From 2bcd081ff25ef7cc08e6c8ea4674ff2129b085a3 Mon Sep 17 00:00:00 2001
From: fargito <fr.farge96@gmail.com>
Date: Tue, 18 Nov 2025 14:33:47 +0100
Subject: [PATCH] docs: recommend OpenID Connect instead of static token

---
 README.md                               | 24 ++++++++++++++++++------
 examples/nodejs-typescript-codspeed.yml |  6 ++++--
 examples/python-pytest-codspeed.yml     |  4 +++-
 examples/rust-cargo-codspeed.yml        |  4 +++-
 4 files changed, 28 insertions(+), 10 deletions(-)

diff --git a/README.md b/README.md
index 7c50083..c9e21f7 100644
--- a/README.md
+++ b/README.md
@@ -23,10 +23,16 @@ GitHub Actions for running [CodSpeed](https://codspeed.io) in your CI.
     # More details on the instruments at https://docs.codspeed.io/instruments/
     mode: "instrumentation"
 
-    # [REQUIRED for private repositories]
-    # The CodSpeed upload token: can be found at https://codspeed.io/<org>/<repo>/settings
+    # [OPTIONAL]
+    # CodSpeed recommends using OpenID Connect (OIDC) for authentication.
+    #
+    # If you are not using OpenID Connect, set the CodSpeed upload token
+    # that can be found at https://codspeed.io/<org>/<repo>/settings
     # It's strongly recommended to use a secret for this value
-    # If you're instrumenting a public repository, you can omit this value
+    # If you're instrumenting a public repository, you can omit this value altogether
+    #
+    # More information in the CodSpeed documentation:
+    # https://codspeed.io/docs/integrations/ci/github-actions#authentication
     token: ""
 
     # [OPTIONAL]
@@ -84,6 +90,9 @@ jobs:
   benchmarks:
     name: Run benchmarks
     runs-on: ubuntu-latest
+    permissions: # optional for public repositories
+      contents: read
+      id-token: write # for OpenID Connect authentication with CodSpeed
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v3
@@ -97,7 +106,6 @@ jobs:
         uses: CodSpeedHQ/action@v4
         with:
           mode: instrumentation
-          token: ${{ secrets.CODSPEED_TOKEN }}
           run: pytest tests/ --codspeed
 ```
 
@@ -123,6 +131,9 @@ jobs:
   name: Run benchmarks
   benchmarks:
     runs-on: ubuntu-latest
+    permissions: # optional for public repositories
+      contents: read
+      id-token: write # for OpenID Connect authentication with CodSpeed
     steps:
       - uses: actions/checkout@v4
 
@@ -141,7 +152,6 @@ jobs:
         with:
           mode: instrumentation
           run: cargo codspeed run
-          token: ${{ secrets.CODSPEED_TOKEN }}
 ```
 
 ## Node.js with `codspeed-node`, TypeScript and `vitest`
@@ -166,6 +176,9 @@ jobs:
   benchmarks:
     name: Run benchmarks
     runs-on: ubuntu-latest
+    permissions: # optional for public repositories
+      contents: read
+      id-token: write # for OpenID Connect authentication with CodSpeed
     steps:
       - uses: actions/checkout@v4
 
@@ -179,5 +192,4 @@ jobs:
         with:
           mode: instrumentation
           run: npx vitest bench
-          token: ${{ secrets.CODSPEED_TOKEN }}
 ```
diff --git a/examples/nodejs-typescript-codspeed.yml b/examples/nodejs-typescript-codspeed.yml
index d6b5c5d..8780575 100644
--- a/examples/nodejs-typescript-codspeed.yml
+++ b/examples/nodejs-typescript-codspeed.yml
@@ -10,9 +10,12 @@ on:
   workflow_dispatch:
 
 jobs:
-  name: Run benchmarks
   codspeed:
+    name: Run benchmarks
     runs-on: ubuntu-latest
+    permissions: # optional for public repositories
+      contents: read
+      id-token: write # for OpenID Connect authentication with CodSpeed
     steps:
       - uses: actions/checkout@v4
 
@@ -26,4 +29,3 @@ jobs:
         with:
           mode: instrumentation
           run: node -r esbuild-register benches/bench.ts
-          token: ${{ secrets.CODSPEED_TOKEN }}
diff --git a/examples/python-pytest-codspeed.yml b/examples/python-pytest-codspeed.yml
index 5a5ab38..1f52755 100644
--- a/examples/python-pytest-codspeed.yml
+++ b/examples/python-pytest-codspeed.yml
@@ -13,6 +13,9 @@ jobs:
   codspeed:
     name: Run benchmarks
     runs-on: ubuntu-latest
+    permissions: # optional for public repositories
+      contents: read
+      id-token: write # for OpenID Connect authentication with CodSpeed
     steps:
       - uses: actions/checkout@v4
 
@@ -28,4 +31,3 @@ jobs:
         with:
           mode: instrumentation
           run: pytest tests/ --codspeed
-          token: ${{ secrets.CODSPEED_TOKEN }}
diff --git a/examples/rust-cargo-codspeed.yml b/examples/rust-cargo-codspeed.yml
index f7da761..e93f6ab 100644
--- a/examples/rust-cargo-codspeed.yml
+++ b/examples/rust-cargo-codspeed.yml
@@ -13,6 +13,9 @@ jobs:
   codspeed:
     name: Run benchmarks
     runs-on: ubuntu-latest
+    permissions: # optional for public repositories
+      contents: read
+      id-token: write # for OpenID Connect authentication with CodSpeed
     steps:
       - uses: actions/checkout@v4
 
@@ -31,4 +34,3 @@ jobs:
         with:
           mode: instrumentation
           run: cargo codspeed run
-          token: ${{ secrets.CODSPEED_TOKEN }}