Fix Codecov CLI installation: keybase.io PGP key gone (404)#69801
Merged
Conversation
The `Install Codecov CLI` step fetches the Codecov signing key from `https://keybase.io/codecovsecurity/pgp_keys.asc`, which now returns HTTP 404 (Keybase is effectively dead post-Zoom acquisition). This breaks the `Combine Code Coverage` job in `ci.yml` and the equivalent step in `depcheck.yml` on every push and PR. Swap the URL for `https://uploader.codecov.io/verification.gpg`, which returns HTTP 200 with the Codecov Uploader Verification Key (keyid `27034E7FDB850E0BBC2C62FF806BB28AED779869`) -- the same key that signs the `codecov.SHA256SUM.sig` the workflow already downloads and verifies. Fixes saltstack#69800
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What's broken
The
Install Codecov CLIstep in theCombine Code Coveragejob (.github/workflows/ci.yml) and the equivalent step in.github/workflows/depcheck.ymlfail on every push and PR:Reference failing run: https://github.com/saltstack/salt/actions/runs/29173817946
Why
The step fetches the Codecov signing key from
https://keybase.io/codecovsecurity/pgp_keys.asc, which now returns HTTP 404. Keybase is effectively dead post-Zoom acquisition.Fix
Swap the dead Keybase URL for
https://uploader.codecov.io/verification.gpg-- the Codecov Uploader Verification Key (keyid27034E7FDB850E0BBC2C62FF806BB28AED779869), which is the same key that signs thecodecov.SHA256SUM.sigfile the workflow already downloads and verifies. Minimum-blast-radius change: one URL, no new action pins, coverage semantics unchanged.I also considered switching to
codecov/codecov-action@v5; deferred because it's a broader refactor and would need to be re-evaluated for tokenless/token semantics. The URL swap unblocks CI now.Verification
Confirmed valid OpenPGP data (not HTML).
Scope / merge-forward
Same broken block exists on
3007.x,3008.x, andmaster. This PR targets3006.x; the maintainer merge-forward pipeline will carry it to the newer branches. No sibling PRs.Fixes #69800