From e2567a680e6327153769ec61c2a9a486d28dbf23 Mon Sep 17 00:00:00 2001
From: Ran Benita <ran@unusedvar.com>
Date: Sun, 16 May 2021 11:12:23 +0300
Subject: [PATCH] scripts: improve upload-coverage.sh

Mostly, verify the bash uploader hash and make it more strict and
verbose.
---
 scripts/upload-coverage.sh | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/scripts/upload-coverage.sh b/scripts/upload-coverage.sh
index ad3dd4828..089fb67bf 100755
--- a/scripts/upload-coverage.sh
+++ b/scripts/upload-coverage.sh
@@ -1,16 +1,28 @@
 #!/usr/bin/env bash
 
-set -e
+set -euo pipefail
 set -x
 
-if [ -z "$TOXENV" ]; then
+# Install coverage.
+if [[ -z ${TOXENV+x} || -z $TOXENV ]]; then
   python -m pip install coverage
 else
   # Add last TOXENV to $PATH.
   PATH="$PWD/.tox/${TOXENV##*,}/bin:$PATH"
 fi
 
+# Run coverage.
 python -m coverage xml
+
+# Download and verify latest Codecov bash uploader.
 # Set --connect-timeout to work around https://github.com/curl/curl/issues/4461
-curl -S -L --connect-timeout 5 --retry 6 -s https://codecov.io/bash -o codecov-upload.sh
-bash codecov-upload.sh -Z -X fix -f coverage.xml "$@"
+curl --silent --show-error --location --connect-timeout 5 --retry 6 -o codecov https://codecov.io/bash
+VERSION=$(grep --only-matching 'VERSION=\"[0-9\.]*\"' codecov | cut -d'"' -f2)
+if command -v sha256sum; then
+    sha256sum --check --strict --ignore-missing --quiet <(curl --silent "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA256SUM")
+else
+    shasum --algorithm 256 --check --strict --ignore-missing --quiet <(curl --silent "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA256SUM")
+fi
+
+# Upload coverage.
+bash codecov -Z -X fix -f coverage.xml "$@"