chore: improve actions performance and security practices #5970

Merged: clrxbl merged 33 commits into main from chore/ci-go-brrrrr on May 3, 2026

@clrxbl clrxbl commented May 2, 2026

Overhauls CI to be substantially faster and more cache-friendly. The bulk of the savings come from moving
Rust compilation onto Blacksmith runners with persistent disks, layering sccache on top, and rebuilding the
Docker images from prebuilt binaries instead of compiling inside the Docker context.

CI runners and caching

  • Migrated all time-sensitive jobs from ubuntu-latest (and macos-latest / windows-latest for Theseus) to Blacksmith
    equivalents (blacksmith-Nvcpu-*). Sized runners per job (2vcpu for frontend deploys/preview, 4vcpu for Turbo
    CI and Docker builds, 8vcpu for Theseus). All other jobs will continue to use ubuntu-latest as GitHub provides these runners for free.
  • Added sccache with multilevel disk,s3 storage to turbo-ci, labrinth-docker, daedalus-docker, and
    theseus-build. Disk tier is mounted via useblacksmith/stickydisk so it survives between runs.
  • Added mold to the labrinth Docker job to cut link time.
  • Cached ~/.cargo/registry, ~/.cargo/git, ~/.cargo/bin keyed on Cargo.lock.
  • Cached apt packages for libwebkit2gtk-4.1-dev, libayatana-appindicator3-dev, librsvg2-dev via
    awalsh128/cache-apt-pkgs-action.
  • Replaced pnpm/action-setup with corepack enable everywhere, and switched to manual actions/cache/restore
    for the pnpm store. Added a new prepare-pnpm-cache.yml workflow that warms the cache on changes to
    pnpm-lock.yaml / package.json.
  • Added concurrency groups to long-running workflows so duplicate runs cancel themselves on feature branches
    but never on main / prod.
  • Pinned every third-party action by commit SHA (with the version in a comment) and bumped most to current
    releases.

Docker build reshape

  • apps/labrinth/Dockerfile and apps/daedalus_client/Dockerfile no longer compile inside Docker. The workflow
    now runs cargo build on the Blacksmith runner (so it benefits from sccache and the Cargo cache), stages the
    binary plus migrations/assets into a docker-stage/ directory, and the Dockerfile just COPYs into a slim
    Debian image.
  • Removed the previous cache-from: type=registry … cache-to: type=inline registry caching since the Rust step
    is no longer in the build context. Not like it did much to begin with.
  • Added Cargo.toml / Cargo.lock to the labrinth-docker and daedalus-docker path filters so dep bumps trigger
    rebuilds.

Build profiles and tooling

  • release-labrinth profile: dropped codegen-units = 1, set opt-level = 2, switched to lto = "thin". Trades a
    small amount of runtime perf for considerably faster builds while keeping symbols for Sentry.
  • Bumped Node from 20 to 24 (.nvmrc)
  • pnpm-workspace.yaml: set minimumReleaseAge: 4320 (3 days) as a supply-chain guard against freshly-published
    malicious versions.
  • .npmrc: added public-hoist-pattern[] entries for ESLint / Prettier plugin packages so they resolve
    correctly from the workspace root.
  • packages/tooling-config: split runtime Prettier plugins into dependencies, added @eslint/compat,
    @nuxt/eslint-config, and eslint-plugin-turbo.

Cleanup

  • Removed emoji prefixes from workflow step names across the repo.
  • Standardized step casing and ID naming (docker_meta → docker-meta, kebab-case job IDs).

Performance results

Labrinth Docker build

| | Time | Speedup |
|---|---|---|
| Current GitHub Actions | ~17m | baseline |
| Blacksmith, uncached | 9m | ~1.9x faster |
| Blacksmith, cached | 6m | ~2.8x faster |

Modrinth App build (Theseus)

| Platform | Before | After (cached) | Speedup |
|---|---|---|---|
| macOS | 17m | 7m | ~2.4x faster |
| Linux | 9m | 5m | ~1.8x faster |
| Windows | 13m | 6m | ~2.2x faster |

Monorepo lint & test (pnpm run ci)

| | Time | Speedup |
|---|---|---|
| Current GitHub Actions (incl. labrinth tests) | ~17m | baseline |
| Blacksmith, uncached (incl. labrinth tests) | ~13m | ~1.3x faster |
| Blacksmith, cached (no labrinth tests) | 1m | ~17x faster |
| Blacksmith, cached (incl. labrinth tests) | ~6m | ~2.8x faster |
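
Added example, not part of the pull request or the Modrinth repository: one way to enforce the "pin every third-party action by commit SHA, with the version in a comment" convention described above is to audit each workflow file's `uses:` lines. The function name, the `trusted_owners` parameter, and the sample workflow (including its SHAs and the `example-org` actions) are constructed for illustration.

```python
import re

# A step's `uses:` value, plus an optional trailing `# comment`.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)['\"]?\s*(?:#\s*(.*))?$")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")       # full commit SHA, not a short one
VERSION_RE = re.compile(r"\bv?\d+(\.\d+)*\b")   # e.g. v4, 4.2.2

def audit_workflow(text, trusted_owners=()):
    """Return (line_no, ref, problem) for each `uses:` that breaks the pinning rule.

    trusted_owners is a hypothetical exemption list (owners allowed to use tags).
    """
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2) or ""
        # Local actions and docker:// images are not repository refs.
        if ref.startswith(("./", "docker://")):
            continue
        target, _, rev = ref.partition("@")
        if target.split("/")[0] in trusted_owners:
            continue
        if not FULL_SHA_RE.fullmatch(rev):
            # Tags and branches can be moved to different code after review.
            findings.append((no, ref, "mutable ref"))
        elif not VERSION_RE.search(comment):
            # A bare SHA is safe but unreadable; the comment records the release.
            findings.append((no, ref, "no version comment"))
    return findings

# Constructed sample workflow; SHAs are placeholders, not real commits.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: example-org/setup-tool@v3
      - uses: example-org/cache-thing@89abcdef0123456789abcdef0123456789abcdef
      - uses: ./.github/actions/local-step
      - name: Deploy
        uses: example-org/deploy@main # v1
"""

if __name__ == "__main__":
    for no, ref, problem in audit_workflow(SAMPLE):
        print(f"line {no}: {ref}: {problem}")
```

Run over every file in `.github/workflows/` as a CI check, a non-empty result can fail the job before an unpinned reference is merged.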

@modrinth-bot

Pull request changelog

App

Added

Changed

Deprecated

Removed

Fixed

Security

Website

Added

Changed

Deprecated

Removed

Fixed

Security

Hosting

Added

Changed

Deprecated

Removed

Fixed

Security

modrinth-bot commented May 2, 2026

clrxbl force-pushed the chore/ci-go-brrrrr branch from f88181b to def5cc1 (May 2, 2026 23:00)
clrxbl marked this pull request as ready for review (May 3, 2026 00:26)
clrxbl changed the title from "chore: improve actions performance" to "chore: improve actions performance and security practices" (May 3, 2026)
clrxbl force-pushed the chore/ci-go-brrrrr branch from f2e4cd7 to 9686536 (May 3, 2026 12:02)
clrxbl merged commit 5b59e39 into main (May 3, 2026)
14 checks passed