Merge pull request #5907 from freedomofpress/codecov-barndoor-close

Added codecov checksum validation, updated CircleCI machine to Focal.
freedomofpress · Apr 22, 2021 · 14c9d3a · 14c9d3a
2 parents 826c178 + 31b05b0
commit 14c9d3a
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 3 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -97,6 +97,7 @@ version: 2
 jobs:
   lint:
     machine:
+      image: ubuntu-2004:202010-01
       enabled: true
     environment:
       DOCKER_API_VERSION: 1.23
@@ -124,6 +125,7 @@ jobs:
 
   focal-app-tests:
     machine:
+      image: ubuntu-2004:202010-01
       enabled: true
     environment:
       DOCKER_API_VERSION: 1.23
@@ -157,6 +159,7 @@ jobs:
 
   app-tests:
     machine:
+      image: ubuntu-2004:202010-01
       enabled: true
     environment:
       DOCKER_API_VERSION: 1.23
@@ -190,7 +193,7 @@ jobs:
 
   translation-tests:
     machine:
-      image: ubuntu-1604:202007-01
+      image: ubuntu-2004:202010-01
       enabled: true
     environment:
       DOCKER_API_VERSION: 1.23
@@ -277,6 +280,7 @@ jobs:
 
   static-analysis-and-no-known-cves:
     machine:
+      image: ubuntu-2004:202010-01
       enabled: true
     environment:
       DOCKER_API_VERSION: 1.23
@@ -306,6 +310,7 @@ jobs:
 
   staging-test-with-rebase:
     machine:
+      image: ubuntu-2004:202010-01
       enabled: true
 
     working_directory: ~/sd
@@ -337,6 +342,7 @@ jobs:
 
   staging-test-with-rebase-focal:
     machine:
+      image: ubuntu-2004:202010-01
       enabled: true
 
     working_directory: ~/sd

diff --git a/securedrop/bin/dev-shell b/securedrop/bin/dev-shell
@@ -61,7 +61,13 @@ function docker_run() {
 
     # If this is a CI run, pass CodeCov settings into the container.
     if [ -n "${CIRCLE_BRANCH:-}" ] ; then
-        ci_env=$(bash <(curl -s https://codecov.io/env))
+        tmpdir=$(mktemp -d -t codecov-XXXX)
+        curl -s https://codecov.io/bash > "$tmpdir"/codecov;
+        curl -s https://codecov.io/env > "$tmpdir"/env;
+        VERSION="$(curl --silent "https://api.github.com/repos/codecov/codecov-bash/releases/latest" | grep '"tag_name":' |sed -E 's/.*"([^"]+)".*/\1/')"
+        curl -s https://raw.githubusercontent.com/codecov/codecov-bash/"${VERSION}"/SHA256SUM > "$tmpdir"/codecov-hashes
+        pushd "$tmpdir" && shasum -a 256 -c codecov-hashes && popd
+        ci_env=$(/bin/bash "$tmpdir"/env)
     else
         ci_env=""
     fi

diff --git a/securedrop/bin/run-test b/securedrop/bin/run-test
@@ -26,7 +26,13 @@ if [ -n "${CIRCLE_BRANCH:-}" ] ; then
     touch tests/log/firefox.log
     function finish {
         cp tests/log/firefox.log ../test-results
-        bash <(curl -s https://codecov.io/bash -cF "$BASE_OS")
+        tmpdir=$(mktemp -d -t codecov-XXXX)
+        curl -s https://codecov.io/bash > "$tmpdir"/codecov;
+        VERSION="$(curl --silent "https://api.github.com/repos/codecov/codecov-bash/releases/latest" | grep '"tag_name":' |sed -E 's/.*"([^"]+)".*/\1/')"
+        curl -s https://raw.githubusercontent.com/codecov/codecov-bash/"${VERSION}"/SHA256SUM > "$tmpdir"/codecov-hashes
+        pushd "$tmpdir" && shasum -a 256 -c --ignore-missing codecov-hashes && popd
+        chmod +x "$tmpdir"/codecov
+        /bin/bash "$tmpdir"/codecov
     }
     trap finish EXIT
 fi