Description
The Codecov upload step in CI uses ${{ secrets.CODECOV_TOKEN }}, which is unavailable on pull_request runs from forks (GitHub does not expose repository secrets to fork PRs). For a public repo the upload still works without a token, but it may be unreliable or produce confusing warnings. The step should be hardened so it degrades gracefully.
Scope
Notes
Description
The Codecov upload step in CI uses
${{ secrets.CODECOV_TOKEN }}, which is unavailable onpull_requestruns from forks (GitHub does not expose repository secrets to fork PRs). For a public repo the upload still works without a token, but it may be unreliable or produce confusing warnings. The step should be hardened so it degrades gracefully.Scope
ifcondition so it only runs when the token is available (e.g.if: secrets.CODECOV_TOKEN != ''or restrict topushevents / non-fork PRs)continue-on-error: trueso a missing token doesn't fail the workflowNotes
files: coverage.xmlalongside the token, so autodiscovery is no longer a concern.github/workflows/ci.yml, lines 35–40