feat: ACNA-4537 add dependabot coverage upload workflow

[chsrimanaswi]

Description

Fixes the reusable dependabot-coverage-upload.yml workflow so Codecov correctly processes coverage reports uploaded via the /upload-coverage admin comment trigger on Dependabot PRs. Previously every upload was marked "Unusable report".

Three root causes fixed:

Missing actions/checkout: Codecov embeds a local file listing in the upload payload to map SF: paths in lcov; without source files present the report is always unusable
Artifact pattern included Windows runs — Windows lcov uses backslash paths (SF:src\auth.js) that Codecov cannot resolve against the repo; narrowed to ubuntu-latest only
Missing override_pr / override_commit — Codecov was not associating the upload with the correct Dependabot PR
Also aligns the startswith() filter in "Find original CI run" with the download pattern to prevent false "artifact not found" comments.

Related Issue

ACNA-4537

Motivation and Context

When Dependabot opens a PR, GitHub restricts secret access so CODECOV_TOKEN is unavailable and the normal upload in node.js.yml is skipped. Coverage artifacts are saved instead, and an admin triggers re-upload via /upload-coverage comment. This PR makes that re-upload actually work.

How Has This Been Tested?

Tested end-to-end on adobe/aio-e2e-tests using the dependabot-codecov-fix branch (which aio-e2e-tests calls):

Commented /upload-coverage as an admin on a Dependabot PR
Confirmed Codecov successfully processed the report (no "Unusable report", coverage % shown)
Confirmed Codecov posted a coverage comment on the PR

Screenshots (if appropriate):

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• I have signed the Adobe Open Source CLA.
• My code follows the code style of this project.
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have read the CONTRIBUTING document.
• I have added tests to cover my changes.
• All new and existing tests passed.

[github-actions]

🤖 PR Reviewer

The workflow file is well-structured with a permission gate to prevent unauthorized coverage uploads. However, there is a potential security concern with the comment-triggered workflow and a minor robustness issue with permission checking.

📝 3 suggestion(s) - Please review inline comments below.

---

💡 How to re-trigger

Comment /review or /pr-reviewer on this PR

Proposed changes not required.