From c45275951dd19db4a621656be66680d28fad8ae2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc=20Andr=C3=A9=20Tanner?= <mat@brain-dump.org>
Date: Tue, 20 Apr 2021 21:19:21 +0200
Subject: ci: verify codecov script before using it

---
 .github/workflows/macos.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to '.github/workflows/macos.yml')

diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
index b0468ee..173a520 100644
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@@ -49,4 +49,10 @@ jobs:
       env:
         CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
       run: |
-        bash <(curl -s https://codecov.io/bash)
+        curl -s https://codecov.io/bash > codecov
+        curl -s https://raw.githubusercontent.com/codecov/codecov-bash/master/SHA256SUM > codecov.sha256
+        if ! sha256sum -c --ignore-missing --status codecov.sha256 ; then
+          echo "Download checksum verification failed"
+          exit 1
+        fi
+        bash < codecov
-- 
cgit v1.2.3