feat: add base-sha input for exact commit comparison

[tatusamel]

Summary

• Adds a new optional base-sha input that allows specifying an explicit base commit SHA to compare coverage and test results against
• When provided, the action first looks for workflow runs matching that exact SHA, then gracefully falls back to branch-based lookup if no matching runs are found
• Extracts shared workflow run fetching logic into a fetchValidWorkflowRuns() helper to avoid duplication between test and coverage download paths

Motivation

Currently the action always compares against the latest successful run on the base branch. This doesn't work well when you need to compare against a specific known-good commit — for example, when the base branch has moved forward but you want to compare against the actual merge base of your PR.

Changes

• action.yml: Added base-sha input definition
• src/utils/artifact-manager.ts: Added fetchValidWorkflowRuns() private method that handles SHA-first-then-branch lookup; added baseSha parameter to downloadBaseResults() and downloadBaseCoverageResults()
• src/index.ts: Reads the base-sha input and threads it through processTestResults() and processCoverage()
• src/__tests__/artifact-manager.test.ts: 8 tests covering SHA hit (no fallback), SHA miss (fallback to branch), no SHA (branch only), invalid conclusion filtering, and coverage equivalents

Test plan

• All 202 existing tests pass
• 8 new artifact-manager tests pass
• dist/index.js rebuilt successfully
• Manual test: run action with base-sha pointing to a commit with a successful workflow run
• Manual test: run action with base-sha pointing to a commit with no runs (verify fallback to branch)
• Manual test: run action without base-sha (verify existing behavior unchanged)

[sentry]

Bug: Artifact download fails silently if baseSha is from a different branch than baseBranch because the artifact name is constructed using the wrong branch.
_{Severity: MEDIUM}

Suggested Fix

The code should be updated to handle this case. One option is to extract the actual branch from the workflow run metadata associated with the baseSha and use that branch name to construct the artifact name for downloading. Alternatively, the action's documentation could be updated to explicitly state that baseSha must be a commit that exists on the baseBranch, or a warning could be displayed when this mismatch is detected.

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: src/utils/artifact-manager.ts#L203-L211

Potential issue: When a `baseSha` is provided that points to a commit on a different
branch than the `baseBranch`, the artifact download will silently fail. The artifact
upload process uses the branch name at the time of the run (e.g., `feature-x`) to name
the artifact. However, the download logic in `downloadBaseResults()` and
`downloadBaseCoverageResults()` constructs the artifact name using the `baseBranch`
(e.g., `main`). This mismatch causes the artifact lookup to find nothing, leading to a
silent failure where no comparison is performed, which is incorrect behavior for the
feature.

_{Did we get this right? 👍 / 👎 to inform future reviews.}