From f67d33dda8a42b51c42a8318a1f66468119e898b Mon Sep 17 00:00:00 2001
From: Tom Hu <88201630+thomasrockhu-codecov@users.noreply.github.com>
Date: Thu, 26 Mar 2026 22:54:10 +0900
Subject: [PATCH 1/8] Revert "Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0"" (#1929)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Revert "Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0" …" This reverts commit 87d39f4a2cec2673cf9505764fb20a38792ea722.
---
 action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/action.yml b/action.yml
index 54c8195..0034400 100644
--- a/action.yml
+++ b/action.yml
@@ -230,7 +230,7 @@ runs:
 GITHUB_REPOSITORY: ${{ github.repository }}
 - name: Get OIDC token
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
 id: oidc
 with:
 script: |
From 57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 Mon Sep 17 00:00:00 2001
From: Tom Hu <88201630+thomasrockhu-codecov@users.noreply.github.com>
Date: Thu, 26 Mar 2026 23:00:19 +0900
Subject: [PATCH 2/8] Th/6.0.0 (#1928)
* chore(release): 5.5.4
* chore(release): 6.0.0
* fix: small fixes
---------
Co-authored-by: Tom Hu
---
 Makefile | 6 +++---
 README.md | 4 ++++
 src/version | 2 +-
 3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/Makefile b/Makefile
index f335ab3..929ae14 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,7 @@
 deploy:
 $(eval VERSION := $(shell cat src/version))
- git tag -d v5
- git push origin :v5
- git tag v5
+ git tag -d v6
+ git push origin :v6
+ git tag v6
 git tag v$(VERSION) -s -m ""
 git push origin --tags
diff --git a/README.md b/README.md
index c0d3744..6564cd1 100644
--- a/README.md
+++ b/README.md
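Review bot: `git tag -d v6` exits non-zero when no local `v6` tag exists yet, and make stops at the first failing recipe line, so the first deploy after this rename aborts before `git tag v6` is ever reached (the same applies to `git push origin :v6` when the remote has no `v6` tag). Prefixing the two cleanup lines with `-` (`-git tag -d v6` and `-git push origin :v6`) makes them the best-effort steps they appear to be meant as. Separately, the floating `v6` tag is created unsigned while `v$(VERSION)` gets `-s`; `git tag -s v6 -m ""` would keep both tags verifiable by consumers that pin to the major version. The same pattern recurs in the Makefile hunk of PATCH 6/8 (`v7`).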
@@ -6,6 +6,10 @@
 ### Easily upload coverage reports to Codecov from GitHub Actions
+## v6 Release
+
+`v6` of the Codecov GitHub Action support node24
+
 ## v5 Release
 `v5` of the Codecov GitHub Action will use the [Codecov Wrapper](https://github.com/codecov/wrapper) to encapsulate the [CLI](https://github.com/codecov/codecov-cli). This will help ensure that the Action gets updates quicker.
diff --git a/src/version b/src/version
index c8f1d09..09b254e 100644
--- a/src/version
+++ b/src/version
@@ -1 +1 @@
-5.5.4
+6.0.0
From 51e64229ac331acb0d7f7b17c67423995f991c79 Mon Sep 17 00:00:00 2001
From: Tom Hu <88201630+thomasrockhu-codecov@users.noreply.github.com>
Date: Thu, 14 May 2026 03:59:22 +0900
Subject: [PATCH 3/8] fix: prevent template injection in run: steps (VULN-1652) (#1947)
Replace direct ${{ inputs.skip_validation }}, ${{ inputs.use_oidc }}, ${{ inputs.token }}, and ${{ env.CODECOV_TOKEN }} interpolation inside run: shell scripts with env-var indirection. GitHub Actions resolves template expressions before the shell sees the script, so any consumer workflow that passes user-controlled data into these inputs could achieve arbitrary command execution on the runner. Moving the values into env: entries and referencing them as $INPUT_* shell variables ensures the shell always treats them as data, not code.
---
 action.yml | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/action.yml b/action.yml
index 0034400..b247abe 100644
--- a/action.yml
+++ b/action.yml
@@ -177,6 +177,8 @@ runs:
 steps:
 - name: Check system dependencies
 shell: sh
+ env:
+ INPUT_SKIP_VALIDATION: ${{ inputs.skip_validation }}
 run: |
 missing_deps=""
@@ -188,7 +190,7 @@ runs:
 done
 # Check for gpg only if validation is not being skipped
- if [ "${{ inputs.skip_validation }}" != "true" ]; then
+ if [ "$INPUT_SKIP_VALIDATION" != "true" ]; then
 if ! command -v gpg >/dev/null 2>&1; then
 missing_deps="$missing_deps gpg"
 fi
@@ -245,24 +247,27 @@ runs:
 - name: Get and set token
 shell: bash
 run: |
- if [ "${{ inputs.use_oidc }}" == 'true' ] && [ "$CC_FORK" != 'true' ];
+ if [ "$INPUT_USE_OIDC" == 'true' ] && [ "$CC_FORK" != 'true' ];
 then
 echo "CC_TOKEN=$CC_OIDC_TOKEN" >> "$GITHUB_ENV"
- elif [ -n "${{ env.CODECOV_TOKEN }}" ];
+ elif [ -n "$INPUT_CODECOV_TOKEN" ];
 then
 echo -e "\033[0;32m==>\033[0m Token set from env"
- echo "CC_TOKEN=${{ env.CODECOV_TOKEN }}" >> "$GITHUB_ENV"
+ echo "CC_TOKEN=$INPUT_CODECOV_TOKEN" >> "$GITHUB_ENV"
 else
- if [ -n "${{ inputs.token }}" ];
+ if [ -n "$INPUT_TOKEN" ];
 then
 echo -e "\033[0;32m==>\033[0m Token set from input"
- CC_TOKEN=$(echo "${{ inputs.token }}" | tr -d '\n')
+ CC_TOKEN=$(echo "$INPUT_TOKEN" | tr -d '\n')
 echo "CC_TOKEN=$CC_TOKEN" >> "$GITHUB_ENV"
 fi
 fi
 env:
 CC_OIDC_TOKEN: ${{ steps.oidc.outputs.result }}
 CC_OIDC_AUDIENCE: ${{ inputs.url || 'https://codecov.io' }}
+ INPUT_USE_OIDC: ${{ inputs.use_oidc }}
+ INPUT_TOKEN: ${{ inputs.token }}
+ INPUT_CODECOV_TOKEN: ${{ env.CODECOV_TOKEN }}
 - name: Override branch for forks
 shell: bash
From e79a6962e0d4c0c17b229090214935d2e33f8354 Mon Sep 17 00:00:00 2001
From: Tom Hu <88201630+thomasrockhu-codecov@users.noreply.github.com>
Date: Tue, 19 May 2026 03:35:56 +0900
Subject: [PATCH 4/8] chore(release): 6.0.1 (#1949)
---
 src/version | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/version b/src/version
index 09b254e..5fe6072 100644
--- a/src/version
+++ b/src/version
@@ -1 +1 @@
-6.0.0
+6.0.1
From ca0a928a4cb3911011e868128a5cd90437c12db1 Mon Sep 17 00:00:00 2001
From: Tom Hu <88201630+thomasrockhu-codecov@users.noreply.github.com>
Date: Fri, 22 May 2026 06:26:10 -0600
Subject: [PATCH 5/8] ci: remove Enforce License Compliance workflow (#1950)
Removes the Enforce License Compliance GitHub Actions workflow.
---
 .github/workflows/enforce-license-compliance.yml | 14 --------------
 1 file changed, 14 deletions(-)
 delete mode 100644 .github/workflows/enforce-license-compliance.yml
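Review bot: The `elif` branch writes `$INPUT_CODECOV_TOKEN` to `$GITHUB_ENV` as-is, while the `inputs.token` branch below it strips newlines with `tr -d '\n'` first; the `$CC_OIDC_TOKEN` write in the first branch has the same gap, and a value carrying a newline would become additional `NAME=value` lines in `GITHUB_ENV`. The same normalization belongs on all three writes, and `printf '%s'` is safer than `echo` here because bash's `echo` interprets a leading `-n`/`-e` in the value. Suggested form for the env branch: `CC_TOKEN=$(printf '%s' "$INPUT_CODECOV_TOKEN" | tr -d '\n')` followed by `echo "CC_TOKEN=$CC_TOKEN" >> "$GITHUB_ENV"`. The step is complete within the hunk, but `$CC_FORK` is set somewhere outside it, so I cannot confirm it is also passed via `env:` rather than interpolated.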
diff --git a/.github/workflows/enforce-license-compliance.yml b/.github/workflows/enforce-license-compliance.yml
deleted file mode 100644
index 80c04ac..0000000
--- a/.github/workflows/enforce-license-compliance.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-name: Enforce License Compliance
-
-on:
- pull_request:
- branches: [main]
-
-jobs:
- enforce-license-compliance:
- runs-on: ubuntu-latest
- steps:
- - name: 'Enforce License Compliance'
- uses: getsentry/action-enforce-license-compliance@57ba820387a1a9315a46115ee276b2968da51f3d # main
- with:
- fossa_api_key: ${{ secrets.FOSSA_API_KEY }}
From fb8b3582c8e4def4969c97caa2f19720cb33a72f Mon Sep 17 00:00:00 2001
From: Tom Hu <88201630+thomasrockhu-codecov@users.noreply.github.com>
Date: Sat, 6 Jun 2026 19:43:45 -0600
Subject: [PATCH 6/8] chore(release): 7.0.0 (#1957)
Bump the wrapper submodule (src/scripts) to the latest main (bad8df5), which fetches the Codecov Uploader PGP key from the codecovsecops Keybase account, and cut a new major version.
Co-authored-by: Cursor
---
 Makefile | 6 +++---
 README.md | 4 ++++
 dist/codecov.sh | 12 +++++++++---
 src/scripts | 2 +-
 src/version | 2 +-
 5 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/Makefile b/Makefile
index 929ae14..442b9a7 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,7 @@
 deploy:
 $(eval VERSION := $(shell cat src/version))
- git tag -d v6
- git push origin :v6
- git tag v6
+ git tag -d v7
+ git push origin :v7
+ git tag v7
 git tag v$(VERSION) -s -m ""
 git push origin --tags
diff --git a/README.md b/README.md
index 6564cd1..245eb55 100644
--- a/README.md
+++ b/README.md
@@ -6,6 +6,10 @@
 ### Easily upload coverage reports to Codecov from GitHub Actions
+## v7 Release
+
+`v7` of the Codecov GitHub Action bumps the [Codecov Wrapper](https://github.com/codecov/wrapper) submodule, which now fetches the Codecov Uploader PGP verification key from the `codecovsecops` Keybase account.
+
 ## v6 Release
 `v6` of the Codecov GitHub Action support node24
diff --git a/dist/codecov.sh b/dist/codecov.sh
index 0b77171..b7eba51 100755
--- a/dist/codecov.sh
+++ b/dist/codecov.sh
@@ -37,7 +37,7 @@ g="\033[0;32m" # info/debug
 r="\033[0;31m" # errors
 x="\033[0m"
 retry="--retry 5 --retry-delay 2"
-CC_WRAPPER_VERSION="0.2.7"
+CC_WRAPPER_VERSION="0.2.9"
 CC_VERSION="${CC_VERSION:-latest}"
 CC_FAIL_ON_ERROR="${CC_FAIL_ON_ERROR:-false}"
 CC_RUN_CMD="${CC_RUN_CMD:-upload-coverage}"
@@ -69,7 +69,13 @@ then
 exit_if_error "Could not install via pypi."
 exit
 fi
- CC_COMMAND="${CC_CLI_TYPE}"
+ if [[ "$CC_CLI_TYPE" == "codecov-cli" ]]; then
+ CC_COMMAND="codecovcli"
+ elif [[ "$CC_CLI_TYPE" == "sentry-prevent-cli" ]]; then
+ CC_COMMAND="sentry-prevent-cli"
+ else
+ CC_COMMAND="${CC_CLI_TYPE}"
+ fi
 else
 if [ -n "$CC_OS" ];
 then
@@ -110,7 +116,7 @@ then
 chmod +x "$CC_COMMAND"
 fi
 else
- echo "$(curl -s https://keybase.io/codecovsecurity/pgp_keys.asc)" | \
+ echo "$(curl -s https://keybase.io/codecovsecops/pgp_keys.asc)" | \
 gpg --no-default-keyring --import # One-time step
 say "$g==>$x Verifying GPG signature integrity"
diff --git a/src/scripts b/src/scripts
index 473e292..bad8df5 160000
--- a/src/scripts
+++ b/src/scripts
@@ -1 +1 @@
-Subproject commit 473e2924695f5dbe1cca4a5f6f8a7182c2ddadc5
+Subproject commit bad8df56cd845fa9c6115a924bbd3215e1926ec8
diff --git a/src/version b/src/version
index 5fe6072..66ce77b 100644
--- a/src/version
+++ b/src/version
@@ -1 +1 @@
-6.0.1
+7.0.0
From f00ac4b7660ead0a45492bc6c7a589c974dc8400 Mon Sep 17 00:00:00 2001
From: Tom Hu
Date: Mon, 8 Jun 2026 18:18:37 -0600
Subject: [PATCH 7/8] fix: fetch Codecov PGP key from keybase.io/codecovsecops
The Codecov security PGP key moved from keybase.io/codecovsecurity to keybase.io/codecovsecops. Update the bundled uploader script so GPG signature validation imports the key from the correct location.
Co-authored-by: Cursor
---
 dist/codecov.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
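Review bot: The key fetch in the `@@ -110,7 +116,7 @@` hunk uses `curl -s` without `-f`/`--fail`, so an HTTP error body or an empty response is piped straight into `gpg --import` and the problem only surfaces, if at all, at the later verify step; the `$retry` options defined a few lines above in the first hunk are not applied here either. Since this commit also changes which Keybase account the key is fetched from, this is exactly the spot where pinning the expected key fingerprint (a `gpg --fingerprint` comparison against a constant right after the import) would catch a substituted key, and I cannot see from the hunk whether the verify step further down does that. Suggested fetch line: `curl -fsS $retry https://keybase.io/codecovsecops/pgp_keys.asc | gpg --no-default-keyring --import`. Note too that `--no-default-keyring` without a `--keyring` appears, per gpg's documentation, to fall back to the default keyring anyway, so confirm the intended isolation is actually achieved. The identical fetch line appears again in the PATCH 7/8 hunk against the 5.x branch of `dist/codecov.sh`.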
diff --git a/dist/codecov.sh b/dist/codecov.sh
index 0b77171..897574f 100755
--- a/dist/codecov.sh
+++ b/dist/codecov.sh
@@ -110,7 +110,7 @@ then
 chmod +x "$CC_COMMAND"
 fi
 else
- echo "$(curl -s https://keybase.io/codecovsecurity/pgp_keys.asc)" | \
+ echo "$(curl -s https://keybase.io/codecovsecops/pgp_keys.asc)" | \
 gpg --no-default-keyring --import # One-time step
 say "$g==>$x Verifying GPG signature integrity"
From 0fb7174895f61a3b6b78fc075e0cd60383518dac Mon Sep 17 00:00:00 2001
From: Tom Hu
Date: Mon, 8 Jun 2026 18:18:38 -0600
Subject: [PATCH 8/8] chore(release): 5.5.5
Co-authored-by: Cursor
---
 CHANGELOG.md | 8 ++++++++
 src/version | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2091711..ab88b2e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,11 @@
+## v5.5.5
+
+### What's Changed
+* fix: fetch Codecov PGP key from keybase.io/codecovsecops
+
+**Full Changelog**: https://github.com/codecov/codecov-action/compare/v5.5.4..v5.5.5
+
+
 ## v5.5.2
 ### What's Changed
diff --git a/src/version b/src/version
index c8f1d09..e69889c 100644
--- a/src/version
+++ b/src/version
@@ -1 +1 @@
-5.5.4
+5.5.5