Fix Codecov upload for fork pull requests

[albertodebortoli]

Description

• The run-tests.yml workflow used secrets.CODECOV_TOKEN directly in the pull_request event context. GitHub does not expose secrets to workflows triggered by PRs from forks, so the Codecov upload step was failing (and failing CI) for any fork-originated PR.
• The fix splits coverage upload into a dedicated upload-coverage.yml workflow triggered via workflow_run. The test jobs now save lcov reports as GitHub Actions artifacts (coverage-macos, coverage-linux). The new workflow downloads those artifacts and uploads them to Codecov after the test run completes — running in the base repository context where secrets are available.
• Trade-off: coverage results appear slightly after the test status check, since upload happens asynchronously in a follow-up workflow.

Type of Change

• Feature
• Bug fix
• Maintenance / Refactor
• Documentation
• CI / Tooling
• Other (specify)

How Has This Been Tested?

• Added / updated unit tests
• Manually tested locally (describe)
• Tested on macOS (arch: arm64 / x86_64)
• Other

Verified the workflow logic by inspection. The change can be validated end-to-end by opening a PR from a fork and confirming the run-tests jobs pass and coverage is subsequently uploaded by the upload-coverage workflow.

Screenshots / Demo (if applicable)

N/A

Checklist

• Swift code builds locally (swift build)
• Tests pass locally (swift test)
• Code style / formatting respected
• Documentation updated (README / comments)
• Version / tag alignment considered (if release related)
• PR title follows conventional style (optional)

CI Considerations

• Affects build time notably
• Requires new secrets / env vars — uses the existing CODECOV_TOKEN secret; no new secrets needed
• Alters release process

Breaking Changes?

• No
• Yes (describe impact and migration path)

Additional Notes

The install curl step in the Linux job has been removed as it was only needed for the Codecov upload, which now happens in the separate workflow.