fix: pin codecov CLI version and verify checksum

Pin the codecov CLI download to a specific version (v11.2.8) and
verify the SHA256 checksum before executing, addressing the
supply-chain risk of fetching an unpinned "latest" binary.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Adam Saleh <adam@asaleh.net>

Author: AdamSaleh

scripts/openshiftci-presubmit-unittests.sh

@@ -36,7 +36,20 @@ make test
     echo "Codecov token not found at ${CODECOV_TOKEN_FILE}, skipping upload"
     exit 0
   fi
-  curl -OSs --fail-with-body https://cli.codecov.io/latest/linux/codecov
+  CODECOV_VERSION="v11.2.8"
+  curl -OSs --fail-with-body "https://keybase.io/codecovsecurity/pgp_keys.asc"
+  gpg --no-default-keyring --keyring trustedkeys.gpg --import pgp_keys.asc
+  curl -OSs --fail-with-body "https://cli.codecov.io/${CODECOV_VERSION}/linux/codecov"
+  curl -OSs --fail-with-body "https://cli.codecov.io/${CODECOV_VERSION}/linux/codecov.SHA256SUM"
+  curl -OSs --fail-with-body "https://cli.codecov.io/${CODECOV_VERSION}/linux/codecov.SHA256SUM.sig"
+  if ! gpgv codecov.SHA256SUM.sig codecov.SHA256SUM; then
+    echo "Codecov CLI GPG signature verification failed, aborting upload"
+    exit 1
+  fi
+  if ! grep 'codecov$' codecov.SHA256SUM | sha256sum --check --status; then
+    echo "Codecov CLI checksum verification failed, aborting upload"
+    exit 1
+  fi
   chmod +x codecov
   CODECOV_TOKEN="$(cat "${CODECOV_TOKEN_FILE}")" ./codecov upload-process --flag unit-tests --file cover.out
 ) || echo "Coverage upload to codecov.io failed, continuing"