Improve supply chain configuration

Update CI and publish workflows to use Node 26, npm ci, and pinned GitHub Actions SHAs. Add npm min-release-age configuration and refresh the lockfile after npm install/audit fix.\n\nCo-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: dgreif

.github/workflows/publish.yml

@@ -11,10 +11,10 @@ jobs:
       contents: read
       id-token: write
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e
         with:
-          node-version: 24
+          node-version: 26
           registry-url: https://registry.npmjs.org/
           cache: npm
       - run: npm ci
@@ -31,10 +31,10 @@ jobs:
       packages: write
       id-token: write
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v5
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e
         with:
-          node-version: 24
+          node-version: 26
           registry-url: https://npm.pkg.github.com
           cache: npm
       - run: npm ci

.github/workflows/test.yml

@@ -1,18 +1,23 @@
 name: Node CI
 
+permissions:
+  contents: read
+
 on: [push]
 
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
-    - name: Use Node.js 24.x
-      uses: actions/setup-node@v5
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
+    - name: Use Node.js 26.x
+      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e
       with:
-        node-version: 24.x
-    - name: npm install, build, and test
+        node-version: 26.x
+        cache: npm
+    - name: npm ci and test
       run: |
-        npm it
+        npm ci
+        npm test
       env:
         CI: true

.npmrc

@@ -0,0 +1 @@
+min-release-age=3