Document duplicated CODECOV_TOKEN in GitHub settings

.github/workflows/main.yml

@@ -6,20 +6,6 @@ on:
   push:
     branches:
     - main
-
-  # Though GitHub's documentation mostly says you only need this for reusable
-  # workflows (i.e. workflows that call other workflows), it seems that GitHub
-  # does not pass secrets to `pull_request` events that come from forks (which
-  # it seems Dependabot's PRs do?) unless they are explicitly passed through,
-  # because they do not want a forker's PR to be able to exfiltrate secret data
-  # from the forked repo. This behavior is not really documented with respect to
-  # Dependabot but some hints are here:
-  # - https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#using-secrets-in-a-workflow
-  # - https://github.com/pypa/gh-action-pypi-publish/discussions/49
-  workflow_call:
-    secrets:
-      CODECOV_TOKEN:
-        required: true
 jobs:
   ci:
     name: CI
@@ -57,6 +43,9 @@ jobs:
       with:
         files: ./coverage/coverage.xml
         fail_ci_if_error: true # optional (default = false)
+        # NOTE: If you change this secret, you must change it under the repo
+        # secrets settings for both GitHub Actions *and* Dependabot secrets. For
+        # more context, see: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#responding-to-events
         token: ${{ secrets.CODECOV_TOKEN }}
         verbose: true # optional (default = false)
       if: matrix.ruby == 3.3