diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 74e4c14cd..00722b0e3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -38,9 +38,24 @@ jobs:
 - uses: codecov/codecov-action@v4
 with:
 file: lcov.info
- fail_ci_if_error: true
- env:
- CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+ # This is a public repo.
+ # We are using v4 of the codecov-action.
+ # If the PR is from a fork, then Codecov allows us to use
+ # tokenless Codecov uploads (because the repo is public).
+ # If the PR is not from a fork, then Codecov does not allow
+ # us to use tokenless Codecov uploads, and thus we must use
+ # the `CODECOV_TOKEN` token.
+ # Tokenless Codecov uploads are prone to random failures,
+ # due to Codecov's servers hitting GitHub rate limits.
+ # Therefore:
+ # 1. If this CI run is not a PR run, we set `fail_ci_if_error` to `true`.
+ # 2. If this CI run is a PR run and the PR is not from a fork, we set `fail_ci_if_error` to `true`.
+ # 3. If this CI run is a PR run and the PR is from a fork, we set `fail_ci_if_error` to `false`.
+ fail_ci_if_error: ${{ (github.event_name != 'pull_request') || (github.repository == github.event.pull_request.head.repo.full_name) }}
+ # `${{ secrets.CODECOV_TOKEN }}` will be empty if the PR is from a fork,
+ # because GitHub does not make secrets available if the PR is from a fork
+ # and the base repo is public.
+ token: ${{ secrets.CODECOV_TOKEN }}
 docs:
 permissions:
 contents: write
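Review bot: The `fail_ci_if_error` expression treats "head repo equals base repo" as meaning the `CODECOV_TOKEN` secret is present, but that does not hold for Dependabot-opened PRs: they come from a branch in the same repository, yet GitHub withholds Actions secrets from them just as it does for forks. Should Dependabot be enabled here (not visible in this hunk), such runs would pass an empty `token` with `fail_ci_if_error` set to `true`, and by the commit's own comment Codecov rejects tokenless uploads for non-fork PRs. Consider excluding that actor, e.g. `fail_ci_if_error: ${{ github.event_name != 'pull_request' || (github.repository == github.event.pull_request.head.repo.full_name && github.actor != 'dependabot[bot]') }}`. Separately, the step now hands the secret to `codecov/codecov-action@v4` through `token:`, and `@v4` is a mutable tag; pinning the action to a full commit SHA would keep a retagged release from receiving the token. The job and the workflow's `on:` triggers start above the hunk, so the event types this expression has to cover cannot be confirmed from here.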