feat(ci): switch to canonical fleet pnpm CI workflow

The hand-rolled `test.yml` ran `npm i` against a package.json
that declares `@socketsecurity/lib` via the `catalog:` protocol.
npm doesn't understand `catalog:` (it's pnpm-specific syntax)
and crashed with EUNSUPPORTEDPROTOCOL on every CI run.

Three changes:

  1. Add `.github/workflows/ci.yml` — the canonical fleet CI
     workflow that delegates to
     `SocketDev/socket-registry/.github/workflows/ci.yml@<sha>`.
     That reusable workflow sets up pnpm + node correctly and
     runs the fleet's standard lint/type/test pipeline. This
     is the same file every fleet repo carries (managed by
     wheelhouse sync-scaffolding's IDENTICAL_FILES).

  2. Delete `.github/workflows/test.yml` — the hand-rolled
     workflow that pre-dated the fleet pnpm policy. Its job
     ("run `pnpm test` on push/PR") is now done by the
     canonical CI workflow.

  3. Migrate `.github/workflows/provenance.yml` from
     `npm install -g npm@latest && npm ci` to
     `pnpm install --frozen-lockfile`. Keep `npm publish
     --provenance` at the end — that's still the canonical
     sigstore-attested publisher (pnpm publish forwards to it
     anyway).

After this, `oxlint --config .config/oxlintrc.json` is clean
and the wheelhouse `socket/workflow_npm_install` check
(committed alongside in socket-wheelhouse@3ff8e5e) reports
0 findings on this repo.

Author: jdalton

.github/workflows/ci.yml

@@ -0,0 +1,24 @@
+name: ⚡ CI
+
+# Dependencies:
+#   - SocketDev/socket-registry/.github/workflows/ci.yml
+
+on:
+  push:
+    branches: [main]
+    tags: ['*']
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  ci:
+    name: Run CI Pipeline
+    uses: SocketDev/socket-registry/.github/workflows/ci.yml@ba3d42dec13db8da746d695aac12f0d7d47f8719 # main

.github/workflows/provenance.yml

@@ -25,20 +25,26 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 (2026-05-15)
         with:
           persist-credentials: false
+      - name: Install pnpm
+        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0 (2026-05-18)
+        with:
+          run_install: false
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 (2026-05-15)
         with:
           node-version: '22'
           registry-url: 'https://registry.npmjs.org'
           scope: '@socketregistry'
-          package-manager-cache: false
-      - run: npm install -g npm@latest
-      - run: npm ci
+          cache: pnpm
+      - run: pnpm install --frozen-lockfile
       - name: Build package
-        run: npm run build
+        run: pnpm run build
       - name: Get package version
         id: package-version
         run: echo "version=$(node -p "require('./package.json').version")" >> $GITHUB_OUTPUT
-      - run: npm pack
+      - run: pnpm pack
+      # `pnpm publish --provenance` forwards to `npm publish --provenance`
+      # for sigstore attestation; keep `npm publish` here for explicitness
+      # so the provenance path is obvious in the workflow.
       - run: npm publish --provenance --access public
         env:
           SOCKET_CLI_DEBUG: ${{ inputs.debug }}