feat(external-tools): SRI integrity migration + pnpm 11.0.6 + Node 26

Three coordinated changes that ship together because they cross the
same data:

1. **Schema migration**: every `sha256` field in external-tools.json
   becomes `integrity` carrying a Subresource Integrity string
   (`<algo>-<base64>`). Same encoding as npm's package-lock.json,
   same encoding upstream registries publish, generalizes to sha384
   and sha512 without schema churn. install-tool.mjs parses the
   algorithm from the SRI prefix and runs the matching createHash().
   Bare 64-char hex is still accepted for backward compat (deprecated
   path, will be removed once all consumer call sites are migrated).

2. **pnpm 11.0.6 bump** with darwin-x64 split-path: 7 platforms get
   their new sha256-base64 SRIs from the GitHub release artifacts.
   darwin-x64 takes a different shape — the upstream pnpm SEA binary
   was dropped in 11.0.5 (nodejs/node#62893: LIEF/Mach-O bug Node has
   declined to fix), so Intel Mac instead pulls the npm-registry JS
   tarball and runs it through the system Node. Adds new fields
   `source: "npm-registry"` + `binary: "package/dist/pnpm.cjs"` and a
   sha512 SRI from `npm view pnpm@11.0.6 dist.integrity`. The setup
   action's pnpm install step branches on `source` to pick the
   download URL and (for npm-registry) write a `node` wrapper at
   $PNPM_DIR/pnpm.

3. **Node default 25.9.0 → 26.0.0** in setup + setup-and-install
   composite actions, matching the upstream Node 26.0.0 GA.

The migration is fleet-wide; consumers reading external-tools.json
need to switch from `.sha256` to `.integrity` JSON paths in the same
PR window. Drift watch (template/CLAUDE.md) applies.

Author: jdalton

.github/actions/checkout/action.yml

@@ -86,15 +86,15 @@ runs:
           echo "SOCKET_TOOL_ZIZMOR_AVAILABLE=false" >> "${GITHUB_ENV:-/dev/null}"
           exit 0
         fi
-        EXPECTED_SHA256="$(node "$JQ" "$TOOLS_FILE" zizmor checksums "$PLATFORM" sha256)"
+        INTEGRITY="$(node "$JQ" "$TOOLS_FILE" zizmor checksums "$PLATFORM" integrity)"
         ZIZMOR_BIN="$ZIZMOR_DIR/zizmor"
         [[ "$ASSET" == *.zip ]] && ZIZMOR_BIN="$ZIZMOR_DIR/zizmor.exe"
-        # Shared installer: fetches, verifies sha256, extracts, chmods.
+        # Shared installer: fetches, integrity-verifies (SRI), extracts.
         INSTALL_TOOL="${GITHUB_ACTION_PATH}/../lib/install-tool.mjs"
         if [ ! -x "$ZIZMOR_BIN" ]; then
           node "$INSTALL_TOOL" \
             "https://github.com/zizmorcore/zizmor/releases/download/v${ZIZMOR_VERSION}/${ASSET}" \
-            "$EXPECTED_SHA256" \
+            "$INTEGRITY" \
             "$ZIZMOR_DIR"
         fi
         echo "$ZIZMOR_DIR" >> "${GITHUB_PATH:-/dev/null}"
@@ -106,7 +106,7 @@ runs:
           echo "SOCKET_TOOL_ZIZMOR_VERSION=$ZIZMOR_VERSION"
           echo "SOCKET_TOOL_ZIZMOR_PLATFORM=$PLATFORM"
           echo "SOCKET_TOOL_ZIZMOR_ASSET=$ASSET"
-          echo "SOCKET_TOOL_ZIZMOR_SHA256=$EXPECTED_SHA256"
+          echo "SOCKET_TOOL_ZIZMOR_INTEGRITY=$INTEGRITY"
           echo "SOCKET_TOOL_ZIZMOR_BIN=$ZIZMOR_BIN"
           echo "SOCKET_TOOL_ZIZMOR_DIR=$ZIZMOR_DIR"
         } >> "${GITHUB_ENV:-/dev/null}"

