fix(ci): align vibecoder workflows with npm and current trivy action

[Nadav011]

Fixes current-head CI/security failures by switching the workflows to the repo's actual npm lockfile model and pinning the Trivy action to the current safe revision.

[coderabbitai]

Warning

Rate limit exceeded

@Nadav011 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 13 minutes and 37 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 13 minutes and 37 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4aff68b6-f304-4a1e-9dbc-e1f69f9b997b

📥 Commits

Reviewing files that changed from the base of the PR and between 553aff9 and 7615e40.

📒 Files selected for processing (3)

• .github/workflows/ci.yml
• .github/workflows/security.yml
• .github/workflows/trivy-autofix.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/npm-lock-and-trivy

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[Copilot]

Pull request overview

Updates CI/security workflows to match the repository’s npm + package-lock.json setup and to harden Trivy action usage.

Changes:

• Switch CI install/lint/typecheck steps from pnpm to npm (npm ci, npm run ...).
• Pin aquasecurity/trivy-action to an immutable commit SHA (annotated as v0.35.0) across workflows.
• In Trivy auto-fix workflow, regenerate package-lock.json after applying package.json overrides.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File	Description
.github/workflows/trivy-autofix.yml	Pins Trivy action; removes pnpm enablement; adds npm install --package-lock-only after override patching.
.github/workflows/security.yml	Pins Trivy action to the same immutable SHA.
.github/workflows/ci.yml	Moves CI to npm commands and simplifies CI-gate dependencies; removes prior Node PATH setup.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

lint-typecheck runs npm ci/npm run ... on a self-hosted runner but the workflow no longer ensures Node.js is available (no actions/setup-node and no fnm PATH injection). Other workflows in this repo still add the fnm-managed Node v24.14.0 to $GITHUB_PATH, so this job may fail if Node isn’t already on PATH or if a different Node version is picked up. Consider adding back a Node setup step (either actions/setup-node pinned to the expected version or the same fnm PATH export used elsewhere) before npm ci.