AArnott / Library.Template

A template for a NuGet package with tests, stylecop, fxcop, versioning, and Azure Pipelines build ready to go.
MIT License

CodeCov binary uploader #164

Closed SteveBush closed 2 years ago

SteveBush commented 2 years ago

Replaces the bash CodeCov uploader with the latest binary version. A PowerShell script downloads the latest codecov binary. Another PowerShell script collects and uploads code coverage artifact files to CodeCov.io. You can pass flags and a coverage report name as parameters.

AArnott commented 2 years ago

I'm going to add codecov tool integrity checks to this before merging.

SteveBush commented 2 years ago

Makes sense. I didn’t add them because the original bash script didn’t validate the integrity of the downloaded script.

AArnott commented 2 years ago

the original bash script didn’t validate the integrity of the downloaded script.

Totally understandable. You were going for parity. I just figured as long as we're developing this area and giving it a script, we ought to account for the latest best practices.

The original bash script comes from the same untrusted server, so it validating itself or what it downloads would be kinda pointless. In the past, this bash script (or the uploader?) was compromised and servers that used that script ran evil code. This validation step is the best practice now so that even if their server is compromised in the future, only code signed by their private key will ever be executed.
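The verification step the comment above describes, as an added example written for this page and not one of the PR's own scripts: download the uploader together with its SHA256SUM manifest and the manifest's detached PGP signature, verify the signature against a key that is pinned locally (never fetched from the same server as the binary), and only then compare the binary's hash with the manifest. The URL layout follows Codecov's published uploader instructions, the key file path and the `-f`/`-F` uploader switches are assumptions, and the pinned fingerprint is a placeholder to be replaced with the value obtained out of band.

```powershell
# Added example, not code from the PR. Fetch the Codecov uploader and refuse to
# run it unless (a) its SHA256SUM manifest carries a valid detached PGP signature
# from a key whose fingerprint is pinned here, and (b) the binary's SHA-256
# matches that manifest. A compromised download server can then only serve
# files that were actually signed with Codecov's private key.
#
# Assumptions (not taken from the PR): the URL layout follows Codecov's published
# uploader instructions, 'gpg' is on PATH, and the public key is a local copy
# checked into the repository at $KeyFile.
function Install-CodecovUploader {
    param(
        [string]$BaseUrl = 'https://uploader.codecov.io/latest/windows',
        [string]$Binary = 'codecov.exe',
        [string]$ToolDir = (Join-Path $PSScriptRoot 'codecov'),
        [string]$KeyFile = (Join-Path $PSScriptRoot 'codecov-signing-key.asc'),
        # Placeholder: replace with the fingerprint published by Codecov, obtained
        # out of band (not downloaded from uploader.codecov.io).
        [string]$PinnedFingerprint = 'REPLACE_WITH_CODECOV_SIGNING_KEY_FINGERPRINT'
    )

    New-Item -ItemType Directory -Force -Path $ToolDir | Out-Null
    $binaryPath   = Join-Path $ToolDir $Binary
    $manifestPath = Join-Path $ToolDir "$Binary.SHA256SUM"
    $sigPath      = Join-Path $ToolDir "$Binary.SHA256SUM.sig"

    # 1. Download the binary, the hash manifest and the manifest's signature.
    foreach ($name in $Binary, "$Binary.SHA256SUM", "$Binary.SHA256SUM.sig") {
        Invoke-WebRequest -UseBasicParsing -Uri "$BaseUrl/$name" `
            -OutFile (Join-Path $ToolDir $name) -ErrorAction Stop
    }

    # 2. Import the locally stored public key into an isolated keyring, so the
    #    user's default keyring never influences the result.
    $keyring = Join-Path $ToolDir 'trusted.gpg'
    & gpg --batch --no-default-keyring --keyring $keyring --import $KeyFile
    if ($LASTEXITCODE -ne 0) { throw "Failed to import the Codecov signing key from $KeyFile." }

    # 3. Verify the detached signature over the manifest. --status-fd/--logger-fd
    #    push gpg's machine-readable status lines to stdout so we can parse them.
    $status = & gpg --batch --no-default-keyring --keyring $keyring `
        --status-fd 1 --logger-fd 1 --verify $sigPath $manifestPath
    if ($LASTEXITCODE -ne 0) { throw "Signature verification of $manifestPath failed:`n$($status -join "`n")" }

    # A key in the keyring is not enough: the VALIDSIG line names the signing
    # key's fingerprint, and it must be the one we pinned.
    $validSig = $status | Where-Object { "$_" -like '*[GNUPG:] VALIDSIG *' } | Select-Object -First 1
    $signer = if ($validSig) { ("$validSig" -split '\s+')[2] } else { '' }
    if ($signer -ne $PinnedFingerprint) {
        throw "Manifest was signed by unexpected key '$signer' (expected $PinnedFingerprint)."
    }

    # 4. Only now trust the manifest: find the entry for the binary and compare
    #    its SHA-256 with what we actually downloaded. Entries look like
    #    '<64 hex chars>  codecov.exe' (a leading '*' marks binary mode).
    $pattern = '^\s*([0-9a-fA-F]{64})\s+\*?' + [regex]::Escape($Binary) + '\s*$'
    $entry = Get-Content $manifestPath | Where-Object { $_ -match $pattern } | Select-Object -First 1
    if (-not $entry) { throw "Signed manifest has no entry for $Binary." }
    $expected = ($entry.Trim() -split '\s+')[0].ToLowerInvariant()
    $actual = (Get-FileHash -Algorithm SHA256 -Path $binaryPath).Hash.ToLowerInvariant()
    if ($actual -ne $expected) {
        Remove-Item $binaryPath -Force
        throw "SHA-256 mismatch for ${Binary}: expected $expected, got $actual. Binary deleted."
    }

    return $binaryPath
}

# Usage: verify first, upload second. The -f (report file) and -F (flag)
# switches are assumed from the uploader's CLI; adjust to the version in use.
$uploader = Install-CodecovUploader
& $uploader -f (Join-Path $PSScriptRoot 'coverage.cobertura.xml') -F 'unit'
if ($LASTEXITCODE -ne 0) { throw "Codecov upload failed with exit code $LASTEXITCODE." }
```

Two design points matter here. The public key and its fingerprint are sourced from the repository, not from uploader.codecov.io; fetching them from the same host as the binary would make the check self-certifying, which is exactly the objection raised above about the old bash script. And the script fails closed at every step (import, signature, signer identity, hash) and deletes a mismatched binary, so a build agent never ends up with an unverified uploader on disk that a later step might run.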