refactor: freeze dependencies for plugins and move it to build time

[yeelali14]

✨ PR Description

Purpose: Move plugin dependency installation from runtime workflow to build time to improve action execution performance and eliminate npm cache operations.

Main changes:

• Removed runtime npm installation steps (cache clean and dependency install) from GitHub Action workflow
• Added vendor-plugins script to package.json that installs frozen plugin dependencies during build process
• Configured NODE_PATH environment variable to reference bundled node_modules for plugin resolution at runtime

Generated by LinearB AI and added by gitStream.
_{AI-generated content may contain inaccuracies. Please verify before using.
💡 Tip: You can customize your AI Description using Guidelines Learn how}

[orca-security-us]

Orca Security Scan Summary

Status	Check	Issues by priority
Passed	Infrastructure as Code	0   0   0   0	View in Orca
Passed	OSS Licenses	0   0   0   0	View in Orca
Passed	SAST	0   0   0   0	View in Orca
Passed	Secrets	0   0   0   0	View in Orca
Passed	Vulnerabilities	0   0   0   0	View in Orca

[linearb]

✨ PR Review

Agentic review
Freezing plugin deps to build time raises a concern: the vendor script pins non-existent package versions that break the build, so this needs work.

1 issues detected:

🐞 Bug - Non-existent package versions break build-time vendor step

Details: The vendor-plugins script in package.json:33 pins non-existent package versions: lodash@4.18.1 (max published is 4.17.21) and @octokit/rest@20.1.1 (lock file shows 20.1.2). Since npm run package now chains this script, a failing npm install will hard-abort the entire build pipeline, unlike the previous continue-on-error: true step. Update the pins to lodash@4.17.21 and @octokit/rest@20.1.2 to match published versions and the lock file.
File: package.json (33-33)

Generated by LinearB AI and added by gitStream.
_{AI-generated content may contain inaccuracies. Please verify before using.
💡 Tip: You can customize your AI Review using Guidelines Learn how}

[yeelali14]

✨ PR Review

Agentic review Freezing plugin deps to build time raises a concern: the vendor script pins non-existent package versions that break the build, so this needs work.

1 issues detected:

🐞 Bug - Non-existent package versions break build-time vendor step
Details: The vendor-plugins script in package.json:33 pins non-existent package versions: lodash@4.18.1 (max published is 4.17.21) and @octokit/rest@20.1.1 (lock file shows 20.1.2). Since npm run package now chains this script, a failing npm install will hard-abort the entire build pipeline, unlike the previous continue-on-error: true step. Update the pins to lodash@4.17.21 and @octokit/rest@20.1.2 to match published versions and the lock file.
File: package.json (33-33)

Generated by LinearB AI and added by gitStream. AI-generated content may contain inaccuracies. Please verify before using. 💡 Tip: You can customize your AI Review using Guidelines Learn how

false positive

[yeelali14]

/dev env=yeela rune2e=true