Security discussion: Codecov event

[effigies]

This morning (15 April 2021), I received a security update from CodeCov: https://about.codecov.io/security-update/

NiBabel was affected by this issue because we use the CodeCov GitHub action, which means tokens were potentially exposed. However, we have no authentication tokens set in our environment, so my assessment is that there was no potential for exploitation.

This thread will remain open for ~1 week to give others a chance to assess the situation and dispute my conclusion that we do not need to take any action.

[NicolasGensollen]

Linking the discussion on codecov action: jupyterhub/team-compass#398
There is a linked PR on adding a checksum validation on the uploader script. Hopefully this will be merged soon!
Based on what I understand so far, I also tend to think that, since you are not using any authentication tokens in your workflows, you shouldn't need to take any action.