move codecov from token to oidc #37

	name: Bandit

	on:
	push:
	branches: [ main ]
	pull_request:
	paths:
	- "src/**"
	- "pyproject.toml"
	- "justfile"
	- ".github/workflows/bandit.yml"
	workflow_dispatch:

	permissions:
	contents: read

	jobs:
	bandit-analysis:
	name: Run Bandit
	runs-on: ubuntu-latest
	permissions:
	contents: read
	security-events: write

	steps:
	- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
	with:
	persist-credentials: false
	- name: Set up Python
	uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
	id: sp
	with:
	python-version: '3.x'
	allow-prereleases: true
	- name: Install uv
	uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57
	with:
	enable-cache: false
	- name: Install Just
	uses: extractions/setup-just@53165ef7e734c5c07cb06b3c8e7b647c5aa16db3

	- name: Run Bandit
	run: \|
	just bandit

	- name: Upload analysis results
	if: ${{ always() }}
	uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
	with:
	name: bandit-results
	path: bandit.sarif
	retention-days: 7

	- name: Upload to code-scanning
	if: ${{ always() }}
	uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13
	with:
	sarif_file: bandit.sarif

Provide feedback