
Commit 143ef27

committed
fix: download CLI to temp dir and retry GPG key import
Fixes two regressions in the wrapper script: 1. Dirty git state (codecov/codecov-action#1851, codecov/codecov-action#1804): The binary, SHA256SUM, and SHA256SUM.sig files were downloaded into the working directory (repo root) and never cleaned up. Now downloads to a mktemp -d directory with an EXIT trap that removes it automatically. 2. GPG import failures (codecov/codecov-action#1876): The key import used `echo "$(curl ...)" | gpg --import` which strips trailing newlines from the PGP key, had no retries, and no error checking. Now pipes curl directly to gpg with a 3-attempt retry loop and explicit failure reporting. Made-with: Cursor
1 parent f6296cf commit 143ef27

1 file changed

Lines changed: 31 additions & 11 deletions


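--- a/dist/codecov.sh
+++ b/dist/codecov.sh
@@ -71,6 +71,11 @@ then
 fi
 CC_COMMAND="${CC_CLI_TYPE}"
 else
+CC_DOWNLOAD_DIR=$(mktemp -d)
+cleanup_downloads() {
+rm -rf "$CC_DOWNLOAD_DIR"
+}
+trap cleanup_downloads EXIT
 if [ -n "$CC_OS" ];
 then
 say "$g==>$x Overridden OS: $b${CC_OS}$x"
@@ -87,15 +92,15 @@ else
 fi
 CC_FILENAME="${CC_CLI_TYPE%-cli}"
 [[ $CC_OS == "windows" ]] && CC_FILENAME+=".exe"
-CC_COMMAND="./$CC_FILENAME"
+CC_COMMAND="$CC_DOWNLOAD_DIR/$CC_FILENAME"
 [[ $CC_OS == "macos" ]] && \
 ! command -v gpg 2>&1 >/dev/null && \
 HOMEBREW_NO_AUTO_UPDATE=1 brew install gpg
 CC_URL="${CC_CLI_URL:-https://cli.codecov.io}"
 CC_URL="$CC_URL/${CC_VERSION}"
 CC_URL="$CC_URL/${CC_OS}/${CC_FILENAME}"
 say "$g ->$x Downloading $b${CC_URL}$x"
-curl -O $retry "$CC_URL"
+curl -o "$CC_DOWNLOAD_DIR/$CC_FILENAME" $retry "$CC_URL"
 say "$g==>$x Finishing downloading $b${CC_OS}:${CC_VERSION}$x"
 v_url="https://cli.codecov.io/api/${CC_OS}/${CC_VERSION}"
 v=$(curl $retry --retry-all-errors -s "$v_url" -H "Accept:application/json" | tr \{ '\n' | tr , '\n' | tr \} '\n' | grep "\"version\"" | awk -F'"' '{print $4}' | tail -1)
@@ -110,24 +115,34 @@ then
 chmod +x "$CC_COMMAND"
 fi
 else
-echo "$(curl -s https://keybase.io/codecovsecurity/pgp_keys.asc)" | \
-gpg --no-default-keyring --import
-# One-time step
+gpg_key_url="https://keybase.io/codecovsecurity/pgp_keys.asc"
+gpg_import_ok=false
+for gpg_attempt in 1 2 3; do
+if curl -sf $retry "$gpg_key_url" | gpg --no-default-keyring --import 2>/dev/null; then
+gpg_import_ok=true
+break
+fi
+say "$r ->$x GPG key import attempt $gpg_attempt failed, retrying..."
+sleep 2
+done
+if [ "$gpg_import_ok" != "true" ]; then
+exit_if_error "Could not import GPG verification key after 3 attempts. Please contact Codecov if problem continues"
+fi
 say "$g==>$x Verifying GPG signature integrity"
 sha_url="https://cli.codecov.io"
 sha_url="${sha_url}/${CC_VERSION}/${CC_OS}"
 sha_url="${sha_url}/${CC_FILENAME}.SHA256SUM"
 say "$g ->$x Downloading $b${sha_url}$x"
 say "$g ->$x Downloading $b${sha_url}.sig$x"
 say " "
-curl -Os $retry --connect-timeout 2 "$sha_url"
-curl -Os $retry --connect-timeout 2 "${sha_url}.sig"
-if ! gpg --verify "${CC_FILENAME}.SHA256SUM.sig" "${CC_FILENAME}.SHA256SUM";
+curl -o "$CC_DOWNLOAD_DIR/${CC_FILENAME}.SHA256SUM" -s $retry --connect-timeout 2 "$sha_url"
+curl -o "$CC_DOWNLOAD_DIR/${CC_FILENAME}.SHA256SUM.sig" -s $retry --connect-timeout 2 "${sha_url}.sig"
+if ! gpg --verify "$CC_DOWNLOAD_DIR/${CC_FILENAME}.SHA256SUM.sig" "$CC_DOWNLOAD_DIR/${CC_FILENAME}.SHA256SUM";
 then
 exit_if_error "Could not verify signature. Please contact Codecov if problem continues"
 fi
-if ! (shasum -a 256 -c "${CC_FILENAME}.SHA256SUM" 2>/dev/null || \
-sha256sum -c "${CC_FILENAME}.SHA256SUM");
+if ! (cd "$CC_DOWNLOAD_DIR" && (shasum -a 256 -c "${CC_FILENAME}.SHA256SUM" 2>/dev/null || \
+sha256sum -c "${CC_FILENAME}.SHA256SUM"));
 then
 exit_if_error "Could not verify SHASUM. Please contact Codecov if problem continues"
 fi
@@ -137,11 +152,16 @@ else
 fi
 if [ -n "$CC_BINARY_LOCATION" ];
 then
-mkdir -p "$CC_BINARY_LOCATION" && mv "$CC_FILENAME" $_
+mkdir -p "$CC_BINARY_LOCATION" && mv "$CC_COMMAND" "$CC_BINARY_LOCATION/$CC_FILENAME"
+CC_COMMAND="$CC_BINARY_LOCATION/$CC_FILENAME"
 say "$g==>$x ${CC_CLI_TYPE} binary moved to ${CC_BINARY_LOCATION}"
 fi
 if [ "$CC_DOWNLOAD_ONLY" = "true" ];
 then
+if [ -n "$CC_DOWNLOAD_DIR" ] && [ -z "$CC_BINARY_LOCATION" ]; then
+cp "$CC_COMMAND" "./$CC_FILENAME"
+CC_COMMAND="./$CC_FILENAME"
+fi
 say "$g==>$x ${CC_CLI_TYPE} download only called. Exiting..."
 exit
 fi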
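Review bot: The rewritten key import (`gpg --no-default-keyring --import`, in the third hunk) still lands the key in the runner's default keyring, because `--no-default-keyring` without a `--keyring` argument has nothing to redirect to, and the later `gpg --verify` then accepts a SHA256SUM.sig made by any key already present on that host rather than specifically the Codecov key; the commit fixes retries and newline stripping but not this. Since a throwaway directory now exists, a dedicated keyring is cheap: `... | gpg --no-default-keyring --keyring "$CC_DOWNLOAD_DIR/codecov.gpg" --import 2>/dev/null` on import and `gpg --no-default-keyring --keyring "$CC_DOWNLOAD_DIR/codecov.gpg" --verify "$CC_DOWNLOAD_DIR/${CC_FILENAME}.SHA256SUM.sig" "$CC_DOWNLOAD_DIR/${CC_FILENAME}.SHA256SUM"` on verify, so only what was just fetched can validate the checksum file, and the EXIT trap removes it. That still trusts whatever keybase.io serves at run time; pinning the expected key fingerprint (a constant the maintainers would supply, checked via `gpg --status-fd 1 --verify` VALIDSIG output) is the remaining step if the script is meant to defend against a compromised key host, and is worth a `# NOTE:` comment above `gpg_key_url=` either way. The `2>/dev/null` on the import also hides gpg's own reason for failing, so the "after 3 attempts" message gives the user nothing to act on; consider capturing stderr into a variable and including it in that `exit_if_error` call.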
