[codex] Harden CI supply-chain workflows #280

Merged
macterra merged 3 commits into main from codex/harden-ci-supply-chain
Mar 31, 2026

Conversation

@macterra
Collaborator

Summary

  • pin GitHub Actions workflow dependencies to immutable commit SHAs
  • replace remaining npm install calls in CI with npm ci
  • add PR dependency review to catch risky dependency changes earlier
  • add a lockfile consistency check so package.json updates must carry the right lockfile changes

Why

This hardens Archon's CI and release workflows against supply-chain drift and mutable third-party references. It reduces the risk from compromised upstream actions, surprise dependency resolution changes, and PRs that modify manifests without updating their resolved lockfiles.

Validation

  • parsed all workflow YAML files successfully
  • verified there are no remaining tag-based uses: references in .github/workflows
  • verified there are no remaining npm install commands in .github/workflows
  • git diff --check
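The validation step above checks that no tag-based `uses:` references remain. As an added example, not code from this PR or from the Archon repository, here is a small POSIX sh lint that performs that check on a workflow directory: every third-party `uses:` reference must be pinned to a full 40-hex commit SHA, while local actions (`./path`) and `docker://` images are skipped. The sample workflows and the SHA in them are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the Archon PR: flags every `uses:` reference
# in a workflow directory that is not pinned to a full 40-hex commit SHA.
# Local actions (./path) and docker:// images are skipped, since they are
# not mutable third-party tag references.

# Print "<file>:<line> <ref>" for each unpinned third-party action in $1.
list_unpinned_uses() {
    for f in "$1"/*.yml "$1"/*.yaml; do
        [ -f "$f" ] || continue
        # Capture the ref after "uses:", dropping quotes and trailing comments.
        grep -n 'uses:' "$f" |
        sed -E "s/^([0-9]+):.*uses:[[:space:]]*[\"']?([^\"' #]+).*/\1 \2/" |
        while read -r line ref; do
            case "$ref" in ./*|docker://*) continue ;; esac
            # owner/repo[/subdir]@<40 hex chars> is the only accepted shape.
            printf '%s\n' "$ref" | grep -Eq '^[^@]+@[0-9a-f]{40}$' ||
                printf '%s:%s %s\n' "$f" "$line" "$ref"
        done
    done
}

# Exit 0 when every reference is pinned, 1 (with a report on stderr) otherwise.
check_pinned_actions() {
    unpinned=$(list_unpinned_uses "$1")
    [ -z "$unpinned" ] && return 0
    printf 'Unpinned action references:\n%s\n' "$unpinned" >&2
    return 1
}
# Constructed sample workflows (the SHA is a placeholder, not a real commit):
# $1/good is fully pinned, $1/bad carries two tag/branch references.
write_sample_workflows() {
    mkdir -p "$1/good" "$1/bad"
    cat > "$1/good/ci.yml" <<'EOF'
jobs:
  test:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: ./.github/actions/local-setup
      - uses: docker://example.invalid/image:1.0
EOF
    cat > "$1/bad/ci.yml" <<'EOF'
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - uses: "actions/setup-node@main"
EOF
}
```

Run `check_pinned_actions .github/workflows` in a CI step to fail the job when a tag or branch reference slips back in; `write_sample_workflows` only exists to exercise the lint on the constructed samples.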

Contributor

Copilot AI left a comment


Pull request overview

Hardens the repository’s CI/release pipelines against supply-chain drift by pinning third-party GitHub Actions to immutable commit SHAs, standardizing Node installs to npm ci, and adding automated PR checks for dependency risk and lockfile consistency.

Changes:

  • Pin all GitHub Actions uses: references in workflows to commit SHAs.
  • Replace remaining npm install calls in workflows with npm ci.
  • Add new PR workflows for dependency review and package/lockfile consistency enforcement.

Reviewed changes

Copilot reviewed 16 out of 16 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| AGENTS.md | Adds repo-specific workflow guidance for coding agents. |
| .github/workflows/unit-test.yml | Pins actions and switches dependency install to npm ci. |
| .github/workflows/release-publish.yml | Pins Docker/checkout/scanner actions used during release publishing. |
| .github/workflows/python-sdk-tests.yml | Pins checkout/setup-python/upload-artifact actions. |
| .github/workflows/npm-package-publish.yml | Pins checkout and setup-node for npm publish workflow. |
| .github/workflows/lockfile-consistency.yml | New PR check enforcing lockfile updates alongside package.json changes. |
| .github/workflows/e2e-test-report.yml | Pins test reporter action for E2E report workflow. |
| .github/workflows/docker-publish.yml | Pins Docker build/publish/scanner actions. |
| .github/workflows/docker-build.yml | Pins Docker build/scanner actions. |
| .github/workflows/docker-build-test.yml | Pins actions and standardizes install to npm ci for Docker E2E workflow. |
| .github/workflows/dependency-review.yml | New PR workflow running GitHub dependency review with severity gating. |
| .github/workflows/build-react-wallet-webapp.yml | Pins checkout/setup-node; keeps builds reproducible. |
| .github/workflows/build-explorer.yml | Pins actions and replaces installs with npm ci (root + explorer). |
| .github/workflows/build-browser-extension.yml | Pins actions and replaces installs with npm ci (root + extension). |
| .github/workflows/android-debug-build.yml | Pins actions (checkout/node/java/android/artifacts) for manual debug build. |
| .github/workflows/android-debug-build-release.yml | Pins actions for tag builds and release attachment flow. |


Comment thread .github/workflows/e2e-test-report.yml Outdated
Comment thread .github/workflows/lockfile-consistency.yml Outdated
Comment thread .github/workflows/dependency-review.yml Outdated
@macterra force-pushed the codex/harden-ci-supply-chain branch from 3379054 to eb5d359 on March 31, 2026 14:22
@macterra marked this pull request as ready for review on March 31, 2026 14:35
@macterra merged commit 12f0b34 into main on Mar 31, 2026
15 checks passed
@macterra deleted the codex/harden-ci-supply-chain branch on March 31, 2026 14:35