From 04ec9fe285985e7f031042bef6d05cf35a2fefdd Mon Sep 17 00:00:00 2001
From: joseph-sentry <joseph.sawaya@sentry.io>
Date: Tue, 24 Jun 2025 14:10:37 -0400
Subject: [PATCH 1/3] fix: check reqs

---
 .github/workflows/main.yml | 112 ++++++++++++++++++++++++++++++++++---
 action.yml                 |  20 +++++++
 2 files changed, 125 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 695b50852..381e9b90b 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -14,11 +14,12 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4.2.2
         with:
-          submodules: 'true'
+          submodules: "true"
       - name: Install dependencies
         run: pip install -r src/scripts/app/requirements.txt
       - name: Run tests and collect coverage
         run: pytest src/scripts/app/ --cov
+
       - name: Upload coverage to Codecov (script)
         uses: ./
         with:
@@ -55,7 +56,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4.2.2
         with:
-          submodules: 'true'
+          submodules: "true"
       - name: Install dependencies
         run: pip install -r src/scripts/app/requirements.txt
       - name: Run tests and collect coverage
@@ -104,15 +105,16 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4.2.2
         with:
-          submodules: 'true'
+          submodules: "true"
       - name: Install deps
         run: |
-          apt-get install git
+          apt-get update && apt-get install -y git
+
       - name: Upload coverage to Codecov (script)
         uses: ./
         with:
           files: ./coverage/script/coverage-final.json
-          flags: script-${{ matrix.os }}
+          flags: script-container
           name: codecov-script
           verbose: true
           token: ${{ secrets.CODECOV_TOKEN }}
@@ -120,7 +122,7 @@ jobs:
         uses: ./
         with:
           files: ./coverage/calculator/coverage-final.json,./coverage/coverage-test/coverage-final.json,./coverage/coverage-final.json
-          flags: demo-${{ matrix.os }}
+          flags: demo-container
           name: codecov-demo
           verbose: true
           token: ${{ secrets.CODECOV_TOKEN }}
@@ -128,8 +130,104 @@ jobs:
         uses: ./
         with:
           files: ./coverage/calculator/coverage-final.json,./coverage/coverage-test/coverage-final.json,./coverage/coverage-final.json
-          flags: version-${{ matrix.os }}
+          flags: version-container
+          name: codecov-version
+          version: v9.1.0
+          verbose: true
+          token: ${{ secrets.CODECOV_TOKEN }}
+
+  run-alpine-missing-deps:
+    runs-on: ubuntu-latest
+    container: alpine:latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4.2.2
+        with:
+          submodules: "true"
+      - name: Upload coverage to Codecov (should fail due to missing dependencies)
+        id: codecov-upload
+        continue-on-error: true
+        uses: ./
+        with:
+          files: ./coverage/script/coverage-final.json
+          flags: script-alpine-missing-deps
+          name: codecov-script
+          verbose: true
+          token: ${{ secrets.CODECOV_TOKEN }}
+      - name: Verify dependency check failed
+        run: |
+          if [ "${{ steps.codecov-upload.outcome }}" = "failure" ]; then
+            echo "✓ Action correctly failed due to missing dependencies"
+            exit 0
+          else
+            echo "✗ Action should have failed but didn't"
+            exit 1
+          fi
+
+  run-alpine-success:
+    runs-on: ubuntu-latest
+    container: alpine:latest
+    steps:
+      - name: Install all required deps
+        run: |
+          apk add git curl gnupg bash
+      - name: Checkout
+        uses: actions/checkout@v4.2.2
+        with:
+          submodules: "true"
+      - name: Upload coverage to Codecov (should succeed)
+        uses: ./
+        with:
+          files: ./coverage/script/coverage-final.json
+          flags: script-alpine-success
+          name: codecov-script
+          verbose: true
+          token: ${{ secrets.CODECOV_TOKEN }}
+      - name: Upload coverage to Codecov (demo)
+        uses: ./
+        with:
+          files: ./coverage/calculator/coverage-final.json,./coverage/coverage-test/coverage-final.json,./coverage/coverage-final.json
+          flags: demo-alpine-success
+          name: codecov-demo
+          verbose: true
+          token: ${{ secrets.CODECOV_TOKEN }}
+      - name: Upload coverage to Codecov (version)
+        uses: ./
+        with:
+          files: ./coverage/calculator/coverage-final.json,./coverage/coverage-test/coverage-final.json,./coverage/coverage-final.json
+          flags: version-alpine-success
           name: codecov-version
           version: v9.1.0
           verbose: true
           token: ${{ secrets.CODECOV_TOKEN }}
+
+  run-alpine-partial-deps:
+    runs-on: ubuntu-latest
+    container: alpine:latest
+    steps:
+      - name: Install only some deps (missing gpg and bash)
+        run: |
+          apk add git curl
+      - name: Checkout
+        uses: actions/checkout@v4.2.2
+        with:
+          submodules: "true"
+      - name: Upload coverage to Codecov (should fail due to missing gpg and bash)
+        id: codecov-upload
+        continue-on-error: true
+        uses: ./
+        with:
+          files: ./coverage/script/coverage-final.json
+          flags: script-alpine-partial-deps
+          name: codecov-script
+          verbose: true
+          token: ${{ secrets.CODECOV_TOKEN }}
+      - name: Verify dependency check failed
+        run: |
+          if [ "${{ steps.codecov-upload.outcome }}" = "failure" ]; then
+            echo "✓ Action correctly failed due to missing dependencies (gpg and bash)"
+            exit 0
+          else
+            echo "✗ Action should have failed but didn't"
+            exit 1
+          fi
diff --git a/action.yml b/action.yml
index f99bba61b..375b8b0fe 100644
--- a/action.yml
+++ b/action.yml
@@ -175,6 +175,26 @@ branding:
 runs:
   using: "composite"
   steps:
+    - name: Check system dependencies
+      shell: sh
+      run: |
+        missing_deps=""
+
+        # Check for required commands
+        for cmd in bash git curl gpg; do
+          if ! command -v "$cmd" >/dev/null 2>&1; then
+            missing_deps="$missing_deps $cmd"
+          fi
+        done
+
+        # Report missing required dependencies
+        if [ -n "$missing_deps" ]; then
+          echo "Error: The following required dependencies are missing:$missing_deps"
+          echo "Please install these dependencies before using this action."
+          exit 1
+        fi
+
+        echo "All required system dependencies are available."
     - name: Action version
       shell: bash
       run: |