.github/actions/lib/install-tool.mjs

@@ -1,18 +1,28 @@
 /**
- * @fileoverview Downloads, sha256-verifies, and extracts a release asset.
+ * @fileoverview Downloads, integrity-verifies, and extracts a release asset.
  *
  * Replaces the curl + sha256sum/shasum + tar/unzip dance repeated
  * across pnpm/sfw/zizmor install steps. Built-in `fetch` follows
  * redirects automatically (github.com → objects.githubusercontent.com),
- * `node:crypto.createHash` computes sha256 in-process, and tar/unzip
+ * `node:crypto.createHash` computes the digest in-process, and tar/unzip
  * shell out (already preinstalled on every supported runner image).
  *
  * Usage:
- *   node .github/actions/lib/install-tool.mjs <url> <expected-sha256> <dest-dir> [<bin-name>]
+ *   node install-tool.mjs <url> <integrity> <dest-dir> [<bin-name>]
+ *
+ *   <integrity> is a Subresource Integrity string: `<algo>-<base64>`.
+ *   Examples: `sha256-67PM...=`, `sha512-l/kG...==`. The algorithm is
+ *   parsed from the prefix; multiple algos are supported (sha256, sha384,
+ *   sha512). Same encoding as npm package-lock.json's `integrity` field
+ *   and as `external-tools.json`'s `integrity` field.
+ *
+ *   Backward compat: a bare 64-char hex string is also accepted and
+ *   treated as `sha256-<base64-of-hex>` for transition. Deprecated; new
+ *   call sites should pass SRI directly.
  *
  * Behavior:
  *   - Streams the asset to <dest-dir>/<basename(url)>.
- *   - Aborts and removes the file if sha256 mismatches.
+ *   - Aborts and removes the file if integrity mismatches.
  *   - Extracts .tar.gz/.tgz with tar, .zip with unzip (POSIX) or
  *     Expand-Archive (Windows). Removes the archive after extracting.
  *   - For non-archive assets (bare binaries like sfw): the asset IS
@@ -21,21 +31,46 @@
  * Exit codes:
  *   0  success
  *   1  download or extraction failed
- *   2  sha256 mismatch (stderr names expected vs actual + the path)
+ *   2  integrity mismatch (stderr names expected vs actual + the path)
  */
 
 import { spawnSync } from 'node:child_process'
 import { createHash } from 'node:crypto'
 import { chmodSync, mkdirSync, renameSync, rmSync, writeFileSync } from 'node:fs'
 import path from 'node:path'
 
-const [, , url, expectedSha256, destDir, binName] = process.argv
+const [, , url, integrityArg, destDir, binName] = process.argv
+
+if (!url || !integrityArg || !destDir) {
+  console.error(
+    '× usage: install-tool.mjs <url> <integrity> <dest-dir> [<bin-name>]',
+  )
+  process.exit(1)
+}
 
-if (!url || !expectedSha256 || !destDir) {
-  console.error('× usage: install-tool.mjs <url> <expected-sha256> <dest-dir> [<bin-name>]')
+// Parse SRI string `<algo>-<base64>`. Bare 64-char hex is treated as
+// sha256 for backward compat — deprecated, will be removed once all
+// call sites pass SRI directly.
+function parseIntegrity(s) {
+  const m = /^(sha(?:256|384|512))-(.+)$/.exec(s)
+  if (m) {
+    return { algo: m[1], expected: m[2] }
+  }
+  if (/^[0-9a-f]{64}$/i.test(s)) {
+    // Bare sha256 hex — convert to SRI base64 for the comparison.
+    return {
+      algo: 'sha256',
+      expected: Buffer.from(s, 'hex').toString('base64'),
+    }
+  }
+  console.error(
+    `× unrecognized integrity format: ${s}\n  Expected SRI (e.g. sha256-base64=)`,
+  )
   process.exit(1)
 }
 
+const { algo, expected } = parseIntegrity(integrityArg)
+
 mkdirSync(destDir, { recursive: true })
 
 const assetName = path.basename(new URL(url).pathname)
@@ -52,17 +87,23 @@ if (process.env.GITHUB_TOKEN) {
 
 const res = await fetch(url, { redirect: 'follow', headers })
 if (!res.ok) {
-  console.error(`× download failed: HTTP ${res.status} ${res.statusText} for ${url}`)
+  console.error(
+    `× download failed: HTTP ${res.status} ${res.statusText} for ${url}`,
+  )
   process.exit(1)
 }
 
 const bytes = new Uint8Array(await res.arrayBuffer())
-const actualSha256 = createHash('sha256').update(bytes).digest('hex')
+const actual = createHash(algo).update(bytes).digest('base64')
 
