I believe that the utility that we use is the Python codecov tool[1], not the bash uploader[2]. Specifically, the upload seems to happen in Python here[3].
Why do I think we use the Python tool? Because it seems to be installed by tox around the link Udi shared[4].

So it seems we're okay?

[1] https://github.com/codecov/codecov-python
[2] https://docs.codecov.io/docs/about-the-codecov-bash-uploader
[3] https://github.com/codecov/codecov-python/blob/158a38eed7fd6f0d2f9c9f4c5258ab1f244b6e13/codecov/__init__.py#L1129-L1157
[4] https://github.com/apache/beam/blob/39923d8f843ecfd3d89443dccc359c14aea8f26f/sdks/python/tox.ini#L105

On Thu, Apr 15, 2021 at 11:38 AM Udi Meiri <[email protected]> wrote:

> From the notice: "We strongly recommend affected users immediately re-roll
> all of their credentials, tokens, or keys located in the environment
> variables in their CI processes that used one of Codecov’s Bash Uploaders."
>
> On Thu, Apr 15, 2021 at 11:35 AM Udi Meiri <[email protected]> wrote:
>
>> I got this email: https://about.codecov.io/security-update/
>>
>> This is where we use codecov:
>>
>> https://github.com/apache/beam/blob/39923d8f843ecfd3d89443dccc359c14aea8f26f/sdks/python/tox.ini#L105
>>
>> I'm not sure if this runs the "bash uploader", but we do set
>> a CODECOV_TOKEN environment variable.
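
The triage question in this thread (which uploader a tox environment runs, and whether CODECOV_TOKEN is exposed to it) can be checked mechanically. The following is an added example, not part of the original thread and not code from Beam or Codecov. It assumes the bash uploader is recognisable by a fetch from `codecov.io/bash` and the Python tool by a `codecov` entry in `deps`; the function name `classify_tox` and the sample tox.ini are constructed for illustration.

```python
import configparser
import re

# Assumption: the bash uploader is fetched from codecov.io/bash.
BASH_UPLOADER_URL = re.compile(r"codecov\.io/bash")
# Assumption: the Python tool appears as the "codecov" package in deps.
PY_PACKAGE = re.compile(r"^codecov(\s*[=<>!~].*)?$")

def classify_tox(text):
    """Return {section: findings} for every tox env that uses Codecov."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    report = {}
    for section in cfg.sections():
        deps = cfg.get(section, "deps", fallback="").splitlines()
        commands = cfg.get(section, "commands", fallback="")
        passenv = cfg.get(section, "passenv", fallback="")
        found = set()
        if any(PY_PACKAGE.match(d.strip()) for d in deps):
            found.add("python-codecov")
        if BASH_UPLOADER_URL.search(commands):
            found.add("bash-uploader")
        # Only flag the token for envs that actually run an uploader.
        if found and "CODECOV_TOKEN" in re.split(r"[\s,]+", passenv):
            found.add("token-in-env")
        if found:
            report[section] = found
    return report

# Constructed sample input, not Beam's real tox.ini.
SAMPLE_TOX = """\
[testenv:coverage-py]
deps =
    codecov
passenv = GIT_BRANCH CODECOV_TOKEN
commands =
    pytest --cov
    codecov

[testenv:coverage-legacy]
passenv = CODECOV_TOKEN
commands =
    bash -c "curl -s https://codecov.io/bash | bash"

[testenv:lint]
deps = flake8
commands = flake8
"""

if __name__ == "__main__":
    for env, findings in classify_tox(SAMPLE_TOX).items():
        print(env, sorted(findings))
```

An environment reported with both `bash-uploader` and `token-in-env` is the case the quoted notice says to re-roll credentials for.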
