Pin pnpm 10.33.0 in CI so onlyBuiltDependencies is honored

pnpm/action-setup@v4 with `version: 9` was actually resolving to pnpm
10.x in CI (confirmed by the pnpm-10-only WARN about the package.json
"pnpm" field and by the "Verifying lockfile against supply-chain
policies" step). pnpm 10 reads onlyBuiltDependencies from
pnpm-workspace.yaml — our config has been correct there since the first
fix — but whichever 10.x the action picked apparently didn't, so every
install failed with ERR_PNPM_IGNORED_BUILDS.

Pin to 10.33.0 explicitly. That's the version where I verified locally
that pnpm-workspace.yaml's onlyBuiltDependencies is read correctly and
the install completes cleanly.

Dockerfiles still pin pnpm@9 via corepack, which reads the legacy
package.json#pnpm.onlyBuiltDependencies (still in place), so production
image builds remain unaffected.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.gitea/workflows/ci.yml

@@ -12,7 +12,11 @@ jobs:
 
       - uses: pnpm/action-setup@v4
         with:
-          version: 9
+          # Pinned explicitly. With `version: 9` the action was resolving to
+          # pnpm 10.x anyway, which doesn't read onlyBuiltDependencies from
+          # package.json#pnpm and broke installs with ERR_PNPM_IGNORED_BUILDS.
+          # Pin to the 10.x we know honors pnpm-workspace.yaml settings.
+          version: "10.33.0"
 
       - uses: actions/setup-node@v4
         with:
@@ -45,7 +49,11 @@ jobs:
 
       - uses: pnpm/action-setup@v4
         with:
-          version: 9
+          # Pinned explicitly. With `version: 9` the action was resolving to
+          # pnpm 10.x anyway, which doesn't read onlyBuiltDependencies from
+          # package.json#pnpm and broke installs with ERR_PNPM_IGNORED_BUILDS.
+          # Pin to the 10.x we know honors pnpm-workspace.yaml settings.
+          version: "10.33.0"
 
       - uses: actions/setup-node@v4
         with: