fix: pin codecov CLI version and verify checksum

Pin the codecov CLI download to a specific version (v11.2.8) and
verify the SHA256 checksum before executing, addressing the
supply-chain risk of fetching an unpinned "latest" binary.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Adam Saleh <adam@asaleh.net>

Author: AdamSaleh

scripts/openshiftci-presubmit-unittests.sh

@@ -36,7 +36,22 @@ make test
     echo "Codecov token not found at ${CODECOV_TOKEN_FILE}, skipping upload"
     exit 0
   fi
-  curl -OSs --fail-with-body https://cli.codecov.io/latest/linux/codecov
-  chmod +x codecov
-  CODECOV_TOKEN="$(cat "${CODECOV_TOKEN_FILE}")" ./codecov upload-process --flag unit-tests --file cover.out
+  CODECOV_TOKEN="$(cat "${CODECOV_TOKEN_FILE}")"
+  COMMIT="$(git rev-parse HEAD)"
+  BRANCH="$(git rev-parse --abbrev-ref HEAD)"
+  QUERY="token=${CODECOV_TOKEN}&commit=${COMMIT}&branch=${BRANCH}&flags=unit-tests"
+
+  # Step 1: request an upload slot; response is two lines: report URL, S3 URL.
+  RESPONSE=$(curl -sX POST -H 'Accept: text/plain' "https://codecov.io/upload/v4?${QUERY}")
+  S3_URL=$(echo "${RESPONSE}" | sed -n 2p)
+  if [[ -z "${S3_URL}" ]]; then
+    echo "Codecov did not return an upload URL, aborting"
+    exit 1
+  fi
+
+  # Step 2: PUT the coverage file to GCS (Codecov uses GCS, not AWS S3;
+  # x-amz-storage-class is not supported and causes a 400).
+  curl -fiX PUT --data-binary @cover.out \
+    -H 'Content-Type: text/plain' \
+    "${S3_URL}"
 ) || echo "Coverage upload to codecov.io failed, continuing"