From a57ebebfb8e6f68daac95a98f86218ee8e270886 Mon Sep 17 00:00:00 2001
From: "njzjz-bot[bot]" <48687836+njzjz-bot@users.noreply.github.com>
Date: Sat, 24 Jan 2026 05:17:32 +0000
Subject: [PATCH] ci: use OIDC for codecov-action

Replace token-based authentication with OIDC (OpenID Connect) for codecov-action. This is more secure and eliminates the need to manage upload tokens.

Changes:
- Add use_oidc: true to codecov-action configuration
- Add id-token: write permission at workflow level
- Remove token parameter from codecov-action (ignored when using OIDC)

This improves security and follows codecov-action best practices.

Generated by the task: njzjz-bot/njzjz-bot#25.
---
 .github/workflows/push.yml | 8 +++++---
 .github/workflows/testjs.yml | 6 ++++--
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 94c863fa6..05fd5d30a 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -1,9 +1,9 @@
 on:
 push:
 branches:
- - master
+ - master
 tags:
- - v*
+ - v*
 pull_request:
 merge_group:
@@ -26,4 +26,6 @@ jobs:
 - run: tox
 - uses: codecov/codecov-action@v5
 with:
- token: ${{ secrets.CODECOV_TOKEN }}
+ use_oidc: true
+permissions:
+ id-token: write
diff --git a/.github/workflows/testjs.yml b/.github/workflows/testjs.yml
index 5054919be..a38b96dcd 100644
--- a/.github/workflows/testjs.yml
+++ b/.github/workflows/testjs.yml
@@ -1,7 +1,7 @@
 on:
 push:
 branches:
- - master
+ - master
 pull_request:
 merge_group:
@@ -29,4 +29,6 @@ jobs:
 - run: yarn coverage
 - uses: codecov/codecov-action@v5
 with:
- token: ${{ secrets.CODECOV_TOKEN }}
+ use_oidc: true
+permissions:
+ id-token: write
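Review bot: The `permissions:` block added at the end of push.yml sits at workflow level, so every job and step in the file can request an OIDC token, including `codecov/codecov-action@v5`, which is referenced by a movable tag rather than a commit SHA. Declaring any scope also sets every unlisted scope to `none`, so steps that relied on the default `contents: read` (a checkout in a private repository, for example) lose it. I would move the block under the job that uploads coverage and list both scopes, `permissions:` with `id-token: write` and `contents: read`. The `jobs:` mapping starts outside the hunk, so I cannot see how many jobs are affected; the last hunk of testjs.yml adds the same block.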
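Review bot: `use_oidc: true` in the last hunk of testjs.yml replaces the token on a workflow that also runs on `pull_request`, and GitHub does not normally grant `id-token: write` to runs triggered from forks. It is worth confirming on a fork pull request that the upload step still succeeds or degrades cleanly, since coverage for external contributions could otherwise go missing unnoticed. A short comment above the step would record the expectation, for example `# fork PRs get no OIDC token; confirm the tokenless fallback still uploads`. The same applies to the codecov step in push.yml; the job definition starts outside the hunk.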