Describe the bug
👋🏾 Howdy! This is partially a feature request but I didn't find a specific template for that. CLI version isn't pinned and defaults to latest, increasing supply chain attack surface and risk of unexpected breaking changes.
We discovered this while troubleshooting code coverage upload failures. The underlying issue appears to have started with the CLI 11.2.4 release, and there's an open ticket tracking it: getsentry/prevent-cli#101.
To Reproduce
Steps to reproduce the behavior:
- Pin codecov-action version without setting the `version:` input, e.g. `uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1`
- Monitor the CLI version used
Expected behavior
CLI version is only updated when a new codecov/codecov-action version is released.
Versions
- OS: ubuntu-24.04
- Git Host: GitHub
- CI/CD: GitHub Actions
- Uploader: `codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1`
Commit and CI link
https://github.com/bitwarden/ios/actions/runs/18889125845/job/53913800720
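A repository-side check for the condition reported above, as an added example that is not part of the issue or of the codecov-action project: it scans workflow text for `codecov/codecov-action` steps whose `with:` block lacks a `version:` input. The function name, the line-based parsing and the sample workflow are constructed for illustration, `vX.Y.Z` is a placeholder, and treating an explicit `latest` as unpinned is an assumption.

```python
import re

USES = re.compile(r"^(\s*)(-\s+)?uses:\s*codecov/codecov-action@(\S+)")
DASH = re.compile(r"^(\s*)-(\s+)")

# Constructed sample workflow: the first step leaves the CLI version floating.
SAMPLE = """\
jobs:
  test:
    steps:
      - name: Upload coverage
        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
        with:
          files: coverage.xml
      - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
        with:
          version: vX.Y.Z  # placeholder for a reviewed CLI release
"""

def indent(line):
    return len(line) - len(line.lstrip(" "))

def floating_cli_steps(workflow_text):
    """Return (line_no, action_ref) for codecov-action steps with no pinned CLI version."""
    lines, findings = workflow_text.splitlines(), []
    for i, line in enumerate(lines):
        m = USES.match(line)
        if not m:
            continue
        key_col = len(m.group(1)) + len(m.group(2) or "")  # column of the step's keys
        start = i  # walk back to the "- " line that opens this step
        while start > 0 and not (DASH.match(lines[start]) and indent(lines[start]) < key_col):
            start -= 1
        in_with, pinned = False, False
        for n, raw in enumerate(lines[start:]):
            # Blank out the leading "- " so the first key lines up with its siblings.
            text = DASH.sub(lambda d: d.group(1) + " " + d.group(2), raw) if n == 0 else raw
            if not text.strip() or text.lstrip().startswith("#"):
                continue
            col = indent(text)
            if col < key_col:  # dedent or the next "- " item: the step has ended
                break
            if col == key_col:
                in_with = text.strip().startswith("with:")
            elif in_with:
                v = re.match(r"\s*version:\s*['\"]?([^\s'\"#]+)", text)
                pinned = pinned or bool(v and v.group(1) != "latest")
        if not pinned:
            findings.append((i + 1, m.group(3)))
    return findings
```

The parser assumes conventional block-style YAML with space indentation; flow-style mappings or anchors would need a real YAML loader.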