diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index fce7118..debdfe8 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -108,8 +108,27 @@ jobs:
       - name: cargo test
         run: cargo test --locked --all-features --all-targets
   coverage:
-    # use llvm-cov to build and collect coverage and outputs in a format that is compatible with
-    # codecov.io
+    # use llvm-cov to build and collect coverage and outputs in a format that
+    # is compatible with codecov.io
+    #
+    # note that codecov as of v4 requires that CODECOV_TOKEN from
+    #
+    #   https://app.codecov.io/gh/<user or org>/<project>/settings
+    #
+    # is set in two places on your repo:
+    #
+    # - https://github.com/jonhoo/guardian/settings/secrets/actions
+    # - https://github.com/jonhoo/guardian/settings/secrets/dependabot
+    #
+    # (the former is needed for codecov uploads to work with Dependabot PRs)
+    #
+    # PRs coming from forks of your repo will not have access to the token, but
+    # for those, codecov allows uploading coverage reports without a token.
+    # it's all a little weird and inconvenient. see
+    #
+    #   https://github.com/codecov/feedback/issues/112
+    #
+    # for lots of more discussion
     runs-on: ubuntu-latest
     name: ubuntu / stable / coverage
     steps:
@@ -127,7 +146,11 @@ jobs:
         run: cargo generate-lockfile
       - name: cargo llvm-cov
         run: cargo llvm-cov --locked --all-features --lcov --output-path lcov.info
+      - name: record Rust version
+        run: echo "RUST=$(rustc --version)" >> "$GITHUB_ENV"
       - name: Upload to codecov.io
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v4
         with:
           fail_ci_if_error: true
+          token: ${{ secrets.CODECOV_TOKEN }}
+          env_vars: OS,RUST