fix: resolve CLI version before download to prevent sha256sum race condition

When CC_VERSION is 'latest', the binary and SHA256SUM checksum files were
downloaded in separate requests using the 'latest' redirect. If a new CLI
release deployed between those two requests, the binary and checksum would
be from different versions, causing sha256sum verification to fail.

Fix: query the version API before downloading the binary, resolve 'latest'
to a specific version tag, and use that tag for both the binary download
and the SHA256SUM download. Falls back to CC_VERSION if the API call fails.

Fixes #1940
This commit is contained in:
CrepuscularIRIS 2026-04-23 07:05:33 -04:00
parent 57e3a136b7
commit e21c216315

11
dist/codecov.sh vendored

@ -91,14 +91,15 @@ else
[[ $CC_OS == "macos" ]] && \
! command -v gpg 2>&1 >/dev/null && \
HOMEBREW_NO_AUTO_UPDATE=1 brew install gpg
v_url="https://cli.codecov.io/api/${CC_OS}/${CC_VERSION}"
v=$(curl $retry --retry-all-errors -s "$v_url" -H "Accept:application/json" | tr \{ '\n' | tr , '\n' | tr \} '\n' | grep "\"version\"" | awk -F'"' '{print $4}' | tail -1)
CC_RESOLVED_VERSION="${v:-$CC_VERSION}"
CC_URL="${CC_CLI_URL:-https://cli.codecov.io}"
CC_URL="$CC_URL/${CC_VERSION}"
CC_URL="$CC_URL/${CC_RESOLVED_VERSION}"
CC_URL="$CC_URL/${CC_OS}/${CC_FILENAME}"
say "$g ->$x Downloading $b${CC_URL}$x"
curl -O $retry "$CC_URL"
say "$g==>$x Finishing downloading $b${CC_OS}:${CC_VERSION}$x"
v_url="https://cli.codecov.io/api/${CC_OS}/${CC_VERSION}"
v=$(curl $retry --retry-all-errors -s "$v_url" -H "Accept:application/json" | tr \{ '\n' | tr , '\n' | tr \} '\n' | grep "\"version\"" | awk -F'"' '{print $4}' | tail -1)
say "$g==>$x Finishing downloading $b${CC_OS}:${CC_RESOLVED_VERSION}$x"
say " Version: $b$v$x"
say " "
fi
@ -115,7 +116,7 @@ else
# One-time step
say "$g==>$x Verifying GPG signature integrity"
sha_url="https://cli.codecov.io"
sha_url="${sha_url}/${CC_VERSION}/${CC_OS}"
sha_url="${sha_url}/${CC_RESOLVED_VERSION:-$CC_VERSION}/${CC_OS}"
sha_url="${sha_url}/${CC_FILENAME}.SHA256SUM"
say "$g ->$x Downloading $b${sha_url}$x"
say "$g ->$x Downloading $b${sha_url}.sig$x"
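Review bot: The fallback in `CC_RESOLVED_VERSION="${v:-$CC_VERSION}"` silently reintroduces the race this commit fixes: when the API request fails or the tr/grep/awk pipeline extracts nothing, CC_VERSION is still `latest`, so the binary URL and the `.SHA256SUM` URL are once more built from two independent `latest` redirects, with nothing telling the user that resolution failed. Nothing validates what `v` contains either; `curl -s` here is not paired with `-f`, so an HTTP error body would be fed to the parser, and whatever the pipeline yields is spliced into both URL paths as-is. I would fail when `latest` cannot be resolved and reject anything that does not look like a release tag, e.g. `[[ -z "$v" || "$v" =~ ^v?[0-9]+(\.[0-9]+)+$ ]] || { say "Unexpected version from ${v_url}: $v"; exit 1; }` followed by `[[ -n "$v" || "$CC_VERSION" != "latest" ]] || { say "Unable to resolve 'latest' to a release tag"; exit 1; }` immediately before the assignment (adjust the pattern to the project's actual tag format). The if/else that encloses this hunk begins before it, so the branch where CC_RESOLVED_VERSION is never set and the SHA256SUM lookup falls back to CC_VERSION is not visible here.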