Fix publish-without-sfw: move shim dir on disk instead of PATH env override

GITHUB_PATH entries always take precedence over GITHUB_ENV PATH overrides
(actions/toolkit#655), so the previous approach of writing a cleaned PATH
to GITHUB_ENV was ineffective — the shim directory was always re-prepended.

Instead, rename the shim directory to .disabled to remove shims from PATH
resolution, and restore it afterward.

Author: cursoragent

.github/workflows/provenance.yml

@@ -190,12 +190,10 @@ jobs:
 
       - name: Strip sfw shims for publishing
         if: inputs.publish-without-sfw == true
-        run: | # zizmor: ignore[github-env]
+        run: |
           echo "Bypassing Socket firewall shims for publishing"
-          echo "SFW_ORIGINAL_PATH=$PATH" >> "${GITHUB_ENV:-/dev/null}"
-          if [ -n "$SFW_SHIM_DIR" ]; then
-            CLEAN_PATH="$(echo "$PATH" | tr ':' '\n' | grep -vxF "$SFW_SHIM_DIR" | paste -sd: -)"
-            echo "PATH=$CLEAN_PATH" >> "${GITHUB_ENV:-/dev/null}"
+          if [ -n "$SFW_SHIM_DIR" ] && [ -d "$SFW_SHIM_DIR" ]; then
+            mv "$SFW_SHIM_DIR" "${SFW_SHIM_DIR}.disabled"
           fi
 
       - run: INLINED_SOCKET_CLI_PUBLISHED_BUILD=1 pnpm run build:dist
@@ -225,7 +223,7 @@ jobs:
           SOCKET_CLI_DEBUG: ${{ inputs.debug }}
       - name: Restore sfw shims after publishing
         if: inputs.publish-without-sfw == true && always()
-        run: | # zizmor: ignore[github-env]
-          if [ -n "$SFW_ORIGINAL_PATH" ]; then
-            echo "PATH=$SFW_ORIGINAL_PATH" >> "${GITHUB_ENV:-/dev/null}"
+        run: |
+          if [ -n "$SFW_SHIM_DIR" ] && [ -d "${SFW_SHIM_DIR}.disabled" ]; then
+            mv "${SFW_SHIM_DIR}.disabled" "$SFW_SHIM_DIR"
           fi