I am also interested in a way of using GitHub Actions without a token.
I feel that my case might be a bit unique in which directs me in needing this ability.
I am apart of an Open Source organization that has hundreds of projects which have separate communities of contributors. The organization administrators take security and repo management very strictly. I am only a member of the repos that can contribute directly to the repo. We do not have access to GH repo or org settings.
I feel that the organization admins are willing to get the upload token and add it to our repo settings as a “secret” for GH Actions. The downside is when they attempt to login to Codecov, it requires read and write access to repository webhooks and services.
Write access is something they can not approve of for security purposes.
As of right now, we can not use Codecov with GH Actions until you can find a solution that does not require tokens or remove write access so they can log in and get the token.
In the meantime, we can continue to use Codecov with Travis CI to use the service but we would like to move away from Travis CI. Their service resources are limited across the organization and as I said earlier there are hundreds of projects which consume so much of the resources.
I hope we find some solution!