diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml
index 2ed84470298db..4b74efeb42b79 100644
--- a/.github/workflows/codecov.yml
+++ b/.github/workflows/codecov.yml
@@ -11,6 +11,8 @@ jobs:
     name: collect
     if: github.repository == 'aws/aws-cdk'
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -34,9 +36,9 @@ jobs:
         run: cd packages/aws-cdk && yarn test
 
       - name: Upload results to Codecov
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
         with:
           files: packages/aws-cdk/coverage/cobertura-coverage.xml,packages/aws-cdk-lib/coverage/cobertura-coverage.xml
           fail_ci_if_error: true
           flags: suite.unit
-          token: ${{ secrets.CODECOV_TOKEN }}
+          use_oidc: true