CI: Submit coverage to codecov via pinned PyPI pkg

Following a security incident at Codecov, the GitHub action should be
considered unsafe as it internally runs `curl | bash`.

Moving to our CI scripts.

Author: effigies

.github/workflows/misc.yml

@@ -51,9 +51,8 @@ jobs:
       - name: Run tests
         run: tools/ci/check.sh
         if: ${{ matrix.check != 'skiptests' }}
-      - uses: codecov/codecov-action@v1
-        with:
-          file: for_testing/coverage.xml
+      - name: Submit coverage
+        run: tools/ci/submit_coverage.sh
         if: ${{ always() }}
       - name: Upload pytest test results
         uses: actions/upload-artifact@v2

.github/workflows/pre-release.yml

@@ -74,9 +74,8 @@ jobs:
       - name: Run tests
         run: tools/ci/check.sh
         if: ${{ matrix.check != 'skiptests' }}
-      - uses: codecov/codecov-action@v1
-        with:
-          file: for_testing/coverage.xml
+      - name: Submit coverage
+        run: tools/ci/submit_coverage.sh
         if: ${{ always() }}
       - name: Upload pytest test results
         uses: actions/upload-artifact@v2

.github/workflows/stable.yml

@@ -117,9 +117,8 @@ jobs:
       - name: Run tests
         run: tools/ci/check.sh
         if: ${{ matrix.check != 'skiptests' }}
-      - uses: codecov/codecov-action@v1
-        with:
-          file: for_testing/coverage.xml
+      - name: Submit coverage
+        run: tools/ci/submit_coverage.sh
         if: ${{ always() }}
       - name: Upload pytest test results
         uses: actions/upload-artifact@v2

tools/ci/submit_coverage.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+echo Submitting coverage
+
+source tools/ci/activate.sh
+
+set -eu
+
+set -x
+
+COVERAGE_FILE="for_testing/coverage.xml"
+
+if [ -e "$COVERAGE_FILE" ]; then
+    # Pin codecov version to reduce scope for malicious updates
+    python -m pip install "codecov==2.1.11"
+    python -m codecov --file for_testing/coverage.xml
+fi
+
+set +eux
+
+echo Done submitting coverage