command: bash ./codecov