Fix post-transfer coverage and ownership metadata #257

Merged: Navi Bot (project-navi-bot) merged 1 commit into main from codex/fix-codecov-token on Jun 19, 2026

@Fieldnote-Echo Fieldnote-Echo commented Jun 19, 2026

Member

Summary

  • switch core and binding Codecov uploads to OIDC so Codecov authenticates Project-Navi/ordvec after the transfer instead of using a stale repo-token slug
  • add the joint maintainer note to the README provenance area
  • add @toadkicker to CODEOWNERS

Root Cause

After the repository transfer, the README badge points at Project-Navi/ordvec, but Codecov still served unknown. The first token fix made the binding upload authenticate, but the accepted upload was queued under fieldnote-echo/ordvec, which confirmed the stored token path was still tied to the pre-transfer Codecov repository identity.

Using Codecov OIDC with id-token: write binds uploads to the current GitHub repository identity instead of depending on that stale token mapping.

Verification

  • go install github.com/rhysd/actionlint/cmd/actionlint@v1.7.12 && "$(go env GOPATH)/bin/actionlint" -color .github/workflows/coverage.yml .github/workflows/coverage-python.yml
  • git diff --check

Repo Settings

  • Created a GitHub repository invitation for @toadkicker with write permission. CODEOWNERS will become active for that account once the invitation is accepted.
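An added example (not this PR's diff or the project's workflow) of the token-to-OIDC switch described above. The job and step names, the report path and the `@v5` action tag are assumptions; `use_oidc` is the codecov-action input that enables OIDC, and the fork guard reflects that pull requests from forks cannot request an OIDC token.

```yaml
# Added example. Names, paths and the action version are assumptions.
name: coverage-python
on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read            # least-privilege default for every job

jobs:
  binding-coverage:         # hypothetical job name
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write       # allows this job to request a GitHub OIDC token
    steps:
      - uses: actions/checkout@v4
      # ... build and test steps that write coverage.xml (assumed path) ...

      # Before: long-lived upload token stored as a repository secret.
      # Its repository mapping lives on the Codecov side and can go stale.
      # - uses: codecov/codecov-action@v5
      #   with:
      #     token: ${{ secrets.CODECOV_TOKEN }}
      #     files: coverage.xml

      # After: short-lived OIDC token whose claims name the repository
      # the workflow is running in, so no stored secret is needed.
      - name: Upload binding coverage to Codecov
        # Fork PRs cannot mint an OIDC token, so skip the upload there.
        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
        uses: codecov/codecov-action@v5   # assumed tag; pin to a commit SHA in practice
        with:
          use_oidc: true
          files: coverage.xml
          fail_ci_if_error: false
```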

@chatgpt-codex-connector


You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@qodo-code-review


PR Summary by Qodo

Pass CODECOV_TOKEN to binding coverage upload on protected branches
🐞 Bug fix ⚙️ Configuration changes 🕐 Less than 5 minutes

Description

• Pass CODECOV_TOKEN to the Python binding coverage Codecov upload.
• Update workflow comments to reflect Codecov token requirements on protected branches.

Diagram

```mermaid
graph TD
  A["GitHub Actions"] --> B["coverage-python job"] --> C["codecov/codecov-action"] --> D["Codecov"]
```

High-Level Assessment

The following are alternative approaches to this PR:

1. Use Codecov GitHub App / OIDC-based auth (if supported)
  • ➕ Avoids long-lived tokens in GitHub secrets
  • ➕ Centralizes auth via GitHub/Codecov integration
  • ➖ May not be available/viable for the current repo/org setup
  • ➖ More setup effort than a one-line workflow change
  • ➖ Doesn’t help if Codecov still enforces token on protected branches for this integration
2. Set CODECOV_TOKEN as an env var at job/workflow scope
  • ➕ Avoids repeating token input across multiple Codecov upload steps
  • ➕ Standardizes token usage across coverage workflows
  • ➖ Slightly less explicit which step consumes the secret
  • ➖ Still requires ensuring action version/inputs read env as expected

Recommendation: The PR’s approach is the most practical fix: explicitly passing secrets.CODECOV_TOKEN to the Codecov upload step matches Codecov’s protected-branch requirement and keeps behavior consistent with the core coverage workflow. Alternatives (GitHub App/OIDC or setting the token at workflow scope) are worth considering only if you want to reduce token management overhead across multiple workflows.

Files changed (1) +3 / -1

.github/workflows/coverage-python.yml (+3/-1): Add Codecov token to binding coverage upload step

• Updates the workflow documentation comment to reflect Codecov’s token requirement on protected branches. Passes 'secrets.CODECOV_TOKEN' to the Codecov upload step for the binding coverage report.

@qodo-code-review


Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📜 Skill insights (0)


Informational

1. Token missing on forks 🐞 Bug ☼ Reliability
Description
coverage-python.yml now always passes secrets.CODECOV_TOKEN to the Codecov upload step even when the
workflow runs on pull_request, where secrets are not available for forked PRs; this can produce
noisy/failed uploads (though non-blocking due to fail_ci_if_error: false). Consider skipping the
upload step when the token is unavailable to keep PR logs clean and avoid confusion.
Code

.github/workflows/coverage-python.yml[89]

+          token: ${{ secrets.CODECOV_TOKEN }}
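Review bot: The token passed at line 89 of coverage-python.yml is a long-lived stored secret, and the PR description reports that an upload authenticated this way was accepted but queued under fieldnote-echo/ordvec rather than Project-Navi/ordvec. Consider dropping this input in favour of Codecov OIDC with id-token: write on the job, as the final description of this PR does, so the upload is bound to the current repository identity and no upload secret has to be stored or rotated.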
Evidence
The workflow is configured to run on pull_request, and the modified upload step now always passes
secrets.CODECOV_TOKEN, so PR runs will attempt to use that secret.

.github/workflows/coverage-python.yml[24-31]
.github/workflows/coverage-python.yml[83-89]
.github/workflows/coverage.yml[107-113]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The Codecov upload step unconditionally references `secrets.CODECOV_TOKEN` in a workflow that also runs on `pull_request`. For forked PRs, secrets are not available, so the upload will run without a token and may emit avoidable warnings/errors.

## Issue Context
The workflow is intentionally non-blocking (`fail_ci_if_error: false`), but reducing noisy failures makes CI output clearer.

## Fix Focus Areas
- .github/workflows/coverage-python.yml[83-89]
- .github/workflows/coverage-python.yml[24-31]

## Suggested change
Add a guard to the upload step so it only runs when the secret is present, e.g.:

```yaml
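# The `secrets` context is not available in `if:` conditionals, so expose
# the secret as a job-level env var and test that instead.
env:
  CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
steps:
  - name: Upload binding coverage to Codecov
    if: ${{ env.CODECOV_TOKEN != '' }}
    uses: codecov/codecov-action@...
    with:
      ...
      token: ${{ secrets.CODECOV_TOKEN }}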
```

(Alternative: gate uploads to `push`/`workflow_dispatch` only, depending on desired PR behavior.)


@Fieldnote-Echo Nelson Spence (Fieldnote-Echo) changed the title from "Fix Codecov token for binding coverage" to "Fix post-transfer coverage and ownership metadata" on Jun 19, 2026

codecov Bot commented Jun 19, 2026


Welcome to Codecov 🎉

Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.

ℹ️ You can also turn on project coverage checks and project coverage reporting on Pull Request comment

Thanks for integrating Codecov - We've got you covered ☂️

@project-navi-bot Navi Bot (project-navi-bot) merged commit 7dc344d into main Jun 19, 2026
33 checks passed
@project-navi-bot Navi Bot (project-navi-bot) deleted the codex/fix-codecov-token branch June 19, 2026 20:02