set up tokenless OIDC in CI

Author: onamfc

.github/workflows/ci.yml

@@ -10,6 +10,9 @@ jobs:
   test:
     name: Test
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     strategy:
       matrix:
         node-version: [18.x, 20.x]
@@ -39,15 +42,37 @@ jobs:
       - name: Run tests
         run: npm run test:coverage
 
-      - name: Upload coverage to Codecov
+      # 🔹 Always upload the coverage folder so you can inspect reports from CI runs
+      - name: Upload coverage artifact
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-${{ matrix.node-version }}
+          path: coverage/
+          retention-days: 7
+
+      # 🔹 Codecov upload using OIDC (skips forked PRs)
+      - name: Upload coverage to Codecov (OIDC)
+        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }}
         uses: codecov/codecov-action@v5
         with:
-          token: ${{ secrets.CODECOV_TOKEN }}  # or set `use_oidc: true` + permissions
+          use_oidc: true
           files: ./coverage/lcov.info
           flags: unittests
           name: codecov-umbrella
           fail_ci_if_error: true
 
+      # 🔹 Best-effort Codecov on forked PRs (won't fail CI if upload is blocked)
+      - name: Upload coverage to Codecov (best-effort on forks)
+        if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork }}
+        uses: codecov/codecov-action@v5
+        with:
+          use_oidc: true
+          files: ./coverage/lcov.info
+          flags: unittests
+          name: codecov-umbrella
+          fail_ci_if_error: false
+
   build:
     name: Build
     runs-on: ubuntu-latest
@@ -142,4 +167,3 @@ jobs:
       - name: Run dependency check
         if: github.event_name == 'pull_request'
         uses: actions/dependency-review-action@v4
-

coverage/index.html

@@ -116,7 +116,7 @@ <h1>All files</h1>
             <div class='footer quiet pad2 space-top1 center small'>
                 Code coverage generated by
                 <a href="https://istanbul.js.org/" target="_blank" rel="noopener noreferrer">istanbul</a>
-                at 2025-09-05T16:54:56.690Z
+                at 2025-09-05T17:41:46.581Z
             </div>
         <script src="prettify.js"></script>
         <script>

coverage/lcov-report/index.html

@@ -116,7 +116,7 @@ <h1>All files</h1>
             <div class='footer quiet pad2 space-top1 center small'>
                 Code coverage generated by
                 <a href="https://istanbul.js.org/" target="_blank" rel="noopener noreferrer">istanbul</a>
-                at 2025-09-05T16:54:56.681Z
+                at 2025-09-05T17:41:46.570Z
             </div>
         <script src="prettify.js"></script>
         <script>

coverage/lcov-report/tools/calculator.ts.html

@@ -430,7 +430,7 @@ <h1><a href="../index.html">All files</a> / <a href="index.html">tools</a> calcu
             <div class='footer quiet pad2 space-top1 center small'>
                 Code coverage generated by
                 <a href="https://istanbul.js.org/" target="_blank" rel="noopener noreferrer">istanbul</a>
-                at 2025-09-05T16:54:56.681Z
+                at 2025-09-05T17:41:46.570Z
             </div>
         <script src="../prettify.js"></script>
         <script>

coverage/lcov-report/tools/index.html

@@ -131,7 +131,7 @@ <h1><a href="../index.html">All files</a> tools</h1>
             <div class='footer quiet pad2 space-top1 center small'>
                 Code coverage generated by
                 <a href="https://istanbul.js.org/" target="_blank" rel="noopener noreferrer">istanbul</a>
-                at 2025-09-05T16:54:56.681Z
+                at 2025-09-05T17:41:46.570Z
             </div>
         <script src="../prettify.js"></script>
         <script>

coverage/lcov-report/tools/setup.ts.html

@@ -241,7 +241,7 @@ <h1><a href="../index.html">All files</a> / <a href="index.html">tools</a> setup
             <div class='footer quiet pad2 space-top1 center small'>
                 Code coverage generated by
                 <a href="https://istanbul.js.org/" target="_blank" rel="noopener noreferrer">istanbul</a>
-                at 2025-09-05T16:54:56.681Z
+                at 2025-09-05T17:41:46.570Z
             </div>
         <script src="../prettify.js"></script>
         <script>

coverage/lcov-report/tools/text-processing.ts.html

@@ -841,7 +841,7 @@ <h1><a href="../index.html">All files</a> / <a href="index.html">tools</a> text-
             <div class='footer quiet pad2 space-top1 center small'>
                 Code coverage generated by
                 <a href="https://istanbul.js.org/" target="_blank" rel="noopener noreferrer">istanbul</a>
-                at 2025-09-05T16:54:56.681Z
+                at 2025-09-05T17:41:46.570Z
             </div>
         <script src="../prettify.js"></script>
         <script>

coverage/lcov-report/utils/config.ts.html

@@ -340,7 +340,7 @@ <h1><a href="../index.html">All files</a> / <a href="index.html">utils</a> confi
             <div class='footer quiet pad2 space-top1 center small'>
                 Code coverage generated by
                 <a href="https://istanbul.js.org/" target="_blank" rel="noopener noreferrer">istanbul</a>
-                at 2025-09-05T16:54:56.681Z
+                at 2025-09-05T17:41:46.570Z
             </div>
         <script src="../prettify.js"></script>
         <script>

coverage/lcov-report/utils/errors.ts.html

@@ -601,7 +601,7 @@ <h1><a href="../index.html">All files</a> / <a href="index.html">utils</a> error
             <div class='footer quiet pad2 space-top1 center small'>
                 Code coverage generated by
                 <a href="https://istanbul.js.org/" target="_blank" rel="noopener noreferrer">istanbul</a>
-                at 2025-09-05T16:54:56.681Z
+                at 2025-09-05T17:41:46.570Z
             </div>
         <script src="../prettify.js"></script>
         <script>

coverage/lcov-report/utils/index.html

@@ -131,7 +131,7 @@ <h1><a href="../index.html">All files</a> utils</h1>
             <div class='footer quiet pad2 space-top1 center small'>
                 Code coverage generated by
                 <a href="https://istanbul.js.org/" target="_blank" rel="noopener noreferrer">istanbul</a>
-                at 2025-09-05T16:54:56.681Z
+                at 2025-09-05T17:41:46.570Z
             </div>
         <script src="../prettify.js"></script>
         <script>