Fix PR check CI failure on fork PRs (403 when posting comment)

[sbryngelson]

Problem

The PR Check workflow fails with a 403 when run on pull requests from forks:

Error: POST .../issues/1802/comments returned 403 Forbidden:
{"message":"Resource not accessible by integration"}

This happens because GitHub Actions intentionally restricts the GITHUB_TOKEN
to read-only permissions for fork PRs — even when the workflow declares
pull-requests: write. The check itself runs fine; it only fails when trying
to post the comment.

Fix

This uses the standard split-workflow pattern for fork-safe comment posting:

1. pr-check.yml — drops pull-requests: write (no longer needed). When
   triggered by a pull_request event, passes COMMENT_OUTPUT_FILE to the
   binary so the rendered comment is written to a file instead of posted via
   the API. Saves the file + PR number as a workflow artifact. Still exits
   non-zero when criteria are not met, so the check correctly blocks the PR.

2. pr-comment.yml (new) — triggered by workflow_run on PR Check completed. Downloads the artifact and posts/updates the comment using the
   full pull-requests: write token, which workflow_run jobs have even for
   fork PRs.

3. ci/pr-check/src/main.rs — honours a new COMMENT_OUTPUT_FILE env
   var: when set, writes the rendered comment body to that path instead of
   posting via the API. Falls back to the existing API-posting path when the
   var is absent (preserves the workflow_dispatch manual-run behaviour
   unchanged).

No changes to the YAML schema, contributing criteria, or comment template.

[mre]

Thanks, yes, I believe that could work. Code looks fine to me. Merging. Let's see if that makes it work.

[mre]

One downside is that it's failing the build if we don't touch an tool yaml files.
https://github.com/analysis-tools-dev/static-analysis/actions/runs/24286858149

Would you like to send a follow-up PR? 😊

[sbryngelson]

#1805