Implement Github OIDC authentication to Github actions

[zetaab]

What product do you want to improve?
uploader and codecov-api

Is your feature request related to a problem? Please describe.
no

Describe the solution you'd like
Currently minimal github action pipeline is following:

- uses: codecov/codecov-action@v3
  with:
    token: ${{ secrets.CODECOV_TOKEN }}

However, the I would like to propose removal of tokens in GHA pipelines. That can be achieved by using Github (or github enterprise) OIDC authentications (https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect).

After uploader and codecov-api supports Github oidc the new way of doing should be:

1. github oidc enabled to repository (is this needed or enabled by default?).
2. new gha pipeline:

jobs:
  build:
    permissions: # these are needed after oidc change
      id-token: write
      contents: read
    steps:
    ...
    - uses: codecov/codecov-action@v3

No more hassle with the hardcoded tokens and copy pasting them!

Basically, you can get the id token in github actions https://github.com/elisa-actions/healthcheck-event/blob/main/src/main.ts#L57 and that can be used for authenticating. Of course then codecov-api needs logic to verify the github id token correctly.

[rohan-at-sentry]

@zetaab I'm a PM at Codecov 👋

Thanks for raising this and opening up PRs for the the codecov action and codecov api as well. As @thomasrockhu-codecov noted in your PR, a vast majority of our customers aren't using the OIDC.

Having said that, I'd like to use discussion as way to gather more feedback on this, so I'm converting this into a discussion. I'll keep an eye on this here on out, and if we decide to move forward, I'll respond back here.

[rohan-at-sentry]

@zetaab FYI converting an issue to discussion on Github locks the original issue so while it may appear like you're locked out of the discussion, that is most assuredly not the case.

[zetaab]

of course people are not using Github OIDC with Codecov because its not supported (yet). But as I see it: it is modern way of handling authentication. It is more secure than static tokens. After OIDC there is no need like "global tokens", because you just do not need those anymore.

We have been using codecov/codecov-action#1054 & codecov/codecov-api#90 2 weeks now in our self-hosted installation. And trust me: its better than sliced bread. It was really fast process to add 50+ repos, because there was no need to add any secrets. It was just copy pasting those few lines to Github action pipelines.

[eliatcodecov]

Hey @zetaab , this is really cool! Thanks for opening a this discussion, and thanks to you and @juho9000 for opening some draft PRs that take a stab at implementing this functionality. We'll pass it on to one of our engineers for review and see if/when/how we could get something like this integrated based on the work you've already done.

[zetaab]

@rohan-at-sentry & @eliatcodecov we are not really happy how codecov is currently handling different (opensourced) repositories. OIDC was already working for github sometime (and with our custom github-actions). However, codecov itself broke everything and there has been issue open for 3 weeks now. codecov/codecov-api#359

If you take contributions to your repositories, it is the least that you could do that you do not break everything between versions. Thank you!

[rohan-at-sentry]

@zetaab apologies for not responding to that issue earlier, it slipped thru the cracks. Drop of support was not intentional, we'll work on getting this working again quickly