From e90df456c3ad4428cbf4619cf900ba57ebf94f2b Mon Sep 17 00:00:00 2001
From: kdacosta0
Date: Fri, 15 May 2026 15:53:46 +0200
Subject: [PATCH] ci: onboard Codecov with OIDC auth and org-standard config [SECURESIGN-4377]
Add codecov.yml with patch (70%) and project (auto/informational) thresholds. Enable OIDC token auth and use_oidc flag in the existing unit-tests workflow instead of adding a separate coverage workflow.
Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/unit-tests.yml | 3 +++
 codecov.yml | 15 +++++++++++++++
 2 files changed, 18 insertions(+)
 create mode 100644 codecov.yml
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
index 12c35c5..2afb1cd 100644
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@@ -17,6 +17,7 @@ name: Unit Tests
 on: [push, pull_request]
 permissions:
+ id-token: write
 contents: read
 jobs:
@@ -40,6 +41,8 @@ jobs:
 uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
 with:
 files: ./coverage.out
+ flags: unit
+ use_oidc: true
 fail_ci_if_error: false
 test-pkcs11:
diff --git a/codecov.yml b/codecov.yml
new file mode 100644
index 0000000..d85a2ec
--- /dev/null
+++ b/codecov.yml
@@ -0,0 +1,15 @@
+coverage:
+ status:
+ project:
+ default:
+ target: auto
+ informational: true
+ patch:
+ default:
+ target: 70%
+ threshold: 5%
+ informational: true
+
+flag_management:
+ default_rules:
+ carryforward: true
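Review bot: `id-token: write` in the first hunk sits in the workflow-level `permissions:` block, so every job in unit-tests.yml can request an OIDC token, including `test-pkcs11`, which from the visible lines does not appear to upload coverage (its body is outside the hunk). Because the workflow runs on `pull_request` as well as `push`, test code from same-repository branches executes in jobs that hold that permission. I would leave the top-level block at `contents: read` and grant the permission only on the job that runs codecov/codecov-action, with `permissions:`, `id-token: write` and `contents: read` at job level. A job-level block replaces the workflow-level one, so `contents: read` has to be repeated there.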
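Review bot: `use_oidc: true` in the second hunk depends on the `id-token: write` permission, which GitHub does not grant to `pull_request` runs from forks, and the unchanged `fail_ci_if_error: false` below it means a failed upload would not show in the job result. How the pinned action version behaves for fork PRs cannot be told from this diff, so it is worth confirming and recording in a comment above the step, e.g. `# OIDC upload needs id-token: write; fork PRs get no OIDC token - confirm uploads still arrive`. The step and its job start outside the hunk.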
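Review bot: `carryforward: true` under `flag_management.default_rules` in codecov.yml lets Codecov reuse an earlier commit's coverage for any flag that has no upload, which, combined with the non-failing upload step in unit-tests.yml, can make a commit whose upload failed look covered. With only the `unit` flag visible here and uploaded on every push and pull request, carryforward looks unnecessary; consider `carryforward: false` or dropping the `flag_management` block. Separately, both statuses set `informational: true`, so the 70% patch target is advisory; a comment such as `# informational: reported on the PR but never fails the check` would make that explicit.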