codecov / codecov-bash

Global coverage report uploader for Codecov
https://codecov.io
Apache License 2.0
234 stars 155 forks

Fix instructions to verify checksum #426

Closed haampie closed 3 years ago

haampie commented 3 years ago

After forcing all users to cycle their keys/tokens/passwords as a result of a security breach at Codecov, can you please give proper advice on how to run the script?

Also please provide versioned URLs. It's not like a bash script is cutting-edge technology that needs rolling updates every day... Just provide a script that works, create a permanent URL for it, and let users verify the checksum; if the version has issues, return a 404.

Thanks

codecov[bot] commented 3 years ago

Codecov Report

Merging #426 (6fbbe6d) into master (e42edd8) will increase coverage by 0.08%. The diff coverage is n/a.


@@            Coverage Diff             @@
##           master     #426      +/-   ##
==========================================
+ Coverage   45.78%   45.87%   +0.08%     
==========================================
  Files          20       20              
  Lines        2859     2860       +1     
==========================================
+ Hits         1309     1312       +3     
+ Misses       1550     1548       -2     
Flag    Coverage Δ
test    39.22% <ø> (ø)

Flags with carried forward coverage won't be shown.

Impacted Files    Coverage Δ
codecov           67.72% <0.00%> (+0.14%) ↑


Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data. Last update e42edd8...6fbbe6d.

mdaniel commented 3 years ago

For your consideration, the curl -s > file mechanism does not bomb the pipeline on non-200 outcomes (which I understand is partially addressed by using shasum, but overall is a suboptimal habit to get into), and it will cheerfully create a file filled with possible server 500 HTML response text, depending on the exact failure. Using curl's -f option will cause it to exit with a non-zero status code on failed server responses. Further, using curl's -o option also has the pleasing side effect of not writing any file on those error outcomes, which won't be true of the shell redirection mechanism.

- curl -Ls https://codecov.io/bash > codecov.sh && \
+ curl -fLso codecov.sh https://codecov.io/bash && \
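Review bot: the -s in the replacement line silences curl's own error output, so when -f now makes the download fail on a 4xx/5xx the CI log shows nothing but a non-zero exit; add -S (--show-error) so the reason is printed, i.e. curl -fLsS -o codecov.sh https://codecov.io/bash. Also worth stating in the instructions what -f does and does not cover: it fails on HTTP error status codes, so no codecov.sh is written for a server error page, but a connection dropped mid-transfer still leaves a truncated codecov.sh on disk, so the shasum step that follows remains the check that actually guarantees the script's contents.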
thomasrockhu commented 3 years ago

@haampie @mdaniel thank you for your contributions. I wasn't able to make changes to this PR and will be using https://github.com/codecov/codecov-bash/pull/430. Let me know there if I'm missing anything.
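The download-then-verify flow this thread is about (haampie's request for checksum instructions, mdaniel's curl flags), worked through as an added example. This is not codecov-bash's own code or documentation: the helper names sha256_of, verify_sha256 and fetch_verified, the --run guard, and the all-zero CODECOV_SHA256 value are made up here; a real pipeline would replace that placeholder with the checksum published for the pinned script version. The same function works for any script fetched over HTTPS, not only the Codecov uploader.

```shell
#!/usr/bin/env sh
# Added example (not codecov-bash's own code): fetch the uploader and refuse to
# run it unless its SHA-256 matches a checksum pinned in the CI configuration.
set -eu

# SHA-256 of a file, portable across sha256sum (GNU) and shasum (macOS/BSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED_HEX: returns 0 on match, 1 (with a message on
# stderr) on mismatch, so it can be used directly as a pipeline gate.
verify_sha256() {
  actual=$(sha256_of "$1")
  if [ "$actual" != "$2" ]; then
    echo "checksum mismatch for $1: expected $2, got $actual" >&2
    return 1
  fi
}

# fetch_verified URL EXPECTED_HEX OUT
#   -f  exit non-zero on HTTP 4xx/5xx instead of saving the error page
#   -L  follow redirects
#   -s  no progress meter;  -S  but still print curl's error message on failure
#   -o  write to OUT; combined with -f no file is created for a server error
# A mismatching checksum deletes OUT so a later CI step cannot run it by mistake.
fetch_verified() {
  url=$1; expected=$2; out=$3
  curl -fLsS -o "$out" "$url"
  if ! verify_sha256 "$out" "$expected"; then
    rm -f "$out"
    return 1
  fi
}

# Usage in a CI job. The pinned value must come from somewhere other than the
# download itself (a checksum file committed to the repo, a signed release),
# otherwise the check only proves the file matches itself.
# CODECOV_SHA256 below is a placeholder, not a real checksum of the uploader.
if [ "${1:-}" = "--run" ]; then
  CODECOV_SHA256="0000000000000000000000000000000000000000000000000000000000000000"
  fetch_verified https://codecov.io/bash "$CODECOV_SHA256" codecov.sh
  bash codecov.sh
fi
```

Run it as `sh fetch-codecov.sh --run` from the CI step that currently pipes curl into bash; the script exits non-zero, and leaves no codecov.sh behind, both when the server answers with an error and when the downloaded bytes do not match the pinned checksum.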