chore(deps): bump pnpm to v11 (#29)

* chore(deps): bump pnpm to v11

* build: make the pnpm 11 bump pass CI

The packageManager bump to pnpm@11.5.2 broke every job: pnpm 11 requires
Node >= 22.13 (it loads node:sqlite), but all workflows pinned Node 20, so
install crashed before doing anything.

- bump node-version 20 -> 22 in all five workflows (test, pr-title,
  cli-binaries, drift-check, watchdog); binaries still compile under bun, Node
  is only used for pnpm + tooling scripts
- add pnpm-workspace.yaml with two pnpm-11 defaults neutralized:
  - allowBuilds.lefthook: true — pnpm 11 blocks dependency build scripts by
    default; lefthook needs its postinstall to install the git hooks
  - minimumReleaseAge: 0 — pnpm 11's release-age policy rejects deps published
    inside the cooldown window, which would intermittently fail
    --frozen-lockfile whenever drift-check bumps @rendobar/sdk the same day it
    publishes

Verified locally: pnpm@11.5.2 install --frozen-lockfile exits 0 with no
lockfile drift.

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Abdelrahman Essawy <abdelrahman.mo.essawy@gmail.com>

Author: renovate[bot]

.github/workflows/cli-binaries.yml

@@ -42,7 +42,7 @@ jobs:
 
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
-          node-version: 20
+          node-version: 22
 
       - name: Get pnpm store directory
         shell: bash

.github/workflows/drift-check.yml

@@ -16,7 +16,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
-          node-version: 20
+          node-version: 22
       - name: Compare @rendobar/sdk dep vs npm latest
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/pr-title.yml

@@ -19,7 +19,7 @@ jobs:
 
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
-          node-version: 20
+          node-version: 22
           cache: pnpm
 
       - run: pnpm install --frozen-lockfile

.github/workflows/test.yml

@@ -23,7 +23,7 @@ jobs:
 
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
-          node-version: 20
+          node-version: 22
           cache: pnpm
 
       - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6  # v2.2.0

.github/workflows/watchdog.yml

@@ -17,7 +17,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
-          node-version: 20
+          node-version: 22
       - name: Detect silent release skip
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

package.json

@@ -38,5 +38,5 @@
     "lefthook": "^2.0.0",
     "typescript": "^6.0.0"
   },
-  "packageManager": "pnpm@9.15.9"
+  "packageManager": "pnpm@11.5.2"
 }

pnpm-workspace.yaml

@@ -0,0 +1,13 @@
+# pnpm 11 blocks dependency build scripts by default. lefthook needs its
+# postinstall to install the git hooks behind the commit-msg / pre-commit guards
+# (pnpm 9 ran these automatically).
+allowBuilds:
+  lefthook: true
+
+# pnpm 11 also enables a minimumReleaseAge supply-chain policy by default, which
+# rejects any dependency published within the cooldown window. The drift-check
+# cron bumps @rendobar/sdk to its newest release the same day it publishes, so
+# the default would intermittently fail `pnpm install --frozen-lockfile` in CI
+# until each release "ages in". Disable it to keep CI deterministic; SDK
+# provenance is already covered by npm publish attestations.
+minimumReleaseAge: 0