CI: use OIDC for CodeCov

pjonsson · pjonsson · commit e8424dc1e75f · 2025-08-12T07:02:42.000+02:00
This uses a short-lived token
which is better for security.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -66,6 +66,8 @@ jobs:
 
   test-wheels:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     container:
       image: ghcr.io/${{ github.repository }}:latest
       credentials:
@@ -151,6 +153,6 @@ jobs:
 
         uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
         with:
-          token: ${{ secrets.CODECOV_TOKEN }}
+          use_oidc: true
           fail_ci_if_error: false
           verbose: false
