To follow up on my own question, looking at the Github Actions console output, the default git fetch command used by actions/checkout does include --depth=1.
So, the answer is yes: If using actions/checkout in a workflow, fetch-depth needs to be explicitly set to override the default value of 1. Our workflow now contains this step:
steps:
- uses: actions/checkout@v2
with:
fetch-depth: 0
Which cleared up the Codecov error message regarding the commit SHA.