From 55e02f8fdc6885f4abe3db25ce48984a35e78f15 Mon Sep 17 00:00:00 2001
From: Hyeseong Kim <hey@hyeseong.kim>
Date: Wed, 17 Jun 2026 08:09:01 +0900
Subject: [PATCH] Update coverage.yml to use OIDC for Codecov

Always prefer the tokenless method if available. There are no needs to use permanent token here for public repo. It supports verifying repo via OIDC.
---
 .github/workflows/coverage.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index 997f97a58fb..21c460a2490 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -19,6 +19,8 @@ env:
 jobs:
   coverage:
     runs-on: ubuntu-24.04-arm
+    permissions:
+      id-token: write
     env:
       OS: ubuntu-24.04-arm
       OCAML_COMPILER: 5.3.0
@@ -200,4 +202,4 @@ jobs:
         with:
           files: _coverage/coverage.json
           fail_ci_if_error: false
-          token: ${{ secrets.CODECOV_TOKEN }}
+          use_oidc: true