From e43402a5a644c639386db6cea48521c6a397657e Mon Sep 17 00:00:00 2001 From: Patryk Targowicz Date: Mon, 4 May 2026 23:35:33 +0200 Subject: [PATCH 1/2] ci: Replace Coveralls with Codecov Signed-off-by: Patryk Targowicz Ticket: QA-1574 Signed-off-by: Patryk Targowicz --- .gitlab-ci-check-docker-acceptance.yml | 11 +++++++---- .gitlab-ci-check-golang-unittests-v2.yml | 11 +++++++---- .gitlab-ci-check-golang-unittests.yml | 12 +++++++----- 3 files changed, 21 insertions(+), 13 deletions(-) diff --git a/.gitlab-ci-check-docker-acceptance.yml b/.gitlab-ci-check-docker-acceptance.yml index 90eb72b..45c9f07 100644 --- a/.gitlab-ci-check-docker-acceptance.yml +++ b/.gitlab-ci-check-docker-acceptance.yml @@ -140,10 +140,13 @@ publish:acceptance: image: curlimages/curl-base allow_failure: true script: - - curl -Os https://uploader.codecov.io/latest/linux/codecov + - curl -Os https://cli.codecov.io/latest/alpine/codecov - chmod +x codecov - - unset GITLAB_CI - - ./codecov --token ${CODECOV_TOKEN} --file ./tests/coverage-acceptance.txt --flag acceptance --nonZero + - ./codecov upload-process + --fail-on-error + --git-service github --slug mendersoftware/${CI_PROJECT_NAME} + --sha ${CI_COMMIT_SHA} --pr $(echo "${CI_COMMIT_BRANCH}" | sed 's/^pr_//') - --service github + --file ./tests/coverage-acceptance.txt + --flag acceptance diff --git a/.gitlab-ci-check-golang-unittests-v2.yml b/.gitlab-ci-check-golang-unittests-v2.yml index d5fd5cb..a4907d2 100644 --- a/.gitlab-ci-check-golang-unittests-v2.yml +++ b/.gitlab-ci-check-golang-unittests-v2.yml 
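Review bot: The new download step `curl -Os https://cli.codecov.io/latest/alpine/codecov` in the `publish:acceptance` hunk has no `--fail`, so an HTTP error body would be saved as `codecov` and only fail later at exec time; in this job `allow_failure: true` would then hide the failure. `curl -fsSO https://cli.codecov.io/latest/alpine/codecov` stops at the download instead. The path also tracks `latest`, so every pipeline runs whatever build is currently published, in a job that presumably still has `CODECOV_TOKEN` in its environment now that the explicit `--token` argument is gone. Replacing `latest` with a fixed release (`<PINNED_VERSION>`, placeholder) would make upgrades a reviewed change, and a comment above `./codecov upload-process` such as `# token is read from the CODECOV_TOKEN CI variable` would record where the credential now comes from. Both points apply equally to the two `publish:unittests` hunks of this patch.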
@@ -79,10 +79,13 @@ publish:unittests: dependencies: - test:unit script: - - curl -Os https://uploader.codecov.io/latest/linux/codecov + - curl -Os https://cli.codecov.io/latest/alpine/codecov - chmod +x codecov - - unset GITLAB_CI - - ./codecov --token ${CODECOV_TOKEN} --file coverage.txt --flag unittests --nonZero + - ./codecov upload-process + --fail-on-error + --git-service github --slug mendersoftware/${CI_PROJECT_NAME} + --sha ${CI_COMMIT_SHA} --pr $(echo "${CI_COMMIT_BRANCH}" | sed 's/^pr_//') - --service github + --file coverage.txt + --flag unittests diff --git a/.gitlab-ci-check-golang-unittests.yml b/.gitlab-ci-check-golang-unittests.yml index b5287e5..87c8351 100644 --- a/.gitlab-ci-check-golang-unittests.yml +++ b/.gitlab-ci-check-golang-unittests.yml @@ -110,11 +110,13 @@ publish:unittests: - test:unit script: - tar -xvf unit-coverage.tar - - curl -Os https://uploader.codecov.io/latest/linux/codecov + - curl -Os https://cli.codecov.io/latest/alpine/codecov - chmod +x codecov - - unset GITLAB_CI - - ./codecov --token ${CODECOV_TOKEN} --flag unittests --nonZero - --file $(find tests/unit-coverage -name 'coverage.txt' | tr '\n' ',' | sed 's/,$//') + - ./codecov upload-process + --fail-on-error + --git-service github --slug mendersoftware/${CI_PROJECT_NAME} + --sha ${CI_COMMIT_SHA} --pr $(echo "${CI_COMMIT_BRANCH}" | sed 's/^pr_//') - --service github + --file $(find tests/unit-coverage -name 'coverage.txt' | tr '\n' ',' | sed 's/,$//') + --flag unittests From 982db229f729376e06dd6687c75bda156355f9a2 Mon Sep 17 00:00:00 2001 From: Patryk Targowicz Date: Wed, 13 May 2026 03:17:02 +0200 Subject: [PATCH 2/2] fix(coverage): verify codecov binary checksum before execution Add SHA256SUM verification for the codecov binary download across all three coverage templates to prevent running a tampered binary. Signed-off-by: Patryk Targowicz Ticket: QA-1574 
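Review bot: In the `.gitlab-ci-check-golang-unittests.yml` hunk of patch 1/2, `--file $(find tests/unit-coverage -name 'coverage.txt' | tr '\n' ',' | sed 's/,$//')` still passes a single comma-joined string, a form carried over from the old uploader call. As far as I know the new CLI takes `--file` as a repeatable option with one path per occurrence, so this should be confirmed against its help output. If the value is not split on commas, it names a file that does not exist, and the upload would depend on the CLI's own coverage-file search. Emitting one option per result, for example `--file` built with `$(find tests/unit-coverage -name 'coverage.txt' | sed 's/^/--file /')`, avoids relying on that, assuming the paths contain no whitespace.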
Signed-off-by: Patryk Targowicz --- .gitlab-ci-check-docker-acceptance.yml | 2 ++ .gitlab-ci-check-golang-unittests-v2.yml | 2 ++ .gitlab-ci-check-golang-unittests.yml | 2 ++ 3 files changed, 6 insertions(+) diff --git a/.gitlab-ci-check-docker-acceptance.yml b/.gitlab-ci-check-docker-acceptance.yml index 45c9f07..a37be97 100644 --- a/.gitlab-ci-check-docker-acceptance.yml +++ b/.gitlab-ci-check-docker-acceptance.yml @@ -141,6 +141,8 @@ publish:acceptance: allow_failure: true script: - curl -Os https://cli.codecov.io/latest/alpine/codecov + - curl -Os https://cli.codecov.io/latest/alpine/codecov.SHA256SUM + - sha256sum -c codecov.SHA256SUM - chmod +x codecov - ./codecov upload-process --fail-on-error diff --git a/.gitlab-ci-check-golang-unittests-v2.yml b/.gitlab-ci-check-golang-unittests-v2.yml index a4907d2..a05c77d 100644 --- a/.gitlab-ci-check-golang-unittests-v2.yml +++ b/.gitlab-ci-check-golang-unittests-v2.yml @@ -80,6 +80,8 @@ publish:unittests: - test:unit script: - curl -Os https://cli.codecov.io/latest/alpine/codecov + - curl -Os https://cli.codecov.io/latest/alpine/codecov.SHA256SUM + - sha256sum -c codecov.SHA256SUM - chmod +x codecov - ./codecov upload-process --fail-on-error diff --git a/.gitlab-ci-check-golang-unittests.yml b/.gitlab-ci-check-golang-unittests.yml index 87c8351..8f794ad 100644 --- a/.gitlab-ci-check-golang-unittests.yml +++ b/.gitlab-ci-check-golang-unittests.yml @@ -111,6 +111,8 @@ publish:unittests: script: - tar -xvf unit-coverage.tar - curl -Os https://cli.codecov.io/latest/alpine/codecov + - curl -Os https://cli.codecov.io/latest/alpine/codecov.SHA256SUM + - sha256sum -c codecov.SHA256SUM - chmod +x codecov - ./codecov upload-process --fail-on-error
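Review bot: The added `sha256sum -c codecov.SHA256SUM` step in the `publish:acceptance` hunk checks the binary against a checksum file fetched from the same host and path (`cli.codecov.io/latest/alpine/`) in the same job. It therefore detects a truncated or corrupted download but not a replaced one, because whoever can change `codecov` there can change `codecov.SHA256SUM` as well. The tamper protection the commit message describes needs a trust anchor outside that download. One option is to verify the checksum file's detached signature (Codecov publishes `codecov.SHA256SUM.sig`) with a public key pinned in this repository or in the job image; the other is to pin a release and compare against a hash committed here, e.g. `echo "<EXPECTED_SHA256>  codecov" | sha256sum -c -` (placeholder value). The `curlimages/curl-base` image used by `publish:acceptance` may not ship `gpgv`, so the committed-hash variant is probably the simpler one; the same applies to both `publish:unittests` hunks of this patch.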