From 243559ef68c84e9e19b0550bdef1732ef52d166e Mon Sep 17 00:00:00 2001
From: joseph-sentry <joseph.sawaya@sentry.io>
Date: Tue, 24 Jun 2025 15:20:59 -0400
Subject: [PATCH 2/3] fix

---
 .github/workflows/main.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 381e9b90b..73f0c1790 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -140,6 +140,9 @@ jobs:
     runs-on: ubuntu-latest
     container: alpine:latest
     steps:
+      - name: Install only some deps (missing gpg and bash)
+        run: |
+          apk add git
       - name: Checkout
         uses: actions/checkout@v4.2.2
         with:

From e7d5e9bc58d850f1763f0cebaedd8d89f4f54663 Mon Sep 17 00:00:00 2001
From: joseph-sentry <joseph.sawaya@sentry.io>
Date: Tue, 24 Jun 2025 16:49:41 -0400
Subject: [PATCH 3/3] docs: update README to reflect dependency needs

---
 README.md | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 302bbc8a3..f342d82f6 100644
--- a/README.md
+++ b/README.md
@@ -49,10 +49,11 @@ You can see their usage in the `action.yml` [file](https://github.com/codecov/co
 
 ## Usage
 
+> [!CAUTION]
+> In order for the Action to work seamlessly, you will need to have `bash`, `curl`, `git`, and `gpg` installed on your runner. You will also need to run [actions/checkout](https://github.com/actions/checkout) before calling the Codecov action. If these are not present, the Action will fail. Github Actions runners will have these installed by default. If you are using a custom runner or running in a container, you will need to ensure that these are installed.
+
 To integrate Codecov with your Actions pipeline, specify the name of this repository with a tag number (`@v5` is recommended) as a `step` within your `workflow.yml` file.
 
-> [!WARNING]
-> In order for the Action to work seamlessly, you will need to have `curl`, `git`, and `gpg` installed on your runner. You will also need to run the [actions/checkout](https://github.com/actions/checkout) before calling the Codecov action.
 
 This Action also requires you to [provide an upload token](https://docs.codecov.io/docs/frequently-asked-questions#section-where-is-the-repository-upload-token-found-) from [codecov.io](https://www.codecov.io) (tip: in order to avoid exposing your token, [store it](https://docs.codecov.com/docs/adding-the-codecov-token#github-actions) as a `secret`).
 
@@ -96,7 +97,7 @@ steps:
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 ```
 
-> [!NOTE]
+> [!IMPORTANT]
 > This assumes that you've set your Codecov token inside _Settings > Secrets_ as `CODECOV_TOKEN`. If not, you can [get an upload token](https://docs.codecov.io/docs/frequently-asked-questions#section-where-is-the-repository-upload-token-found-) for your specific repo on [codecov.io](https://www.codecov.io). Keep in mind that secrets are _not_ available to forks of repositories.
 
 ### Using OIDC