From df056a8a56bd4349481bbceb1251f866532956a7 Mon Sep 17 00:00:00 2001 From: "Daniel A. Wozniak" Date: Mon, 13 Jul 2026 14:18:03 -0700 Subject: [PATCH] Fix Codecov CLI installation: keybase.io PGP key gone The `Install Codecov CLI` step fetches the Codecov signing key from `https://keybase.io/codecovsecurity/pgp_keys.asc`, which now returns HTTP 404 (Keybase is effectively dead post-Zoom acquisition). This breaks the `Combine Code Coverage` job in `ci.yml` and the equivalent step in `depcheck.yml` on every push and PR. Swap the URL for `https://uploader.codecov.io/verification.gpg`, which returns HTTP 200 with the Codecov Uploader Verification Key (keyid `27034E7FDB850E0BBC2C62FF806BB28AED779869`) -- the same key that signs the `codecov.SHA256SUM.sig` the workflow already downloads and verifies. Fixes #69800 --- .github/workflows/ci.yml | 2 +- .github/workflows/depcheck.yml | 2 +- .github/workflows/templates/ci.yml.jinja | 2 +- changelog/69800.fixed.md | 1 + 4 files changed, 4 insertions(+), 3 deletions(-) create mode 100644 changelog/69800.fixed.md diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9ee0a8cedd50..8e8f0ce63229 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -571,7 +571,7 @@ jobs: # We can't yet use tokenless uploads with the codecov CLI # python3 -m pip install codecov-cli # - curl https://keybase.io/codecovsecurity/pgp_keys.asc | gpg --no-default-keyring --import + curl -s https://uploader.codecov.io/verification.gpg | gpg --no-default-keyring --import curl -Os https://uploader.codecov.io/latest/linux/codecov curl -Os https://uploader.codecov.io/latest/linux/codecov.SHA256SUM curl -Os https://uploader.codecov.io/latest/linux/codecov.SHA256SUM.sig diff --git a/.github/workflows/depcheck.yml b/.github/workflows/depcheck.yml index c5e8ffb59c92..1852a5df1476 100644 --- a/.github/workflows/depcheck.yml +++ b/.github/workflows/depcheck.yml @@ -569,7 +569,7 @@ jobs: # We can't yet use tokenless uploads with the codecov CLI # python3 -m pip install codecov-cli # - curl https://keybase.io/codecovsecurity/pgp_keys.asc | gpg --no-default-keyring --import + curl -s https://uploader.codecov.io/verification.gpg | gpg --no-default-keyring --import curl -Os https://uploader.codecov.io/latest/linux/codecov curl -Os https://uploader.codecov.io/latest/linux/codecov.SHA256SUM curl -Os https://uploader.codecov.io/latest/linux/codecov.SHA256SUM.sig diff --git a/.github/workflows/templates/ci.yml.jinja b/.github/workflows/templates/ci.yml.jinja index 0456bace8202..6d07d1e49640 100644 --- a/.github/workflows/templates/ci.yml.jinja +++ b/.github/workflows/templates/ci.yml.jinja @@ -355,7 +355,7 @@ # We can't yet use tokenless uploads with the codecov CLI # python3 -m pip install codecov-cli # - curl https://keybase.io/codecovsecurity/pgp_keys.asc | gpg --no-default-keyring --import + curl -s https://uploader.codecov.io/verification.gpg | gpg --no-default-keyring --import curl -Os https://uploader.codecov.io/latest/linux/codecov curl -Os https://uploader.codecov.io/latest/linux/codecov.SHA256SUM curl -Os https://uploader.codecov.io/latest/linux/codecov.SHA256SUM.sig diff --git a/changelog/69800.fixed.md b/changelog/69800.fixed.md new file mode 100644 index 000000000000..06d643d51b4d --- /dev/null +++ b/changelog/69800.fixed.md @@ -0,0 +1 @@ +Fix Codecov CLI installation step by replacing dead keybase.io PGP key URL.