Stabilize CI workflows with lockfile parity and green-gated Dependabot auto-merge

[Copilot]

The failing workflow was caused by dependency/lockfile drift under pnpm install --frozen-lockfile and brittle CI post-scan behavior. This update aligns dependency resolution, hardens workflow execution paths, and enforces green-only Dependabot automation.

• CI failure root-cause remediation

  • Repaired workspace dependency parity so frozen installs are deterministic again.
  • Updated admin @types/node spec to match workspace lockfile expectations and removed manifest/lock mismatch.

• Security scan + SARIF upload hardening

  • Added an explicit SARIF readiness gate (file exists and non-empty) before upload.
  • Prevented false failure noise when Trivy output is absent.
  • Upgraded SARIF upload action path to CodeQL v4 and pinned to a commit SHA.

• Dependabot automation safety

  • Kept auto-approve/auto-merge limited to patch/minor updates.
  • Added required-check watch gate before merge activation (gh pr checks --required --watch).
  • Parameterized merge-check timeout in workflow env for easier tuning.

• Docs alignment

  • Refreshed dependency-health documentation to reflect current workflow behavior and real version baselines (including mixed Next/React baselines across packages).
  • Documented lockfile parity requirement for frozen-lockfile CI.

# .github/workflows/ci.yml
- name: Check Trivy SARIF output
  id: trivy_sarif
  if: always()
  run: |
    if [ -s trivy-results.sarif ]; then
      echo "ready=true" >> "$GITHUB_OUTPUT"
    else
      echo "ready=false" >> "$GITHUB_OUTPUT"
    fi

- name: Upload Trivy results
  if: (success() || failure()) && steps.trivy_sarif.outputs.ready == 'true'
  uses: github/codeql-action/upload-sarif@5e316336eb4f107009e477d4bfbfff13d7250fae # v4

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.