ci: add qa-npm-signatures workflow#22459

Open
GirlBossRush wants to merge 1 commit into
mainfrom
ci/qa-npm-signatures
Open

ci: add qa-npm-signatures workflow#22459
GirlBossRush wants to merge 1 commit into
mainfrom
ci/qa-npm-signatures

Conversation

@GirlBossRush
Contributor

Summary

Adds a new QA - npm signatures workflow that runs npm audit signatures against each workspace lockfile (root, web/, website/, lifecycle/aws/).

npm audit signatures verifies that every package in the lockfile has a valid Sigstore provenance attestation from the npm registry. It catches:

  • packages whose signatures don't match (post-publish tampering)
  • packages whose signatures disappear between resolution and audit
  • new direct/transitive deps with no provenance at all

This is an incremental defense — it does not stop a maintainer-account-hijack that publishes a properly signed malicious version (the attack class the recent "Mini Shai-Hulud" incident used). For that, our existing defenses do the heavy lifting:

  • .npmrc sets ignore-scripts=true, neutralizing the preinstall/postinstall payload vector
  • Dependabot npm cooldown (3/7/14 days) means we don't pull versions during their first-published window
  • save-exact=true + npm ci keeps the lockfile authoritative

The workflow runs on:

  • PRs touching any package.json / package-lock.json
  • pushes to main touching the same
  • daily on a schedule (so retroactive unpublishes/signature drift surface even without dep-touching PRs)

npm audit signatures works directly off the lockfile and does not require node_modules to be populated, so the workflow skips npm ci entirely — fast and isolated from build concerns.

Test plan

  • Workflow appears under "Actions" and runs on this PR
  • All four matrix entries (., web, website, lifecycle/aws) pass against current lockfiles
  • The scheduled run fires at 07:37 UTC the day after merge

Adds a dedicated CI workflow that runs `npm audit signatures` against
each workspace lockfile (root, web, website, lifecycle/aws).

`npm audit signatures` verifies that every package in the lockfile has
a valid Sigstore provenance attestation from the npm registry, catching
the cases where a published version is tampered with after the fact or
where a package's signature suddenly disappears between resolution and
audit. It is run:

  - on PRs that touch any package.json / package-lock.json
  - on pushes to main that touch the same paths
  - daily on a schedule, so retroactive unpublishes/signature changes
    surface even without a dependency-touching PR

The audit does not require `node_modules` to be populated, so the
workflow skips `npm ci` entirely and runs only against the lockfile —
keeping it fast and isolated from build-time concerns.

Co-authored-by: Agent <279763771+playpen-agent@users.noreply.github.com>
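The workflow described above, written out as an added example; this is not the PR's own workflow file, which is not shown on this page. It assumes the four directories named in the test plan, `actions/checkout@v4` and `actions/setup-node@v4` (pin these to commit SHAs in a real repo), Node 22 as the runtime, and npm 9.5 or later as the floor for provenance-attestation verification; the file name, job name, Node version and npm floor are assumptions.

```yaml
# .github/workflows/qa-npm-signatures.yml  (file name assumed)
name: QA - npm signatures

on:
  pull_request:
    paths:
      - '**/package.json'
      - '**/package-lock.json'
  push:
    branches: [main]
    paths:
      - '**/package.json'
      - '**/package-lock.json'
  schedule:
    # 07:37 UTC daily, matching the PR test plan: surfaces signature drift and
    # retroactive unpublishes even when no dependency-touching PR is opened.
    - cron: '37 7 * * *'

# The job only reads the checkout and talks to the npm registry; it needs no
# write scopes on the GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  audit-signatures:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    strategy:
      # Keep going after one workspace fails so a single run reports all four.
      fail-fast: false
      matrix:
        dir: ['.', 'web', 'website', 'lifecycle/aws']
    defaults:
      run:
        working-directory: ${{ matrix.dir }}
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22   # assumed; any release whose bundled npm meets the floor below works

      # Attestation verification needs a recent npm (9.5 assumed as the minimum).
      # An older npm would only check registry signatures and still exit 0, so
      # fail early instead of letting the job pass vacuously.
      - name: Check npm version
        run: |
          node -e '
            const [major, minor] = process.versions.npm.split(".").map(Number);
            if (major < 9 || (major === 9 && minor < 5)) {
              console.error("npm " + process.versions.npm + " is too old to verify attestations");
              process.exit(1);
            }'

      # Deliberately no `npm ci`: the audit reads package-lock.json directly, so
      # node_modules stays empty and no package lifecycle script can run here.
      - name: Verify registry signatures and provenance attestations
        run: npm audit signatures
```

Two caveats when running this: `npm audit signatures` fetches the registry's signing keys and each package's attestations over the network, so the job still needs egress to the registry even though it installs nothing; and packages resolved from a registry that does not publish signing keys cannot be verified, so read the summary counts in the job log rather than trusting the exit status alone.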
@GirlBossRush GirlBossRush requested a review from a team as a code owner May 19, 2026 11:30
@netlify

netlify Bot commented May 19, 2026

Deploy Preview for authentik-docs ready!

Name               Link
Latest commit      e6100db
Latest deploy log  https://app.netlify.com/projects/authentik-docs/deploys/6a0c49c51aa166000887961f
Deploy Preview     https://deploy-preview-22459--authentik-docs.netlify.app

@codecov

codecov Bot commented May 19, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 52.92%. Comparing base (bc3c12a) to head (e6100db).
✅ All tests successful. No failed tests found.

❗ There is a different number of reports uploaded between BASE (bc3c12a) and HEAD (e6100db).

HEAD has 26 uploads less than BASE

Flag          BASE (bc3c12a)  HEAD (e6100db)
e2e           11              5
conformance   5               3
unit          10              2
unit-migrate  10              0
Additional details and impacted files
@@             Coverage Diff             @@
##             main   #22459       +/-   ##
===========================================
- Coverage   93.27%   52.92%   -40.35%     
===========================================
  Files        1032     1032               
  Lines       60059    60059               
  Branches      400      400               
===========================================
- Hits        56018    31789    -24229     
- Misses       4041    28270    +24229     
Flag Coverage Δ
conformance 36.19% <ø> (-0.39%) ⬇️
e2e 37.93% <ø> (-3.92%) ⬇️
integration 32.55% <ø> (-0.50%) ⬇️
rust 0.00% <ø> (ø)
unit 48.50% <ø> (-43.70%) ⬇️
unit-migrate ?


@rissson rissson requested a review from BeryJu May 20, 2026 12:37
Labels

None yet

Projects

None yet

1 participant