fix: pin codecov CLI version and verify checksum

Pin the codecov CLI download to a specific version (v11.2.8) and
verify the SHA256 checksum before executing, addressing the
supply-chain risk of fetching an unpinned "latest" binary.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Adam Saleh <adam@asaleh.net>

Author: AdamSaleh

scripts/openshiftci-presubmit-unittests.sh

@@ -36,7 +36,13 @@ make test
     echo "Codecov token not found at ${CODECOV_TOKEN_FILE}, skipping upload"
     exit 0
   fi
-  curl -OSs --fail-with-body https://cli.codecov.io/latest/linux/codecov
+  CODECOV_VERSION="v11.2.8"
+  CODECOV_SHA="8930c4bb30254a42f3d8c340706b1be340885e20c0df5160a24efa2e030e662b"
+  curl -OSs --fail-with-body "https://cli.codecov.io/${CODECOV_VERSION}/linux/codecov"
+  if ! echo "${CODECOV_SHA}  codecov" | sha256sum --check --status; then
+    echo "Codecov CLI checksum verification failed, aborting upload"
+    exit 1
+  fi
   chmod +x codecov
   CODECOV_TOKEN="$(cat "${CODECOV_TOKEN_FILE}")" ./codecov upload-process --flag unit-tests --file cover.out
 ) || echo "Coverage upload to codecov.io failed, continuing"