diff --git a/.editorconfig b/.editorconfig
index 2d0ad6a2d..9e3048773 100644
--- a/.editorconfig
+++ b/.editorconfig
@@ -7,3 +7,6 @@ indent_size = 4
 max_line_length = 100
 trim_trailing_whitespace = true
 insert_final_newline = true
+
+[.github/*.yaml]
+indent_size = 2
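Review bot: The new section header `[.github/*.yaml]` will not match the workflow file this commit edits, because in EditorConfig globs `*` does not cross path separators and `.github/workflows/main.yaml` sits one directory deeper. As written, the two-space setting applies only to YAML files directly under `.github/`. Use `[.github/**.yaml]` so the rule covers `workflows/` as well.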
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 93909fbef..81226ed02 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -8,6 +8,8 @@ jobs:
 
   test:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     strategy:
       matrix:
         python-version:
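Review bot: `id-token: write` is granted to the whole `test` job, so every step in it can request an OIDC token for the repository, not only the Codecov upload added later in this commit. That includes the package installs from the `http://` PPA, `pdm install --dev` and the test run itself. If anything else trusts this repository's OIDC identity, consider moving the upload into a small follow-up job that takes `coverage.xml` as an artifact and is the only job holding this permission. A job-level `permissions:` block also sets every unlisted scope to none, so state the read access the job needs explicitly, e.g. `contents: read`. The workflow trigger is outside this hunk; if the job runs for pull requests from forks, the OIDC token will presumably be unavailable there and the upload step needs a fallback.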
@@ -41,7 +43,6 @@ jobs:
         sudo add-apt-repository 'deb http://ppa.launchpad.net/sri-csl/formal-methods/ubuntu bionic main'
         sudo apt-get update
         sudo apt-get install yices2
-        pip install codecov build
         pdm install --dev
     - name: Cache YoWASP build products
       uses: actions/cache@v4
@@ -53,9 +54,16 @@ jobs:
     - name: Run tests
       run: |
         pdm run test
-    - name: Submit code coverage
-      run: |
-        codecov
+        pdm run python -m coverage xml
+    - name: Upload coverage to Codecov
+      uses: codecov/codecov-action@v4
+      env:
+        PYTHON: ${{ matrix.python-version }}
+      with:
+        use_oidc: true
+        token: ${{ secrets.CODECOV_TOKEN }}
+        env_vars: PYTHON
+        file: ./coverage.xml
 
   smoketest: # If we plug this into downstream projects, does magic smoke escape?
     runs-on: ubuntu-latest
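Review bot: The upload step passes `token: ${{ secrets.CODECOV_TOKEN }}` alongside `use_oidc: true`, and the action's documentation says a supplied token is ignored when OIDC is enabled. The secret is therefore exposed to a third-party action for no benefit, so drop the `token:` line or drop `use_oidc` and the `id-token` permission, but not both. The action is also referenced by the mutable tag `@v4` while it now runs with an OIDC-capable job token. Pinning it to a full commit SHA, as in `uses: codecov/codecov-action@<full-commit-sha> # v4`, keeps a retagged release from changing what executes here. Separately, `pdm run python -m coverage xml` assumes `coverage` is in the pdm dev dependencies now that the `pip install codecov build` line is gone, which should be confirmed since the dependency list is not visible in this diff.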
@@ -260,4 +268,4 @@ jobs:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       with:
         tag_name: ${{ github.ref_name }}
-        release_name: ${{ steps.metadata.outputs.name }}
\ No newline at end of file
+        release_name: ${{ steps.metadata.outputs.name }}