fix: pin codecov CLI version and verify checksum

AdamSaleh · claude · AdamSaleh · commit 3f9c47730dc1 · 2026-06-01T15:12:05.000+02:00
Pin the codecov CLI download to a specific version (v11.2.8) and
verify the SHA256 checksum before executing, addressing the
supply-chain risk of fetching an unpinned "latest" binary.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
Signed-off-by: Adam Saleh &lt;adam@asaleh.net&gt;
diff --git a/scripts/openshiftci-presubmit-unittests.sh b/scripts/openshiftci-presubmit-unittests.sh
@@ -36,7 +36,10 @@ make test
     echo "Codecov token not found at ${CODECOV_TOKEN_FILE}, skipping upload"
     exit 0
   fi
-  curl -OSs --fail-with-body https://cli.codecov.io/latest/linux/codecov
+  CODECOV_VERSION="v11.2.8"
+  CODECOV_SHA="8930c4bb30254a42f3d8c340706b1be340885e20c0df5160a24efa2e030e662b"
+  curl -OSs --fail-with-body "https://cli.codecov.io/${CODECOV_VERSION}/linux/codecov"
+  echo "${CODECOV_SHA}  codecov" | sha256sum --check --status
   chmod +x codecov
   CODECOV_TOKEN="$(cat "${CODECOV_TOKEN_FILE}")" ./codecov upload-process --flag unit-tests --file cover.out
 ) || echo "Coverage upload to codecov.io failed, continuing"
