From 0e695d6eb41f24a21183fc9d8f9527e835bc7c16 Mon Sep 17 00:00:00 2001
From: "njzjz-bot[bot]" <48687836+njzjz-bot@users.noreply.github.com>
Date: Sat, 24 Jan 2026 05:20:05 +0000
Subject: [PATCH] ci: use OIDC for codecov-action

Replace token-based authentication with OIDC (OpenID Connect) for codecov-action.
This is more secure and eliminates the need to manage upload tokens.

Changes:
- Add use_oidc: true to codecov-action configuration
- Add id-token: write permission at workflow level
- Remove token parameter from codecov-action (ignored when using OIDC)

This improves security and follows codecov-action best practices.

Generated by the task: njzjz-bot/njzjz-bot#25.
---
 .github/workflows/test.yaml | 44 +++++++++++++++++++------------------
 1 file changed, 23 insertions(+), 21 deletions(-)

diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index b718f23..1f0cc25 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -3,7 +3,7 @@ name: Test Python package
 on:
   push:
     branches:
-      - master
+    - master
   pull_request:
 
 env:
@@ -15,23 +15,25 @@ jobs:
       id-token: write
       contents: read # for private repos
     steps:
-      - uses: actions/checkout@v5
-      - name: Set up uv
-        uses: astral-sh/setup-uv@v7
-        with:
-          enable-cache: true
-          cache-dependency-glob: |
-            **/requirements*.txt
-            **/pyproject.toml
-      - name: Set up Python
-        uses: actions/setup-python@v6
-        with:
-          python-version: 3.14
-      - name: Install dependencies
-        run: uv pip install nox[uv]
-      - name: Test with pytest
-        run: nox -db uv
-      - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@v5
-        with:
-          use_oidc: ${{ !(github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork) }}
+    - uses: actions/checkout@v5
+    - name: Set up uv
+      uses: astral-sh/setup-uv@v7
+      with:
+        enable-cache: true
+        cache-dependency-glob: |
+          **/requirements*.txt
+          **/pyproject.toml
+    - name: Set up Python
+      uses: actions/setup-python@v6
+      with:
+        python-version: 3.14
+    - name: Install dependencies
+      run: uv pip install nox[uv]
+    - name: Test with pytest
+      run: nox -db uv
+    - name: Upload coverage reports to Codecov
+      uses: codecov/codecov-action@v5
+      with:
+        use_oidc: true
+permissions:
+  id-token: write