ci: wire CACHE_PUSH_TOKEN so the coverage-map refresh actually pushes

[sbryngelson]

Follow-up to #1461. The coverage-refresh workflow pushed to protected master with the default GITHUB_TOKEN, which branch protection rejects — so the auto-refresh (the anti-rot mechanism) would never update the committed map.

The repo already has a CACHE_PUSH_TOKEN secret (created when the original cache was built) that was wired nowhere — part of why the old committed cache never auto-refreshed. This uses it, via the same x-access-token push pattern deploy-tap.yml uses for the homebrew repo.

With this, the weekly (+ cases.py/src-fpp-triggered) refresh can commit the rebuilt map back to master, and coverage-health stays green instead of going red after ~10 days.

(Requires that CACHE_PUSH_TOKEN has contents: write and branch-protection bypass for MFlowCode/MFC — it was presumably created for exactly this.)

[Copilot]

Pull request overview

This PR fixes the coverage-map refresh workflow so it can push refreshed tests/coverage_map.json.gz back to protected master using the repository’s CACHE_PUSH_TOKEN, keeping coverage-health from going stale.

Changes:

• Adds CACHE_PUSH_TOKEN to the commit/push step environment.
• Replaces the default origin push with an explicit x-access-token push URL.
• Updates the workflow comment to document the protected-branch token requirement.