ci: post sticky PR comment with fallow audit findings

Reviewers shouldn't have to dig through CI logs to see what fallow
flagged. With this change, on every PR the fallow job posts (or
updates) a sticky comment containing the full audit report formatted
as a collapsible markdown table.

The comment uses fallow's built-in `pr-comment-github` format, which
already emits a `<!-- fallow-id: fallow-results -->` sentinel.
`marocchino/sticky-pull-request-comment@v2.9.1` matches that header so
each run replaces the previous comment instead of stacking new ones.

The job now runs in three steps:
1. Run `fallow audit ... --format pr-comment-github` with
   `continue-on-error: true` so the comment posts even when the audit
   fails. Exit code is captured.
2. Post (or update) the sticky comment with the captured output.
3. Re-emit the audit exit code so the job still fails-the-build on
   new findings.

Bumps the workflow's `pull-requests` permission from read to write,
needed for the sticky-comment poster to call the issues API.

Author: jrusso1020

.github/workflows/ci.yml

@@ -2,7 +2,10 @@ name: CI
 
 permissions:
   contents: read
-  pull-requests: read
+  # `pull-requests: write` is needed for the `Fallow audit` job to post the
+  # sticky comment summarizing findings. All read-only consumers (paths-filter,
+  # semantic-pr-title) work fine with this scope.
+  pull-requests: write
 
 on:
   pull_request:
@@ -86,6 +89,9 @@ jobs:
   # the changed files. The default `--gate new-only` means existing legacy
   # findings don't fail the build — only NEW issues introduced by the PR do.
   # This stops bleeding while letting incremental cleanup land separately.
+  #
+  # On findings, the job posts (or updates) a sticky comment on the PR so
+  # reviewers see the full list inline instead of digging through CI logs.
   fallow:
     name: Fallow audit
     needs: changes
@@ -103,7 +109,30 @@ jobs:
           node-version: 22
       # Pinned version — bumps land via a deliberate PR. Keep in sync with
       # the version that produced the current `.fallowrc.jsonc` config.
-      - run: npx -y fallow@2.75.0 audit --base origin/main --fail-on-issues
+      - name: Run fallow audit
+        id: audit
+        # Capture markdown output for the PR comment; let the step finish so
+        # we can post the comment even when the audit fails. Re-emit the exit
+        # status from the final step.
+        continue-on-error: true
+        run: |
+          npx -y fallow@2.75.0 audit --base origin/main --fail-on-issues \
+            --format pr-comment-github \
+            > /tmp/fallow-comment.md
+          echo "exit_code=$?" >> "$GITHUB_OUTPUT"
+      - name: Post sticky comment on PR
+        uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 # v2.9.1
+        with:
+          # Matches the `<!-- fallow-id: fallow-results -->` sentinel that
+          # fallow's pr-comment-github format already includes, so each run
+          # updates the same comment instead of creating new ones.
+          header: fallow-results
+          path: /tmp/fallow-comment.md
+      - name: Fail if audit found issues
+        if: steps.audit.outputs.exit_code != '0'
+        run: |
+          echo "::error::Fallow audit found new issues — see the PR comment above for details."
+          exit 1
 
   format:
     name: Format