`codecov` API token exposed in workflow file

[matt-graham]

Currently the Codecov API token is included directly in the workflow file:

https://github.com/astro-informatics/s2fft/blob/2c3d9e5af52940846b265d8912fc7ab0296f6891/.github/workflows/tests.yml#L38

In general tokens like this should be stored as a GitHub Actions secret (see for example this guide in Codecov documentation). Ideally we should also use the codecov-action GitHub Actions action to upload.