From c45275951dd19db4a621656be66680d28fad8ae2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc=20Andr=C3=A9=20Tanner?= <mat@brain-dump.org>
Date: Tue, 20 Apr 2021 21:19:21 +0200
Subject: ci: verify codecov script before using it

---
 .github/workflows/macos.yml   | 8 +++++++-
 .github/workflows/ubuntu.yml  | 8 +++++++-
 .github/workflows/windows.yml | 9 ++++++++-
 3 files changed, 22 insertions(+), 3 deletions(-)

(limited to '.github')

diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
index b0468ee..173a520 100644
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@@ -49,4 +49,10 @@ jobs:
       env:
         CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
       run: |
-        bash <(curl -s https://codecov.io/bash)
+        curl -s https://codecov.io/bash > codecov
+        curl -s https://raw.githubusercontent.com/codecov/codecov-bash/master/SHA256SUM > codecov.sha256
+        if ! sha256sum -c --ignore-missing --status codecov.sha256 ; then
+          echo "Download checksum verification failed"
+          exit 1
+        fi
+        bash < codecov
diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml
index 2946588..d2750a9 100644
--- a/.github/workflows/ubuntu.yml
+++ b/.github/workflows/ubuntu.yml
@@ -55,4 +55,10 @@ jobs:
       env:
         CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
       run: |
-        bash <(curl -s https://codecov.io/bash)
+        curl -s https://codecov.io/bash > codecov
+        curl -s https://raw.githubusercontent.com/codecov/codecov-bash/master/SHA256SUM > codecov.sha256
+        if ! sha256sum -c --ignore-missing --status codecov.sha256 ; then
+          echo "Download checksum verification failed"
+          exit 1
+        fi
+        bash < codecov
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index 6a74b00..c09c69d 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -54,4 +54,11 @@ jobs:
       shell: bash
       env:
         CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-      run: bash <(curl -s https://codecov.io/bash)
+      run: |
+        curl -s https://codecov.io/bash > codecov
+        curl -s https://raw.githubusercontent.com/codecov/codecov-bash/master/SHA256SUM > codecov.sha256
+        if ! sha256sum -c --ignore-missing --status codecov.sha256 ; then
+          echo "Download checksum verification failed"
+          exit 1
+        fi
+        bash < codecov
-- 
cgit v1.2.3