Add Codecov upload to existing unit test workflow

[kdacosta0]

Summary

• Adds Codecov upload steps to the existing unit_tests.yml workflow for the ubuntu-latest / Python 3.12 matrix entry, avoiding a duplicate test run.
• Adds push trigger on main to unit_tests.yml so Codecov can track baseline coverage.
• Adds id-token: write permission for OIDC-based Codecov upload.
• Adds codecov.yml with coverage status thresholds:
  • Patch coverage: 70% target with 5% threshold — new/changed lines in a PR must maintain at least 70% coverage (with 5% tolerance before the check fails).
  • Project coverage: auto target, informational only — tracks overall project coverage trend without blocking PRs.
• Adds coverage.xml and htmlcov/ to .gitignore to keep generated coverage artifacts out of version control.

Setup Required

CODECOV_TOKEN must be configured as a repository secret in GitHub. Without this token, the Codecov upload step will fail (fail_ci_if_error: true). Repository admins should:

1. Create an account/project at codecov.io for this repository
2. Copy the upload token
3. Add it as a repository secret named CODECOV_TOKEN in GitHub Settings > Secrets and variables > Actions

Test Plan

• Verify the unit test workflow triggers on PRs targeting main and on pushes to main
• Verify Codecov upload only runs for the ubuntu-latest / Python 3.12 matrix entry
• Verify coverage.xml and htmlcov/ are listed in .gitignore and not tracked by git
• Verify Codecov receives the coverage report after a successful workflow run
• Verify Codecov PR status checks appear (patch and project)

Implements SECURESIGN-4375

🤖 Generated with Claude Code

Based on the doc

[codecov-commenter]

Welcome to Codecov 🎉

Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.

Thanks for integrating Codecov - We've got you covered ☂️