Validate codecov script against checksums. (#2330)
After the recent Codecov security incident[1] I've been reviewing codecov usage across ROS repositories. This repository is fetching the codecov bash uploader without performing the recommended validation step. The validation step does not appear to have been widely explained or publicised and even the official codecov GitHub action was not validating the script until the recent security incident. I have made an attempt to validate the bash uploader here.

[1]: https://about.codecov.io/security-update/
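The kind of check the commit message describes, as an added example that is not the code from this commit or from Codecov: a fetched script is executed only if its SHA-256 digest matches the entry for its name in a checksum manifest. The function names, file names and script contents are assumptions made for the illustration, and file names containing spaces are not handled.

```shell
# Added example; the file names and script contents are constructed.

# Print the SHA-256 digest of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE MANIFEST NAME
# MANIFEST uses the "<hex digest>  <name>" layout that sha256sum writes.
# Returns 0 only when NAME is listed and its digest matches FILE.
verify_script() {
    vs_file=$1; vs_manifest=$2; vs_name=$3
    [ -f "$vs_file" ] && [ -f "$vs_manifest" ] || return 2
    vs_expected=$(awk -v n="$vs_name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$vs_manifest")
    # Fail closed: a name missing from the manifest is a failure, not a pass.
    [ -n "$vs_expected" ] || return 3
    [ "$(sha256_of "$vs_file")" = "$vs_expected" ] || return 1
}

# run_if_verified FILE MANIFEST NAME: execute FILE only after the check passes.
run_if_verified() {
    if verify_script "$1" "$2" "$3"; then
        sh "$1"
    else
        echo "checksum validation failed for $3; not executing" >&2
        return 1
    fi
}

# Constructed demo: a stand-in uploader, its manifest, then a tampered copy.
demo() {
    d=$(mktemp -d) || return 1
    printf 'echo "uploading coverage"\n' > "$d/uploader.sh"
    printf '%s  uploader.sh\n' "$(sha256_of "$d/uploader.sh")" > "$d/SHA256SUM"
    run_if_verified "$d/uploader.sh" "$d/SHA256SUM" uploader.sh || return 1
    printf 'echo "injected line"\n' >> "$d/uploader.sh"
    run_if_verified "$d/uploader.sh" "$d/SHA256SUM" uploader.sh && return 1
    rm -rf "$d"
    return 0
}

demo && echo "demo ok"
```

The demo builds its manifest from the local file only to stay offline; in a CI job the manifest has to come from a pinned source that is separate from the one serving the script, otherwise whoever can alter the script can alter the checksum with it.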