chore: harden ci and refresh dependencies

[anand-testcompare]

Summary

• move code-running PR validation off pull_request_target and onto read-only pull_request
• replace PR-title/repository-dispatch helper actions with official actions/github-script, and number workflow/job/step names in kebab-case
• harden release/publish permissions while preserving npm OIDC publishing behavior
• refresh runtime/tooling/package dependencies and docs parquet snapshot
• keep generated opencode.jsonc Foundry config env-backed for both FOUNDRY_URL and FOUNDRY_TOKEN

Verification

• mise run setup
• DOCS_SUMMARY_PATH=.memory/docs-refresh-summary.json bun run src/docs/fetch-cli.ts
• bun run validate-parquet.ts
• mise run lint
• mise run typecheck
• mise run test
• mise run build
• mise run smoke
• mise run pkgjsonlint
• mise run publish -- --dry-run --tag next
• actionlint .github/workflows/*.yml
• git diff --check
• temp env-backed opencode debug config

Notes

• Docs snapshot refresh fetched 3858 pages with 0 failures.
• No pull_request_target workflow remains.
• PR workflows have no id-token: write, contents: write, packages: write, or secrets.* usage.

[anand-testcompare]

@codex - review

[anand-testcompare]

@codex - review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5493e7b603

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".