fix: download CLI to temp dir and retry GPG key import

[thomasrockhu-codecov]

Summary

• Dirty git state ([BUG] Use of codecov-action action leaves git repository in dirty state #1851, [BUG] upload creates files in the project root, leaving the repo dirty #1804): Downloads the CLI binary, SHA256SUM, and SHA256SUM.sig to a temp directory (mktemp -d) instead of the repo working directory. An EXIT trap automatically cleans up the temp dir when the script finishes. No more leftover codecov, codecov.SHA256SUM, codecov.SHA256SUM.sig files polluting git status.
• GPG import failures ([BUG] Random fails due to uploader verification key import failing #1876): Replaces the fragile echo "$(curl -s ...)" | gpg --import pattern (which strips trailing newlines and has no error handling) with a 3-attempt retry loop that pipes curl -sf directly to gpg --import, with explicit failure reporting.

Closes #1851
Closes #1804
Fixes #1876

Test plan

• Verify normal upload path: binary downloads to temp dir, upload succeeds, no leftover files in repo root
• Verify CC_BINARY_LOCATION path: binary is moved to the specified location correctly
• Verify CC_DOWNLOAD_ONLY path: binary is copied to working dir before exit
• Verify skip_validation path: binary downloads to temp dir, validation is skipped
• Verify GPG import retry: simulate transient keybase failure, confirm retry works
• Verify GPG import failure: confirm clear error message after 3 failed attempts
• Verify git status is clean after action completes (the core bug fix)

Notes

• dist/codecov.sh is sourced from the codecov/wrapper submodule. The same changes should be upstreamed to that repo.
• The symlink crash ([BUG] REGRESSION: v5 fails if a broken symlink is present in the repo #1890) is a bug in the codecov CLI binary itself, not the action wrapper — it needs a separate fix in codecov/codecov-cli.

Made with Cursor

[sentry]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.14%. Comparing base (671740a) to head (9dee4ad).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1916   +/-   ##
=======================================
  Coverage   97.14%   97.14%           
=======================================
  Files           2        2           
  Lines          35       35           
=======================================
  Hits           34       34           
  Misses          1        1           

Flag	Coverage Δ
demo-macos-latest	97.14% <ø> (ø)
demo-macos-latest-xlarge	97.14% <ø> (?)
demo-ubuntu-latest	97.14% <ø> (ø)
demo-windows-latest	97.14% <ø> (ø)
script-	97.14% <ø> (?)
script-macos-latest	97.14% <ø> (ø)
script-macos-latest-xlarge	97.14% <ø> (?)
script-ubuntu-latest	97.14% <ø> (ø)
script-windows-latest	97.14% <ø> (ø)
version-macos-latest	97.14% <ø> (ø)
version-maxos-latest-xlarge	97.14% <ø> (?)
version-ubuntu-latest	97.14% <ø> (ø)
version-windows-latest	97.14% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[thomasrockhu-codecov]

Closing — these changes belong in codecov/wrapper, not here. Opening PR there instead.