From 297052306cf2333541709217f69c0228c93e319f Mon Sep 17 00:00:00 2001 From: "njzjz-bot[bot]" <48687836+njzjz-bot@users.noreply.github.com> Date: Sat, 24 Jan 2026 05:18:03 +0000 Subject: [PATCH] ci: use OIDC for codecov-action Replace token-based authentication with OIDC (OpenID Connect) for codecov-action. This is more secure and eliminates the need to manage upload tokens. Changes: - Add use_oidc: true to codecov-action configuration - Add id-token: write permission at workflow level - Remove token parameter from codecov-action (ignored when using OIDC) This improves security and follows codecov-action best practices. Generated by the task: njzjz-bot/njzjz-bot#25. --- .github/workflows/coverage.yml | 150 +++++++++++++++++---------------- 1 file changed, 76 insertions(+), 74 deletions(-) diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index bb2190d9ee..b0a5834d2c 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml 
@@ -4,85 +4,87 @@ on: workflow_dispatch: push: tags: - - 'v*' + - 'v*' jobs: test-coverage: name: Generate Coverage Report runs-on: X64 container: ghcr.io/deepmodeling/abacus-gnu steps: - - name: Checkout - uses: actions/checkout@v6 - with: - submodules: recursive - - - name: Install Perl Dependencies and Coverage Tools - run: | - apt update && apt install -y curl jq ca-certificates python3-pip - apt install -y lcov perl-modules - apt install -y libcapture-tiny-perl libdatetime-perl libjson-perl libperlio-gzip-perl - lcov --version - - - name: Building with Coverage - run: | - rm -rf build/ - rm -f CMakeCache.txt + - name: Checkout + uses: actions/checkout@v6 + with: + submodules: recursive - mkdir -p build - chmod -R 755 build/ + - name: Install Perl Dependencies and Coverage Tools + run: | + apt update && apt install -y curl jq ca-certificates python3-pip + apt install -y lcov perl-modules + apt install -y libcapture-tiny-perl libdatetime-perl libjson-perl libperlio-gzip-perl + lcov --version - cmake -B build \ - -DENABLE_COVERAGE=ON \ - -DBUILD_TESTING=ON \ - -DENABLE_MLALGO=ON \ - -DENABLE_LIBXC=ON \ - -DENABLE_LIBRI=ON \ - -DENABLE_GOOGLEBENCH=ON \ - -DENABLE_RAPIDJSON=ON \ - -DCMAKE_BUILD_TYPE=Debug \ - -DCMAKE_CXX_FLAGS="--coverage -fprofile-arcs -ftest-coverage" \ - -DCMAKE_EXE_LINKER_FLAGS="--coverage" - cmake --build build -j`nproc` - cmake --install build - - - name: Testing - env: - OMP_NUM_THREADS: 1 - run: | - chmod -R 755 build/ - cmake --build build --target test ARGS="-V --timeout 21600" || echo "Some tests failed but continuing for coverage" - - - name: Generate Coverage Data - run: | - cd build - - lcov --directory . --capture --output-file coverage.info - - lcov --remove coverage.info '/usr/*' '*/test/*' '*/external/*' '*/build/*' --output-file coverage.filtered.info - - genhtml coverage.filtered.info --output-directory coverage-report - - cd .. - - - name: Upload Coverage to Codecov - uses: codecov/codecov-action@v5 - if: ${{ ! 
cancelled() }} - with: - fail_ci_if_error: true - token: ${{ secrets.CODECOV_TOKEN }} - files: ./build/coverage.xml,./build/coverage.info - directory: ./build/ - flags: unittests - name: codecov-umbrella - verbose: true - - - name: Upload Coverage Report Artifact - uses: actions/upload-artifact@v6 - if: always() - with: - name: coverage-report - path: | - build/coverage-report/ - build/coverage.info - build/coverage.xml - retention-days: 30 + - name: Building with Coverage + run: | + rm -rf build/ + rm -f CMakeCache.txt + + mkdir -p build + chmod -R 755 build/ + + cmake -B build \ + -DENABLE_COVERAGE=ON \ + -DBUILD_TESTING=ON \ + -DENABLE_MLALGO=ON \ + -DENABLE_LIBXC=ON \ + -DENABLE_LIBRI=ON \ + -DENABLE_GOOGLEBENCH=ON \ + -DENABLE_RAPIDJSON=ON \ + -DCMAKE_BUILD_TYPE=Debug \ + -DCMAKE_CXX_FLAGS="--coverage -fprofile-arcs -ftest-coverage" \ + -DCMAKE_EXE_LINKER_FLAGS="--coverage" + cmake --build build -j`nproc` + cmake --install build + + - name: Testing + env: + OMP_NUM_THREADS: 1 + run: | + chmod -R 755 build/ + cmake --build build --target test ARGS="-V --timeout 21600" || echo "Some tests failed but continuing for coverage" + + - name: Generate Coverage Data + run: | + cd build + + lcov --directory . --capture --output-file coverage.info + + lcov --remove coverage.info '/usr/*' '*/test/*' '*/external/*' '*/build/*' --output-file coverage.filtered.info + + genhtml coverage.filtered.info --output-directory coverage-report + + cd .. + + - name: Upload Coverage to Codecov + uses: codecov/codecov-action@v5 + if: ${{ ! cancelled() }} + with: + fail_ci_if_error: true + files: ./build/coverage.xml,./build/coverage.info + directory: ./build/ + flags: unittests + name: codecov-umbrella + verbose: true + + use_oidc: true + - name: Upload Coverage Report Artifact + uses: actions/upload-artifact@v6 + if: always() + with: + name: coverage-report + path: | + build/coverage-report/ + build/coverage.info + build/coverage.xml + retention-days: 30 +permissions: + id-token: write
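Review bot: The new workflow-level `permissions:` block at the end of the hunk declares only `id-token: write`, and once any scope is listed GitHub sets every undeclared scope of `GITHUB_TOKEN` to `none`, so the `actions/checkout` step with `submodules: recursive` no longer gets the `contents: read` it had under the default token. Whether that breaks the checkout depends on repository and submodule visibility, which the hunk does not show, but declaring it explicitly costs nothing. Because `id-token: write` is what lets a job mint OIDC tokens, scoping it to the one job that uploads to Codecov is the least-privilege form and also avoids a `permissions:` key trailing after `jobs:`; under `test-coverage:` add `permissions:` / `  contents: read` / `  id-token: write` and drop the workflow-level block. Separately, the added `use_oidc: true` sits after a blank line that splits it from the rest of the step's `with:` keys, while the blank line that used to separate the Codecov step from `- name: Upload Coverage Report Artifact` is gone; keep `use_oidc: true` next to `fail_ci_if_error: true` and restore the blank line between the steps.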