fix(worker): reject process global in workflow bundle

[nkgotcode]

Summary

Reject workflow bundles that reference the Node process global directly.

Webpack previously allowed free process references through the workflow bundle, which only failed later inside the workflow sandbox. This adds a workflow bundler parser check for free process expressions while preserving locally shadowed bindings.

Fixes #1112.

Testing

corepack pnpm install --frozen-lockfile

corepack pnpm -F @temporalio/worker run build

corepack pnpm -F @temporalio/test run build

Additional focused bundler checks were run with a minimal @temporalio/core-bridge cache stub:

• a workflow referencing free process is rejected as a disallowed module
• a workflow with a local process binding still bundles

Not run:

corepack pnpm -F @temporalio/worker... run build

This currently fails while building @temporalio/core-bridge because protoc is not installed in this environment.

[CLAassistant]

All committers have signed the CLA.

[chris-olszewski]

Thanks for taking this on. Only a small suggested change to avoid the as any cast.

[chris-olszewski]

Will need to add import type { javascript } from 'webpack'

Suggested change

	normalModuleFactory.hooks.parser.for(moduleType).tap('WorkflowCodeBundler', (parser) => {
	const javascriptParser = parser as any;
	normalModuleFactory.hooks.parser.for(moduleType).tap('WorkflowCodeBundler', (javascriptParser: javascript.JavascriptParser) => {

[nkgotcode]

Addressed the review feedback in 448b528 by replacing the as any parser cast with javascript.JavascriptParser from webpack while preserving the hook callback signature required by the local webpack typings.\n\nValidation:\n- corepack pnpm install --frozen-lockfile\n- corepack pnpm -F @temporalio/worker run build still fails before completion because generated @temporalio/proto exports are missing in this fresh checkout; the previous bundler callback type error is gone after the update.\n- corepack pnpm exec tsc --noEmit --pretty false packages/worker/src/workflow/bundler.ts --skipLibCheck --esModuleInterop --moduleResolution node --target ES2022 --module commonjs still fails only on missing generated @temporalio/proto exports from imported worker utilities.

[chris-olszewski]

Please read my suggested change from the previous review. You are still casting unnecessarily.

[nkgotcode]

Updated the review fix in 5bba954 to follow the requested shape directly.\n\nWhat changed:\n- Removed the parser cast entirely.\n- The parser callback parameter is now typed directly as javascript.JavascriptParser.\n- Marked the JavaScript module type list as const so TypeScript selects webpack's JavaScript parser hook overload instead of the generic parser fallback.\n\nValidation:\n- corepack pnpm exec prettier --check packages/worker/src/workflow/bundler.ts passed.\n- corepack pnpm -F @temporalio/worker run build still fails in this local checkout because generated @temporalio/proto exports are unavailable, but the previous src/workflow/bundler.ts callback type error is gone after the as const overload fix.

[chris-olszewski]

We will need this new hook to respect our allowlist so that our internal testing where we colocate workflow code with tests can pass.

[nkgotcode]

Addressed the allowlist feedback from @chris-olszewski.

Changes made:

• The process parser hook now respects ignoreModules through the same module matching path used for disallowed imports.
• Added process to baseBundlerIgnoreModules so colocated workflow/test code using the shared test helper allowlist can bundle.
• Added a regression test that bundles a workflow referencing the process global with baseBundlerIgnoreModules.

Validation:

• corepack pnpm exec prettier --check packages/worker/src/workflow/bundler.ts packages/test/src/test-bundler.ts packages/test-helpers/src/bundler.ts
• corepack pnpm run build:protos
• corepack pnpm -F @temporalio/test run build:protos
• corepack pnpm -F @temporalio/worker -F @temporalio/test-helpers -F @temporalio/test run build:ts

I also tried the focused AVA bundler test locally, but this checkout is missing the packages/core-bridge/releases/aarch64-apple-darwin/index.node native prebuild, so AVA exits before test discovery.