Commit 52f42bd

fix(ci): Ensure CodeQL comment workflow runs on success or failure

The 'CodeQL - Post Comment' workflow was failing intermittently because it would attempt to download an artifact that was not always present. This occurred when the upstream 'CodeQL Analysis' workflow did not produce the artifact, for example, when it was cancelled or skipped.

This change modifies the trigger condition for the 'post-comment' job to only run when the upstream 'CodeQL Analysis' workflow has a conclusion of 'success' or 'failure'. This is because the analysis workflow intentionally fails when new alerts are detected, but it still uploads the comment artifact before exiting.

An explanatory comment has also been added to the workflow to clarify this behavior for future maintenance.

This ensures the comment is posted reliably when new alerts are found or when existing ones are resolved, and prevents the workflow from running in situations where the artifact is not expected to exist.

1 parent 839bde7 commit 52f42bd

1 file changed, +7 -1 lines changed

.github/workflows/codeql-comment.yaml

Lines changed: 7 additions & 1 deletion
@@ -13,7 +13,13 @@ permissions:
1313
jobs:
1414
post-comment:
1515
runs-on: ubuntu-latest
16-
if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
16+
# This job runs on both 'success' and 'failure' of the 'CodeQL Analysis' workflow.
17+
# The upstream workflow intentionally fails if it finds new alerts, but it uploads
18+
# the comment artifact before doing so. This condition ensures the comment is posted
19+
# in both cases (new alerts found, or existing alerts resolved).
20+
# The workflow is resilient to other failures because the 'Post Comment' step
21+
# only runs if the artifact was successfully downloaded.
22+
if: github.event.workflow_run.event == 'pull_request' && (github.event.workflow_run.conclusion == 'success' || github.event.workflow_run.conclusion == 'failure')
1723
steps:
1824
- name: Download PR comment data
1925
uses: actions/download-artifact@fa0a91b85d4f404e8442c7c958156baef1102941 # v4.1.8
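
Review bot: The new `if:` on line 22 admits every upstream `failure`, not only the intentional one raised for new alerts, so a 'CodeQL Analysis' run that fails before its upload step still reaches `Download PR comment data` with no artifact to fetch. The added comment relies on the 'Post Comment' step being skipped in that case, but nothing in this hunk shows how the download step itself tolerates a missing artifact; if it has no `continue-on-error: true` or an equivalent existence check, the job will still fail, which is the intermittent failure the commit message describes. Since the artifact is produced by a `pull_request`-triggered run, it is also worth confirming that the later steps treat its contents as untrusted data before posting them.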
