What product do you want to improve?
uploader and codecov-api
Is your feature request related to a problem? Please describe.
no
Describe the solution you'd like
Currently the minimal GitHub Actions pipeline is the following:

```yaml
- uses: codecov/codecov-action@v3
  with:
    token: ${{ secrets.CODECOV_TOKEN }}
```
However, I would like to propose removing tokens from GHA pipelines. That can be achieved by using GitHub (or GitHub Enterprise) OIDC authentication (https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect).
After the uploader and codecov-api support GitHub OIDC, the new way of doing it should be:
- GitHub OIDC enabled for the repository (is this needed, or is it enabled by default?).
- new GHA pipeline:

```yaml
jobs:
  build:
    permissions: # these are needed after the OIDC change
      id-token: write
      contents: read
    steps:
      ...
      - uses: codecov/codecov-action@v3
```
No more hassle with hardcoded tokens and copy-pasting them!
Basically, you can get the ID token in GitHub Actions (https://github.com/elisa-actions/healthcheck-event/blob/main/src/main.ts#L57) and that can be used for authentication. Of course, codecov-api then needs logic to verify the GitHub ID token correctly.
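As an added example (not codecov's code) of the verification logic the last sentence asks for: after the token's RS256 signature has been checked against GitHub's JWKS endpoint (assumed done, e.g. with PyJWT, and not shown), the API still has to check issuer, audience, validity window and, above all, bind the `repository` claim to the repo the coverage is being uploaded for. The audience value `codecov`, the repo names and the placeholder signature are constructed assumptions.

```python
import base64
import json
import time

# Added example, not codecov's code. Assumes the token's RS256 signature was
# already verified against GitHub's JWKS endpoint (e.g. with PyJWT); these are
# the claim checks codecov-api would still need after that.
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

def decode_jwt_payload(token: str) -> dict:
    """Return the JWT claims; no signature check is done here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def validate_github_oidc_claims(claims: dict, expected_audience: str,
                                expected_repository: str, now=None) -> str:
    """Bind the token to the upload target; return the repository on success.
    Checking `repository` is what stops a token minted in one repo's workflow
    from being used to upload coverage for another repo."""
    now = time.time() if now is None else now
    if claims.get("iss") != GITHUB_ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this audience")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token expired or not yet valid")
    if claims.get("repository") != expected_repository:
        raise ValueError("token was minted for a different repository")
    return claims["repository"]

def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample token with the claim names GitHub Actions issues; the
# audience "codecov" and the "sig" placeholder signature are assumptions.
SAMPLE_CLAIMS = {
    "iss": GITHUB_ISSUER, "aud": "codecov",
    "sub": "repo:octo-org/octo-repo:ref:refs/heads/main",
    "repository": "octo-org/octo-repo", "repository_owner": "octo-org",
    "iat": 1700000000, "nbf": 1700000000, "exp": 1700000300,
}
SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                         _b64url(SAMPLE_CLAIMS), "sig"])
```

The sample token carries a fixed `exp`, so pass an explicit `now` inside its validity window when trying it; a real token from the action would be checked against the current time.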