
chore(ci): harden workflows and bump packageManager to pnpm@11.1.1#451

Closed
AlemTuzlak wants to merge 1 commit into TanStack:main from AlemTuzlak:chore/cicd-hardening-pnpm-bump

Conversation

@AlemTuzlak

Summary

Hardens GitHub Actions workflows against common CI/CD attack vectors (action pinning, permissions, persist-credentials, timeouts, concurrency) and migrates the package manager to pnpm 11.1.1. Adds a zizmor workflow to lint future workflow changes for security weaknesses.

Findings & fixes applied

  • Action SHA pinning — pinned 7 third-party action references to 40-char commit SHAs (previously floating tags or short SHA-pinned without version comments). Affected files:
    • .github/workflows/check-skills.yml (actions/checkout, actions/setup-node)
    • .github/workflows/validate-skills.yml (actions/checkout, actions/setup-node)
    • .github/workflows/notify-intent.yml (actions/checkout, peter-evans/repository-dispatch)
    • .github/workflows/pr.yml (actions/checkout, danielroe/provenance-action, nrwl/nx-set-shas)
    • .github/workflows/release.yml (actions/checkout)
    • .github/workflows/e2e-opportunistic-matrix.yml (actions/checkout, actions/upload-artifact)
  • Workflow permissions — added least-privilege permissions: contents: read blocks to 2 workflows that previously inherited the write-all default: validate-skills.yml, notify-intent.yml.
  • persist-credentials: false — added to 5 actions/checkout invocations in PR/scheduled jobs that do not push back: pr.yml (3 jobs), e2e-opportunistic-matrix.yml, notify-intent.yml, validate-skills.yml. NOT added to release.yml (release job pushes version updates back) or check-skills.yml (opens PR with gh).
  • Job timeout-minutes: — added to every job that lacked one: 15 min (general), 30 min (unit tests), 45 min (E2E and release).
  • Concurrency cancel-in-progress: true — added to validate-skills.yml (PR-triggered). Existing concurrency on pr.yml, release.yml, e2e-opportunistic-matrix.yml left untouched.
  • Zizmor security analysis workflow — added new .github/workflows/zizmor.yml to lint workflows for security weaknesses on push to main and on every PR.

Findings deferred (need maintainer review)

  • release.yml has concurrency: cancel-in-progress: true — best-practice guidance is to avoid cancelling release/publish workflows mid-run (a cancelled changeset publish can leave inconsistent npm/git state). Left as-is because the change is judgmental and could affect existing release semantics; maintainers may want to switch to a queue (e.g. drop cancel-in-progress or set it to false).
  • tanstack/config/.github/setup@main floats on a branch — used by pr.yml, release.yml, e2e-opportunistic-matrix.yml. This is a TanStack-owned reusable composite action; per blitz policy, internal TanStack actions are left alone. Worth a future pass to pin to a tag/SHA.
  • Pre-existing Windows-only unit-test failures: packages/create has 2 tests (findFilesRecursively, should create an app - not silent) that fail on Windows because they compare hardcoded POSIX paths against path.resolve() output. Verified to fail on main without any of this PR's changes. Unrelated to CI hardening; flagged here for awareness.

pnpm bump

  • packageManager: pnpm@10.24.0 -> pnpm@11.1.1 (integrity hash written by corepack use pnpm@11.1.1).
  • pnpm install: succeeds.
  • onlyBuiltDependencies allowlist added with 3 entries: esbuild, nx, unrs-resolver. Rationale:
    • esbuild — native binary used by the build/test toolchain (vitest/tsx transitively).
    • nx — primary monorepo task runner used by pnpm build, pnpm test:unit, pnpm test:e2e.
    • unrs-resolver — native module resolver used by ESLint config / nx; install fails to wire correctly without its postinstall.
  • pnpm.overrides migration: moved 1 field (overrides, 7 workspace pin entries) from package.json to top-level pnpm-workspace.yaml. package.json pnpm block deleted (now empty). pnpm-workspace.yaml is the recommended location in pnpm 11 for workspace repos.
  • Workflow pnpm refs aligned: n/a — repo uses tanstack/config/.github/setup@main which derives pnpm from packageManager; no workflow pins to a pnpm version.

Validation

  • YAML parse: 8 files parsed cleanly (7 workflows + pnpm-workspace.yaml).
  • actionlint: not available in this environment.
  • zizmor: not available locally; will run automatically once this PR merges via the new zizmor.yml.
  • pnpm install: succeeds with no "Ignored build scripts" output.
  • pnpm build: succeeds (all 10 nx targets build).
  • pnpm test:unit: 2 pre-existing Windows-only failures (see deferred). All other 195 tests pass.
  • Spot-checked 3 pinned SHAs against the GitHub API.

What I did NOT change

  • No changes to CI behavior (test commands, schedules, deploy targets, matrix configs).
  • No wholesale workflow rewrites.
  • No auth/OIDC changes.
  • No .npmrc edits — pnpm 11 install was clean without warnings.
  • No changes to tanstack/config/.github/setup@main (internal reusable action).
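
The five workflow-hardening items listed in the description (SHA pinning, an explicit permissions block, persist-credentials: false on checkout, job timeout-minutes, a concurrency block) can be checked mechanically before a PR is opened. The following is an added example, not code from this PR or from TanStack: a stdlib-only Python script that scans a workflow file's raw text for those five items and reports findings, exercised against two constructed sample workflows (one weak, one hardened). The 40-character SHA and the version comments in the samples are placeholders, and the check is a coarse indentation-based heuristic, not a substitute for the zizmor or actionlint runs the PR relies on.

```python
"""Heuristic audit of a GitHub Actions workflow for five hardening items:
SHA-pinned actions, a top-level permissions block, persist-credentials: false
on checkout, job timeout-minutes, and a concurrency block. Stdlib only."""
import re

# Constructed sample inputs, not files from the TanStack repository.
# The 40-char SHA is a placeholder, not a real commit of any action.
PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"

WEAK = """\
name: validate-skills
on:
  pull_request:
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@SHA
      - run: pnpm install
""".replace("@SHA", "@" + PLACEHOLDER_SHA)

HARDENED = """\
name: validate-skills
on:
  pull_request:
permissions:
  contents: read
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
jobs:
  validate:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: Checkout
        uses: actions/checkout@SHA # vX.Y.Z (placeholder version comment)
        with:
          persist-credentials: false
      - uses: actions/setup-node@SHA # vX.Y.Z (placeholder version comment)
      - run: pnpm install
""".replace("@SHA", "@" + PLACEHOLDER_SHA)

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")
LIST_ITEM = re.compile(r"^\s*-\s")
MAP_KEY = re.compile(r"^(\s*)([A-Za-z_][\w-]*):\s*(#.*)?$")


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _block(lines, start, indent):
    """Lines after index `start` that are nested deeper than `indent`."""
    out = []
    for nxt in lines[start + 1:]:
        if nxt.strip() and _indent(nxt) <= indent:
            break
        out.append(nxt)
    return out


def audit_workflow(text):
    """Return a sorted list of human-readable findings for one workflow."""
    lines = text.splitlines()
    findings = []
    # Rules 1 and 2: keys at column 0 are the document root.
    top_keys = {l.split(":")[0] for l in lines
                if l and not l[0].isspace() and ":" in l and not l.startswith("#")}
    if "permissions" not in top_keys:
        findings.append("workflow: no top-level permissions block (token inherits repository default scopes)")
    if "concurrency" not in top_keys:
        findings.append("workflow: no concurrency block (superseded runs keep running)")
    # Rules 3 and 4: walk every `uses:` reference; remember the enclosing step's indent.
    item_indent = None
    for i, line in enumerate(lines):
        if LIST_ITEM.match(line):
            item_indent = _indent(line)
        m = USES.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local composite actions and images are not pinned by SHA
        action, _, version = ref.partition("@")
        if not SHA40.match(version):
            findings.append(f"line {i + 1}: {action} uses floating ref '{version}', pin to a 40-char SHA")
        elif "#" not in line[m.end():]:
            findings.append(f"line {i + 1}: {action} SHA pin lacks a version comment")
        if action == "actions/checkout":
            step = _block(lines, i, item_indent if item_indent is not None else _indent(line))
            if not any(re.match(r"\s*persist-credentials:\s*false\b", s) for s in step):
                findings.append(f"line {i + 1}: actions/checkout without persist-credentials: false")
    # Rule 5: each job needs timeout-minutes (GitHub's default is 360 minutes).
    jobs_at = next((i for i, l in enumerate(lines) if l.startswith("jobs:")), None)
    if jobs_at is None:
        findings.append("workflow: no jobs: section found")
        return sorted(findings)
    job_indent = None
    for i in range(jobs_at + 1, len(lines)):
        line = lines[i]
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            break  # back at the document root
        if job_indent is None:
            job_indent = _indent(line)
        km = MAP_KEY.match(line)
        if not km or len(km.group(1)) != job_indent:
            continue
        body = [b for b in _block(lines, i, job_indent) if b.strip()]
        if not body:
            continue
        child = min(_indent(b) for b in body)
        keys = {b.strip().split(":")[0] for b in body if _indent(b) == child}
        if "uses" in keys:
            continue  # reusable-workflow call: timeout-minutes is not valid there
        if "timeout-minutes" not in keys:
            findings.append(f"job {km.group(2)}: no timeout-minutes (default is 360 minutes)")
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        result = audit_workflow(text)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run against the weak sample it reports six findings, one per missing item (two for the unpinned checkout step: the floating tag and the missing persist-credentials: false); against the hardened sample it reports none. The concurrency rule is deliberately a plain present-or-absent check: as the deferred findings above note, whether cancel-in-progress is appropriate on a release workflow is a judgment call, so a linter should flag the absence and leave the value to the maintainers.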

@AlemTuzlak
Author

Closing in favor of a fresh PR — the original branch picked up a duplicate zizmor workflow already covered by #450. Will re-open with corrected scope (SHA pin / permissions / persist-creds / timeouts / concurrency + pnpm@11.1.1 only).

AlemTuzlak closed this May 13, 2026
AlemTuzlak deleted the chore/cicd-hardening-pnpm-bump branch May 13, 2026 09:51