fix: add id-token write permission to reusable workflow calls
Add explicit id-token: write permission to build, dynamic_tests, and examples
jobs in main.yaml to allow nested jobs to use OIDC authentication.
This fixes the error: "The nested job 'build_typescript' is requesting
'id-token: write', but is only allowed 'id-token: read'."
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
1bcff35
10 hours ago
by kamiazya
fix: restore CODECOV_TOKEN support with OIDC fallback
Restore CODECOV_TOKEN as a fallback authentication method while keeping
OIDC support. This hybrid approach ensures bundle analysis works regardless
of the authentication method configured:
- Token authentication: Uses uploadToken when CODECOV_TOKEN is available
- OIDC authentication: Uses GitHub OIDC when token is not available
- Coverage uploads: Automatically chooses between token and OIDC
Configuration logic:
- enableBundleAnalysis: process.env.CI === 'true' (always enabled in CI)
- uploadToken: Set only if CODECOV_TOKEN exists
- useGitHubOIDC: true only when CODECOV_TOKEN is not available
This fixes the issue where bundle reports were not being uploaded after
removing CODECOV_TOKEN entirely.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>