feat: ACNA-4537 add dependabot coverage upload workflow

[chsrimanaswi]

Description

Fixes the reusable dependabot-coverage-upload.yml workflow so Codecov correctly processes coverage reports uploaded via the /upload-coverage admin comment trigger on Dependabot PRs. Previously every upload was marked "Unusable report".

Three root causes fixed:

Missing actions/checkout: Codecov embeds a local file listing in the upload payload to map SF: paths in lcov; without source files present the report is always unusable
Artifact pattern included Windows runs — Windows lcov uses backslash paths (SF:src\auth.js) that Codecov cannot resolve against the repo; narrowed to ubuntu-latest only
Missing override_pr / override_commit — Codecov was not associating the upload with the correct Dependabot PR
Also aligns the startswith() filter in "Find original CI run" with the download pattern to prevent false "artifact not found" comments.

Related Issue

ACNA-4537

Motivation and Context

When Dependabot opens a PR, GitHub restricts secret access so CODECOV_TOKEN is unavailable and the normal upload in node.js.yml is skipped. Coverage artifacts are saved instead, and an admin triggers re-upload via /upload-coverage comment. This PR makes that re-upload actually work.

How Has This Been Tested?

Tested end-to-end on adobe/aio-e2e-tests using the dependabot-codecov-fix branch (which aio-e2e-tests calls):

Commented /upload-coverage as an admin on a Dependabot PR
Confirmed Codecov successfully processed the report (no "Unusable report", coverage % shown)
Confirmed Codecov posted a coverage comment on the PR

Screenshots (if appropriate):

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• I have signed the Adobe Open Source CLA.
• My code follows the code style of this project.
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have read the CONTRIBUTING document.
• I have added tests to cover my changes.
• All new and existing tests passed.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[github-actions]

🤖 PR Reviewer

The workflow uses a comment-triggered gate to allow authorized users to upload coverage for Dependabot PRs. The overall approach is reasonable, but there is a command injection risk via the COMMENT_USER_LOGIN value being passed as an environment variable (mitigated somewhat by using env vars rather than direct interpolation), and the permission check only allows 'admin' or 'maintain' but excludes 'write' which is typically the minimum trusted collaborator level. The reusable workflow is pinned to @main which is mutable and could be a supply-chain risk.

📝 2 suggestion(s) - Please review inline comments below.

---

💡 How to re-trigger

Comment /review or /pr-reviewer on this PR

proposed changes not required.