build: adopt supply chain defaults

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: dgreif

.github/dependabot.yml

@@ -0,0 +1,12 @@
+version: 2
+updates:
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: weekly
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 3

.github/workflows/nodejs.yml

@@ -6,13 +6,14 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
+      # TODO: Pin third-party actions to full commit SHAs after validating the current tags.
       - uses: actions/checkout@v4
       - name: Use Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: 24
+          node-version: 26
           cache: npm
-      - run: npm install
+      - run: npm ci
       - run: npx playwright install chromium
       - run: npm run build
       - run: npm test

.github/workflows/publish.yml

@@ -12,10 +12,11 @@ jobs:
   publish-npm:
     runs-on: ubuntu-latest
     steps:
+      # TODO: Pin third-party actions to full commit SHAs after validating the current tags.
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: 24
+          node-version: 26
           registry-url: https://registry.npmjs.org/
           cache: npm
       - run: npm ci
@@ -24,6 +25,7 @@ jobs:
       - run: npm version ${TAG_NAME} --git-tag-version=false
         env:
           TAG_NAME: ${{ github.event.release.tag_name }}
+      # TODO: This job publishes with an npm token; review secret scope before widening triggers or permissions.
       - run: npm whoami; npm --ignore-scripts publish --provenance
         env:
           NODE_AUTH_TOKEN: ${{secrets.npm_token}}

.npmrc

@@ -0,0 +1 @@
+min-release-age=3