docs(readme): add lockfile=true to recommended NPM_CONFIG_FILE for pnpm 10 compat

CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog
 
+## v0.1.13 - 20/05/2026
+
+### Documentation
+- `README` — add `lockfile=true` to the recommended `NPM_CONFIG_FILE` template. Pnpm `< 11.0.0` interprets the preceding `package-lock=false` line as `lockfile=false`, disabling `pnpm-lock.yaml` reads and breaking `pnpm install --frozen-lockfile` in `javascript/base`. The new line re-enables pnpm's lockfile explicitly on pnpm 10.x and is harmless on pnpm `>= 11`, where `lockfile=true` is already the default and `package-lock` is scoped to npm's lockfile only.
+
 ## v0.1.12 - 20/05/2026
 
 ### Documentation

README.md

@@ -246,6 +246,7 @@ fund=false
 audit=false
 ignore-scripts=true
 package-lock=false
+lockfile=true
 prefer-online=true
 ```
 
@@ -257,6 +258,7 @@ prefer-online=true
 | `audit=false` | `osv-scanner` (in `security.yml`) covers vulnerability scans natively. |
 | `ignore-scripts=true` | Belt-and-suspenders against postinstall supply-chain attacks — backs up the `--ignore-scripts` flag already passed by `javascript/base` on every `pnpm install`. |
 | `package-lock=false` | Prevent `npm` from emitting a parasitic `package-lock.json` in pnpm repos. |
+| `lockfile=true` | Explicit `pnpm-lock.yaml` enablement. Required on pnpm `< 11.0.0` consumers, where the preceding `package-lock=false` is interpreted as `lockfile=false` and collides with `pnpm install --frozen-lockfile`. Pnpm `>= 11` already defaults to `true` and ignores `package-lock` for `pnpm-lock.yaml`, so the line is harmless there. |
 | `prefer-online=true` | Re-fetch dep metadata each install — local cache cannot mask a yanked or republished version. |
 
 </details>

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coroboros/ci",
-  "version": "0.1.12",
+  "version": "0.1.13",
   "private": true,
   "description": "Reusable GitHub Actions CI for the Coroboros stack.",
   "license": "SEE LICENSE IN LICENSE.md",