update setup-just, move codecov to oidc and scorecard token to a prot… (#164)

* update setup-just, move codecov to oidc and scorecard token to a protected env

* fix oidc perms

Author: bckohan

.github/workflows/release.yml

@@ -25,9 +25,8 @@ jobs:
     permissions:
       contents: read
       actions: write
+      id-token: write
     uses: ./.github/workflows/test.yml
-    secrets:
-      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 
   build:
     name: Build Package

.github/workflows/scorecard.yml

@@ -15,6 +15,10 @@ jobs:
   analysis:
     name: Scorecard analysis
     runs-on: ubuntu-latest
+    environment:
+      name: scorecard
+      deployment: false  # Prevents creating a GitHub deployment object
+    
     permissions:
       security-events: write
       id-token: write

.github/workflows/test.yml

@@ -10,9 +10,6 @@ on:
   pull_request:
   merge_group:
   workflow_call:
-    secrets:
-      CODECOV_TOKEN:
-        required: true
   workflow_dispatch:
     inputs:
       debug:
@@ -192,6 +189,9 @@ jobs:
   coverage-combine:
     needs: [linux, macos, windows]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
@@ -225,5 +225,6 @@ jobs:
       - name: Upload coverage to Codecov
         uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2
         with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          file: ./coverage.xml
+          use_oidc: true
+          files:
+            ./coverage.xml