
Harden pr workflow permissions#224

Draft
nebasuke wants to merge 1 commit into main from harden-pr-workflow-permissions

Conversation

@nebasuke
Member


Summary

  • Strip pull-requests: write, checks: write, and secret access (CODECOV_TOKEN) from all PR-triggered workflows
    (test.yaml, coverage.yaml, integration-tests.yaml), so untrusted PR code runs with read-only permissions
  • Move all write operations (GitHub Checks, PR comments, Codecov uploads) to a new reporting.yaml workflow triggered
    by workflow_run, which runs in the base repo context with the necessary permissions
  • Remove secrets: inherit from release.yaml → deploy-docs.yaml call (GITHUB_TOKEN is auto-available to workflow_call
    workflows)

Motivation

PR workflows currently run untrusted code with tokens that can modify PRs and create checks. The workflow_run event
runs in the context of the base branch, not the PR, so secrets and write permissions are safe to use there.

Changes

| File | Change |
|---|---|
| cargo-check/action.yml | Make github_token optional (only used by cargo audit, which is disabled) |
| test.yaml | Drop write perms, disable in-action check publishing, upload test result XMLs and event files as artifacts |
| coverage.yaml | Drop job-level write perms, remove PR comment and Codecov upload steps, upload LCOV/summary/event as artifacts |
| integration-tests.yaml | Drop write perms, remove 3 PR comment steps, upload event file as artifact |
| release.yaml | Remove secrets: inherit from deploy-docs job |
| reporting.yaml (new) | workflow_run-triggered workflow with 3 jobs: test-results (publishes per-platform GitHub Checks), coverage-report (posts PR comment + Codecov upload), integration-report (posts report download links) |

Permissions after this change

| Workflow | Before | After |
|---|---|---|
| test.yaml | contents: read, pull-requests: write, checks: write | contents: read |
| coverage.yaml | contents: read + job-level pull-requests: write | contents: read |
| integration-tests.yaml | contents: read, pull-requests: write | contents: read |
| reporting.yaml (new) | — | contents: read, actions: read, checks: write, pull-requests: write |

Test plan

  • Open a test PR — verify test.yaml runs with only contents: read (no permission errors)
  • Verify reporting.yaml triggers after test.yaml completes and per-platform checks appear on the PR commit
  • Apply ci:coverage label — verify coverage workflow runs, then reporting posts coverage PR comment and Codecov upload
    succeeds
  • Apply ci:integration label — verify integration tests run, then reporting posts the 3 report download comments
  • Verify release.yaml → deploy-docs.yaml still works without secrets: inherit (on a test tag)
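The split the PR describes, as an added illustration rather than the repository's own workflow files: the PR-triggered workflow runs with `contents: read` only and hands results over as artifacts, and a `workflow_run`-triggered workflow on the base branch holds the `checks: write` and `pull-requests: write` permissions. Action versions, the `make test-report` step, the artifact name and the check name are assumptions; the head-SHA comparison is the check a reviewer would want, since the artifact contents come from the untrusted run.

```yaml
# --- test.yaml (PR-triggered): untrusted PR code runs read-only; results become artifacts
name: test
on: [pull_request]
permissions:
  contents: read                  # no pull-requests/checks write, no repository secrets
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test-report     # assumption: writes test-results.xml (JUnit)
      - run: cp "$GITHUB_EVENT_PATH" event.json   # PR metadata for the reporting run
      - uses: actions/upload-artifact@v4
        with:
          name: test-results
          path: |
            test-results.xml
            event.json
---
# --- reporting.yaml: runs on the base branch, so write permissions are safe here
name: reporting
on:
  workflow_run:
    workflows: [test]
    types: [completed]
permissions:
  contents: read
  actions: read                   # needed to download artifacts from the triggering run
  checks: write
  pull-requests: write
jobs:
  test-results:
    if: github.event.workflow_run.event == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: test-results
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Trust the triggering run's SHA, not the artifact's event file
        env:
          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
        run: test "$(jq -r .pull_request.head.sha event.json)" = "$HEAD_SHA"
      - uses: actions/github-script@v7
        with:
          script: |
            // test-results.xml is untrusted input: parse it as data, never execute it
            await github.rest.checks.create({ ...context.repo, name: 'tests',
              head_sha: context.payload.workflow_run.head_sha, status: 'completed',
              conclusion: context.payload.workflow_run.conclusion,
              output: { title: 'Test results', summary: 'Results in artifact test-results' } });
```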

nebasuke force-pushed the harden-pr-workflow-permissions branch 2 times, most recently from a8cce1d to 8aaaea5 on February 20, 2026 19:28
PR workflows (test, coverage, integration-tests) previously ran with
pull-requests:write, checks:write, and access to CODECOV_TOKEN, meaning
untrusted PR code could leverage those permissions. This commit strips
all write permissions and secrets from PR-triggered workflows, uploading
results as artifacts instead. A new reporting.yaml workflow, triggered
by workflow_run, runs in the base repo context with the necessary
permissions to publish GitHub Checks, post PR comments, and upload to
Codecov.

Also removes secrets:inherit from release.yaml → deploy-docs call since
GITHUB_TOKEN is auto-available to workflow_call workflows.
nebasuke force-pushed the harden-pr-workflow-permissions branch from 8aaaea5 to b5149dc on February 21, 2026 20:12