diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 20aeb39..e176a2e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -66,7 +66,7 @@ jobs:
 
       - name: Upload coverage to Codecov
         if: matrix.python-version == '3.13'
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v6
         with:
           files: coverage.xml
           fail_ci_if_error: false
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ea5cd0c..012dad2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 
+- **Bump github-actions group: codecov/codecov-action 5→6** (#23)
 - **`.github/dependabot.yml`** commit-message prefix changed from `"chore(deps)"` to `"chore"` across all three ecosystems (pip, github-actions, docker). Combined with the existing `include: "scope"` setting, this restores the canonical Dependabot title format `chore(deps): bump <pkg>` instead of the doubled `chore(deps)(deps): bump <pkg>` produced by the previous config (Dependabot auto-appends `(deps)` when `include: scope` is set, so the prefix must be bare). Surfaced live on PRs #23 and #24, which exhibited the doubled prefix.
 
 - `deploy/README.md` gains an `## Alternative HTTPS exposure: