ci(adcp-sdk): pin @adcp/sdk to 7.9.0 (last known-green), salt cache key (closes #779 Track B)

[bokelley]

Re-opened of #780 (close+reopen failed via API). See #780 for full body. Pinning to 7.9.0; vendoring step from #775 preserved.

TL;DR

• ADCP_SDK_VERSION=7.9.0 pinned at workflow header
• All 4 @adcp/sdk@latest sites use the pin
• All 4 cache keys salted with ${{ env.ADCP_SDK_VERSION }}
• Fixture-vendoring from feat(signing): key_origins check + brand.json chain error codes (#350 stage 4) #775 preserved (idempotent)

Refs

• Was: ci(adcp-sdk): pin @adcp/sdk to 7.9.0 (last known-green), salt cache key (closes #779 Track B) #780 (closed, couldn't reopen)
• Tracks: chore(ci): freeze reference seller fixture for cross-SDK interop per adcp#4907 Phase 1 #779 Track B, adcp#4907
• Companion: adcp-client#1916
• Follow-up to bump example to 7.10.x: feat(examples): update seller_agent.py to handle @adcp/sdk@7.10.x storyboard scenarios #782

[aao-ipr-bot]

LGTM after the duplicated fixture-vendoring block at the storyboard install step comes out. Pin + salted cache key is the right shape — the floating-@latest cache-poisoning footgun is closed cleanly.

Things I checked

• Pin mechanism: env: ADCP_SDK_VERSION: "7.9.0" at workflow top (ci.yml:9-12), shell-expanded as @adcp/sdk@${ADCP_SDK_VERSION} in the 4 run: blocks. Workflow env: exports into step shells; value has no whitespace or shell metachars, so unquoted expansion is safe.
• Cache key salting: all 4 actions/cache@v4 keys end in -${{ env.ADCP_SDK_VERSION }} (~lines 399, 555, 781, 889). restore-keys: ${{ runner.os }}-npm- fallback preserved so the first post-bump run still warms from prior tarballs.
• The other 3 install sites (~lines 570, 786, 894) are clean — single set of vendoring lines, no duplication. Storyboard job is the only one with the doubled block.
• code-reviewer Major and dx-expert Major both land on the same ci.yml:413-417 duplicate, with no other correctness flags.

Follow-ups (Major — fix in this PR before merge)

• ci.yml:413-417: duplicated fixture-vendoring block in the storyboard install step. Five lines (SDK_ROOT=..., two mkdir -p/cp pairs) re-run verbatim after lines 408-412. Idempotent — same source bytes, same dest path — so CI doesn't fail, but it's debris from the #780 → #784 rebase and the other 3 install sites prove the right shape is a single block. Delete L413-417. This is what would flip the review to --approve.

Minor nits (non-blocking)

1. Commit cddde254 message says "pin @adcp/sdk to 7.10.1" but the file pins 7.9.0. Stale text from before the rollback; the follow-up commit 6456aee2 is honest about being a 7.9.0 retrigger. A later bisector hunting "when did we pin to 7.10.1" will land on a commit that doesn't. Squash-merge papers over it; otherwise worth amending.
2. Bump-instructions discoverability (ci.yml:9-12). Header comment is good. One added line — "to bump, edit this value and open a PR; cache invalidates automatically" — would close the loop for the next person who skims the workflow without reading the commit body.

Drop L413-417 and I'll approve.