pyca / pynacl

Python binding to the Networking and Cryptography (NaCl) library
https://pynacl.readthedocs.io/
Apache License 2.0

SECURITY: Stop downloading and executing bash script from 3rd parties in light of recent hack #664

Closed x448 closed 3 years ago

x448 commented 3 years ago

On April 15, Security Week reported:

Security response professionals are scrambling to measure the fallout from a software supply chain compromise of Codecov Bash Uploader that went undetected since January and exposed sensitive secrets like tokens, keys and credentials from organizations around the world.

The hack occurred four months ago but was only discovered in the wild by a Codecov customer on the morning of April 1, 2021, the company said in a note acknowledging the severity of the breach. ... Codecov is strongly encouraging software development teams to “immediately re-roll all of your credentials, tokens, or keys located in the environment variables in your CI process.”

Here's how the hacked script might have been downloaded and executed to potentially steal credentials, tokens, or keys located in environment variables:

https://github.com/pyca/pynacl/blob/b5c7dd110e852bfb47807b0e29eee82948b261a1/.github/workflows/ci.yml#L57-L60

It's better to embed Python script in the workflow .yml file to compare coverage and generate a badge.

Projects like fxamacker/cbor avoided this for over a year by using a custom GitHub Actions workflow to generate a code coverage badge on GitHub. It was intended for Go coverage but the script embedded inside the .yml is written in Python.
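The mitigation implied above (do not pipe a freshly downloaded third-party script into bash; pin what you run) can be shown with a small digest check. The following is an added example and is not code from pynacl, from the issue author, or from the Codecov uploader; the function names `sha256_of` and `verify_and_run` and the demo script contents are constructed for illustration. In a real CI workflow the pinned digest would be committed to the repository and the `run:` step would call `verify_and_run` on the fetched file before anything else touches it.

```shell
#!/bin/sh
# Added example (not part of pynacl): pin a third-party script to a known
# SHA-256 digest and refuse to execute it if the digest no longer matches.
# Everything below is constructed locally so it runs offline.

sha256_of() {
    # Print the SHA-256 hex digest of a file, using whichever tool is present
    # (sha256sum on Linux, shasum on macOS/BSD).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

verify_and_run() {
    # Usage: verify_and_run <script> <expected_sha256>
    # Runs the script only when its digest equals the pinned value;
    # returns 1 without executing anything otherwise.
    script="$1"
    expected="$2"
    actual=$(sha256_of "$script")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $script: digest $actual != pinned $expected" >&2
        return 1
    fi
    sh "$script"
}

demo() {
    # Simulate the workflow: record the digest of the reviewed script once,
    # then show that any later change to the file blocks execution.
    tmp=$(mktemp)
    printf 'echo "uploader ran"\n' > "$tmp"
    pinned=$(sha256_of "$tmp")          # this value is what you would commit
    verify_and_run "$tmp" "$pinned"     # matches: script runs

    printf '# upstream changed something\n' >> "$tmp"   # constructed tamper
    if verify_and_run "$tmp" "$pinned"; then
        echo "unexpected: modified script was executed" >&2
    else
        echo "modified script was blocked, as intended"
    fi
    rm -f "$tmp"
}

# Run the demo only when executed directly, not when sourced.
[ "${0##*/}" = "sh" ] || demo
```

The check turns a silent upstream change into a failed CI step, which is the signal the reporters of the Codecov incident lacked for months. Embedding the script in the repository (as the issue suggests) achieves the same goal more simply: the code under review in the pull request is the code that runs.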

reaperhulk commented 3 years ago

Thanks for the report. We published an official response to our exposure to this incident here: https://mail.python.org/pipermail/cryptography-dev/2021-April/001036.html

x448 commented 3 years ago

Please accept my apologies for opening the same issue in pyca/cryptography. I didn't see this response.

BTW, I started using DJB's nacl in commercial software before libsodium was available and am thrilled to see it being so easily usable from Python. Nice work!!!