chore(security): harden supply chain and CI workflows

[mandarini]

Supply chain hardening prompted by the TanStack/router compromise on 2026-05-11 (TanStack/router#7383).

What changed

Pnpm config (pnpm-workspace.yaml)

• minimumReleaseAge: 10080 (7-day quarantine on new dep versions)
• minimumReleaseAgeExclude: ['@supabase/*'] (internal packages bypass the quarantine)
• blockExoticSubdeps: true (refuse github: / git+ / file: transitive deps, the exact vector TanStack hit)
• allowBuilds (explicit per-package postinstall allowlist: simple-git-hooks: true, esbuild: false)

Pnpm version pinning

• Added packageManager field in package.json with sha512 integrity hash (pnpm@11.0.8)
• Bumped pnpm/action-setup v5.0.0 -> v6.0.5 (SHA-pinned), now reads version from packageManager
• Fixes local-vs-CI drift (was 10.28.0 in CI, 11.x local)

Workflow hardening

• persist-credentials: false on every actions/checkout
• pnpm install --frozen-lockfile in ci.yml (was unpinned)
• Pinned floating CLI refs: pkg-pr-new@0.0.71, jsr@0.14.3
• Enabled npm publish --provenance

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/@supabase/server@61

commit: 69c6add