-if (actualSha256 !== expectedSha256) {
-  console.error(`× sha256 mismatch for ${assetName}`)
-  console.error(`  Expected: ${expectedSha256}`)
-  console.error(`  Actual:   ${actualSha256}`)
+// Compare base64 forms directly. Trailing `=` padding may differ
+// (npm strips it, our hash adds it) — strip both sides before
+// comparing so `sha512-...=` and `sha512-...` match.
+const stripPadding = b64 => b64.replace(/=+$/, '')
+if (stripPadding(actual) !== stripPadding(expected)) {
+  console.error(`× ${algo} integrity mismatch for ${assetName}`)
+  console.error(`  Expected: ${algo}-${expected}`)
+  console.error(`  Actual:   ${algo}-${actual}`)
   console.error(`  URL:      ${url}`)
   process.exit(2)
 }
@@ -72,7 +113,10 @@ writeFileSync(archivePath, bytes)
 const lower = assetName.toLowerCase()
 let extractCmd
 let extractArgs
-if (lower.endsWith('.tar.gz') || lower.endsWith('.tgz')) {
+if (
+  lower.endsWith('.tar.gz') ||
+  lower.endsWith('.tgz')
+) {
   extractCmd = 'tar'
   extractArgs = ['xzf', archivePath, '-C', destDir]
 } else if (lower.endsWith('.zip')) {

.github/actions/setup-and-install/action.yml

@@ -28,7 +28,7 @@ inputs:
   node-version:
     description: 'Node.js version to use'
     required: false
-    default: '25.9.0'
+    default: '26.0.0'
   scope:
     description: 'npm registry scope for package authentication'
     required: false

