Fix CI checkout and coverage upload for fork PRs

[matt-ramotar]

Problem

CI fails at the Checkout step (~7s, before any build/test) for fork PRs. Example: #735 (run) died with:

A branch or tag with the name 'fix/mutable-store-write-queue-race' could not be found

The build-and-test checkout pins ref: ${{ github.head_ref || github.ref }} but never sets repository, so for a cross-repository (fork) PR actions/checkout looks for the head branch in the base repo (MobileNativeFoundation/Store), where it doesn't exist — the branch lives in the contributor's fork. This is a latent bug introduced in #673; it never surfaced because every PR since has come from a same-repo branch.

A second, downstream blocker: the Codecov step uses secrets.CODECOV_TOKEN, which GitHub does not expose to fork PRs, combined with fail_ci_if_error: true — so even after fixing checkout, fork PRs would fail at coverage upload.

Fix

• Checkout — resolve repository and ref from the PR head when present (github.event.pull_request.head.repo.full_name / head.sha), falling back to github.repository / github.ref for push builds. Fork PRs now check out the contributor's head commit; same-repo PRs and pushes to main are unchanged (still build the head commit, as before — not the merge ref).
• Codecov — skip the upload on fork PRs (where the token is unavailable). Coverage is still uploaded and enforced for same-repo PRs and pushes to main.

Notes / review call-outs

• Security: this is a pull_request trigger (not pull_request_target), so fork builds run with a read-only GITHUB_TOKEN and no secrets; persist-credentials: false is retained. Building untrusted fork code under pull_request is the standard, safe configuration.
• Codecov policy: skipping coverage upload for forks is a deliberate trade-off (forks can't authenticate to Codecov). If you'd rather keep attempting a tokenless upload, the alternative is fail_ci_if_error: false on that step instead of the if: guard — happy to switch.
• This workflow change only takes effect once merged to main; Fix RealMutableStore write-queue data race (inverted lock polarity) #735 will pass after it rebases on top of this (forks run the base branch's workflow definition for pull_request).

🤖 Generated with Claude Code

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 80.17%. Comparing base (213e574) to head (50a7416).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #737   +/-   ##
=======================================
  Coverage   80.17%   80.17%           
=======================================
  Files          42       42           
  Lines         928      928           
  Branches      177      177           
=======================================
  Hits          744      744           
  Misses        110      110           
  Partials       74       74           

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.