https://github.com/TheKevJames/coveralls-python/blob/master/.github/workflows/build.yml grants OIDC privileges to transitive build dependencies. This carries a risk of impersonation and privilege escalation in external systems.
Here is the guide showing how to split the jobs following the principle of least privilege: https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/.