Replace codecov-action with vendored upload script.

The codecov action downloads a script from the internet and executes
it without verifying that it has not been tampered with. That script
was recently compromised, and there hasn't been an update to the
action, so rather than trust that it will not be compromised again,
the latest script (with checksum
89c658e261d5f25533598a222fd96cf17a5fa0eb3772f2defac754d9970b2ec8
retrieved from
https://raw.githubusercontent.com/codecov/codecov-bash/f181fd261aad57d39e8d355547ff5850cc6725b1/SHA256SUM)
is now vendored in with the rest of the Github Actions config.

https://about.codecov.io/security-update/

Signed-off-by: Ben Luddy <[email protected]>

Author: benluddy