ci: upload Codecov via token or OIDC

cuihairu · cuihairu · commit f2e31cd3afde · 2025-12-28T19:38:32.000+08:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -57,6 +57,9 @@ jobs:
   coverage:
     name: Coverage (Codecov)
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - uses: actions/checkout@v4
 
@@ -98,8 +101,8 @@ jobs:
             --ignore-errors unused
           lcov --list coverage.info --rc branch_coverage=1
 
-      - name: Upload to Codecov
-        if: github.event_name == 'push'
+      - name: Upload to Codecov (token)
+        if: github.event_name == 'push' && secrets.CODECOV_TOKEN != ''
         uses: codecov/codecov-action@v5
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
@@ -108,3 +111,14 @@ jobs:
           plugins: noop
           fail_ci_if_error: true
           verbose: true
+
+      - name: Upload to Codecov (OIDC)
+        if: github.event_name == 'push' && secrets.CODECOV_TOKEN == ''
+        uses: codecov/codecov-action@v5
+        with:
+          use_oidc: true
+          files: coverage.info
+          disable_search: true
+          plugins: noop
+          fail_ci_if_error: true
+          verbose: true
