
ci: replace node-build with build+deploy workflow (PR validation, corepack, frozen lockfile)#26

Merged: CMonnin merged 2 commits into main from chore/ci-workflow on May 12, 2026

CMonnin (Member) commented May 12, 2026

Summary

Replaces `node-build.yml` with a single `ci.yml` that splits build and deploy into separate jobs.

What changes

| Concern | Before | After |
| --- | --- | --- |
| PR validation | none | build runs on every PR |
| pnpm version | `npm install -g pnpm` (latest) | corepack honours the `packageManager` pin |
| Lockfile drift | silently rewritten | `--frozen-lockfile` fails CI if out of sync |
| Deploy safety | runs on any push to main | gated to main + non-PR explicitly |
| Concurrency | global `pages` group | per-ref group, won't cancel main runs from PR runs |
| pnpm cache | n/a | intentionally not enabled — see commit message and TanStack incident |

Notes for reviewers

  • The new workflow's first run is on this PR (because the trigger now includes `pull_request`). The build job validates the merged-main lockfile + pnpm pin actually work in CI.
  • After merge, the next push to main will redeploy via the new workflow.
  • `VITE_BASE` is interpolated from `github.event.repository.name` so the same workflow works unchanged across all task repos.
  • No pnpm cache: ~30s slower per run, but removes the cache-poisoning attack surface highlighted by https://tanstack.com/blog/incident-followup.

Test plan

CMonnin added 2 commits May 12, 2026 16:07
- Runs build on every PR (currently the workflow only runs on push to main)
- corepack honours the packageManager pnpm pin (current CI globally installs latest pnpm)
- pnpm install --frozen-lockfile catches lockfile drift
- Deploy step gated to main only, so PRs can never deploy
- pnpm store caching via setup-node

Removes `cache: pnpm` from setup-node. The pnpm cache was the
vehicle in the @tanstack/* supply-chain incident
(https://tanstack.com/blog/incident-followup); for a small static-
site repo the ~30s install cost is worth the simpler threat model.
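
A workflow with the properties listed in the description and commit messages above could look like the following. This is an added sketch, not the repository's `ci.yml`. Assumptions: GitHub Pages as the deploy target, the action version tags, the Node version, the `pnpm build` script, the `dist` output directory, the `/<repo>/` shape of `VITE_BASE`, and the `cancel-in-progress` setting.

```yaml
# Illustrative sketch only; names and versions marked "assumed" are not from the PR.
name: ci
on:
  pull_request:                        # build validates every PR
  push:
    branches: [main]

permissions:
  contents: read                       # least privilege by default; deploy widens it below

concurrency:
  group: ci-${{ github.ref }}          # per-ref group: a PR run cannot cancel a main run
  cancel-in-progress: true             # assumed

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4      # assumed version tag
      - uses: actions/setup-node@v4    # assumed version tag
        with:
          node-version: 22             # assumed; deliberately no `cache: pnpm`
      - run: corepack enable           # pnpm version comes from the packageManager pin
      - run: pnpm install --frozen-lockfile   # fail on lockfile drift instead of rewriting
      - run: pnpm build                # assumed script name
        env:
          VITE_BASE: /${{ github.event.repository.name }}/   # assumed path shape
      - if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        uses: actions/upload-pages-artifact@v3
        with:
          path: dist                   # assumed build output directory

  deploy:
    needs: build
    # Explicit gate: only a push to main deploys, never a pull_request run.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    permissions:                       # write scopes exist only in this job
      pages: write
      id-token: write
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    steps:
      - id: deployment
        uses: actions/deploy-pages@v4  # assumed version tag
```

Because the write permissions live only in the gated `deploy` job, the `build` job that runs on pull requests holds a read-only token.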
coderabbitai Bot commented May 12, 2026

Warning

Rate limit exceeded

@CMonnin has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 18 minutes and 29 seconds before requesting another review.

📥 Commits

Reviewing files that changed from the base of the PR and between 7db0290 and 0a530af.

📒 Files selected for processing (2)
  • .github/workflows/ci.yml
  • .github/workflows/node-build.yml

@CMonnin CMonnin merged commit f20e47b into main May 12, 2026
3 checks passed