fix(ci): use workflow_run for fork-safe PR coverage comments

[apuchmarcos]

Summary

Fix CI failure (GraphQL: Resource not accessible by integration) when posting coverage comments on PRs from forks.

The GITHUB_TOKEN for fork-based PRs is read-only, so gh pr comment fails. This PR moves coverage comment posting to a separate workflow_run-triggered workflow, which runs from main with the base repo's token — making it fork-safe.

Changes:

• ci-cd.yml: Removed pull-requests: write permission and the direct gh pr comment step from build-and-test. Added steps to save coverage data (summary, total, PR number) as an artifact.
• coverage-comment.yml (new): Triggered by workflow_run on CI/CD completion. Downloads coverage artifact, validates PR number and coverage total, and posts the comment.

Type of change

• Bug fix
• New feature
• Breaking change
• Documentation update
• Refactor / maintenance

How to test

1. Merge to main (required — workflow_run workflows only run from the default branch).
2. Open a PR and verify the coverage comment is posted after CI completes.
3. Optionally test with a fork PR to confirm fork-safety.

Checklist

• I ran make test (or equivalent) and it passed.
• I ran make lint (if applicable) and it passed.
• I updated docs (README/CONTRIBUTING) if needed.
• I added or updated tests where appropriate.
• I linked relevant issues and provided context.

Notes for reviewers

• coverage-comment.yml must be on main before it will trigger. The first PR after merging this will be the first one that gets coverage comments.
• Artifact data (PR number, coverage total) is validated with strict regex before use to prevent injection from crafted artifacts.
• The coverage-report artifact has a 1-day retention — it's ephemeral and only needed for the comment workflow.