improve github actions security

- pin cancel-workflow-action to a specific SHA, since it has access to a
  GITHUB_TOKEN
- remove codecov token from action, since it's not needed for public repos

Author: willnorris

.github/workflows/tests.yml

@@ -30,7 +30,7 @@ jobs:
 
     steps:
     - name: Cancel previous
-      uses: styfle/cancel-workflow-action@0.8.0
+      uses: styfle/cancel-workflow-action@89f242ee29e10c53a841bfe71cc0ce7b2f065abc #0.9.0
       with:
         access_token: ${{ github.token }}
 
@@ -72,5 +72,3 @@ jobs:
     - name: Upload coverage to Codecov
       if: ${{ matrix.update-coverage }}
       uses: codecov/codecov-action@v1
-      with:
-        token: ${{ secrets.CODECOV_TOKEN }}