
ci: pin Node to exact patched versions via central env vars#1145

Open
BYK wants to merge 2 commits into
mainfrom
byk/ci/pin-node-versions

Conversation


@BYK BYK commented Jun 26, 2026

Member

Summary

Follow-up to d7175e2, which pinned only the skill-eval E2E job to 24.18.0. Every other actions/setup-node step still floated a bare major ("22"/"24") and would silently reuse the runner's pre-cached buggy patch (24.17.0 / 22.23.0).

Those patches shipped CVE-2026-48931's http.Agent fix, which added a data listener on idle agent sockets that makes keep-alive fetch reuse throw false ERR_STREAM_PREMATURE_CLOSE ("Premature close"). It's fixed in 24.18.0 and 22.23.1 (nodejs/node#64004, "http: avoid stream listeners on idle agent sockets").

What changed

Centralized the Node version into per-workflow env vars (NODE_VERSION_22 / NODE_VERSION_24) as a single source of truth, and pinned the exact patched releases everywhere:

| Workflow | Jobs touched | Version |
|---|---|---|
| ci.yml | all "22"/"24" setup-node steps (incl. build-binary, build-docs, test-e2e) + build-npm matrix | 22.23.1 / 24.18.0 |
| release.yml | release (publishes over HTTPS) | 22.23.1 |
| sentry-release.yml | finalize (installs + uploads over HTTPS) | 22.23.1 |
| docs-preview.yml | docs build | 24.18.0 |
| eval-skill-fork.yml | fork skill-eval job — added the missing setup-node step | 24.18.0 |

The build-npm matrix keeps bare-major labels (["22", "24"]) for the job name and the matrix.node == '22' artifact guard, mapping each label to its exact env-pinned version in the step.

build-binary is included in the ci.yml repin (its setup-node went from `"22"` to `${{ env.NODE_VERSION_22 }}`). It runs the binary build via pnpm tsx script/build.ts (esbuild + fossilize — pure Node, no Bun), so the pinned Node from setup-node is what drives it. (An earlier revision of this description incorrectly said build-binary was unaffected and used Bun — that was wrong on both counts.)

The fork skill-eval workflow (eval-skill-fork.yml) had set up pnpm but never ran setup-node at all, so pnpm install, generate:docs, and eval:skill ran on the runner's floating Node — the exact unpinned path this PR exists to close, and the one most likely to hit the ERR_STREAM_PREMATURE_CLOSE regression (the skill-eval planner talks to external APIs over keep-alive fetch). Added a workflow-level NODE_VERSION_24 and a pinned setup-node step mirroring the non-fork job.

Validation

  • actionlint passes with zero new findings vs main (pre-existing shellcheck style infos unchanged), including the updated eval-skill-fork.yml.
  • All five workflows parse as valid YAML.

Follow-up to d7175e2 (which pinned only the skill-eval E2E job). Every
other actions/setup-node step still floated a bare major ("22"/"24") and
would silently reuse the runner's pre-cached buggy patch (24.17.0 /
22.23.0). Those carry CVE-2026-48931's http.Agent fix, which added a
`data` listener on idle sockets that makes keep-alive fetch reuse throw
false ERR_STREAM_PREMATURE_CLOSE — fixed in 24.18.0 / 22.23.1
(nodejs/node#64004).

Centralize the versions as per-workflow env vars (NODE_VERSION_22 /
NODE_VERSION_24) so each file has a single source of truth, and pin the
exact patched releases:

- ci.yml: all 22/24 setup-node steps + the build-npm matrix (mapped from
  bare-major labels so the `matrix.node == '22'` artifact guard still works)
- release.yml, sentry-release.yml: 22.23.1 (publish/upload over HTTPS)
- docs-preview.yml: 24.18.0

Validated with actionlint (no new findings vs main).
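The PR body and commit message above describe the shape of the change but the page does not show the diff itself. The fragment below is an added example, not the PR's own ci.yml: it puts the floating setting next to the pinned one, keeps the bare-major matrix labels while mapping each to its exact env-pinned version inside the step, and adds a guard step that fails the job if the Node on PATH is not the pinned release (the situation the fork workflow was in, with no setup-node step at all, would fail this guard immediately). Job names, the pnpm/action-setup and upload-artifact steps, and the `dist/` path are hypothetical; the version numbers are the ones the PR pins.

```yaml
# Added example, not the PR's own workflow. Job and step names, the
# pnpm/action-setup and upload-artifact steps and the dist/ path are
# assumptions; the versions are the patched releases the PR pins.
name: ci

env:
  # Single source of truth for the workflow: exact patched releases.
  # A bare major ("22"/"24") lets setup-node satisfy the request with
  # whatever 22.x/24.x is already cached on the runner, e.g. the regressed
  # 22.23.0 / 24.17.0; an exact version cannot be satisfied that way.
  NODE_VERSION_22: "22.23.1"
  NODE_VERSION_24: "24.18.0"

jobs:
  build-docs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          # BEFORE (floating, what the repin removes):
          # node-version: "24"
          # AFTER (pinned to the central env var):
          node-version: ${{ env.NODE_VERSION_24 }}
      - name: Assert the pinned Node is the one on PATH
        # Catches a job that never ran setup-node (the eval-skill-fork.yml
        # case) or a cached runner toolchain that shadows the pinned one.
        run: |
          want="v${NODE_VERSION_24}"
          got="$(node --version)"
          if [ "$got" != "$want" ]; then
            echo "::error::expected Node $want on PATH, got $got"
            exit 1
          fi

  build-npm:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Bare-major labels stay: they name the job and drive the artifact
        # guard below. The env context is not available inside
        # strategy.matrix, so the mapping to an exact version happens in
        # the step expression instead.
        node: ["22", "24"]
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node == '22' && env.NODE_VERSION_22 || env.NODE_VERSION_24 }}
      - name: Assert the pinned Node is the one on PATH
        env:
          WANT: ${{ matrix.node == '22' && env.NODE_VERSION_22 || env.NODE_VERSION_24 }}
        run: |
          got="$(node --version)"
          [ "$got" = "v${WANT}" ] || { echo "::error::expected Node v${WANT}, got $got"; exit 1; }
      - run: pnpm install --frozen-lockfile
      - run: pnpm build
      - name: Upload the package once
        # The guard keys on the bare label, so it is unchanged by the repin.
        if: matrix.node == '22'
        uses: actions/upload-artifact@v4
        with:
          name: npm-package
          path: dist/
```

The guard step is the part worth keeping even after the regression is history: it turns "the pinned version is what drives the build" from an assumption about setup-node and runner caches into something the job verifies, so a future workflow that forgets the setup-node step fails loudly instead of silently running on the runner's floating Node.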
@github-actions github-actions Bot added the risk: medium PR risk score: medium label Jun 26, 2026

github-actions Bot commented Jun 26, 2026

Contributor
PR Preview Action v1.8.1


🚀 View preview at
https://cli.sentry.dev/_preview/pr-1145/

Built to branch gh-pages at 2026-06-26 14:13 UTC.
Preview will be ready when the GitHub Pages deployment is complete.


github-actions Bot commented Jun 26, 2026

Contributor

Codecov Results 📊

✅ Patch coverage is 100.00%. Project has 5115 uncovered lines.
❌ Project coverage is 81.52%. Comparing base (base) to head (head).

Coverage diff
@@            Coverage Diff             @@
##          main       #PR       +/-##
==========================================
- Coverage    81.53%    81.52%    -0.01%
==========================================
  Files          397       397         —
  Lines        27679     27679         —
  Branches     17966     17966         —
==========================================
+ Hits         22566     22564        -2
- Misses        5113      5115        +2
- Partials      1868      1868         —

Generated by Codecov Action

The eval-skill-fork.yml `eval` job set up pnpm but never ran
actions/setup-node, so pnpm install, generate:docs, and eval:skill all
ran on the runner's floating Node — the exact unpinned path this PR
exists to eliminate, and the one most likely to hit the false
ERR_STREAM_PREMATURE_CLOSE (the skill-eval planner talks to external
APIs over keep-alive fetch).

Add a workflow-level NODE_VERSION_24 env var and an actions/setup-node
step pinned to it, mirroring the non-fork skill-eval job in ci.yml.
Validated with actionlint (no findings).
