CI: use OIDC for CodeCov

This uses a short-lived token
which is better for security.

Author: pjonsson

.github/workflows/main.yml

@@ -66,6 +66,8 @@ jobs:
 
   test-wheels:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     container:
       image: ghcr.io/opendatacube/odc-stats:latest
       credentials:
@@ -151,6 +153,6 @@ jobs:
 
         uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
         with:
-          token: ${{ secrets.CODECOV_TOKEN }}
+          use_oidc: true
           fail_ci_if_error: false
           verbose: false