From 55e02f8fdc6885f4abe3db25ce48984a35e78f15 Mon Sep 17 00:00:00 2001
From: Hyeseong Kim
Date: Wed, 17 Jun 2026 08:09:01 +0900
Subject: [PATCH 1/2] Update coverage.yml to use OIDC for Codecov

Always prefer the tokenless method if available. There are no needs to use permanent token here for public repo. It supports verifying repo via OIDC.
---
 .github/workflows/coverage.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index 997f97a58fb..21c460a2490 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -19,6 +19,8 @@ env:
 jobs:
 coverage:
 runs-on: ubuntu-24.04-arm
+ permissions:
+ id-token: write
 env:
 OS: ubuntu-24.04-arm
 OCAML_COMPILER: 5.3.0
@@ -200,4 +202,4 @@ jobs:
 with:
 files: _coverage/coverage.json
 fail_ci_if_error: false
- token: ${{ secrets.CODECOV_TOKEN }}
+ use_oidc: true
From daadf3335ea1037c6469b91ef82d848e15bce87e Mon Sep 17 00:00:00 2001
From: Hyeseong Kim
Date: Wed, 24 Jun 2026 21:56:01 +0900
Subject: [PATCH 2/2] fix & clarify permissions use

---
 .github/workflows/coverage.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index 21c460a2490..d1966af776b 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -20,7 +20,8 @@ jobs:
 coverage:
 runs-on: ubuntu-24.04-arm
 permissions:
- id-token: write
+ actions: write # For build cache overwriting
+ id-token: write # For CodeCov OIDC
 env:
 OS: ubuntu-24.04-arm
 OCAML_COMPILER: 5.3.0
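Review bot: The `id-token: write` grant added under `coverage:` applies to every step of the job, not only to the Codecov upload that the second hunk shows roughly 180 lines further down, so any build or test step in between can also request an OIDC token that identifies this repository and workflow. If the upload can move to a small follow-up job that receives `_coverage/coverage.json` as an artifact, only that job needs `id-token: write` and the build job can run without it. Declaring `permissions:` at job level also sets every scope that is not listed to `none`; PATCH 2/2 restores `actions`, and an explicit `contents: read` would keep a checkout step (outside this hunk, assumed present) from depending on the repository being public. The job body continues outside the hunk.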
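Review bot: With `use_oidc: true` next to the unchanged `fail_ci_if_error: false`, a run that cannot obtain an OIDC token is expected to skip the upload without failing the job, so missing coverage would go unnoticed. GitHub does not grant `id-token: write` to `pull_request` runs from forks, so if this workflow runs on fork pull requests (the triggers are outside the hunk) those runs would likely lose their upload; one option is `use_oidc: ${{ !(github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork) }}` so forks fall back to the tokenless path. Once this is merged the `CODECOV_TOKEN` secret is no longer read here, and it can be deleted from the repository settings and revoked on the Codecov side if no other workflow uses it. The `uses:` line is outside the hunk, so confirm that the pinned action version accepts `use_oidc`.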
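Review bot: `actions: write` covers more than cache management: the same scope lets any step in the job cancel workflow runs and delete artifacts, and it is now granted job-wide alongside `id-token: write`. The comment `# For build cache overwriting` would help a later reviewer more if it named the consumer, for example `actions: write # delete the stale cache entry before re-saving (step: <cache step name>)`; that step is not visible in this hunk. If only one step deletes caches, check whether it can run in a separate job so the build and test steps do not hold this scope. Minor: the product is spelled `Codecov` in the subject of PATCH 1/2 and `CodeCov` in the new comment.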