Conversation

@njzjz-bot njzjz-bot (Contributor) commented Jan 24, 2026

Replace token-based authentication with OIDC (OpenID Connect) for codecov-action.
This is more secure and eliminates the need to manage upload tokens.

Changes:

  • Add use_oidc: true to codecov-action configuration
  • Add id-token: write permission at workflow level
  • Remove token parameter from codecov-action (ignored when using OIDC)

This improves security and follows codecov-action best practices.

Generated by the task: njzjz-bot/njzjz-bot#25.

Summary by CodeRabbit

  • Chores
    • Updated CI/CD workflow configuration to improve the build and testing process.


@dosubot dosubot bot added the size:XS This PR changes 0-9 lines, ignoring generated files. label Jan 24, 2026
codspeed-hq bot commented Jan 24, 2026

CodSpeed Performance Report

Merging this PR will not alter performance

Comparing njzjz-bot:codecov-oidc (59e5484) with devel (61a0cc6)

⚠️ Unknown Walltime execution environment detected

Using the Walltime instrument on standard Hosted Runners will lead to inconsistent data.

For the most accurate results, we recommend using CodSpeed Macro Runners: bare-metal machines fine-tuned for performance measurement consistency.

Summary

✅ 2 untouched benchmarks
⏩ 2 skipped benchmarks [1]

Footnotes

  1. 2 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

@dosubot dosubot bot added the github_actions Pull requests that update GitHub Actions code label Jan 24, 2026
codecov bot commented Jan 24, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.06%. Comparing base (61a0cc6) to head (59e5484).
⚠️ Report is 1 commit behind head on devel.

Additional details and impacted files
@@           Coverage Diff           @@
##            devel     #926   +/-   ##
=======================================
  Coverage   86.06%   86.06%           
=======================================
  Files          83       83           
  Lines        7886     7886           
=======================================
  Hits         6787     6787           
  Misses       1099     1099           


coderabbitai bot commented Jan 24, 2026

Walkthrough

Modified GitHub Actions workflow configuration to enhance security posture by adding OpenID Connect (OIDC) authentication. Added use_oidc: true to the codecov step and introduced a permissions block with id-token: write capability.

Changes

  • Cohort: GitHub Actions Workflow Configuration
  • File(s): .github/workflows/test.yml
  • Summary: Reformatted workflow trigger declarations; added OIDC authentication (use_oidc: true) to codecov step; introduced new permissions block granting id-token: write access

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks: 3 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main change: switching codecov-action authentication from token-based to OIDC. It is specific, concise, and clearly conveys the primary purpose of the pull request.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In @.github/workflows/test.yml:
- Around line 33-37: The workflow sets CODECOV_TOKEN in the env block for the
codecov/codecov-action even though use_oidc: true is enabled; remove the env:
CODECOV_TOKEN declaration so the action relies on OIDC instead (delete the env
block that contains CODECOV_TOKEN from the codecov/codecov-action step), and
optionally remove the CODECOV_TOKEN secret from repository settings if it's no
longer needed.
- Around line 47-48: The workflow's permissions block only grants "id-token:
write" which leaves all other scopes as none and breaks actions/checkout; update
the permissions section to also include "contents: read" so actions/checkout can
access repository files (modify the permissions block that currently contains
"id-token: write" to add "contents: read").

Comment on lines 33 to +37

      uses: codecov/codecov-action@v5
      env:
        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
      with:
        use_oidc: true

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

codecov/codecov-action v5 OIDC CODECOV_TOKEN required documentation

💡 Result:

For codecov/codecov-action@v5, CODECOV_TOKEN is not required if you use OIDC.

  • OIDC upload (no token): set use_oidc: true and grant the workflow/job id-token: write. Any token / CODECOV_TOKEN you provide will be ignored when OIDC is enabled. [1]

    permissions:
      id-token: write
    
    steps:
      - uses: actions/checkout@v4
      - uses: codecov/codecov-action@v5
        with:
          use_oidc: true
  • Token upload (when OIDC is not used): you may still need CODECOV_TOKEN depending on your repo/org settings (e.g., private repos require a token, and public repos may require one for protected branches unless token authentication is disabled). [2]

Sources: Codecov Action v5 README (OIDC section) [1]; Codecov “When do I need a token?” docs [2].


Remove CODECOV_TOKEN when using OIDC.

With use_oidc: true, the CODECOV_TOKEN environment variable is unnecessary and ignored. Exporting the secret keeps it in the runner environment without purpose. Remove the env block and consider deleting the secret from repo settings if no longer needed.

Proposed change
-    - name: Run codecov
-      uses: codecov/codecov-action@v5
-      env:
-        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-      with:
-        use_oidc: true
+    - name: Run codecov
+      uses: codecov/codecov-action@v5
+      with:
+        use_oidc: true
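Review bot: Dropping the env block is the right fix, but note that the PR description says "Remove token parameter from codecov-action" while this hunk shows the token was never a `token:` input at all; it was exported as `env: CODECOV_TOKEN`, which is why the original diff left it in place. The hunk's context also does not show where `id-token: write` is granted; `use_oidc: true` only works if the token for this job carries that scope, so confirm the workflow-level permissions block added at lines 47-48 is not overridden by a job-level `permissions:` block on this job.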

Comment on lines +47 to +48

  permissions:
    id-token: write

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

GitHub Actions workflow permissions defaults unspecified none

💡 Result:

  • If your workflow/job does not include a permissions: block at all, GitHub uses the repository’s (or org’s) default GITHUB_TOKEN permissions. Repos/orgs created on or after Feb 2, 2023 default to read-only, while those created before Feb 2, 2023 default to read/write (unless an admin changed the default in settings). [1][3]
  • If you do include a permissions: block, then any permission scope you don’t specify is set to none (i.e., unspecified scopes become no-access). [2]
  • Practical takeaway:
    • Want “use the repo/org default”? omit permissions: entirely. [3]
    • Want “everything not explicitly granted should be none”? add permissions: and list only what you need. [2][3]

Sources: [1] GitHub Docs (enterprise/org default workflow permissions) • [2] GitHub Changelog (missing scopes => none) • [3] CodeQL help (no explicit permissions => repo/org defaults)


🌐 Web query:

actions/checkout contents read permission required

💡 Result:

actions/checkout needs the workflow’s GITHUB_TOKEN to be able to read repository contents, so you must grant contents: read (unless you provide another auth method via the action’s token or ssh-key inputs). The actions/checkout README explicitly recommends this permission block. [1]

Add one of these:

Workflow-wide

permissions:
  contents: read

Job-only

jobs:
  build:
    permissions:
      contents: read

Common gotcha: if you set any permissions: in a workflow/job, any scope you don’t list becomes none, so checkout fails unless contents: read is included. GitHub’s docs confirm unspecified permissions become none. [2]

If you still can’t use actions/checkout: your org/repo may be configured to allow only actions from your organization, which blocks GitHub-authored actions like actions/checkout. [3]

Sources: [1] [2] [3]


🌐 Web query:

GitHub Actions permissions scope default behavior private repository

💡 Result:

In a private GitHub repository, the default GitHub Actions GITHUB_TOKEN permission scope is not “always write”—it depends on the repo/org/enterprise “Workflow permissions” default (and, for orgs/enterprises, often the creation date of the org/enterprise).

  • Default for new repos/orgs/enterprises (created on/after Feb 2, 2023): GITHUB_TOKEN defaults to read-only (effectively the “restricted” default, i.e., read access for contents (and typically packages) unless you grant more). (github.blog)
  • Older orgs/enterprises (created before Feb 2, 2023): may still default to read/write for all scopes unless an admin changed the “Workflow permissions” setting. (docs.github.com)
  • You can override in workflow YAML with permissions: at the workflow/job level; any permission you don’t list becomes none (with special cases like fork PR behavior). (github.blog)
  • Fork PRs are treated specially (e.g., token is constrained/read-only in those contexts), and for forks the token may only have read access to the parent repo. (github.blog)



Add contents: read permission for actions/checkout to work.

When a permissions: block is present, any unspecified permission scope is set to none. Since actions/checkout requires read access to repository contents, you must explicitly grant contents: read alongside id-token: write.

Proposed change
 permissions:
+  contents: read
   id-token: write
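Review bot: Adding `contents: read` here resolves the checkout failure, but because this block sits at workflow level it grants `id-token: write` to every job in the file, not only the one that runs codecov-action. From a least-privilege standpoint, `id-token: write` could instead live in a job-level `permissions:` block on the codecov job; if that is done, remember the rule quoted in the analysis above: a job-level block replaces the workflow-level one and sets every unlisted scope to none, so that job-level block must repeat `contents: read` as well.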

@wanghan-iapcm wanghan-iapcm merged commit 9608254 into deepmodeling:devel Jan 26, 2026
12 checks passed

Labels

github_actions Pull requests that update GitHub Actions code size:XS This PR changes 0-9 lines, ignoring generated files.