.github/actions/setup/action.yml

@@ -13,7 +13,7 @@ inputs:
   node-version:
     description: 'Node.js version'
     required: false
-    default: '25.9.0'
+    default: '26.0.0'
   scope:
     description: 'npm registry scope for package authentication'
     required: false
@@ -81,16 +81,37 @@ runs:
         PLATFORM_TOOL="${GITHUB_ACTION_PATH}/../lib/platform.mjs"
         PLATFORM="$(node "$PLATFORM_TOOL")"
         ASSET="$(node "$JQ" "$TOOLS_FILE" pnpm checksums "$PLATFORM" asset)"
-        EXPECTED_SHA256="$(node "$JQ" "$TOOLS_FILE" pnpm checksums "$PLATFORM" sha256)"
+        INTEGRITY="$(node "$JQ" "$TOOLS_FILE" pnpm checksums "$PLATFORM" integrity)"
+        # Optional `source` field. When set to `npm-registry`, the asset
+        # is a JS-only npm tarball (e.g. pnpm-11.0.6.tgz) — runs through
+        # the system Node instead of being a SEA binary. Currently used
+        # only for darwin-x64 because upstream pnpm dropped the SEA
+        # binary in 11.0.5 due to nodejs/node#62893.
+        SOURCE="$(node "$JQ" "$TOOLS_FILE" pnpm checksums "$PLATFORM" source 2>/dev/null || echo "")"
+        BINARY_REL="$(node "$JQ" "$TOOLS_FILE" pnpm checksums "$PLATFORM" binary 2>/dev/null || echo "")"
         PNPM_BIN="$PNPM_DIR/pnpm"
         [[ "$ASSET" == *.zip ]] && PNPM_BIN="$PNPM_DIR/pnpm.exe"
-        # Shared installer: fetches, verifies sha256, extracts, chmods.
+        # Shared installer: fetches, integrity-verifies (SRI), extracts.
         INSTALL_TOOL="${GITHUB_ACTION_PATH}/../lib/install-tool.mjs"
         if [ ! -x "$PNPM_BIN" ]; then
-          node "$INSTALL_TOOL" \
-            "https://github.com/pnpm/pnpm/releases/download/v${PNPM_VERSION}/${ASSET}" \
-            "$EXPECTED_SHA256" \
-            "$PNPM_DIR"
+          if [ "$SOURCE" = "npm-registry" ]; then
+            URL="https://registry.npmjs.org/pnpm/-/${ASSET}"
+          else
+            URL="https://github.com/pnpm/pnpm/releases/download/v${PNPM_VERSION}/${ASSET}"
+          fi
+          node "$INSTALL_TOOL" "$URL" "$INTEGRITY" "$PNPM_DIR"
+        fi
+        # If the platform uses the npm-registry shape, the extracted
+        # tarball is a JS package — no native binary. Write a wrapper
+        # that runs it through the system Node.
+        if [ "$SOURCE" = "npm-registry" ]; then
+          BINARY_PATH="$PNPM_DIR/$BINARY_REL"
+          if [ ! -f "$BINARY_PATH" ]; then
+            echo "× pnpm npm-registry tarball missing $BINARY_REL after extract" >&2
+            exit 1
+          fi
+          printf '#!/bin/bash\nexec node "%s" "$@"\n' "$BINARY_PATH" > "$PNPM_BIN"
+          chmod +x "$PNPM_BIN"
         fi
         echo "$PNPM_DIR" >> "${GITHUB_PATH:-/dev/null}"
         # Export canonical pnpm provenance for downstream steps and
@@ -101,7 +122,7 @@ runs:
           echo "SOCKET_TOOL_PNPM_VERSION=$PNPM_VERSION"
           echo "SOCKET_TOOL_PNPM_PLATFORM=$PLATFORM"
           echo "SOCKET_TOOL_PNPM_ASSET=$ASSET"
-          echo "SOCKET_TOOL_PNPM_SHA256=$EXPECTED_SHA256"
+          echo "SOCKET_TOOL_PNPM_INTEGRITY=$INTEGRITY"
           echo "SOCKET_TOOL_PNPM_BIN=$PNPM_BIN"
           echo "SOCKET_TOOL_PNPM_DIR=$PNPM_DIR"
         } >> "${GITHUB_ENV:-/dev/null}"
@@ -132,12 +153,12 @@ runs:
         SOCKET_API_KEY: ${{ inputs.socket-api-key }}
       run: | # zizmor: ignore[github-env]
         set -euo pipefail
-        # SFW (Socket Firewall) version + per-platform asset/sha256
+        # SFW (Socket Firewall) version + per-platform asset/integrity
         # live in external-tools.json under sfw.<flavor>.checksums.
         # Bumping a tool requires updating the version AND every
-        # platform's sha256 there in the same commit. The lib/ scripts
-        # below resolve platform → asset → URL → install at the
-        # currently-detected runner.
+        # platform's integrity (SRI string) there in the same commit.
+        # The lib/ scripts below resolve platform → asset → URL →
+        # install at the currently-detected runner.
         TOOLS_FILE="${GITHUB_ACTION_PATH}/../../../external-tools.json"
         JQ="${GITHUB_ACTION_PATH}/../lib/jq.mjs"
         PLATFORM_TOOL="${GITHUB_ACTION_PATH}/../lib/platform.mjs"
@@ -163,7 +184,7 @@ runs:
           echo "  win-arm64 has no upstream binary — skip SFW-dependent steps on that runner or wait for upstream support." >&2
           exit 1
         fi
-        EXPECTED_SHA256="$(node "$JQ" "$TOOLS_FILE" sfw "$SFW_FLAVOR" checksums "$PLATFORM" sha256)"
+        INTEGRITY="$(node "$JQ" "$TOOLS_FILE" sfw "$SFW_FLAVOR" checksums "$PLATFORM" integrity)"
         SFW_BIN_NAME="$(node "$JQ" "$TOOLS_FILE" sfw "$SFW_FLAVOR" binaryName)"
         if [[ "$ASSET" == *.exe ]]; then
           SFW_BIN_NAME="${SFW_BIN_NAME}.exe"
@@ -173,7 +194,7 @@ runs:
         if [ ! -x "$SFW_BIN" ]; then
           node "$INSTALL_TOOL" \
             "https://github.com/${SFW_REPO}/releases/download/v${SFW_VERSION}/${ASSET}" \
-            "$EXPECTED_SHA256" \
+            "$INTEGRITY" \
             "$SFW_DIR" \
             "$SFW_BIN_NAME"
         fi
@@ -192,7 +213,7 @@ runs:
           echo "SOCKET_TOOL_SFW_VERSION=$SFW_VERSION"
           echo "SOCKET_TOOL_SFW_PLATFORM=$PLATFORM"
           echo "SOCKET_TOOL_SFW_ASSET=$ASSET"
-          echo "SOCKET_TOOL_SFW_SHA256=$EXPECTED_SHA256"
+          echo "SOCKET_TOOL_SFW_INTEGRITY=$INTEGRITY"
         } >> "${GITHUB_ENV:-/dev/null}"
 
     - name: Create sfw shims