The issue is manifested in the "tokenless" flow that was introduced to support v4. It would appear we're performing checks to verify provenance, which doesn't afford that much protection.
Also, explore making the token requirement for open source repos optional to alleviate challenges in setting up Codecov. However, this needs some level of privilege so a bad actor cannot simply make it a requirement.
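As an added illustration of the two points above (not code from Codecov or from this note's author), the sketch below models an upload endpoint with a per-repo "token required" setting that only a repo admin may change, and a tokenless path that falls back to a provenance cross-check against the CI provider. Every name here (`Repo`, `require_token`, `ci_lookup`, the role strings, the CI job table) is an assumption made for the example; the CI job table is constructed data standing in for a real CI API query.

```python
import hmac
from dataclasses import dataclass, field

# Hypothetical role names; assumed for this example, not Codecov's model.
ADMIN, WRITE, READ = "admin", "write", "read"


@dataclass
class Repo:
    name: str
    public: bool
    upload_token: str                      # per-repo secret shared with CI
    require_token: bool = True             # safe default: a token is always required
    roles: dict = field(default_factory=dict)  # user -> role


def set_token_requirement(repo, actor, required):
    """Relaxing (or re-imposing) the token requirement is a privileged action.

    Only an admin of the repo may flip it, and it may only be relaxed for a
    public repo, so a contributor with write access cannot open the door.
    """
    if repo.roles.get(actor) != ADMIN:
        raise PermissionError(f"{actor} may not change upload settings for {repo.name}")
    if not repo.public and not required:
        raise ValueError("tokenless uploads are only allowed for public repos")
    repo.require_token = required
    return repo.require_token


def token_ok(repo, presented):
    """Constant-time comparison of the presented upload token."""
    if presented is None:
        return False
    return hmac.compare_digest(repo.upload_token, presented)


# Constructed stand-in for the CI provider's job API (job id -> metadata).
CI_JOBS = {
    "job-1001": {"repo": "acme/widget", "commit": "abc123", "status": "running"},
    "job-1002": {"repo": "acme/widget", "commit": "def456", "status": "passed"},
}


def ci_lookup(job_id):
    return CI_JOBS.get(job_id)


def provenance_ok(upload, lookup=ci_lookup):
    """Tokenless path: confirm the claimed CI job exists for this repo and commit.

    Note the limited assurance this gives: it only shows that some job with the
    claimed id ran against that commit, which is why the note above treats it
    as weaker than possession of the token.
    """
    job = lookup(upload.get("ci_job_id"))
    return (
        job is not None
        and job["repo"] == upload.get("repo")
        and job["commit"] == upload.get("commit")
        and job["status"] in ("running", "passed")
    )


def accept_upload(repo, upload, lookup=ci_lookup):
    """Decide an upload: token first, tokenless provenance only if the repo allows it."""
    if token_ok(repo, upload.get("token")):
        return "accepted:token"
    if repo.require_token:
        return "rejected:token-required"
    if provenance_ok(upload, lookup):
        return "accepted:tokenless"
    return "rejected:provenance"


def make_demo_repo():
    """Constructed public repo with one admin and one write-only user."""
    return Repo(
        name="acme/widget",
        public=True,
        upload_token="s3cr3t-upload-token",
        roles={"alice": ADMIN, "bob": WRITE},
    )


if __name__ == "__main__":
    r = make_demo_repo()
    print(accept_upload(r, {"repo": r.name, "commit": "abc123", "ci_job_id": "job-1001"}))
    set_token_requirement(r, "alice", False)
    print(accept_upload(r, {"repo": r.name, "commit": "abc123", "ci_job_id": "job-1001"}))
```

The design point is that the relaxation itself is the sensitive operation: the default stays "token required", flipping it is an admin-only action restricted to public repos, and even then a tokenless upload must still be tied to a CI job for the exact repo and commit it claims to cover.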