This works by uploading the data from the main workflow with low
permissions as an artifact, then downloading the data in a workflow with
higher permissions to post the comment.
Third-party actions are fixed at a commit, in case they get compromised.
Also set the build-firmware VM to ubuntu-22.04, which was missed when
updating workflow deps earlier.