I am planning to use the upload token in the Codecov YAML file so that even PRs using local builds send the correct coverage report. That being said, I am a little concerned about its security. Is it safe to hard-code the token and let the whole world see it? The other alternative seems to be using it as an env variable. But the CircleCI doc mentions there are some security issues there. You can read it here: https://circleci.com/docs/2.0/oss/#pass-secrets-to-builds-from-forked-pull-requests.
Overall, I want to ask what the problems will be if the upload token is exposed. I would really appreciate it if you could help me out here.