Currently, GitHub Action and Travis CI run a codecov bash downloaded from https://codecov.io/bash without validating it.

The script was recently compromised:
https://about.codecov.io/security-update/

We should validate the shell script integrity by checking its checksum. Example from the documentation:
-------------
curl -s https://codecov.io/bash > codecov;
VERSION=$(grep -o 'VERSION=\"[0-9\.]*\"' codecov | cut -d'"' -f2);
for i in 1 256 512
do
  shasum -a $i -c --ignore-missing <(curl -s "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA${i}SUM") ||
  shasum -a $i -c <(curl -s "https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA${i}SUM")
done
-------------

See: https://docs.codecov.io/docs/about-the-codecov-bash-uploader

See also https://github.com/python/cpython/pull/25679 where we're proposing just removing the coverage build altogether.

I agree that we should just remove the code coverage runs rather than trying to improve their security. It seems to me to be rude of us to use so much of the open source build resources for an activity that appears to have little benefit.

With issue43888 being fixed with the removal of the coverage build, this is now obsolete. Thanks for pointing out the codecov breach, we will make sure to follow this if we ever re-add codecov.