From 66f634ed8a0bae42cdf0dedfa3b63815d684508b Mon Sep 17 00:00:00 2001
From: Adam Saleh
Date: Fri, 27 Feb 2026 12:48:25 +0100
Subject: [PATCH 1/2] Added unit-test codecov upload.
Signed-off-by: Adam Saleh
---
 scripts/openshiftci-presubmit-unittests.sh | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/scripts/openshiftci-presubmit-unittests.sh b/scripts/openshiftci-presubmit-unittests.sh
index 9b858df9d48..fd738415268 100755
--- a/scripts/openshiftci-presubmit-unittests.sh
+++ b/scripts/openshiftci-presubmit-unittests.sh
@@ -27,3 +27,16 @@ cd ../..
 # Run unit
 make test
+
+# Upload coverage to codecov.io - failures here should not fail the build
+(
+ set +e
+ CODECOV_TOKEN_FILE="/var/run/codecov-token/CODECOV_TOKEN"
+ if [[ ! -f "${CODECOV_TOKEN_FILE}" ]]; then
+ echo "Codecov token not found at ${CODECOV_TOKEN_FILE}, skipping upload"
+ exit 0
+ fi
+ curl -OSs --fail-with-body https://cli.codecov.io/latest/linux/codecov
+ chmod +x codecov
+ CODECOV_TOKEN="$(cat "${CODECOV_TOKEN_FILE}")" ./codecov upload-process --flag unit-tests --file cover.out
+) || echo "Coverage upload to codecov.io failed, continuing"
From a730b8b3bec4060b2092c061473ee4b57c898947 Mon Sep 17 00:00:00 2001
From: Adam Saleh
Date: Mon, 1 Jun 2026 15:12:05 +0200
Subject: [PATCH 2/2] fix: pin codecov CLI version and verify checksum
Pin the codecov CLI download to a specific version (v11.2.8) and verify the SHA256 checksum before executing, addressing the supply-chain risk of fetching an unpinned "latest" binary.
Co-Authored-By: Claude Opus 4.6
Signed-off-by: Adam Saleh
---
 scripts/openshiftci-presubmit-unittests.sh | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/scripts/openshiftci-presubmit-unittests.sh b/scripts/openshiftci-presubmit-unittests.sh
index fd738415268..5ed41d32090 100755
--- a/scripts/openshiftci-presubmit-unittests.sh
+++ b/scripts/openshiftci-presubmit-unittests.sh
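Review bot: The `set +e` at the top of the subshell means a failed `curl` does not stop the block; `chmod +x codecov` and `./codecov upload-process` still run against a missing or partial file, and the outer `|| echo` only ever sees the status of the last command. Since `set` inside `( … )` is scoped to the subshell, `set -e` there (instead of `set +e`) would make the first failing download exit the subshell and let the existing `|| echo` report it, without affecting the rest of the script. The same `set +e` remains as a context line in the PATCH 2/2 hunk, where it is partly compensated by the explicit `if ! …; exit 1` checks but still leaves the first `curl` of `pgp_keys.asc` unchecked. The token is read with `$(cat "${CODECOV_TOKEN_FILE}")` into an environment assignment rather than argv, which is fine, but if the script ever runs with `set -x` (its top is outside this hunk) the expanded value would appear in the trace, so `set +x` around that line or `CODECOV_TOKEN=$(< "${CODECOV_TOKEN_FILE}")` on a separate untraced line is worth considering. The script's preamble that precedes `cd ../..` is outside the hunk.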
@@ -36,7 +36,20 @@ make test
 echo "Codecov token not found at ${CODECOV_TOKEN_FILE}, skipping upload"
 exit 0
 fi
- curl -OSs --fail-with-body https://cli.codecov.io/latest/linux/codecov
+ CODECOV_VERSION="v11.2.8"
+ curl -OSs --fail-with-body "https://keybase.io/codecovsecurity/pgp_keys.asc"
+ gpg --no-default-keyring --keyring trustedkeys.gpg --import pgp_keys.asc
+ curl -OSs --fail-with-body "https://cli.codecov.io/${CODECOV_VERSION}/linux/codecov"
+ curl -OSs --fail-with-body "https://cli.codecov.io/${CODECOV_VERSION}/linux/codecov.SHA256SUM"
+ curl -OSs --fail-with-body "https://cli.codecov.io/${CODECOV_VERSION}/linux/codecov.SHA256SUM.sig"
+ if ! gpgv codecov.SHA256SUM.sig codecov.SHA256SUM; then
+ echo "Codecov CLI GPG signature verification failed, aborting upload"
+ exit 1
+ fi
+ if ! grep 'codecov$' codecov.SHA256SUM | sha256sum --check --status; then
+ echo "Codecov CLI checksum verification failed, aborting upload"
+ exit 1
+ fi
 chmod +x codecov
 CODECOV_TOKEN="$(cat "${CODECOV_TOKEN_FILE}")" ./codecov upload-process --flag unit-tests --file cover.out
 ) || echo "Coverage upload to codecov.io failed, continuing"
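Review bot: The signing key is fetched from keybase.io at run time and imported into a fresh `trustedkeys.gpg` with no fingerprint check, so `gpgv` accepts whatever key that download returned; the signature step therefore proves only that `codecov.SHA256SUM` was signed by a key obtained over the same kind of HTTPS fetch as the binary itself, which is little more than TLS already gives. Pinning the expected fingerprint closes that gap, e.g. `CODECOV_KEY_FPR="<expected key fingerprint — placeholder>"` after the import, followed by `gpg --no-default-keyring --keyring trustedkeys.gpg --with-colons --fingerprint | grep -q "^fpr:.*:${CODECOV_KEY_FPR}:$" || { echo "Codecov signing key fingerprint mismatch, aborting upload"; exit 1; }`; committing the public key into the repository instead of downloading it would be equivalent and avoids a network dependency. A one-line comment above `CODECOV_VERSION` noting that the version, the fingerprint and the checksum file must move together on upgrade would help the next maintainer. The downloaded `pgp_keys.asc`, `codecov.SHA256SUM*` and the `trustedkeys.gpg` keyring are left behind in the working tree and the GnuPG home; removing them after the upload, or working in a `mktemp -d` directory, keeps later steps from picking them up. The enclosing `( … )` subshell begins outside this hunk.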