As of v4, a token is required for upload.
Changelog link

Some of our uploading workflows are in a pull_request trigger, which won't have access to secrets, and switching to pull_request_target just for that isn't worth the risk.

See this discussion for context: #3857 (comment)

Perhaps tokenless uploading will come back in later versions? maybe we use a different way of visualizing codecov?

This issue has been marked stale because it has been open for 60 days with no activity.