From bcde0a768c843049e3c2a4ca32be0ad91e533148 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc=20Andr=C3=A9=20Tanner?= <mat@brain-dump.org>
Date: Tue, 20 Apr 2021 21:21:37 +0200
Subject: [PATCH] ci: verify coverity scan script before using it

---
 .github/workflows/coverity-scan.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/coverity-scan.yml b/.github/workflows/coverity-scan.yml
index 3a58aa3ae..48dfa9d40 100644
--- a/.github/workflows/coverity-scan.yml
+++ b/.github/workflows/coverity-scan.yml
@@ -24,9 +24,14 @@ jobs:
 
     - name: Download Coverity Build Tool
       run: |
-        wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=$TOKEN&project=martanne/vis" -O cov-analysis-linux64.tar.gz
+        wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=$TOKEN&project=martanne/vis" -O coverity_tool.tgz
+        wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=$TOKEN&project=martanne/vis&md5=1" -O coverity_tool.md5
+        if ! (cat coverity_tool.md5; echo "  coverity_tool.tgz") | md5sum -c --status; then
+          echo "Download checksum verification failed"
+          exit 1
+        fi
         mkdir cov-analysis-linux64
-        tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64
+        tar xzf coverity_tool.tgz --strip 1 -C cov-analysis-linux64
       env:
         TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}