napari / napari

napari: a fast, interactive, multi-dimensional image viewer for python
https://napari.org
BSD 3-Clause "New" or "Revised" License

Codecov Bash Uploader Security Notice #2563

Open GenevieveBuckley opened 3 years ago

GenevieveBuckley commented 3 years ago

Anderson just posted this over in the Dask community repository - seems like it might affect napari as well.

As some of you may already know, codecov recently announced that earlier this month someone exploited a security hole in their bash uploader (full security notice) which may have resulted in the theft of private tokens/secrets used in CI services.

Every repository that uses the Codecov Bash Uploader to upload code coverage results to Codecov.io should reroll all of their security tokens, as they may have been stolen from a hack to the utility.

Just thought I'd bring this to folks' attention in case there are repos in the dask org that use GitHub action secrets and are affected by this notice.

https://github.com/dask/community/issues/149#issue-859124532

A quick search for repositories in the napari organisation including codecov turns up:

sofroniewn commented 3 years ago

Ok good to know, it looks like we need to remove our old tokens / make new ones. Maybe @jni you can do this if you know what needs to be done? Thanks for flagging!!
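To make the two actions discussed in this thread concrete (finding which workflows invoke the Codecov Bash Uploader, and deciding which CI secrets to reroll), here is an added example, not napari's own code or anything from the issue. It scans constructed GitHub Actions workflow text for the uploader and lists every `secrets.*` reference in a workflow that ran it, on the conservative assumption that any such secret may have been in the exfiltrated environment.

```python
import re
from dataclasses import dataclass, field

# Signs that a workflow invokes the Codecov Bash Uploader, either directly
# (bash <(curl -s https://codecov.io/bash)) or via the codecov-action wrapper.
UPLOADER_PATTERNS = (
    re.compile(r"codecov\.io/bash"),
    re.compile(r"uses:\s*codecov/codecov-action@"),
)
# Any ${{ secrets.NAME }} reference in a workflow file.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")

@dataclass
class Finding:
    workflow: str
    uses_uploader: bool
    secrets_to_rotate: list = field(default_factory=list)

def audit_workflow(name: str, text: str) -> Finding:
    """Flag a workflow that runs the uploader and list the secrets it touches.
    Conservative assumption: every secret referenced alongside the uploader
    is treated as possibly stolen and therefore due for rotation."""
    uses = any(p.search(text) for p in UPLOADER_PATTERNS)
    secrets = sorted(set(SECRET_REF.findall(text))) if uses else []
    return Finding(name, uses, secrets)

def audit_all(workflows: dict) -> dict:
    """Audit a mapping of workflow file name -> file contents."""
    return {n: audit_workflow(n, t) for n, t in workflows.items()}

# Constructed sample workflows; these are NOT napari's real CI configuration.
SAMPLE_WORKFLOWS = {
    "test.yml": """
jobs:
  test:
    steps:
      - run: pytest --cov=napari
      - run: bash <(curl -s https://codecov.io/bash)
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
      - run: twine upload dist/*
        env:
          TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
""",
    "docs.yml": """
jobs:
  docs:
    steps:
      - run: make docs
        env: { GH_TOKEN: "${{ secrets.DOCS_DEPLOY_TOKEN }}" }
""",
}
```

Run `audit_all(SAMPLE_WORKFLOWS)` to get one `Finding` per file; `test.yml` is flagged with `CODECOV_TOKEN` and `PYPI_TOKEN` to rotate, while `docs.yml` never ran the uploader and is left alone.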