Hello! I've recently updated a number of projects in our org to use the latest versions of the codecov action.
I see now that the codecov CLI is used to power this action, and that it requires a token. No problem, I went and got the token for the repositories in question, and all seemed to work... until we got a PR from a fork (something that happens quite frequently in our case). This results in a problem: secrets aren't available in PRs from forks (unless we use the pull_request_target trigger, which would allow malicious actors to potentially exfiltrate our secret(s)).
So my question is, as an open-source project, how am I supposed to use the new action? I want to run the coverage analysis on the new code (which is untrusted) but in order to do that, I need to run in a trusted environment to get access to the secret. Am I missing something? 🤔
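For comparison, an added illustration (not from the post, and not Codecov's own documentation) of the two shapes the question contrasts: the `pull_request_target` workflow that hands the secret to untrusted fork code, and a split in which the `pull_request` job runs the tests with no secret in reach and a separate `workflow_run` job in the base repository's trusted context performs the upload. The `make test-coverage` target, the `coverage.xml` path and the `override_commit` input are assumptions.

```yaml
# --- weak shape: secret and untrusted code in the same job (constructed) ---
on: pull_request_target            # runs with base-repo secrets...
jobs:
  coverage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # ...but checks out fork code
      - run: make test-coverage    # fork-controlled code now runs beside CODECOV_TOKEN
      - uses: codecov/codecov-action@v4
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
---
# --- test.yml: untrusted stage, no secret needed or available ---
name: test
on: pull_request
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test-coverage    # assumed to write coverage.xml
      - uses: actions/upload-artifact@v4
        with:
          name: coverage
          path: coverage.xml
---
# --- upload.yml: trusted stage; must live on the default branch to trigger ---
name: upload-coverage
on:
  workflow_run:
    workflows: [test]
    types: [completed]
jobs:
  upload:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      # only the report artifact is fetched; PR code is never checked out or run here
      - uses: actions/download-artifact@v4
        with:
          name: coverage
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: codecov/codecov-action@v4
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          files: coverage.xml
          override_commit: ${{ github.event.workflow_run.head_sha }}  # assumed input
```

The artifact is the only thing that crosses the trust boundary, so a malicious PR can at most submit a bogus coverage report, not read the token.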