diff --git a/.github/workflows/build-pipeline.yml b/.github/workflows/build-pipeline.yml
index e4c475d0..abdc906e 100644
--- a/.github/workflows/build-pipeline.yml
+++ b/.github/workflows/build-pipeline.yml
@@ -6,7 +6,9 @@ on:
   pull_request:
     branches: [ master ]
   workflow_call:
-    secrets: {}
+    secrets:
+      CODECOV_TOKEN:
+        required: true
     outputs:
       hashes:
         description: "Hashes of the artifacts that were built"
@@ -152,8 +154,9 @@ jobs:
           pattern: coverage-*
           path: ./reports/
       - name: Upload all coverage reports to Codecov
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v4
         with:
+          token: ${{ secrets.CODECOV_TOKEN }}
           directory: ./reports/
           flags: unittests
           env_vars: OS,PYTHON
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 30d8d073..f5c459a4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,10 +11,12 @@ on:
 jobs:
   ci:
     name: Run CI pipeline
-    uses: MatthiasValvekens/pyHanko/.github/workflows/build-pipeline.yml@master
+    uses: MatthiasValvekens/pyHanko/.github/workflows/build-pipeline.yml@ci/codecov-bump
     permissions:
       actions: write
       contents: read
+    secrets:
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
   extract-params:
     name: Determine release parameters
     runs-on: ubuntu-latest